I pay too much for my cellphone service. My family burns through our data plan without realizing what’s going on as they browse the net, communicate with friends, stream videos and so on. What I really need is some sort of security information and event management (SIEM) for my cellular service that would alert me when anomalistic behaviors are occurring.

Right now, my carrier sends me a text when 75 percent, 90 percent and 100 percent of my data plan is consumed, which prompts me to review all the usage and find out who did what with 11 GB of data in as little as two weeks. The statistics typically reveal that it’s video streaming, but the connect times are short and occur during all hours of the day and night. It would’ve been great to get the alert that my son’s phone is processing video at 3 a.m. before all the data is used.

Behavioral Analytics Finds Abnormal Behavior

QRadar Security Intelligence performs this sort of anomaly detection — also known as behavioral analytics — in real time as it compares current activity to a moving average baseline used to define normal operations. This is calculated using the accumulated log source event and flow data for associated collections of IP addresses, usernames, workgroups, etc. so it can alert on a wide variety of conditions. Wouldn’t you sleep easier knowing that your IT security team will see the first occurrences of what may be a newly installed botnet agent calling home to a command-and-control (C&C) server? Or how about the first time an unauthorized user accesses a highly valued system?

Read the Ponemon Institute study on the economic benefits of QRadar

The concept of applying behavioral profiling to computer networks isn’t exactly new. It was originally proposed by Dorothy Denning back in her 1987 IEEE paper “An Intrusion-Detection Model,” but IBM Security’s QRadar implementation takes it a step further. Many vendors are only able to look at syslog events and NetFlow information, which only reveal part of the story — like seeing odd cellular data traffic at off hours. QRadar Security Intelligence incorporates Layer 7 or application insights that can quickly discover things like nonstandard protocols running through essentially reserved ports.

How QRadar Can Help

QRadar’s QFlow Collector processors employ deep packet inspection (DPI) to help uncover things like IRC traffic over Port 80, which is typically reserved for HTTP. It can also be used to identify potential data loss through file transfer protocol (FTP) servers transmitting prohibited content, such as audio or video recordings created by commercial studios. It’s like having the additional insight that the cell traffic occurring is video destined for YouTube.

This type of anomaly detection is the next best line of defense once a network’s perimeter has been breached. Today, just about the only thing attackers can’t know about our networks is what’s normal, making their movements more easily discovered when activity deviates. It’s one area you can have an advantage, and anomalies can be defined in several ways.

In addition to the behavioral profiling previously discussed, QRadar can generate alerts and offenses based on all the following: when new hosts and services appear on the network; when existing services stop or crash; when a highly valued server starts using new applications or suddenly starts communicating with assets outside your network; and when the amount of data transferred to an external source exceeds a defined threshold.

QRadar SIEM’s advanced search capabilities can also help security professionals discover low-and-slow attacks occurring over longer time periods than would surface using 30-day exponential smoothing algorithms. QRadar event and flow processor appliances often retain more than 180 days of security data, and their retention periods can easily be doubled or tripled with the addition of QRadar Data Node appliances.

Using SIEM to Improve Overall Security Posture

One of the challenges associated with SIEMs using anomaly detection technology is to know when not to apply this analysis or how to adjust any time intervals to accommodate infrequent and random acts of humans. Anomaly detection also doesn’t help the IT security professional understand the type of attack or define any remediation activities. This is why QRadar Security Intelligence includes both SIEM investigation capabilities for inspecting all the underlying events and flows and QRadar Incident Forensics technology for retrieving and analyzing all associated network packet transfers.

Read the Ponemon Institute’s IBM QRadar Security Intelligence Perception Capture Study

After the second month of paying overage charges on my data plan, my son downloaded the account app and began looking at his data usage. He’s a budding YouTube channel publisher, and there was some background service running that never seemed to quit. Once properly identified, he simply deactivated the app whenever he wasn’t editing or uploading. Immediate value was realized from insights into user and data activity, just as next generation SIEMs are able to deliver.

More from Intelligence & Analytics

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language. Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the…

Moving at the Speed of Business — Challenging Our Assumptions About Cybersecurity

The traditional narrative for cybersecurity has been about limited visibility and operational constraints — not business opportunities. These conversations are grounded in various assumptions, such as limited budgets, scarce resources, skills being at a premium, the attack surface growing, and increased complexity. For years, conventional thinking has been that cybersecurity costs a lot, takes a long time, and is more of a cost center than an enabler of growth. In our upcoming paper, Prosper in the Cyber Economy, published by…

Overcoming Distrust in Information Sharing: What More is There to Do?

As cyber threats increase in frequency and intensity worldwide, it has never been more crucial for governments and private organizations to work together to identify, analyze and combat attacks. Yet while the federal government has strongly supported this model of private-public information sharing, the reality is less than impressive. Many companies feel that intel sharing is too one-sided, as businesses share as much threat intel as governments want but receive very little in return. The question is, have government entities…

Tackling Today’s Attacks and Preparing for Tomorrow’s Threats: A Leader in 2022 Gartner® Magic Quadrant™ for SIEM

Get the latest on IBM Security QRadar SIEM, recognized as a Leader in the 2022 Gartner Magic Quadrant. As I talk to security leaders across the globe, four main themes teams constantly struggle to keep up with are: The ever-evolving and increasing threat landscape Access to and retaining skilled security analysts Learning and managing increasingly complex IT environments and subsequent security tooling The ability to act on the insights from their security tools including security information and event management software…