Data Collection Graduates to Actionable Intelligence: Integrating SIEM and IPS for Better Security
It’s graduation season, and I’m sure the sentiment that “knowledge is power” has been shared at more than a few commencement ceremonies. For a security analyst, knowing what is happening on the network in real time is priceless. Aggregating insights on the users, applications and devices traversing your network and then analyzing and correlating those inputs is the foundation for detecting threats and attacks against your organization.
That is one of the reasons security information and event management (SIEM) solutions have become the hub of many security programs. A good SIEM platform is able to collect the relevant data from other security devices deployed on the network. It serves as a central consolidation and integration point that delivers a comprehensive view of the network — spotting trends, patterns and potential anomalies that signal a security threat.
Security Intelligence Is a Springboard, Not a Finish Line
But what do you do with this security intelligence? Earlier in my career as a freshly minted MBA, a mentor shared her take on the saying “it’s not what you know, but who you know.” She believed that what you do with that knowledge is equally important.
Applying that thought to security, a SIEM solution can provide you with great knowledge and even help you determine which offenses warrant further analysis. But who does your SIEM know? What other solutions is it integrated with? Do those integrations allow you to take immediate action to stop threats?
One such important integration is between SIEM and your intrusion prevention system (IPS). Say what you want about the perimeter disappearing, but traffic still flows in and out of your network, so having a good next-generation IPS deployed remains critical. The IPS is a great network sensor and can typically send network data and event information up to the SIEM for analysis, making the SIEM smarter in developing security intelligence.
But an even more powerful, if less common, integration is when your SIEM can send policy updates directly to your next-gen IPS. It takes your security intelligence and enables you to directly and immediately apply it to stop threats. It’s taking what and who you know and turning it into what you do next.
Actionable Intelligence: IBM QRadar and XGS Integration
The native bidirectional integration between IBM QRadar Security Intelligence Platform and IBM QRadar Network Security (XGS), a next-gen IPS appliance that was named a Leader in the 2015 Gartner IPS Magic Quadrant, enables organizations to take immediate action on their security intelligence.
By working together, QRadar and XGS are able to disrupt the life cycle of advanced attacks in the following ways:
- XGS sends network flow, user/appliance metadata and security events to QRadar for analysis. QRadar aggregates and correlates this data with other inputs to identify and prioritize threats into high-probability offenses so security analysts can take action.
- QRadar can send policy updates directly to XGS. This allows the security analyst to take immediate and effective action to stop an attack. With what is often referred to as right-click block, the security analyst can quarantine malware hosts, block command-and-control communications and prevent access to questionable websites with a click of the mouse.
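The two-way loop described in the list above, as an added toy model that is not QRadar or XGS code: IPS events flow up, are correlated into a scored offense per host, and the offense is turned into IPS policy entries. The event schema, scoring and policy action names are assumptions for illustration.

```python
"""Toy model of the SIEM <-> IPS loop: IPS events go up, block policies come down.
Added example; not QRadar or XGS code. Event fields and policy actions are assumed."""
from collections import defaultdict

# Constructed IPS events as a SIEM might receive them (hypothetical schema).
IPS_EVENTS = [
    {"ts": 100, "src": "10.0.0.5", "dst": "203.0.113.9", "url": None,
     "kind": "malware_download", "severity": 8},
    {"ts": 130, "src": "10.0.0.5", "dst": "198.51.100.7", "url": None,
     "kind": "c2_beacon", "severity": 9},
    {"ts": 160, "src": "10.0.0.5", "dst": "198.51.100.7", "url": None,
     "kind": "c2_beacon", "severity": 9},
    {"ts": 170, "src": "10.0.0.8", "dst": "192.0.2.44", "url": "bad.example/x",
     "kind": "web_reputation", "severity": 3},
]

def correlate(events, window=300, threshold=15):
    """Group events per internal host within a time window and score them.
    A host whose magnitude crosses the threshold becomes an offense; the
    magnitude ranks offenses so analysts look at the worst first."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_host[ev["src"]].append(ev)
    offenses = []
    for host, evs in per_host.items():
        start = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - start <= window]
        magnitude = sum(e["severity"] for e in in_window)
        if magnitude >= threshold:
            offenses.append({"host": host, "magnitude": magnitude, "events": in_window})
    return sorted(offenses, key=lambda o: -o["magnitude"])

def offense_to_policy(offense):
    """Turn one offense into IPS policy entries (the 'right-click block'):
    quarantine the infected host, block its C2 peers, block bad URLs."""
    rules = {("quarantine", offense["host"])}
    for ev in offense["events"]:
        if ev["kind"] == "c2_beacon":
            rules.add(("block_ip", ev["dst"]))
        elif ev["kind"] == "web_reputation" and ev["url"]:
            rules.add(("block_url", ev["url"]))
    return sorted(rules)

def run_pipeline(events):
    """Full loop: events up to the SIEM, correlated offenses, policies down."""
    return {o["host"]: offense_to_policy(o) for o in correlate(events)}

if __name__ == "__main__":
    for host, rules in run_pipeline(IPS_EVENTS).items():
        print(host, rules)
```

Only the host with a high enough magnitude becomes an offense and receives policy, which is the prioritization step that keeps a single low-severity reputation hit from triggering a block.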
To learn more about the IBM QRadar and XGS integration, watch the on-demand webinar “Stopping Attacks With a Click of the Mouse: How IBM QRadar and XGS Work Together to Stop Threats.” IBM Security product expert Craig Knapik shares how the integration enriches overall security intelligence and improves threat detection, and how both solutions work together to disrupt the attack chain and improve network security.