Imagine if the U.S. Census were conducted not by the federal government but by each individual state. States would be responsible for determining what data to collect and how to gather it, what formats to use and who could access it. They would also decide individually who could know about the available data. You can imagine how little census data would be used in such a scenario, but the way many organizations manage data today isn’t all that different.

Streamline Data Collection to Boost Security

Security operation centers (SOCs) are collecting more log data than ever — terabytes or even petabytes per week — but they do it for specific purposes, such as detecting intrusions. That data is often squirreled away within the four walls of the SOC, never to be seen by others.

As a result, a lot of wheels get reinvented. The average enterprise uses products from more than 50 vendors. In many cases, each of those companies has to go through its own data collection process to populate its security database, which is a wasteful duplication of effort.

It’s also a security risk. A recent study found that two-thirds of IT decision-makers weren’t completely sure how many vendors had access to their systems, CSO Online reported. Of those who said they were sure, an average of 89 distinct outside parties logged in every week.

Linking Logs

Log data has all sorts of uses, particularly when data from multiple sources is combined. Database, system administration and authentication server logs can be combined with network logs, for example, to uncover patterns that wouldn’t be apparent in isolation. In addition to intrusion detection, logs can yield insight on shadow IT use, insider threats, data leakage and performance anomalies. But because each department collects data for its own use, those logs often exist on islands.

The security industry is a hotbed of innovation right now, with more than 1,200 startups competing to solve problems as quickly as possible. What they often lack is good data. That’s why IBM devised an approach to streamline data collection and increase the value of real-time and archival information by opening its trove to third parties.

A Growing Library of Security Apps

Borrowing a page from the smartphone industry, we came up with the IBM Security App Exchange, powered by QRadar SIEM. QRadar collects log data from across the enterprise, including from network devices, operating systems, applications and user activity logs. Our customers can then analyze this information in QRadar or tap into a growing library of third-party applications.

The E8 Security App for QRadar, for example, applies behavior intelligence to QRadar data, enabling administrators to look for anomalies by comparing normal behavior patterns compiled over time with abnormal events. Similarly, the Sqrrl for QRadar uses kill chain analytics to identify malicious tactics, techniques and procedures. This threat hunting platform can help security teams cut down on the time these threats can lurk inside a network.

There are nearly 70 apps in the Exchange right now, and more are on the way. Most are available on a try-before-you-buy basis, so there’s no risk to customers.

Sharing Data for the Greater Good

The App Exchange takes advantage of QRadar’s powerful features for ingesting and normalizing data from nearly any kind of log. We make this resource available to all QRadar customers to incorporate into their own analytics. When it comes to security, more data is always better than less.

IBM is fortunate to have access to logs from hundreds of sources, allowing it to streamline data collection and distribute information efficiently. Why keep it locked up when others can put it to good use? Like the U.S. Census Bureau, our goal is to share data, not keep it hidden.