I’ve worked in security for more than 15 years, and in that time I’ve worked with hundreds of customers and practitioners, helping them solve tricky security problems so they can prevent, detect and respond to threats with high levels of efficiency. One of the reasons that I love (and sometimes despise) working in cybersecurity is that it changes literally every day — sometimes every hour!
I vividly remember one incident that occurred a few years ago during a visit to the security operations center (SOC) of a large bank that had deployed IBM’s QRadar. While I was there, a distributed denial-of-service (DDoS) attack began, which had the entire security team scrambling to counter it before it affected critical bank websites. The team did track down the source of the attack and block the IPs within a couple of hours, but a lack of efficiency and automation resulted in a delayed response.
The days of manual root cause analysis and blocking, which can take hours of time and extensive manual labor, are over. That is exactly the reason IBM has added even more efficiency, automation, out-of-the-box content and collaboration capabilities to the latest release of QRadar, V7.2.6.
A Look at QRadar’s Capabilities
Let’s run through this scenario with QRadar V7.2.6’s new capabilities. QRadar’s rule engine detects attacks in many ways, including correlation of the attacker’s source IPs with blacklisted IPs acquired from an external threat feed or by triggering network behavioral anomaly rules.
The QRadar rule(s) can invoke an automated response such as blocking the attacking IPs on the wire, killing the DDoS attack within minutes. Security analysts, alerted to the offense via the QRadar console, can then collaborate with peers via X-Force Exchange and share data on the attack to help others. We call this collaborative defense.
Today, the bad guys are innovating faster than the good, and they aren’t just kids hacking away from a dorm room or their parent’s basement. They are well-funded, highly specialized organizations that run their criminal enterprises like businesses. Many are a product of the Internet generation and are extremely adept at using social tools to collaborate via the Dark Web.
The X-Force team recently delivered an interesting and scary webinar on the evolution of threats. Cybercriminals sell their technology to each other and even offer it as malware-as-a-service or exploit kits, available via subscription to lesser skilled individuals for a few bitcoins. This has created a very low barrier to entry at one end of the spectrum and a set of highly sophisticated malware and advanced persistent threats (APTs) on the top end. The scary part is attackers only need to find one or two holes in our defenses and all those security investments and hard work is for naught.
How QRadar Can Save Time and Boost Efficiency
QRadar V7.2.6 includes significant advances in threat detection and response, improved investigative workflows and even more automation to help our customers prevent, detect and respond to threats by increasing staff efficiency and decreasing response times.
My favorite way to communicate the value of what we’re doing is to tell our story in terms of what real people can do with the technology. Here are five ways QRadar is currently helping organizations remain secure.
- It is rapidly and automatically detecting advanced threats like APTs and malware outbreaks using powerful analytics such as behavior-based anomaly detection, leveraging that data to drive automated responses such as blocking IPs, shunning users and blacklisting domains. This automatically fixes security exposures with little or no human intervention required.
- QRadar combines forensics data, including full packet capture, with real-time threat detection so that it can be used in the context of ongoing investigations. It helps to track down perpetrators while the crime is being committed rather than days or months after the fact.
- The solution leverages collaboration tools to enable customers to work directly with peers in the industry and other security experts. It provides a common platform for knowledge sharing to help detect emerging threats like zero-day attacks and other indicators of compromise (IOCs) as they occur.
- QRadar also provides a mechanism with which IBM engineers and business partners can quickly and easily build and deliver new security intelligence capabilities through a curated app market, the IBM Security App Exchange.
- Finally, the platform centralizes, normalizes and prioritizes vulnerability data from many sources, correlating it with a rich set of external and internal data including threat feeds, network activity monitoring and detected IOCs. It then uses that data to determine which machines represent the highest risk to the business. By feeding that data directly into the patching process as an actionable set of high-priority patches, security holes are closed within hours or minutes.
We’re all extremely excited about the new security breakthroughs we’ve made in the new QRadar V7.2.6 release.
To Learn More
If you would like to learn more, please watch my webinar, “5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016.” In it, I’ll dive even deeper into this and many more topics.