Making a SIEM Dance With Docker
Despite having left coding 20 years ago and going over to the other side of offering and product management, I’m still a techie at heart. Next to seeing customers happy with our solutions, I also get excited about cool new tech that solves real business problems in a beautifully elegant way.
IBM Strengthens SIEM
One of the major challenges organizations struggle with in their security information and event management (SIEM) and security operations is the need for stability, robustness and predictability. Threats are operating 24/7 and the business stakes are high. To stay ahead of those rapidly developing threats, organizations need real agility, collaboration and continuously delivered innovation.
This was the key driving factor behind the IBM Security App Exchange and the QRadar SIEM app framework. But how do you deliver both sets of seemingly conflicting requirements? We knew bolt-ons and closed solutions were not going to deliver the agility, simplified workflows and lower operational costs that customers needed. We’ve all seen these approaches do little for organizations except add overhead and complexity.
IBM completely opened up the QRadar platform to enable third-party vendors (including our competitors), partners and other teams within IBM to create, seamlessly integrate and embed solutions with QRadar. This was done in the form of pluggable, independent QRadar apps, thereby enabling that agility, ecosystem and innovation. To date, there are over 75 apps on the App Exchange from dozens of vendors, covering myriad security operations processes.
Dancing With Docker
What isn’t immediately obvious, though, is what a QRadar App actually is and why it is so important. To some, an app is maybe something as simple as a few searches, dashboards or correlation rules. While this is true, there is much more to a QRadar app, stemming from its innovative use of the Docker technology. We integrated Docker directly into QRadar — so much so that it is now, by default, present in every single QRadar instance, from the smallest versions running on laptops to the largest global deployments.
What is so wonderful about Docker? Docker is a relatively new containerization technology. It lets applications be packaged and deployed as containers that run on a single machine or virtual machine (VM) without the overhead of a full operating system per container. A container carries the software it needs to operate and shares the host operating system (OS) kernel for everything else. Containers also isolate apps from each other and from the QRadar platform: kernel namespaces give each app its own view of processes, filesystem and network, and resource limits (cgroups) keep one app from consuming all the CPU or memory on the host and causing another to fail. That isolation is only as strong as the limits and privileges configured for each container, since all containers share the host kernel rather than each running its own.
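As an added example (not part of the original post, and not QRadar's own app packaging or framework configuration), the Docker Compose file below runs the same hypothetical app image twice: once with Docker's defaults, where nothing stops the container from consuming the whole host, and once with the kernel-enforced resource ceilings and privilege reductions that make the isolation claim above actually hold. The service names, image name, user ID and limit values are assumptions for illustration.

```yaml
# Added example: the same hypothetical app image run two ways.
# Service names, image, user and limit values are assumptions.
services:
  app-unbounded:
    image: example/siem-app:1.0   # hypothetical image
    # Docker defaults: no CPU, memory or PID ceiling, full root
    # capabilities, writable root filesystem. A runaway or compromised
    # app here can starve every other container and the host itself.

  app-bounded:
    image: example/siem-app:1.0   # same hypothetical image
    # Resource ceilings enforced by the kernel (cgroups), so one app
    # cannot exhaust the host even if it misbehaves.
    deploy:
      resources:
        limits:
          cpus: "1.0"       # at most one CPU's worth of time
          memory: 512M      # OOM-killed inside the container, not the host
    pids_limit: 256         # caps fork bombs
    # Reduce what the process can do if the app is compromised.
    read_only: true         # immutable root filesystem
    tmpfs:
      - /tmp:size=64M       # scratch space with its own size cap
    cap_drop:
      - ALL                 # no root capabilities at all
    security_opt:
      - no-new-privileges:true   # setuid binaries cannot raise privileges
    user: "10001:10001"     # unprivileged UID/GID (assumed)
    ports:
      - "127.0.0.1:8080:8080"    # expose only on loopback
```

Bring it up with `docker compose up -d`, then compare `docker stats` for the two containers under load: the bounded one is throttled at one CPU and killed at 512 MB, while the unbounded one is free to take everything. Note that the enforcement comes from the host kernel, which both containers share; a kernel vulnerability is therefore outside what these settings protect against.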
Why is this so important for QRadar? Docker gives the QRadar platform and its containerized apps stability and robustness, while also enabling agility and an ecosystem through openness, pluggability and seamless app integration. It lets QRadar apps bring their own searches and rules, new user interfaces, data stores and complex analytics built on technologies such as Hadoop and Spark.
A great example of an app making full use of the QRadar Application Framework and Docker containers is the new User Behavior Analytics App. This app adds new data models, analytics, visualizations, dashboards and application programming interfaces (APIs), and plans to utilize Spark to enable more advanced machine learning and behavioral analytics than those found in traditional SIEM solutions.
More Innovation to Come
Years ago, we called the QRadar architecture the “Security Intelligence Operating System (SIOS).” This is finally being fully recognized in a very tangible way thanks to these new innovations. With built-in Docker containerization and pluggable analytics from Spark, we are really excited about how effectively this technology has enabled collaboration, innovation and integration in an easily consumable and secure way. To top it all off, we have apps in the pipeline that are exciting, game changing and just outright cool!