June 3, 2014 By Chris Meenan 4 min read

One of the biggest challenges organizations face today is the need to keep more and more security data online for quick analysis by their SIEM solutions. I’m not talking an extra week or two here, but months or even years. Why? Well, it has been fairly well publicized that an attacker or insider can lurk on a network for months, evading detection and waiting for the most opportune time to attack.

So what is needed when this breach or potential breach is discovered? Quick access to historical data to find out what, if anything, happened and when. In other words, firms need the ability to look back and find those needles in the haystack — and it can be one huge haystack — that can reveal what happened. Due to the nature of breaches today and the sophisticated methods employed to execute them, understanding what is normal in a network is becoming increasingly important as a tool to detect breaches in the first place; ongoing analysis of historical data has a key role to play in that.

Getting the Most Out of Your SIEM

What does this mean for your security intelligence platform? It means that it must not only collect, normalize, categorize and correlate millions of events per second, but it must also have the ability to keep that data online for fast access, potentially for years; this means hundreds of terabytes (TBs) — if not petabytes (PBs) — of data for a lot of organizations. SIEM solutions traditionally don’t quite do this — or if they can, it is very expensive. Nor will they do it the way you really need them to because they were likely not designed to operate in this way.

One option, and one that is quite “in vogue” at the minute, is to utilize a complementary Hadoop-style system, keeping a few weeks’ worth of data in the SIEM and then exporting it into the Hadoop cluster for longer-term storage, analysis and reporting. On the face of it, Hadoop, especially open-source options, can appear pretty competitive from an overall cost perspective, and you can surely deploy Hadoop nodes on commodity hardware, so it’ll be cheap! Furthermore, any half-decent SIEM will have a nice Hadoop-friendly export mechanism, making this integration simple.

Sounds like a great solution doesn’t it? Well, there are a few gotchas.

  • The Hadoop deployment, network infrastructure and the SIEM will have to potentially be able to transfer data at millions of events per second without impacting normal operations. This can be a real challenge, especially if your network is spread across several countries or even continents, connected by easily-flooded WAN links — security data really is big.
  • A lot of the context from the SIEM can be lost. A SIEM will categorize, normalize, tag and link events with paths through the network, vulnerabilities, discovered assets, users and all their properties. It will automatically utilize threat intelligence data as it performs risk and impacting scoring. It will provide right-click, auto-complete, drill-down and pivoting that is specifically designed to make the job of detecting and analyzing a security event as quickly and easily as possible by removing arduous repetitive tasks — a good one will, anyway.
  • Users will want to drill down into this historic data seamlessly as part of their work flow and, conversely, users looking at historic data may want to look at real time data, also, so you will be looking at some level of UI integration and all headaches that can entail.
  • It is yet another security system, adding more administration, integration and maintenance costs. I think most organizations have enough of these and their associated costs, overheads and risks already.

When an organization is large enough to justify all the additional costs associated with running a Hadoop deployment — and has the skills in-house to develop it — it very well might be a viable solution for some specific use cases. In reality, however, what most users need is a security intelligence platform that will continue to provide them the actionable insight they need, even as their data volumes grow.

What about All That Data?

But what about all that data? Don’t organizations need Hadoop to handle TBs and PBs of data? Let’s see.

So you have a good SIEM handling hundreds of thousands or even millions of events per second (potentially distributed over a wide geography); doing all the things that you want it to do in real time; and providing several weeks’ or months’ worth of short-term storage and data access at your fingertips. But say you wanted to keep that data online for a year, or maybe even two. Wouldn’t it be great if all you had to do was add new, very cost-effective “nodes” to your SIEM deployment? You want the nodes to just store data and provide the ability to query it. Wouldn’t it be just fantastic if, when these nodes are added to your deployment, that data is automatically distributed across them? Wouldn’t it be great if you could add these nodes in virtual, software (on commodity hardware) or appliances forms whenever and wherever you needed them? And wouldn’t it be ideal if this was all completely transparent to users?

That is exactly what we in the IBM QRadar product team thought, so we put our heads — and keyboards — together and created the QRadar Data Node. Want to keep your data for longer or just add more querying horsepower? Just add QRadar Data Nodes to your deployment! Addition is simple, it doesn’t require any reconfiguration, your log sources stay the same, your correlation rules don’t change, your reports and integrations are unaltered and the UI doesn’t change. Data is automatically spread across nodes based on intelligent scattering policies. Each Data Node can store and crunch through 100 TB of uncompressed data and up to a whopping 800 TB of compressed data. And the best bit: You can simply keep adding them to your system whenever you need to.

And what is the impact on your users?

Nothing — apart from the fact that they will now have fast access to more historical data than ever before through the same intuitive UI, with all the same context, linkage and intelligent navigation. You will have saved yourself another security system, kept your costs down, lowered your security risks and made your security more effective. We are all very excited about the latest innovative addition to our QRadar family, and we are sure our users will be, too.

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today