IBM QRadar Security Intelligence Platform: Product overview

Expert Dan Sullivan takes a look at how the IBM QRadar Security Intelligence Platform collects data from multiple sources so as to provide a comprehensive view of IT security.

Big data security analytics is an increasingly important measure for dealing with advanced persistent threats and other types of cyberattacks. Enterprises today face attacks that use multiple attack vectors, occur over extended periods of time, and are designed to avoid detection by endpoint security controls. One way to address the challenges presented by these types of attacks is to take a play from the attacker's playbook:

Don't depend on a single method to accomplish your goal.

This is the driver behind the adoption of big data analytics for security. Systems such as the IBM QRadar Security Intelligence Platform, a big data analytics product from Big Blue, complement existing security measures -- they do not replace them.

Platform modules

The platform collects data from multiple sources in order to provide a comprehensive view of the security state of infrastructure, servers and data. The core functionality of IBM QRadar Security Intelligence centers on collecting and analyzing several types of data, including log data, network flows, application vulnerabilities and user activity. QRadar processes data in near real time to alert systems administrators to anomalous activity as soon as possible.

IBM QRadar big data security analytics is a distributed platform comprising several software modules running on a cluster of servers referred to as data nodes. Data nodes are the compute and storage building blocks of IBM QRadar. They run in a cluster, and nodes can be added to provide more compute and storage resources as needed. Each node can store up to petabytes of data. Data nodes are available as hardware or virtual servers.

IBM QRadar SIEM, a data collection and integration application, collects and integrates log data from multiple types of endpoints and applications. The security information and event management (SIEM) component is responsible for normalization and other preprocessing steps needed to integrate data from multiple systems. After normalization, the data is analyzed using threat intelligence information to detect malicious content and events. The combination of near real-time data collection, normalization and integration with up-to-date threat intelligence allows IBM QRadar SIEM to prioritize security events and help reduce the likelihood of producing false positives.

Another component, the IBM QRadar QFlow Collector, works with the QRadar SIEM to analyze application-level traffic (Layer 7) to identify threats and monitor activities for compliance purposes. This component also supports threat detection without relying on signatures. The QFlow Collector also supports configuration management by identifying applications or servers that are running in ways that conflict with policies. For example, it can detect if a nonstandard port is used by a service or if encryption is not used on sensitive parts of the network. QFlow Collector can also detect and categorize new devices and collect data on the ports in use and services running on those devices.

Additional features

Other building blocks of the IBM QRadar Security Intelligence Platform include a log manager, a VMware-specific analysis tool and vulnerability scanning support.

The log manager is designed to collect, analyze and store large volumes of log data in real time. It captures up to hundreds of thousands of events per second and functions in cloud as well as non-cloud environments.

The VFlow Collector, like QFlow Collector, is designed to collect Layer 7 data and analyze application-level events, but is specially designed to support VMware environments.

The IBM Security QRadar Vulnerability Manager is a component for detecting vulnerabilities in network devices as well as application servers. It integrates with the SIEM of the platform and enables integration with other data and metadata collected from devices. Together, the vulnerability manager and the SIEM can prioritize events.


IBM offers comprehensive support for QRadar through professional services, training and online resources. The big data analytics product is a software platform that can be deployed on premises. Pricing is available directly from IBM.

Big data security analytics requires the ability to scale compute and storage resources as well as analyze data in multifaceted ways. The IBM Security QRadar Intelligence Platform provides both in a scalable, modular way that allows customers to deploy the right number of servers and the optimal combination of analytics capabilities. It incorporates security information and event management, application-level analytics, log management and vulnerability detection capabilities. The platform is comprehensive and suitable for large organizations with complex security analytics requirements.

Next Steps

In part one of this series, learn about the basics of big data security analytics

In part two discover the business case for big data security analytics

In part three find out how to evaluate big data analytics platforms

In part four compare the top big data security analytics products

This was last published in October 2016
