September 26, 2016 By Denis Kennelly 3 min read

I haven’t seen much love lately for security information and event management (SIEM). To steal a phrase from Gartner, the security analytics platform seems to have entered the “trough of disillusionment.” But in deploying alternatives, some enterprises may be trading one problem for another.

SIEM is great in concept. These tools were introduced about a decade ago to cope with a flood of logs and alerts that were beginning to flow in from intrusion detection systems (IDS) and intrusion prevention systems (IPS). But as with any nascent market, SIEM lacked standards. Each vendor implemented SIEM differently, using different data stores, query languages and analytics engines. Some solutions were implemented in software and some in hardware. Each was a little different from the others.

Today, there are dozens of alternatives on the market. Meanwhile, the volume and types of alerts have continued to grow, adding to the complexity of SIEM. Security professionals have to monitor dashboards pretty much all the time, and they need to know exactly what they’re looking for. This is ironic because attackers are always looking to hit us precisely where we aren’t looking. In short, the first generation of security analytics platforms has become top heavy and complex.

**Updated** Download the 2017 Gartner Magic Quadrant for SIEM

The Need to Simplify SIEM

With the arrival of open-source frameworks such as Hadoop, which stores vast amounts of information cheaply, some IT organizations saw the opportunity to simplify SIEM by replacing dedicated software with their own data lakes. This made it simpler to load data, but it didn’t solve the problem of what to do with it. Extracting the necessary data from the various systems and interfaces is hard work, and that doesn’t go away with a data lake. Also, migrating from a purpose-built solution like SIEM to a general-purpose data platform requires a lot of customization and programming.

With a data lake, organizations still have to answer questions about what kind of data to collect, how frequently to update it, how long to keep it and which use cases to examine. Over time, the scope of the problem grows and the same complexity problems resurface. Query tools may be standardized, but queries aren’t. IT organizations still have to know what to look for and invent their own approaches to finding it. That’s what I mean by trading one problem for a slightly different one.

Solving a Complexity Problem

SIEM was never a bad idea, but the growing volumes of information that organizations layered into their SIEM systems created a complexity problem. The solution isn’t to throw out the security analytics platform, but to modify it with concepts borrowed from cloud, big data, predictive analytics and machine learning.

In the early days of SIEM, the platform had to be developed from scratch. Today, we can leverage open-source building blocks where it makes sense, then extend through crowdsourcing. The result is the IBM QRadar Security Intelligence Platform, a unified architecture for SIEM that uses advanced analytics engines to capture data from a wide variety of sources, correlate patterns with high-risk threats and elevate high-priority incidents from the mass of data. You can use it on-premises or in the cloud.

QRadar collects information from edge protection devices, switches, routers, servers, operating systems and even applications. It applies correlation analysis and security analytics in real time to distinguish real threats from false positives. Out-of-the-box templates and filters, combined with a user interface that humans can actually understand, dramatically reduce training times.

Revamping Your Security Analytics Platform

Thanks to machine intelligence, QRadar literally learns from usage patterns. It can detect, for example, excessive usage of an application or unusual off-hours activity based on historical data. Dashboards show spikes in alert activity, enabling administrators to drill down for more information.
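To make the "learns from usage patterns" idea concrete, here is a small baseline-and-deviation detector written for this article (it is not QRadar code and not part of the original post). It builds a per-user, per-application baseline from constructed historical events, then flags the two anomaly types mentioned above: activity at an hour the user has never been active before, and a daily volume spike well above the historical mean. Business hours, the z-score threshold and the sample events are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (user, app, ISO timestamp); not from the original post.
# HISTORY holds a working week of routine activity; NEW_DAY is the day being monitored.
HISTORY = [
    ("alice", "hr-portal", f"2016-09-{d:02d}T{h:02d}:15:00")
    for d in range(12, 17) for h in (9, 11, 14, 16)          # 4 events/day, office hours
] + [
    ("bob", "git", f"2016-09-{d:02d}T{h:02d}:40:00")
    for d in range(12, 17) for h in (10, 13)                  # 2 events/day
]
NEW_DAY = [
    ("alice", "hr-portal", "2016-09-19T10:05:00"),
    ("alice", "hr-portal", "2016-09-19T02:30:00"),            # 02:30, never seen before
] + [("bob", "git", f"2016-09-19T{h:02d}:00:00") for h in range(9, 18)]  # 9 vs. usual 2

def _parse(events):
    return [(u, a, datetime.fromisoformat(ts)) for u, a, ts in events]

def build_baseline(history):
    """Per (user, app): mean and stdev of daily event counts, plus the hours seen."""
    daily = defaultdict(Counter)        # (user, app) -> {date: count}
    hours = defaultdict(set)            # (user, app) -> hours of day with activity
    for u, a, t in _parse(history):
        daily[(u, a)][t.date()] += 1
        hours[(u, a)].add(t.hour)
    return {k: {"mean": mean(c.values()), "sd": pstdev(c.values()), "hours": hours[k]}
            for k, c in daily.items()}

def detect(baseline, events, business_hours=(8, 18), z=3.0, min_excess=3):
    """Flag off-hours activity with no history at that hour, and daily volume spikes."""
    findings, todays = [], Counter()
    for u, a, t in _parse(events):
        todays[(u, a)] += 1
        known = baseline.get((u, a), {}).get("hours", set())
        if not (business_hours[0] <= t.hour < business_hours[1]) and t.hour not in known:
            findings.append(("off-hours", u, a, t.isoformat()))
    for (u, a), n in todays.items():
        b = baseline.get((u, a))
        if b is None:
            findings.append(("new-pair", u, a, n))          # user/app never seen in history
        elif n > max(b["mean"] + z * b["sd"], b["mean"] + min_excess):  # floor guards sd == 0
            findings.append(("spike", u, a, n))
    return findings

if __name__ == "__main__":
    for finding in detect(build_baseline(HISTORY), NEW_DAY):
        print(finding)
```

The `min_excess` floor matters in practice: a user whose history is perfectly regular has a standard deviation of zero, and without the floor a single extra event would trip the spike rule.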

That machine learning also extends to cognitive technologies that mine the mountains of unstructured data in the blogs and web posts we all see in the security world. These unstructured data sources often point to the needles of value in the haystacks of security-related information. The idea is to let the security analytics platform do the hard work and to leverage human experience via a set of standardized queries and use cases that are updated constantly.

Another great resource is the Security App Exchange, a groundbreaking collection of extensions written by IBM and its partners. These provide additional layers of analysis and reports that are validated by the QRadar team. Need a way to detect anomalous user behavior on your network? There’s an app for that.

These kinds of features are one reason IBM has again been ranked as a leader in the Gartner Magic Quadrant for SIEM. We want to help move SIEM out of the “trough of disillusionment” and back on its rightful path toward the “slope of enlightenment.”

