AIX > Administrator > Security

IBM’s New Security Analytics Approach: QRadar Network Insights

Russell Couturier

In security terms we can think of intrusion detection systems (IDS), sandboxing, malware detection technology, IP blacklists, and threat intelligence as the wolf: any technology that requires a priori information to function. IBM is introducing a new generation of technology, QRadar network insights (QNI), that gathers information in real-time, makes real-time decisions where applicable (like the skunk who says, “I’ve eaten this before”), supplements the SIEM rules engine, and creates a repository of all events for third party analytics. QRadar network insights is a network tap that extracts flow information, protocol metadata, files, file metadata, user metadata, and content meta-data. Real-time security assertions are made where applicable; and all relevant events are forwarded to QRadar where network events can be correlated with log events, and additional rules are processed and stored in a database for further analysis.

As data moves left to right, a profile of every entity of every network flow is created allowing for downstream data correlation combined with SIEM and machine learning analytics. Unlike intrusion detection systems, a continual stream of analytics can take place in real-time, using external appliances, applications, and enrichment data to make security assessment; and flow metadata is accumulated and passed downstream to “interested applications” (This might be a machine learning environment to detect network anomalies or a sandboxing application). In this way, intelligence is accumulated as it passes through various analytic techniques.

Examples of real-time assessments made by QNI include personal identification loss, SSL certificate violations (expired or self-signed), protocol obfuscation (HTTP over a typical DNS port), recognition of potential malicious flows (botnets, tunneling, phishing) and tagging files that may contain malware. The SIEM rule engine uses the rich flow metadata to make additional security assessments like insider threat, user-risk assessment, abnormal identity behavior, and unusual file transfers. Now that the data is stored in the SIEM, other analytics that may require historical or future flow metadata can be applied. For example, an endpoint infection analysis would require historical and future flow metadata for accurate detection.

An additional benefit of gathering is the unique content-aware capabilities. Try to think of content as the unstructured text associated with instant messages, email, files, blogs, web pages. Content contains a rich data set that enables inspection for redirection to malicious sites, confidential information, personal data, and conversational categorization (what is being talked about). QNI provides the ability for rules and site-specific customization of metadata extraction by allowing regular expressions and YARA rules to be applied.

Main Differences

The QNI differs greatly from a priori security technology.

  1. All flow metadata is extracted.
  2. Flow metadata is expanded as additional analytics and are applied to it.
  3. Flow metadata can be enriched with third party intelligence at any time.
  4. It enables real-time, historical, and future analytics to be performed on the data.
  5. It is content aware and configurable.

QNI differs from typical solutions that have deployed IDS and netflow technologies.

An intrusion detection system extracts discrete metadata based upon well-defined events with downstream analytics having a very thin veneer and context of the security event. It only extracts what it is looking for. Netflow extracts a discrete limited set of flow attributes that do not inspect any of the payload or protocol data. It describes the communication characteristics of the transactions, but has absolutely no knowledge of the contents of the transaction. Finally, QNI provides all of the metadata associated with netflow, but illuminates all relevant meta-data within the flow. It is an enriched version of netflow.

The utilization of netflow for security analytics has been around for years. As clients look to upgrade their IDS or flow-processing systems, they should seriously consider migrating to or enhancing their environments with gathering type technology such a QNI. They will maintain all the benefits of their exiting flow technology and enhance it with a enriched flow events, that further enable SIEM rules, external data correlation, and post ingestion analytics.

Like what you just read? To receive technical tips and articles directly in your inbox twice per month, sign up for the EXTRA e-newsletter here.

comments powered by Disqus



2019 Solutions Edition

A Comprehensive Online Buyer's Guide to Solutions, Services and Education.

Hardening the Cloud

Security considerations to protect your organization

Verify System Integrity

AIX 6.1 and Trusted Execution help ensure secure systems

A Bankable Solution

AIX Cryptographic Services improves security while simplifying administration

IBM Systems Magazine Subscribe Box Read Now Link Subscribe Now Link iPad App Google Play Store
IBMi News Sign Up Today! Past News Letters