IBM’s New Security Analytics Approach: QRadar Network Insights
A wolf stares at its prey from a distance, rarely taking its eyes off the prize. It has been taught to stay low, stay quiet, and ignore everything else. Its parents provided training on how and whom to hunt. As the prey approaches, a complex calculation of time, distance, and energy determines the moment of the strike. It is a well-conditioned predator designed for a very specific task.
A skunk, on the other hand, gets about two minutes of training from its parents: spread out, wander around and look for anything that resembles food. If it looks like food, eat it. If the food stays down, keep eating it.
The wolf survives on how well it hunts, whereas the skunk survives on how well it gathers.
Threat detection technologies are aligned with the wolf, relying on highly trained environments that are focused on very specific rules, signatures, hashes, and expressions. A priori information enables the technology to search for and detect threats in near real time. This highly trained environment has fueled the industry for decades but has three significant drawbacks:
The need for a priori intelligence creates a significant window of exposure between the time the threat is spawned and security technologies are “armed” with information that describes the threat.
Not all threats can be detected in real time using a priori information; some require correlation with additional data.
Systems that detect threats using a priori information do not stockpile relevant data for additional analytics. They only know what they are trained to see.
A New Way
A new generation of security analytics is more akin to the skunk: it gathers all information, scrapes out what may be relevant, correlates this data with third-party information and makes security assessments in near real time. It differs in that there is no a priori information; it assumes all data is relevant. It inspects every piece of information, seeking data that may be relevant to an external rules engine, that can be correlated with log information, or that can provide data for machine learning. A wolf is very efficient in that it knows what it is looking for; in security terms, it can inspect a tremendous amount of traffic with fewer resources. (For example, a wolf never assumes a mushroom is edible.) A skunk is very inefficient and requires continuous sampling of potentially edible substances; in security terms, everything is a potential clue to malicious behavior. The wolf only knows what it is trained to hunt, while the skunk accumulates a wealth of knowledge over time. (See Figure 1.)