
IBM is merging two worlds, Big Data and cyber security, into one: “Security Intelligence”. IBM’s “Security Intelligence” relies on “Big Data” infrastructure to collect data so that it can be analyzed in near-real-time and produce actionable alerts with low false-positive ratios.

Security use cases such as advanced persistent threat detection, fraud detection and insider threat analysis require a new class of solutions that can analyze more data content with higher flexibility and better results.

IBM Security Intelligence in conjunction with Big Data merges the real-time security correlation and anomaly detection capabilities of the IBM QRadar Security Intelligence Platform with the custom analysis and exploration of vast business data provided by IBM InfoSphere BigInsights. The result is an integrated solution that combines intelligent monitoring and alerting with a workbench for threat and risk analysts to analyze and explore security and enterprise data.


Included in IBM Security Intelligence with Big Data is an extensive set of pre-packaged security intelligence content, ranging from a comprehensive security data taxonomy and automated data normalization, to pre-defined rules and dashboards that codify the industry’s best practices.

Mr. Uwe Hoffman, Security Intelligence, Europe Technical Manager, IBM

During his visit to Israel, Mr. Hoffman, Security Intelligence, Europe Technical Manager, IBM, told i-HLS about IBM’s SIEM (Security Information and Event Management) solution, which is based on “Q1 Labs”, acquired by IBM in October 2011. Q1 Labs SIEM software collects and analyzes information from hundreds of sources across an organization, such as the network, applications, user activity, mobile endpoints, and physical security devices such as badge readers. Its SIEM software also helps IT staff and auditors manage the tracking of security incidents and model risk to better protect customers, while giving executives insight into the security and risk posture of the organization.

One of the IBM system’s strong advantages is scalability: the system can work with small organizations as well as national SOCs (Security Operational Centers).

The system monitors the traffic flow from standard network services as well as from Layer 7 applications, along with the work methods facing the servers and clients, and even monitors botnets and their links to open-source databases. This traffic management and monitoring gives almost real-time data and relevant alerts. The average system handles 50,000-100,000 events per second (and all the way up to 800,000 events per second), and produces the alert, which is done by third-party solutions. It is based on a rule-based engine that contains more than 350 rules, which monitor the IT behavior of the organization and alert on anomalies. The system also contains many other templates and user-friendly tools that allow the organization’s IT administrator to manage and create his own rules. The system self-learns to detect anomalies occurring across the organization’s IT systems (servers, network nodes, PCs, all the way to the application layer).


The system monitors both the real-time flow of data and statistics originating from log files. These are used to determine the organization’s normal behavior, as well as to alert on events whose traces are detected by following the log files along the timeline.

The market for SIEM systems is growing rapidly, and Mr. Hoffman sees the next generation of SIEM systems supporting administrators in the coming years.