The free application available on the IBM Security App Exchange is designed to target insider threats, which make up 60 percent of all cyber attacks within organisations today, according to (right) IBM Security program director, Pat Vandenberg.
The new application uses existing QRadar security data with user information pulled from the entire IT environment. QRadar is IBMs security intelligence technology that helps enterprises quickly prioritise threats and pulls in log events and network flow data from thousands of devices, endpoints and applications distributed across a company’s network. The QRadar platform looks at hundreds of different integration points to collect all the security event information available, not just with IBM solutions, but across over 100 different other vendor solutions in the space, to be able to cover whatever a user organisation has deployed. Already providing visibility into the enterprise with QRadar, Big Blue extended the platform`s capability set, to cover the insider threat use case.
The IBM QRadar Behavior Analytics application compiles risk scores for every user in a network based on activities. And it provides a behavioural analysis dashboard and watch list for leading user accounts that may pose a threat.
“What we’re looking for is anomalistic behaviour of users, whether that is through compromised credentials because somebody has inadvertently had malware deployed on their endpoint or desktop and an attacker has taken over their credentials or you’ve got a disgruntled employee,” says Vandenberg. That’s something that’s very difficult to see in an organisation for a security analyst, because they are typically seeing about 200,000 events a day.
It is routine for cybercriminals to lure employees, partners, or contractors to inadvertently download malware onto systems to gain unauthorised access to confidential information, he says, adding “The new app can help to find and eliminate that problem.”
The issue is sifting through all of the information on a company’s network to detect really small anomalies and behaviour patterns. The QRadar User Behaviour Analytics solution is designed to find those insider threats by tapping into that information to expose risk and abnormal user behaviour. Different examples of abnormal activity could be someone opening up a highly confidential document for some sort of project that isn’t supported by that individual, or logging in from an unusual location where the company doesn’t have a presence, or seeing two different servers communicating with each other that’s triggered by a user, or huge data uploads.
There are a bunch of different triggers that can identify this risky user behavior, Vandenberg said. And from that risk scores get compiled. And you get a hierarchy of these risk scores. The ones at the top are the ones that are the most risky for the security analyst to look at.
Now available for any IBM Security user, the QRadar User behaviour Analytics application initially went through a private beta stage where select IBM customers got to try it out. Vandenberg said what they like most about it was the speed in which they could get it up and running.
“You can go to the App Exchange and install this app in 15 minutes,” he said. “You’re talking about minutes to hours to go and pull in a critical use case in security as opposed to the procurement, the deployment, standing up and curating a separate solution and data set. That is a powerful element that customers are enjoying. A user can extend their capability set in minutes and hours and contain the complexity of their infrastructure,” he added.
“Organisations need a better way to protect themselves against insider threats whether they be from inadvertent actors or malicious cybercriminals with access to an organisations inner workings and technology systems,” states (left) Jason Corbin, VP of strategy and offering for IBM Security. This new app provides analysts with the ability to quickly pivot by using existing cyber-security data to see the early warning signs that are often buried in suspicious user activities, ultimately helping them more consistently address breaches before they occur.
QRadar technology is not tied into any of IBMs cognitive computing technology, but that is probably just a matter of time. However, QRadar does plug into a platform that is at the centre of analytics capabilities.
In May, IBM announced that it was teaching an instance of its Watson cognitive computing system to look for cyber-security threats, Vandenberg indicates “We did have a demo of Watson for cyber security within a QRadar use case. So this is something that IBM may move toward in the future.”