In December 2015 IBM opened up its security analytics platform IBM Security QRadar. The goal was to encourage customers, developers and third-parties to build custom applications to take advantage of the platform. It also announced the IBM Security App Exchange where companies could create, share and get new applications based on IBM’s security technologies.
The latest of those new applications has now been released. It targets User Behaviour Analytics (UBA), something that the IBM security team has been focused on for the past five years. UBA enables security teams to detect unexpected behaviour by users and applications that could indicate a security breach.
UBA, big data and analytics
The big challenge for UBA is that to do it properly requires vast amounts of data from multiple sources. It is a perfect example of the problem of big data analytics. Data has to be acquired from a lot of different sources, imported into a common database and then analysed. The larger the organisation the more complex the data set because there are so many more logs and data files to be imported. The most effective solution is to be able to do the analytics in real-time or as close to as is possible.
All of this plays to IBM’s strengths. QRadar already gathers data from a number of sources such as machine, application, network, firewall and other security logs. It can use that data to see if the types of files accessed by a user or application are typical. It is also capable of monitoring traffic patterns to see if unexpected connections are being made. All of these point to a change in behaviour which might be an indicator of a problem.
There is another challenge to making this work. To decide what is unusual or unexpected you need a baseline. Historically UBA solutions have taken a long time to create those baselines. In many cases what is established is a best guess and that creates doubt as to whether the results are real or false. In this case, IBM says that creating baselines once QRadar UBA is deployed could take as little as a couple of days. This assumes that customers have already deployed QRadar and have been gathering data. The worst case scenario would be a new QRadar deployment or the roll-out of a new application where it could take weeks to gather enough data to create a reliable behavoral baseline.
What does IBM QRadar UBA give security teams?
IBM believes that UBA is essential to uncover malicious behaviour. That behaviour could be a user stealing corporate data, a hacker using stolen credentials or malware infecting computers. Once suspicious behaviour has been spotted, QRadar will log everything. This data is stored in a read-only format making it acceptable to forensics and audit teams. This means that if a case goes to court the data is legally acceptable. IBM claims that there have already been occasions where data from QRadar has been used successfully in court cases.
To make that data easier to understand, IBM has introduced a new User Interface which is intended to streamline investigations. It allows investigators to drill down through user and account behaviour to identify what happened and when. As all the data is held in QRadar there is a common timeline and this makes drilldown and correlation of data simpler. Investigators can eventually drill down to the network layer which will show what data was moved and what IP addresses, internal and external, were involved. This is essential when an insider is sending data to a remote location.
A 3D view of the attack surface
Current research shows that it takes over 240 days to detect attacks on organisations. With some Advanced Persistent Threats (APTs) that timeline can be years rather than months. In these cases, there is a need to understand the implications of an attack across the entire business. It will also enable security teams to look back over weeks, months or even years of data to find historical instances that require further investigation
The QRadar UBA tools make it possible to identify a suspicious pattern and then use that to search historical data. That can turn up other instances where attacks may have taken place. Those attacks may be where other machines, applications or users have been compromised. Alternatively, they could expose a long-term pattern of suspicious behaviour or theft of corporate data.
Another benefit of a 3D view is that it can enable an attack to be traced back across several machines, users and systems. This is the equivalent of the patient zero approach used when tracking infectious diseases. By providing this level of view for IT security teams, IBM is allowing them to identify what caused the initial incident and improve their overall security.
A new certification will provide a better career path for security professionals
One of the risks that IBM is aware of is that the alerts could easily be misunderstood. There is only so much that automated analysis can deliver. Eventually there has to be a human element and that person has to be properly trained in order to interpret the facts. This is not just about interpretation of the data but also about how to establish a better security environment.
There will be a range of IBM courses around QRadar UBA that are likely to be announced later this year. With IBM Edge taking place in September, it is possible that more information on these will be announced then. Those courses will be part of a wider certification program for security professionals. With companies struggling to hold on to their security staff, this enables them to offer career progression to key members of their security teams.
Integration with third-party applications and other IT teams
This is not just about IBM and internal security teams. The analytics that have been gathered can be used to pass information to other systems such as operations teams. Alerts covering application behaviour might be nothing more than a poorly configured application. This is not something that security are likely to deal with. By making the data available to other teams in the IT department configurations can be fixed and hardened to prevent a repeat of the problem.
Much of the conversation around DevOps tends to focus too narrowly on the integration of the developer and operations processes. Security is just as critical a part of those processes. This wider use of the data from QRadar will help reduce further the problems of application leakage before it becomes a security exploit.
IBM is also developing a series of playbooks around UBA. These are being written by its recent acquisition Resilient Systems. These will integrate with third-party products such as Service Now and Remedy. The goal is to raise IT support tickets and send them to the IT operations teams for action.
Resilient Systems is also integration with software used by Human Resources and Legal teams. Where there is a breach, data will be sent to those teams so that they can begin the process of notification. This will speed up their response to an incident and ensure that the data required for forensics is made available to the right people.
IBM has already announced Watson for Cyber Security. If combined with QRadar it will enable logs to be ingested and analysed at greater speed. It will also take advantage of the ability of Watson to provide a more detailed analysis of the data potentially highlighting new issues. The involvement of Watson will bring the speed of detection closer to real-time, helping to stop attacks as they happen. There is also the potential for adding-in technology such as graph databases which would allow security teams to model the potential impact of a breach. This could show them the likely vectors that malware might use to spread itself across an organisation.
This is a sensible move by IBM and it gives QRadar a tool that finally enables IT security teams to deploy UBA. So far the majority of companies have had to outsource that part of their security due to a lack of skills and adequate tooling. It will be interesting to see what IBM announces next for QRadar as it continues to strengthen its security offerings.