IBM is expanding the intelligence gathering functions available to its security-event management (SEM) product QRadar Security Intelligence Platform, as well as designing a virtual-appliance version of it that works on the VMware platform.

QRadar, which IBM gained in its acquisition of Q1 Labs last fall, can already receive and correlate information based on 400 sources of security data. Now it will also take in the IBM X-Force feeds of real-time threat intelligence, providing both a dashboard view to security managers as well as allowing them to set up a SEM rule to trigger alerts based on the information.

By later this spring, QRadar will be also outfitted to take in threat information from IBM's database protection product, Guardium, as well as link to the IBM Identity and Access Management product and IBM Endpoint Manager. Plus, IBM is adding support in modules for third-party products, including Symantec DLP, Websense Triton, Stonesoft's Softgate.

This is going to enable new types of SEM threat monitoring of corporate network activity, says Phil Neray, vice president of security intelligence strategy at IBM's security systems division.

"With more context and data sources, like IBM Identity and Access Management, QRadar can look up a role, saying this is not consistent with what they're doing," he says, pointing out this could be the basis for an alert of suspicious activity. In another scenario, QRadar could detect records flowing out from an internal corporate database across the network and going to a known internet hot spot, and that event could be flagged immediately with an alert.

In addition to expanding QRadar's capabilities to synthesise information through a larger source of threat intelligence, IBM is creating a virtual-appliance version of QRadar that would work in the VMware ESX environment — though not yet for the vSphere cloud computing platform.

These additions are being rolled out in the Q2 timeframe; QRadar starts at $50,000.