IBM is growing its Security Systems unit with the launch of a new threat analytics appliance, which the company claims can identify suspicious behaviour in the network to protect organisations against hidden threats.
IBM launched its Security Systems division in October 2011, drawing together disparate security products developed by IBM over the previous 14 years and putting new focus on the four “mega trends” of Mobile, Cloud, Advanced Persistent Threats and Security Intelligence.
The company’s new QRadar Network Anomaly Detection appliance falls into the Advanced Persistent Threats category, and builds on software gained through its acquisition of security intelligence software provider Q1 Labs in January 2012. It leverages the QRadar Security Intelligence Platform and is designed to complement IBM SiteProtector and IBM Security Network IPS deployments.
QRadar analyses network activity in real-time, detecting and reporting activity that falls outside “normal baseline behaviour”. This baseline behaviour is determined using algorithms that monitor and analyse the IT systems of IBM’s 4,000 clients around the world.
“Through looking at certain industries and certain geographies, we can get an understanding of what it’s like in a particular industry or a particular country, and we’re feeding that intelligence into the platform,” explained Martin Borrett, director of IBM’s Security Systems division, speaking to Techworld at the Infosecurity show in London.
“Our clients generate roughly 13 billion security-related events every day – that’s 150,000 every second – so through doing that we get huge insight to what’s a normal baseline and what’s unusual.”
By applying behavioural analytics and anomaly detection, QRadar can flag abnormal events such as outbound traffic to countries where the company does not have business affairs, or FTP traffic in a department that doesn’t regularly use FTP services.
The new appliance also receives regular threat intelligence reports from IBM’s security research arm X-Force, which crawls more than 15 billion pages and images on the public Web and provides a real-time list of potentially malicious IP addresses. If any traffic to or from these sites is detected it can immediately alert the organisation in question.
“It’s the integration of this intelligence that’s so interesting,” said Borrett. “We’re not just looking at what’s happening at the firewall layer, or at the router or the antivirus or the operating system, we’re trying to take a broader view across all of, because that way you can really get some insight and visibility.
Borrett believes that IBM’s ability to analyse the threat landscape holistically, rather than just focusing on specific security problems, helps IBM stand out from its competitors in the IT security market.
“There are many excellent point product vendors. In their domain they have fantastic technology, and that’s important, but no one of those things is enough in itself, you really do need a range of countermeasures,” he said.
He added that IBM’s experience in the field of analytics is also a significant advantage when dealing with advanced persistent threats – which Borrett regards as a Big Data problem.
“These things create a lot of security events, particularly across big enterprises – they really have a Big Data problem,” he said. “When you’ve got that level of information then you really do need quite sophisticated analytics.
“This is an area where IBM's global scale and reach really works to its advantage.”
Infosecurity Europe runs from the 24th – 26th April 2012, in Earls Court, London.