IBM Launches QRadar User Behavior Analytics App

IBM extends its QRadar security intelligence platform with user behavior analytics to protect against insider threats.

cyber spy

IBM has delivered its new IBM QRadar User Behavior Analytics application, which enables enterprise security teams to look deeply into their organizations’ IT environments to root out abnormal behavior that can or has caused cyber-threats.

The free application, available on the IBM Security App Exchange, is designed to target insider threats, which make up 60 percent of all cyber-attacks within organizations today, Pat Vandenberg, IBM Security program director, told eWEEK.

The new application uses existing QRadar security data with user information pulled from the entire IT environment. QRadar is IBM’s security intelligence technology that helps enterprises quickly prioritize threats. IBM QRadar pulls in log events and network flow data from thousands of devices, endpoints and applications distributed across a company’s network.

The QRadar platform looks at hundreds of integration points to collect all the security event information available. And that’s not just with IBM solutions; that’s across more than 100 solutions from other vendors in the space to cover whatever a user organization has deployed.

Already providing visibility into the enterprise with QRadar, IBM extended the platform's capability set to cover the insider threat use case.

The IBM QRadar Behavior Analytics application compiles risk scores for every user in a network based on activities, and it provides a behavioral analysis dashboard and watch list for leading user accounts that may pose a threat.

“What we’re looking for is anomalistic behavior of users, whether that is through compromised credentials because somebody has inadvertently had malware deployed on their endpoint or desktop and an attacker has taken over their credentials or you’ve got a disgruntled employee,” Vandenberg said. “That’s something that’s very difficult to see in an organization for a security analyst, because they are typically seeing about 200,000 events a day.”

Cyber-criminals routinely lure employees, partners or contractors to inadvertently download malware onto systems to gain unauthorized access to confidential information, but the new app can help find and eliminate that problem, he said.

The issue is sifting through all of the information on a company’s network to detect really small anomalies and behavior patterns. The QRadar User Behavior Analytics solution is designed to find those insider threats by tapping into that information to expose risk and abnormal user behavior. Different examples of abnormal activity could be someone opening up a highly confidential document for a project that isn’t supported by that individual, or logging in from an unusual location where the company doesn’t have a presence, or seeing two different servers communicating with each other that’s triggered by a user, or huge data uploads.

“There are a bunch of different triggers that can identify this risky user behavior,” Vandenberg said. “And from that, risk scores get compiled. And you get a hierarchy of these risk scores. The ones at the top are the ones that are the most risky for the security analyst to look at.”

Now available for any IBM Security user, the QRadar User Behavior Analytics application initially went through a private beta stage in which select IBM customers were able to try it out. Vandenberg said what they liked most about it was the speed in which they could get it up and running.

“You can go to the App Exchange and install this app in 15 minutes,” he said. “You’re talking about minutes to hours to go and pull in a critical use case in security as opposed to the procurement, the deployment, standing up and curating a separate solution and data set. That is a powerful element that customers are enjoying.”

A user can extend their capability set in minutes and hours and contain the complexity of their infrastructure, he said.

“Organizations need a better way to protect themselves against insider threats—whether they be from inadvertent actors or malicious cyber-criminals with access to an organization’s inner workings and technology systems,” Jason Corbin, vice president of strategy and offering for IBM Security, said in a statement. “This new app provides analysts with the ability to quickly pivot by using existing cyber-security data to see the early warning signs that are often buried in suspicious user activities, ultimately helping them more consistently address breaches before they occur.”

Although the QRadar technology is not tied into any of IBM’s cognitive computing technology, since the company is focused on cognitive computing these days, it may be just a matter of time before it is. However, QRadar does plug into a platform that is at the center of our analytics capabilities.

In May, IBM announced that it was teaching an instance of its Watson cognitive computing system to look for cyber-security threats.

“So, you can imagine where we are going to start seeing connections to cognitive capabilities within certain platforms in our portfolio,” Vandenberg said. “We did have a demo of Watson for cyber-security within a QRadar use case. So, this is something that IBM may move toward in the future.”