IBM Uses Analytics To Boost Security Systems

IBM’s data analytics expertise is being applied to data from several sources to identify security threats

IBM unveiled enhancements to its security services portfolio, promising customers improved data analytics and deeper real-time analysis of security threats.

Customers can analyse data from multiple sources across the enterprise and determine how to tweak their security strategies and make sure security and business needs are aligned using new intelligence tools and services, IBM said. The new services are designed to help organisations make rapid decisions and prevent security breaches from impacting business, the company said.

New approach for advanced threats

The analytics tools and services include a new dashboard to provide real-time identification of advanced threats, an IP intelligence report, an enhanced automated intelligence correlation engine, an IP centre dashboard, and managed security information and event management (SIEM) capabilities, according to Latha Maripuri, director of IBM Security Services.

The services detect anomalous behaviour and threats by correlating a diverse set of data, helping organisations make rapid decisions in the event of a breach, Maripuri said. She told a group of journalists at a press event that security executives are saying, “I’ve got a lot of the pieces, but I don’t have a way to understand what’s going on.”

IBM created the new Security Systems Division in October after acquiring security intelligence and SIEM vendor Q1 Labs. The new tools and services under the Security Systems umbrella would expand IBM’s existing security analytics capabilities, Marisa Viveros, vice-president of IBM Security Services, said at the same event.

Business intelligence is the “future of security”, Viveros said, noting that IBM is pulling together all its recent security and analytics acquisitions to provide customers with deep analysis of threat data. With BI capabilities, organisations can present security insights to business and to the board of directors to justify security expenditures and policies, she said.

These tools and services will be offered as part of six subscription services that feed results from firewall logs, intrusion detection and prevention events and vulnerability scans into the X-Force Protection System and its cloud-based analytic engine, IBM said. The data sets from the subscription services provide IBM analysts with “superior visibility” into an IT environment, strengthen enterprise security and allow security teams to remediate threats more rapidly, according to the company.

Managing a flood of information

The host dashboard will use inbound and outbound firewall logs, threat intelligence feeds, intrusion detection and prevention events and geographic IP location data to identify and prioritise threats, such as botnets. The ability to combine all the information into a single dashboard was essential because “no one wants multiple dashboards”, Viveros said.

The IP intelligence report is a one-page report that analyses threats, vulnerabilities and remediation activities under way. The report would give organisations insight into all the IP addresses that are hitting their servers, identifying which may be malicious and which ones to keep an eye on for now, according to Maripuri.

The automated intelligence correlation engine enables IBM to chain together alerts from multiple services to identify sequences of activity that represent severe incidents. The Q1 Labs acquisition would enhance the engine, according to Maripuri.
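To make the multi-source correlation described for the host dashboard and the correlation engine concrete, here is an added illustration that is not IBM's code and not part of the article: it joins constructed firewall log lines, IDS events and a small threat-intelligence feed, then ranks internal hosts, raising the score sharply when an outbound connection to a listed botnet command-and-control address is chained with an IDS beacon alert for the same host. The log format, signature names and scoring weights are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the article): outbound/inbound firewall
# log lines, IDS/IPS events and a small threat-intelligence feed.
FIREWALL_LOGS = [
    "2012-03-01T10:00:01 ALLOW out src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2012-03-01T10:00:09 ALLOW out src=10.0.0.5 dst=203.0.113.9 dport=443",
    "2012-03-01T10:01:00 ALLOW out src=10.0.0.7 dst=198.51.100.4 dport=80",
    "2012-03-01T10:02:00 DENY in src=192.0.2.77 dst=10.0.0.7 dport=22",
]
IDS_EVENTS = [  # (internal host, signature name) - constructed
    ("10.0.0.5", "TROJAN beacon to known C2"),
    ("10.0.0.7", "SCAN possible SSH brute force (inbound)"),
]
THREAT_FEED = {"203.0.113.9": "botnet-c2", "192.0.2.77": "scanner"}  # constructed

LOG_RE = re.compile(r"(?P<action>ALLOW|DENY) (?P<dir>in|out) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def prioritise_hosts(fw_lines, ids_events, feed):
    """Return internal hosts ordered by risk, each with the evidence behind its score."""
    evidence = defaultdict(list)
    for line in fw_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        # The internal host is the source of outbound traffic, the destination of inbound.
        host, peer = (m["src"], m["dst"]) if m["dir"] == "out" else (m["dst"], m["src"])
        if peer in feed:  # only peers known to the threat feed count as evidence
            evidence[host].append(f"{m['dir']}bound {m['action']} with {peer} ({feed[peer]})")
    for host, sig in ids_events:
        evidence[host].append(f"IDS: {sig}")
    scored = []
    for host, items in evidence.items():
        score = len(items)  # one point per corroborating item (assumed weight)
        # Chained alerts: an allowed outbound connection to a C2 address plus an
        # IDS alert on the same host is treated as a severe incident (assumed +10).
        c2_out = any(e.startswith("outbound ALLOW") and "botnet-c2" in e for e in items)
        ids_hit = any(e.startswith("IDS") for e in items)
        if c2_out and ids_hit:
            score += 10
        scored.append((host, score, items))
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for host, score, items in prioritise_hosts(FIREWALL_LOGS, IDS_EVENTS, THREAT_FEED):
        print(host, score, items)
```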

The IP centre dashboard provides IBM threat analysts with enhanced query capabilities across the managed security services customer data set. Analysts can profile suspected attackers faster, identify the number of affected customers and industries and understand the type of threats delivered. Threat analysts can perform checks to validate the severity of circumstances, streamlining the prioritisation of remediation activities, according to IBM.

The managed SIEM offering, using IBM Tivoli and Q1 Labs technology, would provide around-the-clock security monitoring and reporting to effectively identify and respond to threats and enhance existing SIEM deployments.

IBM already operates nine security operations centres, nine IBM Research centres, 11 software security development labs and three Institutes for Advanced Security around the world, according to Maripuri. The company employs thousands of security experts globally and monitors 12 billion security events per day in more than 130 countries, she said.