IBM QRadar 101

Michelle Shwe
IBM Cloud Pak Tips and Good practices
4 min readDec 21, 2021

IBM QRadar has collected multiple accolades (12 times Leader in Gartner Magic Quadrant for SIEM, in a row) and gained recognition across the industry for significantly improving the speed and reducing the skillset overhead of managing security threats — particularly Ransomware and malware.

Image by Pixabay via Pexels

In recent years, "Ransomware" is a word that has invoked fear and grabbed media headlines worldwide. Ransomware is malicious software that holds your computer system and data hostage until a fee is paid. No one is safe from Ransomware, from the largest global beef supplier to media publication groups and police departments. According to Forbes, the number of cybersecurity attacks is rising, and there is a lack of professionals with the required expertise to mitigate the risks. In October 2021, it was reported that nearly 465,000 cybersecurity-related postings were left unfilled across the United States of America.

To help combat the threat of Ransomware and alleviate the shortage of skilled security analysts, enterprises are turning to Security Information and Event Management (SIEM) products such as QRadar. IBM QRadar is an enterprise SIEM product whose pillars are:

  1. Complete visibility: QRadar is focused on event data collection and flow collection. Event data represents events that occur at a point in time in the user's environment, such as user logins, email, VPN connections, etc. Flow data is network activity information or session information between two hosts on a network.
  2. Prioritised threat detection: QRadar includes rules that detect various activities, including excessive firewall denies, multiple failed login attempts, and potential botnet activity. These rules perform tests on events, flows, or offences. If the test conditions are met, QRadar rules generate threat detection responses.
  3. Automated investigations: Every 60 minutes, the QRadar Advisor with Watson app gets the list of offences from QRadar that meet predefined criteria and have not yet been analysed. The app then queues up to 10 offences that match the pre-configured criteria, and each offence is investigated.
  4. Integrated response: IBM QRadar Security Automation, Orchestration and Response (SOAR) playbooks are dynamic and additive, providing the security team with guidance to respond to incidents and with the agility and intelligence to adapt to each incident's conditions.
QRadar Event Pipeline by IBM
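As an added illustration of pillars 2 and 3 (written for this post, not QRadar's own code or rule syntax), the sketch below tests constructed login events against a "multiple failed login attempts" rule, raises an offence when the threshold is met, and then queues unanalysed offences that meet a criterion, capped at 10 per pass as the advisor does. The threshold, window, field names and magnitude value are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
EVENTS = [
    ("2021-12-21T10:00:01", "10.0.0.5", "alice", "fail"),
    ("2021-12-21T10:00:07", "10.0.0.5", "alice", "fail"),
    ("2021-12-21T10:00:12", "10.0.0.5", "alice", "fail"),
    ("2021-12-21T10:00:20", "10.0.0.5", "alice", "fail"),
    ("2021-12-21T10:00:25", "10.0.0.5", "alice", "fail"),
    ("2021-12-21T10:01:00", "10.0.0.9", "bob", "fail"),
    ("2021-12-21T10:05:00", "10.0.0.9", "bob", "success"),
]

def failed_login_rule(events, threshold=5, window=timedelta(minutes=5)):
    """Rule test (assumed values): raise one offence per source IP that
    produces `threshold` or more failed logins inside a sliding `window`."""
    offences = []
    fails = defaultdict(list)   # source IP -> timestamps of recent failures
    flagged = set()             # sources that already have an offence
    for ts, src, user, outcome in events:
        if outcome != "fail" or src in flagged:
            continue
        t = datetime.fromisoformat(ts)
        # keep only failures still inside the window, then add this one
        fails[src] = [x for x in fails[src] if t - x < window] + [t]
        if len(fails[src]) >= threshold:
            flagged.add(src)
            offences.append({
                "source": src, "user": user, "count": len(fails[src]),
                "first_seen": fails[src][0].isoformat(),
                "magnitude": 7,        # assumed severity score
                "analysed": False,
            })
    return offences

def queue_for_investigation(offences, min_magnitude=5, limit=10):
    """Advisor-style pass: unanalysed offences that meet the criterion,
    highest magnitude first, at most `limit` per cycle."""
    todo = [o for o in offences
            if not o["analysed"] and o["magnitude"] >= min_magnitude]
    todo.sort(key=lambda o: o["magnitude"], reverse=True)
    return todo[:limit]

if __name__ == "__main__":
    found = failed_login_rule(EVENTS)
    for offence in queue_for_investigation(found):
        print(offence)
```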

QRadar gains insight by analysing logs from SaaS, hybrid multi-cloud, and on-premise environments, allowing the analyst to have complete visibility across multiple data sources and IT environments without authenticating to the different systems to pull the data manually. Advanced artificial intelligence and threat intelligence automatically investigate logs and network flows to detect threats and generate prioritised alerts. These automated investigations result in an up-to-60 times improvement in speed of investigation for the cybersecurity analyst.¹

QRadar by IBM

The above four pillars of QRadar SIEM form the foundations of a strategic cybersecurity approach known as the Zero Trust Framework. Zero Trust Frameworks eliminate implicit trust and continuously validate every stage of a digital interaction by following the rule of "never trust, always verify." This rule builds on the "Principle of Least Privilege," which asserts that a "subject" has the minimum access privileges needed to complete a task. Minimizing privilege helps limit damages and potential exposure when malware incidents occur. The automation that accompanies this principle also enables users to access what they need quickly. Once threats are identified, the response playbook and case management are orchestrated via integration with QRadar SOAR. QRadar SOAR increases the efficiency in threat response by allowing security teams to take inputs from various sources and apply workflows aligned to previously defined processes and procedures.

QRadar provides a one-stop solution that allows security analysts to conduct log management, network analysis, user behaviour analytics, threat intelligence, and AI-powered investigations in a single product. QRadar is a proven leader in the SIEM industry, built on four tried-and-tested foundational pillars: complete visibility, prioritised threat detection, automated investigations, and integrated response. It is designed to improve the efficiency and speed with which threats to IT systems are addressed, whether on-premise, in the cloud, or in a hybrid environment.

  1. IBM, "What's new in QRadar v7.3.1 — Improve performance and uptime in QRadar"


Customer Success Manager at IBM with a passion for change management and the people side of tech rollouts