• Understand what a SIEM is
• Learn about SIEM data sources
• Understand what SIEMs can/can't do
• Learn about IBM's QRadar
• Learn about the connection between QRadar and Mezmo
Security threats are constantly evolving. To stay ahead of them, organizations need systematic tools for collecting and analyzing data from across their IT environments to detect and mitigate risks.
QRadar, IBM's Security Information and Event Management (SIEM) product, is one popular answer to that need. Keep reading for an overview of how QRadar works, why you'd use it, and how integrations such as Mezmo can help you feed it the data it needs.
To understand what QRadar is, you must first understand what a SIEM is.
A SIEM is a platform that collects security-relevant data from across an environment, normalizes it into a common schema, and analyzes it. By correlating events from many sources against detection rules and behavioral baselines, a SIEM can surface patterns that no single log would reveal on its own, such as a burst of failed logins on one system followed by a successful login from the same address on another. When a rule fires, the SIEM typically raises an alert so that IT or security teams can investigate and respond.
SIEMs also help scope a confirmed incident, by showing which hosts, accounts, and services the related events touched, and help teams decide which risks to prioritize.
The data that SIEMs collect can originate from a wide variety of sources. Common examples of data sources for SIEMs include:
SIEMs aren't limited to these data sources. A SIEM can ingest and analyze virtually any type of data, provided it has a parser for the format or the data is first normalized into a schema it understands. In general, more coverage is better, with two caveats: the information must be of high quality, and every additional source adds ingestion, storage, and licensing cost along with noise that can bury real signal, so new sources should be parsed and tuned rather than simply pointed at the SIEM.
SIEMs are a foundational component of any modern security toolset. Given the volume of logs and the complexity of the IT environments that typical organizations operate today, detecting and managing threats without one would mean reviewing that data manually, which is practical only in the smallest and simplest environments.
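The following is an added example, not code from the original page or from IBM or Mezmo, of the normalize-then-correlate step described above. It parses two constructed feeds (sshd syslog lines from a bastion host and JSON login events from a hypothetical web application called "portal") into one common schema, then runs a simple correlation rule: five or more failed logins from one source IP inside a five-minute window, escalated to high severity if the same IP then logs in successfully. The log lines, host names, IP addresses, thresholds and the assumption that syslog timestamps are UTC in the year 2024 are all inventions for this example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input (not real data). Two feeds a SIEM would have to
# normalize before it can correlate them: sshd syslog lines from a bastion
# host and JSON login events from a hypothetical web application.
SYSLOG_LINES = [
    "Mar  4 10:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51212 ssh2",
    "Mar  4 10:00:03 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 51213 ssh2",
    "Mar  4 10:00:05 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 51214 ssh2",
    "Mar  4 10:00:09 bastion sshd[2215]: Accepted password for alice from 198.51.100.20 port 40100 ssh2",
    "Mar  4 10:00:10 bastion CRON[2220]: (root) CMD (run-parts /etc/cron.hourly)",
]
JSON_LINES = [
    '{"time":"2024-03-04T10:00:06Z","app":"portal","event":"login","result":"failure","user":"root","client_ip":"203.0.113.7"}',
    '{"time":"2024-03-04T10:00:07Z","app":"portal","event":"login","result":"failure","user":"bob","client_ip":"203.0.113.7"}',
    '{"time":"2024-03-04T10:00:12Z","app":"portal","event":"login","result":"success","user":"bob","client_ip":"203.0.113.7"}',
    '{"time":"2024-03-04T10:00:13Z","app":"portal","event":"logout","user":"carol","client_ip":"192.0.2.5"}',
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_sshd(line, year=2024):
    """Normalize an sshd auth line; returns None for lines that are not logins.
    Syslog timestamps carry no year or zone, so the year is assumed and the
    time is treated as UTC (an assumption made for this example)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure",
            "source": f"sshd@{m['host']}"}


def parse_app_json(line):
    """Normalize a JSON login event from the hypothetical app; None if not a login."""
    rec = json.loads(line)
    if rec.get("event") != "login":
        return None
    ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "src": rec["client_ip"], "user": rec["user"],
            "outcome": rec["result"], "source": rec["app"]}


def normalize(syslog_lines, json_lines):
    """Parse both feeds into one common schema, ordered by time."""
    events = [e for e in map(parse_sshd, syslog_lines) if e]
    events += [e for e in map(parse_app_json, json_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: >= threshold failed logins from one source IP inside
    the window, escalated if the same IP then succeeds within the window.
    Returns one alert dict per offending source IP."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i, first in enumerate(failures):
            burst = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            last_fail = burst[-1]["ts"]
            success = next((e for e in evs if e["outcome"] == "success"
                            and last_fail < e["ts"] <= first["ts"] + window), None)
            alerts.append({
                "src": src,
                "failures": len(burst),
                "sources": sorted({e["source"] for e in burst}),
                "users": sorted({e["user"] for e in burst}),
                "severity": "high" if success else "medium",
                "followed_by_success": success["user"] if success else None,
            })
            break  # one alert per source IP is enough for this rule
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(normalize(SYSLOG_LINES, JSON_LINES)):
        print(alert)
```

Neither feed on its own reaches the threshold (three sshd failures, two application failures); only after both are normalized to the same source-IP and outcome fields does the rule see five failures from 203.0.113.7 and the successful "bob" login that followed. That cross-source view is the reason the formatting and normalization step matters as much as the volume of data.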
In many organizations, security teams are the primary users of a SIEM, but other stakeholders benefit as well. Network engineers can use a SIEM to determine whether an unexpected spike in network usage stems from a security issue or a configuration mistake, and developers can check whether a new application release correlates with a rise in security events.
While SIEMs are a crucial security tool, it's essential to recognize that they are not end-to-end security solutions in themselves. A SIEM detects and alerts; it does not, by itself, block traffic, patch systems, or remediate an incident. Essential tasks that SIEMs typically don't handle are:
QRadar is IBM's SIEM product. In addition to offering standard SIEM functionality, QRadar is notable for these features:
Q1 Labs originally developed QRadar. IBM acquired the company in 2011, making QRadar a core part of IBM's security portfolio.
While a SIEM like QRadar is excellent at detecting security events, one of the most common challenges teams face is feeding it enough of the right data. Manually onboarding each data source, configuring a collector, a parser, and a transport for every application, operating system type, and cloud service whose logs need to reach the SIEM, is hard work once you have dozens of them.
To address this challenge, QRadar supports integration with observability solutions like Mezmo, formerly known as LogDNA. Mezmo handles the work of ingesting data from those sources and then streams it into QRadar for security analysis.
In addition to saving time and effort, integration between QRadar and Mezmo provides the benefit of making it easy to perform security analysis alongside other types of analysis. You can use QRadar to assess Mezmo data sources for security purposes, while also leveraging Mezmo itself to evaluate performance, availability, and other general-purpose observability priorities.
SIEMs like QRadar are vital tools for managing modern security risks. To get the most value from one, you'll want a plan for the most common pain point of SIEM deployment, which is collecting, normalizing, and delivering data from every source that matters. Solutions like Mezmo can help.