Understanding QRadar: A SIEM For the Cloud, Kubernetes, and More

Learning Objectives

• Understand what a SIEM is

• Learn about SIEM data sources

• Understand what SIEMs can/can't do

• Learn about IBM's QRadar

• Learn about the connection between QRadar and Mezmo

Security threats are constantly evolving. To stay ahead of them, organizations need systematic tools for collecting and analyzing data from across their IT environments to detect and mitigate risks.

QRadar, IBM's Security Information and Event Management (SIEM) tool, is one popular solution for this need. Keep reading for an overview of how QRadar works, why you'd use it, and which new features are available for making the most of QRadar.


What Is a SIEM?


To understand what QRadar is, you must first understand a SIEM.

A SIEM is a platform that automatically collects and analyzes data related to security. By parsing large volumes of data, SIEMs can detect anomalies that may signal a security issue. They then typically send alerts so that IT or security teams can respond to the problem.

SIEMs can also automatically assess the impact of known breaches and help teams determine which security risks to prioritize.


SIEM Data Sources


The data that SIEMs collect can originate from a wide variety of sources. Common examples of data sources for SIEMs include:

  • Operating system logs
  • Application logs
  • Orchestration logs (like those generated by Kubernetes)
  • Logs from network devices
  • User requests and behaviors (such as account creation and login requests)
  • Network traffic data

SIEMs aren't necessarily limited to these data sources. A SIEM can ingest and analyze virtually any type of data, if the data is correctly formatted. In general, the more data you feed into a SIEM, the better, as long as the information is of high quality.


Who Needs a SIEM?


SIEMs are a foundational component of any modern security toolset. Without a SIEM, it would be virtually impossible to detect and manage security threats given the vast amounts of data and the highly complex IT environments that the typical organization operates in today. Although in theory you could detect risks manually, that approach is only practical in the smallest and simplest of IT environments.

In many organizations, security teams are the primary users of a SIEM. However, other stakeholders may also benefit. For example, network engineers can use SIEMs to help determine whether an unexpected spike in network usage results from a security issue or a configuration issue. Or, developers could use SIEMs to assess whether a new application release correlates with a spike in security events.


What SIEMs Can't Do


While SIEMs are a crucial security tool, it's essential to recognize that they're not end-to-end security solutions unto themselves. Essential tasks that SIEMs typically don't handle are:

  • Security posture management: This refers to assessing how secure an environment's configurations are. SIEMs can detect threats that arise due to poor posture management, but SIEMs don't usually determine environment configurations.
  • Security incident response: Organizations use separate tools and processes to manage their response after a SIEM tool flags a security risk.
  • Complex threat analysis: SIEMs are great at automatically detecting and assessing risks. But in the case of genuinely complex threats or active, concerted attacks, teams will typically need more insights than the automated alerts and recommendations that SIEMs can provide.

What Is IBM QRadar?


QRadar is IBM's SIEM product. In addition to offering standard SIEM functionality, QRadar is notable for these features:

  • Automatic log normalization, which standardizes data collected from a diverse array of sources into a common event format.
  • Event correlation and contextualization, which links related events of similar types so that a pattern, rather than a single log line, can raise an alert.
  • Built-in compliance reporting to support internal and external compliance reporting and auditing.
  • Support for deployment in cloud environments as well as on-premises.
  • Integrations with over 400 external products and platforms. The integrations streamline data collection from various data sources and tasks like alert and response management.
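The two features that do most of a SIEM's analytical work are normalization and correlation, and the data-sources section above makes the same point from the other side: a SIEM can only analyze what it can parse. The following added example (not QRadar code, and not from IBM or Mezmo) shows both steps in miniature in Python: three constructed log lines in different formats (a syslog-style sshd line, a JSON application log, and a Kubernetes-style audit record) are normalized into one event schema, unrecognized lines are counted rather than silently dropped, and a simple correlation rule flags a user and source address with repeated authentication failures followed by a success within a short window. The field names, the year assumed for syslog timestamps, and the rule thresholds are all assumptions made for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input: one syslog-style line, one JSON app log, one
# Kubernetes-style audit record, then a success and an unrelated failure.
SAMPLE_LOGS = [
    'Jan 10 12:00:01 web1 sshd[2211]: Failed password for alice from 198.51.100.7 port 5010 ssh2',
    '{"ts": "2024-01-10T12:00:05Z", "app": "portal", "event": "login_failed", "user": "alice", "src": "198.51.100.7"}',
    '{"kind": "Event", "stageTimestamp": "2024-01-10T12:00:09Z", "verb": "create", '
    '"user": {"username": "alice"}, "sourceIPs": ["198.51.100.7"], "responseStatus": {"code": 401}}',
    'Jan 10 12:00:12 web1 sshd[2211]: Accepted password for alice from 198.51.100.7 port 5011 ssh2',
    '{"ts": "2024-01-10T12:30:00Z", "app": "portal", "event": "login_failed", "user": "bob", "src": "203.0.113.9"}',
]

# Assumed sshd log shape; syslog lines carry no year, so one is supplied.
SYSLOG_RE = re.compile(
    r'^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>\w+)\[\d+\]: '
    r'(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)'
)


def parse_syslog(line, year=2024):
    """Normalize an sshd auth line; returns None if the line does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"time": ts.replace(tzinfo=timezone.utc), "source": f"syslog:{m['host']}/{m['prog']}",
            "user": m['user'], "src_ip": m['ip'], "action": "login",
            "outcome": "success" if m['outcome'] == "Accepted" else "failure"}


def parse_app_json(rec):
    """Normalize the assumed application log schema ({ts, app, event, user, src})."""
    if "app" not in rec or "event" not in rec:
        return None
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return {"time": ts, "source": f"app:{rec['app']}", "user": rec["user"], "src_ip": rec["src"],
            "action": "login", "outcome": "failure" if rec["event"].endswith("_failed") else "success"}


def parse_k8s_audit(rec):
    """Normalize a Kubernetes-style audit event; 401/403 responses count as failures."""
    if rec.get("kind") != "Event" or "verb" not in rec:
        return None
    ts = datetime.fromisoformat(rec["stageTimestamp"].replace("Z", "+00:00"))
    code = rec.get("responseStatus", {}).get("code", 200)
    return {"time": ts, "source": "k8s-audit", "user": rec["user"]["username"],
            "src_ip": rec["sourceIPs"][0], "action": rec["verb"],
            "outcome": "failure" if code in (401, 403) else "success"}


def normalize(line):
    """Try each parser in turn; return a common-schema event or None."""
    ev = parse_syslog(line)
    if ev:
        return ev
    try:
        rec = json.loads(line)
    except ValueError:
        return None
    return parse_app_json(rec) or parse_k8s_audit(rec)


def correlate(events, threshold=2, window=timedelta(minutes=5)):
    """Alert when >= threshold failures for (user, src_ip) precede a success within window."""
    alerts = []
    failures = defaultdict(list)  # (user, src_ip) -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src_ip"])
        recent = [t for t in failures[key] if ev["time"] - t <= window]
        if ev["outcome"] == "failure":
            recent.append(ev["time"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "failures_then_success", "user": ev["user"],
                           "src_ip": ev["src_ip"], "failures": len(recent), "at": ev["time"]})
            recent = []  # reset so the same burst is not reported twice
        failures[key] = recent
    return alerts


def run(lines):
    """Normalize every line, count the ones no parser accepts, and correlate the rest."""
    events, dropped = [], 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            dropped += 1
        else:
            events.append(ev)
    return events, dropped, correlate(events)


if __name__ == "__main__":
    evs, drop, alts = run(SAMPLE_LOGS)
    print(f"{len(evs)} events normalized, {drop} dropped, {len(alts)} alert(s)")
    for a in alts:
        print(a)
```

The point of the `dropped` counter is the caveat from the data-sources section: a line the SIEM cannot parse produces no event, so a rising unparsed-line count is itself something to monitor, since it means the detection rules are running on less data than you think.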

Q1 Labs originally developed QRadar. IBM acquired that company in 2011, making QRadar a core part of IBM's product platform.


Better Together: QRadar and Mezmo


While a SIEM like QRadar is excellent at detecting security events, one of the common challenges that teams face in using SIEMs is feeding them sufficient data. Manually connecting each data source to a SIEM is hard work if you have dozens of different applications, operating system types, cloud services, and so on, which have logs or other data resources that need to be ingested by the SIEM.

To solve this challenge, QRadar supports integration with observability solutions like Mezmo, formerly known as LogDNA. Mezmo automatically handles the hard work of ingesting data, then streaming it into QRadar for security analysis.

In addition to saving time and effort, integration between QRadar and Mezmo provides the benefit of making it easy to perform security analysis alongside other types of analysis. You can use QRadar to assess Mezmo data sources for security purposes, while also leveraging Mezmo itself to evaluate performance, availability, and other general-purpose observability priorities.


Conclusion


SIEMs like QRadar are vital tools for managing modern security risks. But to get the most value out of them, you'll want a plan for solving the most common pain point of SIEM deployment, which is managing data collection. Solutions like Mezmo can help.
