is an enterprise solution that consolidates log source event data from thousands of devices distributed across a network, storing every activity in its raw form, and then performing immediate correlation activities to distinguish the real threats from false positives. It also captures real-time Layer 4 network flow data and, more uniquely, Layer 7 application payloads, using deep packet inspection technology.
QRadar SIEM helps IT personnel quickly identify and remediate network attacks by rank-ordering hundreds of alerts and patterns of anomalous activity into a drastically reduced number of offenses warranting further investigation.
QRadar SIEM provides contextual and actionable surveillance across the entire IT infrastructure, helping organizations detect and remediate threats often missed by other security solutions. These threats can include inappropriate use of applications; insider fraud; and advanced, “low and slow” threats easily lost in the “noise” of millions of events.
QRadar SIEM collects information that includes:
1- Security events: Events from firewalls, virtual private networks, intrusion detection systems, intrusion prevention systems and more
2- Network events: Events from switches, routers, servers, hosts and more
3- Network activity context: Layer 7 application context from network and application traffic
4- User or asset context: Contextual data from identity and access-management products and vulnerability scanners
5- Operating system information: Vendor name and version number specifics for network assets
6- Application logs: Enterprise resource planning (ERP), workflow, application databases, management platforms and more
Many organizations create millions—or even billions—of events per day, and distilling that data down to a short list of priority offenses can be daunting. QRadar SIEM automatically discovers most network log source devices and inspects network flow data to find and classify valid hosts and servers (assets) on the network—tracking the applications, protocols, services and ports they use. It collects, stores and analyzes this data and performs real-time event correlation for use in threat detection and compliance reporting and auditing. Billions of events and flows can therefore be reduced and prioritized into a handful of actionable offenses, according to their business impact.
Security teams need to answer key questions to fully understand the nature of their potential threats: Who is attacking? What is being attacked? What is the business impact? Where do I investigate? QRadar SIEM tracks significant incidents and threats, building a history of supporting data and relevant information. Details such as attack targets, point in time, asset value, vulnerability state, offending users’ identities, attacker profiles, active threats and records of previous offenses all help provide security teams with the intelligence they need to act.
QRadar SIEM supports a variety of anomaly detection capabilities to identify changes in behavior affecting applications, hosts, servers and areas of the network. For example, QRadar SIEM can detect off-hours or excessive usage of an application or cloud-based service, or network activity patterns that are inconsistent with historical, moving-average profiles and seasonal usage patterns. QRadar SIEM learns to recognize these daily and weekly usage profiles, helping IT personnel to quickly identify meaningful deviations.
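The seasonal baseline described above, as an added illustration (not QRadar's own code): per weekday-and-hour profiles are learned from past weeks of event counts, and a new week is checked for off-hours or excessive usage against them. The hourly counts and the two injected anomalies are constructed for the example, and using only the last N weeks of history makes the baseline a moving one.

```python
from collections import defaultdict
from statistics import mean, pstdev

def constructed_history(weeks=4, start_week=0):
    """Constructed hourly event counts for one application, keyed by
    (weekday, hour): busy on weekdays 08:00-18:00, nearly idle otherwise,
    with a small deterministic jitter so every bucket has some spread."""
    rows = []
    for week in range(start_week, start_week + weeks):
        for wd in range(7):
            for hr in range(24):
                business = wd < 5 and 8 <= hr < 18
                base = 500 if business else 5
                jitter = (week * 31 + wd * 7 + hr) % 11
                rows.append((wd, hr, base + jitter))
    return rows

def build_profile(history):
    """Per (weekday, hour) baseline: mean and population stdev of past counts.
    Feeding only the last N weeks makes this a moving (rolling) baseline."""
    buckets = defaultdict(list)
    for wd, hr, count in history:
        buckets[(wd, hr)].append(count)
    return {key: (mean(vals), pstdev(vals)) for key, vals in buckets.items()}

def detect_deviations(profile, observed, z_threshold=3.0, min_excess=20):
    """Flag buckets whose count exceeds the seasonal baseline by at least
    min_excess events AND z_threshold standard deviations. min_excess keeps
    near-idle buckets (tiny stdev) from alerting on a handful of events."""
    alerts = []
    for wd, hr, count in observed:
        mu, sigma = profile.get((wd, hr), (0.0, 0.0))
        excess = count - mu
        if excess < min_excess:
            continue
        z = excess / sigma if sigma > 0 else float("inf")
        if z >= z_threshold:
            alerts.append({"weekday": wd, "hour": hr, "count": count,
                           "baseline": round(mu, 1), "z": round(z, 1)})
    return alerts

def constructed_observed_week():
    """A new week (week index 4) with two injected anomalies: off-hours use
    on Sunday 03:00 and excessive use on Wednesday 14:00 (constructed)."""
    injected = {(6, 3): 180, (2, 14): 2000}
    return [(wd, hr, injected.get((wd, hr), n))
            for wd, hr, n in constructed_history(weeks=1, start_week=4)]

if __name__ == "__main__":
    profile = build_profile(constructed_history())
    for alert in detect_deviations(profile, constructed_observed_week()):
        print(alert)
```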
QRadar SIEM provides a solid foundation for an organization’s security operations center by providing a centralized user interface that offers role-based access by function and a global view to access real-time analysis, incident management and reporting. Five default dashboards are available—including security, network activity, application activity, system monitoring and compliance—plus users can create and customize their own workspaces.
Since virtual servers are just as susceptible to security vulnerabilities as physical servers, comprehensive security intelligence solutions must also include appropriate measures to protect the applications and data residing within the virtual data center. Using QRadar VFlow Collector appliances, IT professionals gain increased visibility into the vast amount of business applications and data residing within the virtual data center.
QRadar SIEM provides the transparency, accountability and measurability critical to an organization’s success in meeting regulatory mandates and reporting on compliance. The solution's ability to correlate and integrate surveillance feeds yields more complete metrics reporting on IT risks for auditors, as well as hundreds of reports and rules templates to address industry compliance requirements.
IBM Security QRadar Risk Manager complements QRadar SIEM by identifying a network’s most vulnerable assets. It can immediately generate alerts when these systems engage in activity that potentially exposes them. For example, organizations can scan their networks for unpatched applications, devices and systems, determine which ones connect to the Internet and prioritize remediation based on the risk profile of each application. For more information, please see the QRadar Risk Manager data sheet.
To achieve high-availability and disaster-recovery capabilities, identical secondary systems can be paired with all members of the QRadar appliance family. From event processor appliances, to flow processor appliances, to all-in-one and console SIEM appliances, users can add robustness and protection where and when it is needed—helping to ensure continuous operations.
With support for more than 450 products from virtually every leading vendor deployed in enterprise networks, QRadar SIEM provides collection, analysis and correlation across a broad spectrum of systems, including networked solutions, security solutions, servers, hosts, operating systems and applications. In addition, QRadar SIEM is easily extended to support proprietary applications and new systems from IBM and many other vendors.