Expert Karen Scarfone takes a look at IBM Security QRadar, a security information and event management (SIEM) tool used for collecting and analyzing security log data.
IBM QRadar is an enterprise security information and event management (SIEM) product. It collects log data from across an enterprise: its network devices, host assets and operating systems, applications, vulnerability data, and user activities and behaviors. IBM QRadar then performs real-time analysis of the log data and network flows to identify malicious activity so it can be stopped quickly, preventing or minimizing damage to the organization.
Product versions
The IBM QRadar SIEM can be deployed as a hardware, software or virtual appliance. Its architecture comprises event collectors, which capture and forward log data; event processors, which collect, store and analyze event data; flow processors, which do the same for Layer 4 network flows; QFlow processors, which perform deep packet inspection of Layer 7 application traffic; and centralized consoles that Security Operations Center (SOC) analysts use to operate and manage the SIEM.
IBM QRadar SIEM component models include the following:
- Integrated (all-in-one) appliance
  - 2100: up to 1,000 events per second; up to 50,000 flows per minute; 1.5 terabytes (TB) storage
  - 3105: up to 5,000 events per second; up to 200,000 flows per minute; 6.2 TB storage
  - 3128: up to 15,000 events per second; up to 300,000 flows per minute; 40 TB storage
- Console
  - 3105: 6.2 TB storage
  - 3128: 40 TB storage
- Event/flow processor
  - 1805: up to 5,000 events per second; up to 200,000 flows per minute; 6.2 TB storage
  - 1828: up to 15,000 events per second; up to 300,000 flows per minute; 40 TB storage
- Flow processor
  - 1705: up to 600,000 flows per minute; 6.2 TB storage
  - 1728: up to 1.2 million flows per minute; 40 TB storage
In addition, IBM QRadar can collect log events and network flow data from cloud-based applications, and it can be deployed as a SaaS offering on the IBM cloud, in which case deployment and maintenance are outsourced.
Additional security capabilities
In addition to the basic capabilities that enterprise SIEM products typically provide, IBM QRadar SIEM also supports threat intelligence feeds. Optionally, a license extension can be purchased that enables use of IBM Security X-Force Threat Intelligence, which identifies IP addresses and URLs associated with malicious activity. For each identified IP address or URL, the feed includes a threat score and category, which help an organization analyze and prioritize threats. IBM QRadar SIEM is part of the IBM QRadar Security Intelligence Platform, which includes modules for risk management, vulnerability management, forensics analysis and incident response.
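As an added example (not QRadar's own code, and not the real X-Force feed format), the following Python script shows the kind of enrichment such a feed enables: constructed proxy log lines are matched against a constructed indicator table of IPs, CIDR ranges and URLs, each carrying a threat score and category, and the hits are ordered by score for triage. The log layout, feed schema and all values are assumptions.

```python
import ipaddress

# Constructed threat-intelligence feed: indicator -> (threat score, category).
# Schema and values are assumptions for this example, not the X-Force format.
THREAT_FEED = {
    "198.51.100.7": (9, "Botnet Command and Control Server"),
    "203.0.113.0/24": (6, "Scanning IPs"),
    "http://malicious.example/login": (8, "Malware"),
}

# Constructed proxy log lines in an assumed 'timestamp key=value ...' layout.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.7 url=-",
    "2024-05-01T10:00:02Z src=10.0.0.6 dst=203.0.113.44 url=-",
    "2024-05-01T10:00:03Z src=10.0.0.7 dst=192.0.2.10 url=http://malicious.example/login",
    "2024-05-01T10:00:04Z src=10.0.0.8 dst=192.0.2.11 url=-",
]

def parse_line(line):
    ts, *pairs = line.split()                     # first token is the timestamp
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields

def lookup(value):
    """Match an observed IP or URL against the feed; CIDR entries cover ranges."""
    if value in THREAT_FEED:                      # exact IP or URL indicator
        return (value,) + THREAT_FEED[value]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None                               # a URL with no exact match
    for ind, meta in THREAT_FEED.items():         # URL indicators only match exactly
        if not ind.startswith("http") and addr in ipaddress.ip_network(ind, strict=False):
            return (ind,) + meta
    return None

def prioritize(lines, min_score=1):
    """Enrich log lines with feed hits and order them by descending threat score."""
    hits = []
    for line in lines:
        f = parse_line(line)
        for value in (f.get("dst"), f.get("url")):
            match = lookup(value) if value and value != "-" else None
            if match and match[1] >= min_score:
                hits.append({"ts": f["ts"], "src": f["src"], "observed": value,
                             "indicator": match[0], "score": match[1],
                             "category": match[2]})
    return sorted(hits, key=lambda h: h["score"], reverse=True)
```

Raising min_score is the simplest way to keep low-confidence feed entries such as scanner ranges from flooding the analyst queue while still recording the high-score hits.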
Reporting capabilities
IBM QRadar provides reporting support for several major compliance initiatives, including the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), the Gramm-Leach-Bliley Act (GLBA), North American Electric Reliability Corporation (NERC) and Federal Energy Regulatory Commission (FERC) requirements, the Sarbanes-Oxley Act (SOX) and more. The product also offers a report builder wizard so security teams can create custom reports.
Licensing and pricing
Because IBM QRadar SIEM is a modular product with multiple options per component, explaining its licensing and pricing in detail is outside the scope of this article, but the charge metric is generally based on usage, such as log source events per second and network flows per minute. Organizations interested in better understanding the options can consult IBM's current pricing information for all the available IBM QRadar SIEM licenses.
IBM Security QRadar SIEM overview
IBM QRadar SIEM offers a modular, appliance-based approach to SIEM that can scale to meet the event log and network flow monitoring and analysis needs of most organizations. Additional, integrated modules for risk and vulnerability management, forensics analysis of packet captures, and incident response (from the recently acquired Resilient Systems technology) are also available as options, though they are not included with the base SIEM. The IBM QRadar SIEM also supports IBM X-Force Threat Intelligence and other third-party threat intelligence feeds via STIX and TAXII to improve threat detection. Organizations interested in evaluating enterprise SIEM products should gather additional information about IBM QRadar SIEM in order to help determine if it meets their requirements.