I have seen a few Security Information and Event Management (SIEM) Proof-of-Concept (POC) activities with different end-users where IBM QRadar SIEM went head-to-head against other SIEM systems.
The competing POC systems are subjected to the same set of use cases or evaluation criteria, which usually cover the following:
- Support for different log or event sources
- Ease of configuring correlation rules
- Query and report performance (How fast are results generated?)
- Ease of management
- Deployment time metrics
Here are some of the things to note:
- Given a 4-week window to complete a specified set of use cases, QRadar was deployed and met all evaluation requirements in less than a week. The others took longer to deploy and configure (about 3-4 weeks). Interestingly enough, some were still not able to meet all of the requirements within the allotted time frame. The gap in deployment time and requirement coverage was too glaring for the end-users not to notice the differences.
- Apart from the basic log collection/management functionality, there usually is enough time to showcase QRadar’s other functions such as network flow (layer 4 and layer 7) analysis using the same POC box. This all-in-one feature is seen as one of the key selling points of QRadar.
- Some end-users particularly noted how relatively easy it was to configure rules and alerts on the fly compared to the other solutions.
I used to deploy and manage some of the competing solutions and was completely blown away by what QRadar could do. In my personal opinion (yes, disclaimer here!), and based on experience, the relative ease with which QRadar can be deployed compared to the others, together with the excellent security intelligence coverage that it provides, has made a convert out of me.
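The "ease of configuring correlation rules" criterion above is easier to judge with a concrete rule in hand. The following is an added example, not code from the original post or from QRadar: it implements, in plain Python, the kind of stateful correlation rule a SIEM evaluator typically asks for (several failed logins from one source in a short window, followed by a successful login from that same source). The log lines, the threshold, the window size and the function names are all constructed for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data); the format is modelled on
# sshd syslog output. The sources are RFC 5737 documentation addresses.
SAMPLE_LOGS = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51000 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51001 ssh2
2024-03-01T10:00:05 sshd[1203]: Failed password for admin from 203.0.113.7 port 51002 ssh2
2024-03-01T10:00:07 sshd[1204]: Failed password for root from 203.0.113.7 port 51003 ssh2
2024-03-01T10:00:09 sshd[1205]: Failed password for root from 203.0.113.7 port 51004 ssh2
2024-03-01T10:00:12 sshd[1206]: Accepted password for root from 203.0.113.7 port 51005 ssh2
2024-03-01T10:05:00 sshd[1301]: Failed password for alice from 198.51.100.4 port 40000 ssh2
2024-03-01T10:05:20 sshd[1302]: Accepted password for alice from 198.51.100.4 port 40001 ssh2
2024-03-01T10:30:00 sshd[1401]: Failed password for bob from 192.0.2.9 port 42000 ssh2
2024-03-01T10:45:00 sshd[1402]: Failed password for bob from 192.0.2.9 port 42001 ssh2
"""

# Hypothetical parser for the constructed format above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Normalise raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "success": m.group("result") == "Accepted",
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def detect_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule (assumed values): raise an offense when a source address
    accumulates `threshold` or more failed logins inside `window` and a login
    from that same source then succeeds while those failures are still in the window.
    A single failure followed by success (a typo) does not trigger with the defaults."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in window
    offenses = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        # Expire failures that fell outside the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if not ev["success"]:
            q.append(ev["ts"])
        elif len(q) >= threshold:
            offenses.append({
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
            q.clear()  # one offense per burst, not one per later success
    return offenses


if __name__ == "__main__":
    for offense in detect_bruteforce_then_success(parse_events(SAMPLE_LOGS)):
        print("OFFENSE:", offense)
```

With the sample data only 203.0.113.7 trips the rule; alice's single typo and bob's two widely spaced failures do not. Lowering `threshold` or widening `window` is exactly the tuning an evaluator does during a POC, and the sliding-window state per source is what a SIEM's rule engine maintains for you.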
Here are five reasons why networks are breached:
1. The end user didn’t think before clicking
This usually happens when the user opens a malware-infected email or browses a compromised website. Some of the security measures that you can use to prevent the threat from spreading are antivirus software and gateway security solutions such as firewall proxies.
2. Weak password / default password in use
Changing the default account usernames and passwords (if applicable) of applications or devices is one best-practice method to ensure that your application or device won’t easily be breached. There are a lot of websites out there that publish the default usernames and passwords for popular products such as routers, firewalls and other software.
3. Insecure configuration
It’s always good to introduce secure ways of accessing your resources over the network. Some of the methods include adding access control lists (ACLs) for key systems and providing a secure communication layer (such as SSL and other encryption methods) between the user and the target service.
4. Use of legacy / unpatched hardware or software
Legacy or unpatched hardware or software often has known vulnerabilities (either published or unpublished) that can be exploited. Patching or updating these systems will help improve your overall security posture.
5. Lack of basic network security protection or segmentation
At a minimum, consider investing in gateway solutions, such as firewalls, intrusion prevention systems (IPS) and VPN gateways, to protect your network. It’s also good to introduce network segmentation, such as adding DMZs or honeypot segments to your network.
It’s always a good idea to take these things into consideration when designing or managing your IT network.