
IBM QRadar helps track internal company information security threats.



One of the most common ways intruders penetrate a company's network is by obtaining the access data of an employee who has access to the target network. This data is extracted by a variety of methods, including social engineering, phishing and malware. Since a user with a certain level of access does not arouse suspicion, attackers holding that user's access data can operate on the enterprise network with impunity for a long time. At times, such access lasts for weeks or even months.

Our company has now developed a new solution that helps avoid this threat. The solution is called the IBM Security App Exchange. It is a program that extends the capabilities of the IBM QRadar platform. It analyzes the behavioral patterns of all enterprise users who have access to the network, as well as outside users such as partners and remote employees. If any user begins to perform unusual actions in the company's network environment, the IBM Security App Exchange performs a detailed analysis of the event, or of a set of events, and reports a problem.

According to our analysts, about 60% of enterprise network hacks begin with insiders, that is, ordinary employees with a certain level of access. “Organizations must have a reliable way to protect against internal threats, regardless of who creates such a threat — deceived employees or cybercriminals with access to enterprise resources,” said Jason Corbin, vice president of IBM Security.
This year, IBM, together with the Ponemon Institute, analyzed a number of attacks carried out in 2015-2016. The results of the study clearly show growing losses for companies that fall victim to hackers and suffer a subsequent data leak. The average loss in such a case is about $4 million. In 2013, this figure was 29% lower. Attacks are becoming more powerful and complex, and they occur more often than before: in 2015, the number of such incidents increased by 64%.



Based on the logs of various users' actions, the new application gives analysts early warnings of suspicious outside activity. Thanks to these warnings, information security professionals can quickly detect and resolve a problem.

QRadar User Behavior Analytics uses data from existing QRadar logs. According to our experts, integration with an existing solution can save analysts time, since they do not have to deal with third-party programs with an unfamiliar interface. The new features are added to the interface of the popular QRadar platform.

QRadar User Behavior Analytics adds three new elements to the core platform: risk analysis profiles, a behavioral analysis dashboard and improved data security. Risk analysis profiles are created when unusual user actions are analyzed, and each such action is scored. The higher the score, the more likely it is that someone else is using the legitimate user's data.

The dashboard shows all collected data, visualized for the user's convenience. It displays actions such as an attempt to open an attachment with a “dangerous” extension in an e-mail sent by an unknown sender, or, for example, a visit to a phishing site. The system adds a text note to the logs of such actions, explaining to the observer the possible causes and consequences of unusual actions by a user with access to enterprise resources.



Soon the IBM Watson cognitive system will also tackle information security. This fall, IBM Watson will become a student in the "information security" specialty at eight educational institutions. Watson will begin to study alongside students at California State Polytechnic University, Pomona, MIT, New York University, the University of Maryland, and other institutions of higher education. In particular, the University of Maryland, together with IBM, will create the Accelerated Cognitive Cybersecurity Laboratory (ACCL), where students, academics and IBM specialists will work on various cybersecurity issues.

After completing its training, IBM Watson will help solve the most complex problems in this area. Throughout the course, the system will receive 15,000 books, reports, articles and other types of information for review each month. IBM Watson can even get reports on a number of areas of information security in the country. The system will receive information from the X-Force library. The information there is all topical and has been collected for about 20 years, including data on 8 million spam and phishing attacks, as well as 100,000 documented vulnerabilities.

As part of IBM Watson, Watson for Cyber Security will be provided as a cloud service that specializes in detecting new information threats and finding ways to eliminate them (or to eliminate the consequences if the threat itself could not be neutralized).

Source: https://habr.com/ru/post/396823/

