IBM To Add Generative AI To QRadar
November 13, 2023 Alex Woodie
If you feel that cyber crooks are getting the upper hand, you’re not alone. Studies show cybercrime volume booming while security professionals struggle to connect the dots and keep up. One possible route forward was presented last week by IBM, which announced that it will add generative AI capabilities to its QRadar SIEM tool.
Security information and event management (SIEM) tools are the sharp end of the stick for security-loving organizations, as they are where the hard work of assembling security data from all of the various components in the modern IT stack (including IBM i) and then trying to make sense of the apparent chaos occurs. QRadar, which IBM obtained with its acquisition of Q1 Labs back in 2011, is one of the top products in this category.
Machine learning has long been de rigueur in SIEM work, as it can spot anomalies buried in data that would otherwise fly right by human eyes. Among the ML capabilities QRadar offers is User Behavior Analytics (UBA), which enables the product to combine system and network events with data about user behavior to identify complex interactions that could signal a potential compromise.
But even with ML doing the hard work of scanning through billions of event logs in search of correlations, security professionals are falling behind. As we told you last month, a study by Vectra AI found that security analysts must manually comb thorough about 4,500 alerts per day, which is better than billions but still too much.
Nearly all of the analysts surveyed (97 percent) worry about missing something important, Vectra AI found. Security analysts suffer from “alert overload” because security tool vendors are afraid of not flagging something important, the company says. “The current approach to threat detection is broken,” said Kevin Kennedy, Vectra AI’s senior vice president of products.
IBM came to a similar conclusion in its Global Security Operations Center Study Results report, which it published in March. The study found that, on average, security operations center (SOC) workers spend one-third of their typical workday investigating incidents that are not a real threat. What’s more, four out of five SOC workers say the need to manually investigate threats slows down their response time.
Clearly, there’s a need for better tools that can automate more of the work and take the burden off the SOC’s shoulders. That’s what IBM says it’s doing by adding generative AI capabilities to its QRadar suite.
The GenAI capabilities that IBM announced last week are based on its watsonx product line and will be used to help automate several tasks, including reporting, threat hunting, data interpretation, and data curation. The GenAI capabilities in QRadar will be available in the first quarter of 2024, IBM says.
IBM says handing some of the more mundane tasks over to GenAI will free security analysts to focus on more important work. For example, instead of requiring the security analyst to build reports, the watsonx GenAI capabilities will do it for them. Similarly, QRadar will leverage watsonx’s natural language processing (NLP) capability to automatically generate searches designed to identify the bad guys. The flip side of that is using NLP to generate plain English descriptions of analyses of log data. Finally, the NLP will be used to “interpret and summarize” threat intelligence, which could give SOC workers another leg up on cyber crooks.
“Instead of forcing analysts to work around the complexity of security technologies, we’re designing technology to remove the complexity – weeding out the noise, simplifying the user experience, and empowering analysts to tackle urgent threats with greater speed and confidence,” Kevin Skapinetz, IBM’s vice president of strategy and product management, says in a press release.
IBM says it’s planning a push to apply GenAI across its broad security software and services portfolio. It says it could eventually use GenAI for tasks such as helping security teams find similar incidents, updating affected systems, and even patching vulnerable code.
IBM says it overhauled QRadar with the latest release, and that it’s now “cloud native.” It redesigned the product to run on its own Red Hat OpenShift distribution of Kubernetes. The cloud-based version of the new QRadar suite will be available this quarter, while the on-prem and multi-cloud version will ship next year, IBM says.
Among the capabilities IBM is touting with the new QRadar suite are: support for industry-standard SIGMA security detection rules; federated search and threat hunting capabilities that span cloud and on-prem data sources and integrate with the MITRE ATT&CK knowledgebase; Attack Surface Management (ASM) capabilities; support for industry-standard Security, Orchestration, Automation, and Response (SOAR) playbooks; and a deep partner network composed of 700 pre-built integrations.
Among those integrations, of course, is the IBM i, which is delivered via an IBM-supplied Device Support Module (DSM) called the QRadar DSM for IBM i. IBM i users have an array of options for pushing security event data from the IBM i into QRadar, including manually scraping the security journal, importing security events automatically using Syslog, or using a third-party tool to convert IBM i security events into Common Event Format (CEF) or Log Event Extended Format (LEEF), the customized event format used exclusively by QRadar.
The IBM i server is no longer a computing island protected by a moat of obscurity. As recent cyberattacks have shown, nobody is safe anymore. Better security training and better security tools won’t stop the cyber crooks, but they’re the only things slowing them down.