Jan 05 2022
Security

Review: QRadar Is Ready to Detect, Halt and Analyze Network Threats

As a cornerstone of defense, this SIEM tool is ready to keep college networks of all sizes safe in today’s challenging threat environments.
John Breeden II
by

John Breeden II is an award-winning reviewer with more than 20 years of experience covering technology. Follow him on Twitter @TheLabGuys.

Keeping networks free of threats in higher education is a difficult task. With potentially hundreds of faculty members and thousands of students online, separating good and bad traffic while identifying both legitimate users and potential threats is extremely challenging. With the pandemic forcing many students and staff into remote learning environments, the problem has only gotten worse, and threat actors have been quick to respond with increased attacks.

Two of the biggest problems for cybersecurity teams in higher education are a lack of resources and an inability to coordinate defenses. The IBM Security QRadar Security Information and Event Management (SIEM) solution was designed to help with both of those problems.

MORE ON EDTECH: Establish a long-term security plan for remote staff and faculty in higher ed.

Components for Comprehensive Network Security

While the SIEM solution itself is powerful, it also comes with an entire system of assets that enhances its visibility and usefulness. This includes event collectors, event processors, flow collectors, flow processors and data nodes in addition to the central console.

All those components are designed to fit into any environment. They can be deployed as hardware, software or virtual appliances, and both the software and virtual appliance options can be deployed on-premises, as a service or distributed across hybrid environments.

In addition to its own network of components for monitoring and analyzing traffic and data, QRadar comes ready to automatically connect with more than 450 other security appliances.

In most cases, you can simply point the logs of those devices to the SIEM solution and it will automatically detect and integrate that feed into its activities. This way, universities can coordinate all their defenses in one place and keep watch over the entire enterprise with a much smaller staff than would normally be required.

Click the banner below to unlock premium content exploring network security.

higher ed security insider sign-up higher ed security insider sign-up

Uses Data to Detect Known and Unknown Threats

Once in place, QRadar begins to access a prebuilt set of thousands of security use cases, anomaly detection algorithms, real-time correlation policies and rules to detect both known and unknown threats.

As potential threats are discovered, the SIEM solution will correlate all network activity to determine if the discovered activity is a lone attack or part of a coordinated campaign. You can even import threat feeds using the standard STIX/TAXII format to add even more context to incidents, and IBM includes its own X-Force threat feeds as well.

In addition to collecting insight about logs, traffic flows, anomalies and potential threats across on-premises, Software as a Service, multicloud and hybrid environments, QRadar also presents this information in an easy-to-understand graphical format.

While higher-level technicians will probably want to dig into the raw data, the graphical interface makes it easy for even the most junior technicians to quickly understand the biggest threats to the network and what actions need to be taken to restore security. Thereafter, QRadar helps with post-attack activities to plug vulnerabilities and prevent recurrences. 

Click the banner to learn about Westminster College's new approach to cloud security.

Westminster Case Study Westminster Case Study

A SIEM Solution That Plays Well with Others

In cybersecurity, most companies pitch their products as the best and lobby their customers to remove everything else from their networks. IBM takes a different approach with QRadar and makes it easy to connect with almost any other kind of security device in order to coordinate defenses. Given that many college network defenses have grown up organically over time, this approach works well to protect campus networks.

To test this out, a QRadar instance was installed on a test network with a variety of other security appliances. Once configured, malware was introduced via a variety of paths, including one advanced persistent threat to test QRadar’s ability to coordinate defenses.

Setup of QRadar was surprisingly easy. Many of the security tools from other companies were automatically detected by QRadar and easily integrated into the appliance’s main interface. For those that were not detected, simply pointing the log files at QRadar was enough to trigger their inclusion.

For custom tools or log files generated by unique devices, QRadar provides an editor that makes onboarding those tools a quick process.

LEARN MORE: A proactive approach to avoiding zero-day attacks in higher education.

Once configured, we began to introduce malware to the test network using a variety of methods, from cloud-based incursions to direct introductions using endpoint hardware.

In all cases, the QRadar SIEM solution was able to detect those events and put them all in one place for analysis. It was even able to determine that several attacks were related, even though they were entering the test network from different avenues and were detected using different tools.

Despite the hodgepodge nature of the defenses, QRadar presented the situation in one place and helped to coordinate a unified defense. It also provided context for the attacks, correctly deducing that it was part of an ongoing campaign and showing how to prevent them from breaching defenses in the future.

As such, QRadar would be an invaluable tool and a real force multiplier for overworked IT staff trying to protect higher education networks. Its ease of use and simplicity of operations helps QRadar earn extra credit for its impressive performance.

SPECIFICATIONS

Device Type: Security Information and Event Management solution
Number of Supported Security Devices: 450+
Features: Threat detection, prioritization, investigation and response
Monitored Assets: Endpoints, network devices, cloud applications, threat intelligence, containerized assets, software services and others
Configuration: Hardware, software or virtual appliance

More On

Related Articles

Close

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT

Subscribe Now