IBM’s New Threat Anomaly Detection Finds Malware by Looking Within
The security industry has followed a castle-and-moat strategy of defense for some time now. Collectively, tens of millions if not hundreds of millions of dollars or more have been spent on placing security technology at the perimeter of our networks to try to keep bad stuff out. Now a new security appliance from IBM is trying to turn that paradigm on its head by finding the bad stuff that is already inside, based on what we are sending out.
IBM’s new QRadar Network Anomaly Detection appliance analyzes network traffic inside your network to identify anomalies in real time. The new appliance looks at inbound traffic as well, but can spot “zombie” machines inside your network by monitoring the outbound traffic they send at the request of their botnet masters.
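The outbound-traffic idea in the paragraph above can be shown in a few dozen lines. The following is an added illustration, not IBM or QRadar code: it scans constructed flow records (timestamp, source, destination, port, bytes) for internal hosts that contact an external address at near-constant intervals, the "check in with the botmaster" pattern a compromised zombie exhibits. The internal address space (RFC 1918), the sample flows, the thresholds and the function names are all assumptions made for the example; the documentation ranges 198.51.100.0/24 and 203.0.113.0/24 stand in for the internet.

```python
"""Spot botnet "zombie" hosts by the regularity of their outbound traffic.

Added example, not IBM/QRadar code. It scans constructed flow records for
internal hosts that contact an external address at near-constant intervals
(beaconing), the pattern described in the paragraph above.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the internal address space is RFC 1918. Documentation ranges
# (198.51.100.0/24, 203.0.113.0/24) play the role of "the internet" here.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_external(addr):
    """True if addr lies outside the internal address space."""
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


# Constructed sample flows: (timestamp_s, src, dst, dst_port, bytes_out).
_jitter = [0, 3, -2, 5, -1, 2, -4, 1, 0, 3, -2, 4]
SAMPLE_FLOWS = (
    # infected host: 12 check-ins to a C2 address, ~300 s apart, ~512 bytes each
    [(1000 + 300 * i + j, "10.0.0.5", "198.51.100.7", 443, 512 + (i % 3))
     for i, j in enumerate(_jitter)]
    # the same host's DNS queries to the internal resolver: periodic, but internal
    + [(1000 + 60 * i, "10.0.0.5", "10.0.0.1", 53, 70) for i in range(12)]
    # a normal user browsing: irregular timing, varying sizes
    + [(t, "10.0.0.8", "203.0.113.10", 443, b) for t, b in
       [(10, 1450), (25, 820), (400, 9031), (410, 300), (1300, 5120),
        (1305, 260), (2600, 7700), (3000, 410), (3002, 1980)]]
    + [(t, "10.0.0.8", "203.0.113.20", 80, b) for t, b in
       [(50, 3300), (1900, 640), (3100, 12000)]]
)


def find_beacons(flows, min_events=8, max_cv=0.1):
    """Return suspected beacons: (src, external dst, port) triples with at
    least min_events outbound connections whose inter-arrival times have a
    coefficient of variation (stdev / mean) of at most max_cv.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        # only outbound traffic from internal hosts to external addresses
        if is_external(src) or not is_external(dst):
            continue
        by_pair[(src, dst, port)].append((ts, nbytes))

    findings = []
    for (src, dst, port), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        times = [ts for ts, _ in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        sizes = [n for _, n in events]
        if mean(intervals) == 0:
            continue  # all events share one timestamp; no periodicity to measure
        interval_cv = pstdev(intervals) / mean(intervals)
        if interval_cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port, "events": len(events),
                "mean_interval_s": round(mean(intervals), 1),
                "interval_cv": round(interval_cv, 3),
                # beacons also tend to carry near-constant payload sizes
                "size_cv": round(pstdev(sizes) / mean(sizes), 3),
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_FLOWS):
        print(finding)
```

Run as-is, only the 10.0.0.5 to 198.51.100.7:443 pair is reported: its twelve connections arrive roughly every 300 seconds with a few seconds of jitter. The equally periodic DNS traffic from the same host is ignored because the resolver is internal, and the browsing host fails the regularity test because its inter-arrival times vary by orders of magnitude. In a real deployment the thresholds would be tuned per network, and legitimate periodic traffic (software updates, monitoring agents) would need an allow-list.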
This should be an important part of any company’s security strategy. One lesson made clear over the recent past is that many of today’s advanced threats and persistent attacks can evade the IDS/IPS systems and firewalls we have put in place. Many security research teams, including IBM’s own X-Force, report that social-engineering attacks delivered through social media and mobile devices have exploded over the last 12 months.
Don’t be fooled into thinking that the type of attacks this technology can discover only happen to large companies. Recent data from Symantec, Verizon and others report that at least 50% of all targeted attacks are aimed at mid-market and smaller companies. So no matter how big or small your company is, it can be targeted.
These attacks are the types that usually evade traditional perimeter defenses. By discovering the evidence of infected machines, security admins can take action to prevent further loss while determining how the attack was performed.
This is part of a new trend in security that acknowledges you are not going to be able to stop every attack your network and organization may come under. Recognizing that you have been breached or attacked is at least a first step in dealing with the issue.
The new appliance is built on the QRadar technology that IBM acquired with Q1 Labs a while back.
IBM also announced several other enhancements to its network security line, among them a hybrid network IPS that uses both the open-source Snort rule set and the research of the X-Force team.
Speaking of the X-Force team, IBM also recently announced the X-Force IP Reputation Feed, which again draws on the team’s research and analysis. X-Force also released its annual Trend and Risk Report.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.