IBM is opening its QRadar security analytics platform to allow customers to share applications they build, hoping the move will increase IT security in a world of increasingly complex threats.
“We thought opening up the platform so people could share applications would add a huge amount of benefit to the overall user base and capabilities,” Paul Eisner, the company’s director of development, security intelligence and managed security services, said in an interview. “The bad guys are collaborating, so the good guys need to collaborate as well.”
To help developers, a toolset has been created that can be accessed through IBM’s developerWorks portal, using new APIs for QRadar. The apps can then be published on the new IBM Security App Exchange. To build momentum, IBM and several of its partners have created free apps that add new capabilities to the platform to seed the exchange.
These include:
- the Exabeam User Behavior Analytics app, which integrates user-level behavioral analytics and risk profiling from Exabeam into the QRadar dashboard. This real-time view of user risk allows companies to detect subtle behavioral differences between a normal employee and an attacker using that same credential.
- a new IBM-developed app that lets QRadar users pull in any threat intelligence feed using the open standard STIX and TAXII formats, and use this data to create custom rules for correlation, searching, or reporting. For example, users could bring in public collections of dangerous IP addresses from IBM’s X-Force Exchange and create a rule to raise the magnitude of any offense that includes IP addresses from that watch list.
- another app allows QRadar to analyze data from users of Bit9 + Carbon Black endpoint software, improving the ability to detect and respond to endpoint attacks.
- the IBM Incident Overview App, which allows users to better visualize all of the offenses within QRadar using bubbles, colors and correlation lines. The size and color of a bubble indicate the magnitude of the incident, while lines drawn between bubbles indicate shared IP addresses among the linked incidents. This type of intuitive visualization helps security analysts quickly identify common elements between incidents and better prioritize important incidents.
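The watch-list rule described in the STIX/TAXII item above, sketched as an added example that is not IBM's code and does not use QRadar's rule engine or APIs. It assumes the feed arrives as a STIX 2.1 JSON bundle; the offense records, the `boost` of 3 and the `cap` of 10 are constructed for illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle (documentation-range addresses, not real indicators).
BUNDLE = {"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value ISSUBSET '203.0.113.0/24']"},
    {"type": "indicator", "revoked": True,
     "pattern": "[ipv4-addr:value = '192.0.2.10']"},
    {"type": "indicator", "valid_until": "2020-01-01T00:00:00Z",
     "pattern": "[ipv4-addr:value = '192.0.2.99']"},
]}
# Constructed offense records (hypothetical shape, not QRadar's schema).
OFFENSES = [
    {"id": 1, "magnitude": 4, "ips": ["10.0.0.5", "198.51.100.7"]},
    {"id": 2, "magnitude": 9, "ips": ["203.0.113.77"]},
    {"id": 3, "magnitude": 5, "ips": ["192.0.2.10", "192.0.2.99"]},
]
PATTERN_RE = re.compile(r"ipv4-addr:value\s*(?:=|ISSUBSET)\s*'([^']+)'")

def build_watchlist(bundle, now=None):
    """Return ip_network objects for IPv4 indicators that are still live."""
    now = now or datetime.now(timezone.utc)
    nets = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue  # not an indicator, or withdrawn by its producer
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # expired indicator: matching on it only adds noise
        for value in PATTERN_RE.findall(obj.get("pattern", "")):
            try:
                nets.append(ipaddress.ip_network(value, strict=False))
            except ValueError:
                pass  # malformed address in the feed: skip it
    return nets

def raise_magnitude(offenses, watchlist, boost=3, cap=10):
    """Return copies of the offenses, boosted where any IP is on the watch list."""
    out = []
    for off in offenses:
        hit = any(ipaddress.ip_address(ip) in net
                  for ip in off["ips"] for net in watchlist)
        mag = min(cap, off["magnitude"] + boost) if hit else off["magnitude"]
        out.append({**off, "magnitude": mag, "watchlist_hit": hit})
    return out

if __name__ == "__main__":
    for offense in raise_magnitude(OFFENSES, build_watchlist(BUNDLE)):
        print(offense)
```

Offense 3 is left unchanged because both of its addresses come from indicators that are revoked or past their `valid_until`, which is the check that keeps a stale feed from inflating priorities.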
Other vendors who have developed apps include Resilient Systems and Brightpoint.
The open platform comes as part of the new QRadar v. 7.2.6, which also includes improvements in search speed and links to IBM’s BigFix vulnerability manager.
QRadar is a security information and event management (SIEM) platform that competes against Hewlett Packard’s ArcSight, Splunk Enterprise, Intel Corp.’s McAfee Enterprise Security Manager, LogRhythm and many others.
Opening QRadar is part of an IBM [NYSE: IBM] strategy to encourage organizations to share threat information. Earlier this year it opened its X-Force Exchange, a database of some 700 terabytes of threat data it has gathered over the years, for users to research. To keep it from being downloaded by criminals, users can only search one IP address at a time. IBM said over 1,000 organizations have registered to use the exchange.