IBM QRadar boosts network forensics
IBM needed to ensure that their IBM® QRadar® SIEM platform would seize and retrieve 100% of network data, providing the end user with uncompromised, high-fidelity evidence in the event of a cyberbreach.
Napatech was selected as a strategic partner, bringing the needed best-of-breed technology. This ensured 1) that absolutely all data was captured in real time and 2) that selected data could be promptly retrieved for incident forensics in the event of a breach.
• Guaranteed availability of all evidence
• Ultra-fast data extraction
• Exceptional retention time
• Holistic and intelligent traffic insights
Industry pain points
The average time to identify a malicious attack is 191 days. The corresponding average time to contain an attack is 66 days*. These stats clearly underpin the importance of fast and conclusive threat detection; an activity that demands total traffic visibility at all times. But as most security solutions are designed to spot attacks as they occur in real time, it is often impossible to retrieve the needed evidence – especially if the attack took place months, even years ago. The outcome, as many companies are painfully aware, can be devastating.
In addressing this issue, IBM has created the QRadar SIEM – a state-of-the-art security platform that helps companies to detect anomalies and uncover advanced threats.
When developing the QRadar SIEM, IBM needed to ensure that the platform would seize and store all network data, providing the end user with uncompromised, high-fidelity evidence in the event of an attack.
To achieve this, IBM was searching for an industry collaborator to guarantee 1) that absolutely all data was captured in real time and 2) that selected data could be promptly retrieved for incident forensics in the event of a breach.
IBM needed a partner with a strong track-record, a profound understanding of the industry, and undisputed, best-of-breed technology. Napatech was a natural choice – and the only candidate able to meet all requirements.
“Working with Napatech, we don’t lose any sleep. With the excellent integrity of their engineering team and technology, we have absolute confidence in their ability to deliver a world class product.”
Dr. Russell Couturier, CTO Forensics
IBM Security Division
IBM was already deploying Napatech technology to accelerate their analytics appliance, which ensured that 100% of the network data was captured in real time. To guarantee that the full network history would also be available on demand, the capture-to-disk technology from Napatech was integrated. This ensured that all packets would be recorded with nanosecond accuracy while also allowing quick and easy data extraction. This would enable the QRadar SIEM to promptly reconstruct the complete picture of a given incident; not just provide a semi-accurate outline.
With this solution in place, IBM could deliver a leading-edge security platform with an exceptional level of data integrity – providing end users with assurance and peace of mind that all data would be available at their fingertips whenever needed. Key benefits included:
- Zero packet loss – guaranteed availability of all evidence
- Ultra-fast extraction of critical information
- Holistic and intelligent traffic insights
To optimize system performance and ensure seamless integration across the platform, a number of bespoke enhancements were developed, including:
2x performance improvement
By physically dividing the traffic and transmitting the flows directly to the right CPU cores, a 2x performance improvement was achieved. This facilitated the heavy data analysis required for a forensic investigation.
Unique session ID
A unique session ID was engineered as a mechanism to adjoin all information from the multiple SIEM components, providing an intelligent link between the network packets and the reconstructed information. By associating every packet from a given communication session with a unique ID, specific packets could be instantly retrieved.
By assembling multiple capture-to-disk appliances in one network, we successfully increased the retention time without impacting the search performance. This extended the time window for forensic investigation – while also affording end users a fully scalable storage solution.
In a time of data overload, relevance is everything. The Pandion network recorder enables you to seize all traffic in real time and retrieve only the relevant data on demand.
Napatech Pandion is based on Napatech FPGA SmartNICs available in a range of Ethernet interface options, with reconfigurable storage and Napatech Pandion software.
Pandion builds on more than a decade of industry-proven Napatech FPGA technology and delivers 100% capture and write to disk for leading security analytics and compliance applications.