After a thorough market evaluation in 2020, Data Action (DA), a technology provider for alternative banks, awarded a contract to Vectra, a local security consulting and service specialist, for a Security Information and Event Management (SIEM) platform refresh project.
The SIEM solution chosen, IBM Security® QRadar®, was deployed as virtualized appliances using VMware and IBM FlashSystem® storage. While deploying QRadar on virtualized appliances is common, using high-performance FlashSystem storage controllers for this type of workload is not.
The use of IBM’s propriety IBM FlashCore® Module (FCM) technology to store QRadar data has had a significant impact on the ability of the security operations center (SOC) to analyze security threats. The overall effect on response times has been remarkable, in some cases contributing to a reduction in analysis time from hours to minutes compared to the previous SIEM solution.
For the last 17 years, the Ponemon Institute has released its annual Cost of a Data Breach Report, and in doing so has become one of the leading benchmarking authorities in the cybersecurity industry.
In the 2021 Cost of a Data Breach Report, it states that the estimated overall average cost per data breach rose from USD 3.86 million (2019–20) to USD 4.24 million (2020–2021). While the overall average cost grew, the report also highlighted the difference between organizations with fully deployed security AI and automation (average data breach cost of USD 2.90 million) and organizations without security AI and automation (average data breach cost of USD 6.71 million).
An organization’s cybersecurity strategy comprises many components, but an effective SIEM solution plays a vital role. A SIEM solution helps security teams accurately detect and prioritize threats across the enterprise. It provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.
Intelligent insights and quick response times are only possible though when adequate compute and storage resources are provided. Effective SIEM solutions need to ingest vast quantities of data, often from complex operating environments spanning on-premises and cloud resources. The complex analytics required to gain better insights requires accessing vast quantities of data. In these environments fast response times are only possible using high-performance, low latency storage.
It was for these reasons that in 2020, after a thorough market evaluation, DA deployed QRadar as the organization’s SIEM solution. The solution consisted of virtual appliances within a dedicated VMware cluster and using FlashSystem storage for all data retention.
QRadar is a network security management platform that provides situational awareness and compliance support. QRadar uses a combination of flow-based network knowledge, security event correlation and asset-based vulnerability assessment.
In its Magic Quadrant for Security Information and Event Management report (link resides outside of ibm.com), Gartner lists IBM as a SIEM leader, and it has done so for 12 consecutive years.
The FlashSystem portfolio is IBM’s range of block-storage controllers, with models suited for entry, mid-range and high-end workloads. All models utilize the IBM Spectrum® Virtualize software from the IBM® SAN Volume Controller for the embedded system software. As a result of using the same software, many features normally found only in high-end solutions are also available in the entry and mid-tier models.
At the heart of the IBM FlashSystem 5200, 7200, 7300, 9200 and 9500 models is IBM FlashCore technology.
IBM FlashCore is unique to IBM storage, and unlike solid state drives (SSDs) used in other vendors’ all-flash arrays, the controller design uses a variety of techniques to provide outstanding performance and enhanced resilience.
FCMs are engineered to deliver up to seven times greater flash endurance than an industry-standard, commodity SSD, which translates to fewer issues for clients. It also means that time does not have to be spent dealing with failing SSDs and drive rebuilds.
DA has evolved to become a specialist software and services provider to some of Australia’s leading customer-owned challenger banks, aggregators and the faith-based sector. DA’s flexible platform architecture enables optionality through “plug and play” integrations. DA’s product suite has progressed from core banking platforms into a full banking ecosystem underpinning the company’s purpose—“powering core and digital banking for Australia’s challenger banks.”
DA operates nationally with more than 200 staff based in Adelaide, Sydney, Melbourne and Brisbane and enhances the banking experience of more than 1.6 million Australians through its core banking and digital platforms, powering 300 million customer transactions across 2.6 million accounts every day.
DA’s offering is unique; it configures, migrates, hosts, locally supports, integrates and maintains technology services in a private and public cloud environment. Inherent in this is a proven end-to-end model with a single owner for service delivery, governance and communication. This eliminates integration issues and potential problem ownership associated with the growing complexity and interoperability of a multi-vendor IT environment.
DA’s robust partnership approach ensures that its clients retain the ability to continually enhance their services to members. At present, DA has over 200 partners on its platform to ensure best of breed solutions to drive member value.
DA’s marketplace platform approach allows for flexibility and choice of partners to maintain competitive tension and speed of delivery, and it provides fit for purpose partnerships for its clients. DA’s partnerships team works closely with the product, client and solutions teams to ensure that solutions deliver value to clients and its members.
DA directly manages a large part of its financial services clients’ internet-facing surface. As a result, DA has a unique insight and can observe patterns of threat as they move across the mutual sector.
DA offers a strong and multilayered cybersecurity capability to protect its hosted banking services. DA’s processes ensure rigorous and reliable operation of preventative controls, as well as rehearsed, structured and organization-wide capabilities to detect, respond and recover if an incident occurs.
DA protects its products using a full range of security services and technologies to keep its clients’ businesses and its customers safe. These include web application firewalls, next-generation firewalls and endpoint protection, comprehensive security monitoring, vulnerability management, and regular external penetration testing.
The SIEM is a critical platform for DA, enabling cybersecurity capabilities through:
Without a strong platform DA would have a reduced likelihood of detecting security incidents and reduced effectiveness in responding to identified security incidents. DA would also be unable to meet compliance requirements for the monitoring and retention of security-relevant data.
The SIEM implementation that this project replaced was a hardware appliance-based solution that was approaching end of life.
The key focus areas DA wanted to improve with the refresh were:
QRadar works primarily around the concept of collecting, parsing and analyzing events and flows.
Events are data that indicate something of interest occurred, such as data being allowed through a network firewall, users logging in to systems and databases being accessed. Events are the fundamental data of SIEMs. Events are generated by devices, such as network routers and servers, as well as applications. Logs are databases of event data.
Flows are network packet data obtained by directly tapping into network devices and monitoring the traffic passing through them. Flows contain information such as the source and destination IP address, the amount of data transferred and even the application being used. Flows can be crucial in detecting certain types of attacks. Note that the actual network packet is not captured or stored—only the header, or the first few hundred bytes of a network transmission, are.
To best understand how QRadar processes the data it receives from servers and network devices, think of the operation of IBM Security QRadar system as segmented into three layers:
This segmentation applies to any QRadar deployment structure, regardless of the size, complexity, number or log sources or modules it has installed or attached to it.
As mentioned previously, Gartner listed QRadar as a SIEM leader in its Magic Quadrant for Security Information and Event Management report. QRadar is recognized as a leader for many reasons, but the product’s advanced Index Management is one of its standout features.
The value of indexing is maximized once it is understood what data users are looking for and then enabling indexes for the properties frequently searched. The Index Management feature provides statistics to administrators about what properties are being searched and what searches are using indexes. Administrators can then enable, adjust or even disable indexes to improve overall performance.
Against the benefits that come from enabling indexing for additional properties are also potential drawbacks. Additional indexing affects system performance when data is written and requires additional storage capacity. By using IBM FCMs, both of these drawbacks are effectively mitigated. Designed for high-performance, enterprise environments, FCMs are able to ingest consistently high volumes of data while also applying in-line data compression; by using hardware-accelerated I/O, FCMs are unique in their ability to achieve all of this without any performance penalty.
DA has deployed the QRadar SIEM solution within a dedicated VMware cluster consisting of two dedicated physical servers. Storage requirements for the environment are provisioned from a dedicated IBM FlashSystem 7200 directly attached to the hosts.
While capable of implementation in a fully fault tolerant architecture, the SIEM solution as currently deployed has only highly available log collection and retrieval. The QRadar Processor and QRadar Console appliances do not have redundancy, but as virtual appliances they will have the flexibility of being able to migrate between ESXi hosts.
DA’s SIEM refresh project evaluation included tests that benchmarked the response times of actions typically conducted when investigating cases. With the QRadar solution now fully operational, the actions undertaken during a recent high-priority investigation were recorded. With each action, the following data was noted:
The historic period and data set sizes are published to provide context to the complexity and scale of the analysis being undertaken.
For comparison purposes, the DA cybersecurity team provided relative completion times for which there was an equivalent action within the previous SIEM. While comparing results on both SIEM systems by running side-by-side tests would have been ideal, this was not possible as the previous SIEM solution was decommissioned once QRadar was operational.
While acknowledging the completion times quoted for the previous SIEM solution are estimates, they are still relevant for several reasons:
Most relevantly though, the completion times for all comparable actions on QRadar are orders of magnitude faster than those of the previous SIEM system. It is reasonable to argue that even if a large margin of error is added to estimated completion times listed for the previous SIEM solution, the QRadar actions complete in significantly less time. What previously took hours to complete now takes minutes. Similarly, those reports that took minutes to run are now completing in seconds.
In 2020, DA conducted a project to replace its previous SIEM solution. While every organization’s business planning needs a robust cybersecurity strategy, the importance for an organization providing core banking services for credit unions, banks and other financial institutions cannot be overstated. After a thorough evaluation process, DA awarded a contract to Vectra to replace its existing SIEM solution with QRadar running on a virtualized environment and using FlashSystem storage.
In both initial benchmarking tests and in live usage, the QRadar deployment has been shown to be an extremely effective and powerful tool with which to investigate security-related events. Deploying the QRadar components within a VMware cluster delivers many benefits: a smaller physical footprint and lower power costs with greater flexibility and future scalability. By incorporating FlashSystems storage populated with IBM FCM technology, DA is benefitting from solutions designed for high performance and reliability.
Using a combination of QRadar index optimization capabilities and a high-performance storage platform, DA has been able to significantly reduce common query run times from minutes to seconds. This has resulted in demonstrable improvements across all types of SIEM use cases at DA, including incident response, regular environment reviews and reporting. Faster security event analysis results in improved incident triage and response, which is known to reduce the overall impact. Faster environment reviews reduce the time spent and frustration of security analysts, creating more time for productive work.
Through the adoption of QRadar and IBM FlashCore technology, DA now runs incident analysis and reports in fractions of the time of thwat the previous SIEM solution was capable of. Where the average cost of a data breach is millions of dollars, the business value of any solution that helps deliver faster detection rates is self-evident, delivering potential savings in terms of time and money.
While the deployment of FlashSystem storage controllers equipped with FCMs is a significant factor, it is oversimplistic to claim that is the sole reason for the performance improvements. Performance gains can also be attributable to the QRadar product itself, particularly in respect to its Index Management capabilities. Whatever the causes for the levels of performance improvement, the combination of IBM technologies has been shown in DA’s case to be very effective in meeting the organization’s security goals and objectives.
Former Head of Cybersecurity, Data Action
Simeon Finch (BCompSc, MCSE, VCAP) is the former Head of Cybersecurity at DA, with end-to-end accountability for the cybersecurity team, technologies, compliance processes and strategy.
Simeon has more than 20 years’ experience across a variety of IT functions, including technical leadership, architecture and cybersecurity leadership. Simeon is TOGAF certified and a SABSA Chartered Security Architect and has contributed to large scale projects such as the Federal Government’s Critical Infrastructure Centre around cybersecurity legislation in the energy sector and open banking in financial services.
Lead Cybersecurity Analyst, DA
Lucien Dabrowski is the Lead Cybersecurity Analyst at DA, responsible for security monitoring, incident handling, ensuring delivery of cyber regulatory and compliance requirements as well as the continuous improvement of DA’s cybersecurity maturity to enable the effective prevention, detection, response and recovery from cyberthreats.
Lucien has more than 8 years’ experience in cybersecurity with a background in ICT Infrastructure. He is a SIEM evangelist, having designed, implemented and operated multiple large-scale SIEM platforms. Lucien actively provides mentoring and technology guidance across both DA and the wider community.
Technical Product Specialist, IBM
Brendan Scott (MIT, BEng) is a Technical Product Specialist at IBM, with a primary focus on supporting customers and partners in A/NZ with the IBM Systems Storage portfolio.
Brendan has more than 25 years’ experience across diverse IT roles and industries. In a 10-year career with IBM, Brendan has been maximizing the value of customers and partners using IBM hardware and software solutions by providing technical advice and guidance.
Cybersecurity Solutions Manager, Vectra
Jesse is responsible for the overall adoption, advisory, implementation and ongoing support of security solutions and relevant managed security services. He works closely with Vectra’s security consulting, penetration testing, security operation centre (SOC) and incident response teams to support Vectra's client base in the ANZ region.
DA (link resides outside of ibm.com) is a technology company established as a cooperative in 1986 by a collection of local credit unions and mutual banks in Australia to host core banking services. This proud heritage—of being set up by the mutuals for the mutuals—remains at the heart of DA’s business today.
Vectra (link resides outside of ibm.com) is a leading Australian owned and operated cybersecurity company. Providing specialist consulting services, managed security services and security solutions throughout Asia Pacific since 2001. Vectra team offers a diverse range of experience and capabilities, which in include but not limited to Governance Risk & Compliance (GRC) Consulting, Penetration Testing & Vulnerability Assessment, Endpoint Security, Network Security, Identity Security, Cloud Security, Managed SIEM and Incident Response.
© Copyright IBM Corporation 2022. IBM Corporation, IBM Security, New Orchard Road, Armonk, NY 10504
Produced in the United States of America, April 2022.
FlashSystems, IBM FlashCore, IBM Security, IBM Spectrum, and QRadar trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at ibm.com/legal/copyright-trademark.
VMware, the VMware logo, VMware Cloud Foundation, VMware Cloud Foundation Service, VMware vCenter Server, and VMware vSphere are registered trademarks or trademarks of VMware, Inc. or its subsidiaries in the United States and/or other jurisdictions.
This document is current as of the initial date of publication and may be changed by IBM at any time. Not all offerings are available in every country in which IBM operates.
The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions. THE INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING WITHOUT ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OR CONDITION OF NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements under which they are provided.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.