Combining IBM technology to better manage cybersecurity

Data Action hosts an IBM QRadar SIEM solution on high-performance IBM FlashSystem storage
IBM Security
10-minute read

After a thorough market evaluation in 2020, Data Action (DA), a technology provider for alternative banks, awarded a contract to Vectra, a local security consulting and service specialist, for a Security Information and Event Management (SIEM) platform refresh project.

The SIEM solution chosen, IBM Security® QRadar®, was deployed as virtualized appliances using VMware and IBM FlashSystem® storage. While deploying QRadar on virtualized appliances is common, using high-performance FlashSystem storage controllers for this type of workload is not.

The use of IBM’s proprietary IBM FlashCore® Module (FCM) technology to store QRadar data has had a significant impact on the ability of the security operations center (SOC) to analyze security threats. The overall effect on response times has been remarkable, in some cases contributing to a reduction in analysis time from hours to minutes compared to the previous SIEM solution.


Common query run times reduced to seconds from minutes

Faster security event analysis results in improved incident triage and response

Security analytics at speed

For the last 17 years, the Ponemon Institute has released its annual Cost of a Data Breach Report, and in doing so has become one of the leading benchmarking authorities in the cybersecurity industry.

In the 2021 Cost of a Data Breach Report, it states that the estimated overall average cost per data breach rose from USD 3.86 million (2019-20) to USD 4.24 million (2020-2021). While the overall average cost grew, the report also highlighted the difference between organizations with fully deployed security AI and automation (average data breach cost of USD 2.90 million) and organizations without security AI and automation (average data breach cost of USD 6.71 million).

An organization’s cybersecurity strategy comprises many components, but an effective SIEM solution plays a vital role. A SIEM solution helps security teams accurately detect and prioritize threats across the enterprise. It provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Intelligent insights and quick response times are only possible, though, when adequate compute and storage resources are provided. Effective SIEM solutions need to ingest vast quantities of data, often from complex operating environments spanning on-premises and cloud resources. The complex analytics required to gain better insights require access to those same vast quantities of data. In these environments fast response times are only possible using high-performance, low-latency storage.

It was for these reasons that in 2020, after a thorough market evaluation, DA deployed QRadar as the organization’s SIEM solution. The solution consisted of virtual appliances within a dedicated VMware cluster and using FlashSystem storage for all data retention.

Components of the solution

IBM QRadar® capabilities chart

QRadar

QRadar is a network security management platform that provides situational awareness and compliance support. QRadar uses a combination of flow-based network knowledge, security event correlation and asset-based vulnerability assessment.

In its Magic Quadrant for Security Information and Event Management report, Gartner lists IBM as a SIEM leader, and it has done so for 12 consecutive years.

FlashSystem portfolio

The FlashSystem portfolio is IBM’s range of block-storage controllers, with models suited for entry, mid-range and high-end workloads. All models utilize the IBM Spectrum® Virtualize software from the IBM® SAN Volume Controller for the embedded system software. As a result of using the same software, many features normally found only in high-end solutions are also available in the entry and mid-tier models.

At the heart of the IBM FlashSystem 5200, 7200 and 9200 models is IBM FlashCore technology.

IBM FlashCore is unique to IBM storage, and unlike solid state drives (SSDs) used in other vendors’ all-flash arrays, the controller design uses a variety of techniques to provide outstanding performance and enhanced resilience.

The IBM FlashSystem portfolio — features and functionality

Outstanding performance

  • Experience I/O with latency as low as 70 microseconds, helping to remove performance bottlenecks.
  • FCMs use embedded hardware for data reduction. Data reduction occurs as fast as data can be written to the modules; there is no performance impact.

Enhanced resilience

FCMs are engineered to deliver up to seven times greater flash endurance than an industry-standard, commodity SSD, which translates to fewer issues for clients. It also means that time does not have to be spent dealing with failing SSDs and drive rebuilds.

Who is Data Action?

DA has evolved to become a specialist software and services provider to some of Australia’s leading customer-owned challenger banks, aggregators and the faith-based sector. DA’s flexible platform architecture enables optionality through “plug and play” integrations. DA’s product suite has progressed from core banking platforms into a full banking ecosystem underpinning the company’s purpose — “powering core and digital banking for Australia’s challenger banks.”

DA operates nationally with more than 200 staff based in Adelaide, Sydney, Melbourne and Brisbane and enhances the banking experience of more than 1.6 million Australians through its core banking and digital platforms, powering 300 million customer transactions across 2.6 million accounts every day.

DA’s offering is unique; it configures, migrates, hosts, locally supports, integrates and maintains technology services in a private and public cloud environment. Inherent in this is a proven end-to-end model with a single owner for service delivery, governance and communication. This eliminates the integration issues and unclear problem ownership associated with the growing complexity and interoperability of a multi-vendor IT environment.

DA’s robust partnership approach ensures that its clients retain the ability to continually enhance their services to members. At present, DA has over 200 partners on its platform to ensure best-of-breed solutions to drive member value.

DA’s marketplace platform approach allows for flexibility and choice of partners to maintain competitive tension and speed of delivery, and it provides fit-for-purpose partnerships for its clients. DA’s partnerships team works closely with the product, client and solutions teams to ensure that solutions deliver value to clients and their members.

The design requirements

Security at DA

DA directly manages a large part of its financial services clients’ internet-facing surface. As a result, DA has a unique insight and can observe patterns of threat as they move across the mutual sector.

DA offers a strong and multilayered cybersecurity capability to protect its hosted banking services. DA’s processes ensure rigorous and reliable operation of preventative controls, as well as rehearsed, structured and organization-wide capabilities to detect, respond and recover if an incident occurs.

DA protects its products using a full range of security services and technologies to keep its clients’ businesses and its customers safe. These include web application firewalls, next-generation firewalls and endpoint protection, comprehensive security monitoring, vulnerability management, and regular external penetration testing.

The SIEM refresh project

The SIEM is a critical platform for DA, enabling cybersecurity capabilities through:

  • Ingesting and processing of a very high volume of activity data from the DA environment.
  • Performing security analytics on that data to try to identify and alert DA to potentially malicious activity in the environment.
  • Comparing activity in the DA environment with known indicators of compromise to alert DA to a potential security breach.
  • Enabling triage of security alerts and forensic investigation to be performed.
  • Storing security event data with high resilience and integrity to fulfill DA’s compliance requirements.
  • Supporting various teams to analyze activity across the environment to assist with operational troubleshooting.

Without a strong platform DA would have a reduced likelihood of detecting security incidents and reduced effectiveness in responding to identified security incidents. DA would also be unable to meet compliance requirements for the monitoring and retention of security-relevant data.

The SIEM implementation that this project replaced was a hardware appliance-based solution that was approaching end of life.

The key focus areas DA wanted to improve with the refresh were:

  • Reduce the overhead in data ingestion maintenance by selecting a platform with a strong library of out-of-the-box parsers that matched its data sources.
  • Improve the out-of-the-box security monitoring use cases to reduce its administrative overhead.
  • Choose a platform that had demonstrated ongoing R&D and investment.
  • Improve overall data ingestion resilience.
  • Remove hardware coupling to ease constraints on expanding storage capacity. The cost of expanding storage in the legacy platform, relative to the performance gained, was highly uncompetitive versus current storage technology.
  • Improve complex and large query performance. It was common for a query to take 12 hours, which could hamper response time during a breach. DA had diagnosed the constraint as storage performance, a result of running magnetic disks.
  • Improve the ability to perform forensic investigations on older data sets. The backup and recovery capability in the legacy platform was all or nothing, making restoring data outside of the current retention period extremely challenging.

QRadar SIEM architecture

The function of a SIEM

QRadar works primarily around the concept of collecting, parsing and analyzing events and flows.

Events are data that indicate something of interest occurred, such as data being allowed through a network firewall, users logging in to systems and databases being accessed. Events are the fundamental data of SIEMs. Events are generated by devices, such as network routers and servers, as well as applications. Logs are databases of event data.

Flows are network packet data obtained by directly tapping into network devices and monitoring the traffic passing through them. Flows contain information such as the source and destination IP address, the amount of data transferred and even the application being used. Flows can be crucial in detecting certain types of attacks. Note that the actual network packet is not captured or stored — only the header, or the first few hundred bytes of a network transmission, are.

Functional configuration

To best understand how QRadar processes the data it receives from servers and network devices, think of the operation of the IBM Security QRadar system as segmented into three layers:

  • Data collection

    Data collection is the layer that gathers security data such as events and flows collected from the client network. This layer collects, parses and normalizes data before forwarding it to the next layer for further processing and storage.
  • Data processing

    After data is collected, the processing layer performs real-time processing of event and flow data using QRadar’s Custom Rules Engine (CRE). The CRE is responsible for generating offenses and alerts. This is also the layer in which data is written to storage.

    QRadar’s data processing is conducted in parallel, across multiple processors. An architecture having data stored close to the processor, with searching and correlation taking place across multiple processors in a highly distributed fashion, is a significant contributor to high overall system performance.
  • Data searches

    The top layer is the console and provides the QRadar user interface. The result of data that is collected and processed is presented through dashboards, reports and searches. The console surfaces offenses for investigation and can raise alerts. Administrators use the console to manage QRadar.

This segmentation applies to any QRadar deployment structure, regardless of the size, complexity, number of log sources or modules it has installed or attached to it.

IBM QRadar SIEM architecture (with relation to storage)

Optimizing search performance

As mentioned previously, Gartner listed QRadar as a SIEM leader in its Magic Quadrant for Security Information and Event Management report. QRadar is recognized as a leader for many reasons, but the product’s advanced Index Management is one of its standout features.

The value of indexing is maximized once it is understood what data users are looking for, and indexes are then enabled for the properties frequently searched. The Index Management feature provides statistics to administrators about which properties are being searched and which searches are using indexes. Administrators can then enable, adjust or even disable indexes to improve overall performance.

Set against the benefits of enabling indexing for additional properties are potential drawbacks. Additional indexing affects system performance when data is written and requires additional storage capacity. By using IBM FCMs, both of these drawbacks are effectively mitigated. Designed for high-performance, enterprise environments, FCMs are able to ingest consistently high volumes of data while also applying in-line data compression; by using hardware-accelerated I/O, FCMs are unique in their ability to achieve all of this without any performance penalty.
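To make the three-layer model (collection, processing, search) and the indexing trade-off concrete, here is an added example. It is not QRadar code and not from DA, IBM or Vectra: a small Python pipeline that parses constructed SSH log lines into normalized events (collection), applies a hypothetical failed-login rule that raises an offense (processing), and searches the stored events with and without a per-property index (search). The log lines, field names, rule threshold and the `EventStore` class are all assumptions made for the example.

```python
"""Toy model of a three-layer SIEM pipeline: collection (parse and normalize),
processing (a custom rule raising an offense) and search (per-property index
versus full scan). Added example, not QRadar code; everything below is constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample syslog-style SSH authentication events (not real data).
RAW_EVENTS = [
    "2024-03-01T10:00:01Z fw01 sshd[1]: Failed password for admin from 203.0.113.7 port 50001",
    "2024-03-01T10:00:05Z fw01 sshd[1]: Failed password for admin from 203.0.113.7 port 50002",
    "2024-03-01T10:00:09Z fw01 sshd[1]: Failed password for root from 203.0.113.7 port 50003",
    "2024-03-01T10:00:12Z app02 sshd[9]: Accepted password for alice from 198.51.100.4 port 40000",
    "2024-03-01T10:00:20Z fw01 sshd[1]: Failed password for admin from 203.0.113.7 port 50004",
    "2024-03-01T10:00:31Z app02 sshd[9]: Accepted password for bob from 198.51.100.9 port 40001",
    "2024-03-01T10:00:40Z app02 kernel: unrelated message the parser does not understand",
]


@dataclass
class Event:
    ts: datetime
    host: str
    src_ip: str
    user: str
    outcome: str  # "failure" or "success"


LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def collect(raw_lines):
    """Collection layer: parse raw lines and normalize them into Event records.
    Unrecognised lines are dropped here for brevity; a production SIEM keeps
    them as unparsed events rather than discarding them."""
    events = []
    for line in raw_lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            host=m["host"], src_ip=m["src"], user=m["user"],
            outcome="failure" if m["outcome"] == "Failed" else "success",
        ))
    return events


def failed_login_rule(events, threshold=3, window=timedelta(minutes=1)):
    """Processing layer: hypothetical custom rule that raises one offense when a
    single source IP produces `threshold` failed logins inside a sliding window.
    The offense fires exactly when the threshold is reached, so later failures
    in the same window do not produce duplicate offenses."""
    offenses = []
    recent = defaultdict(deque)  # src_ip -> failure timestamps still in window
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.outcome != "failure":
            continue
        q = recent[ev.src_ip]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            offenses.append({"src_ip": ev.src_ip, "first": q[0], "last": ev.ts})
    return offenses


class EventStore:
    """Search layer: events kept in arrival order with optional per-property
    indexes. `scanned` records how many events the last search touched, the
    cost an index removes; building an index is the write-time and storage
    cost that the text describes as the trade-off."""

    def __init__(self, events):
        self.events = list(events)
        self.indexes = {}  # property name -> {value: [positions]}
        self.scanned = 0

    def enable_index(self, prop):
        idx = defaultdict(list)
        for pos, ev in enumerate(self.events):
            idx[getattr(ev, prop)].append(pos)
        self.indexes[prop] = idx

    def search(self, prop, value):
        if prop in self.indexes:
            positions = self.indexes[prop].get(value, [])
            self.scanned = len(positions)
            return [self.events[p] for p in positions]
        self.scanned = len(self.events)  # no index: full scan of the store
        return [ev for ev in self.events if getattr(ev, prop) == value]


if __name__ == "__main__":
    evs = collect(RAW_EVENTS)
    for off in failed_login_rule(evs):
        print("offense:", off)
    store = EventStore(evs)
    store.search("src_ip", "203.0.113.7")
    print("full scan touched", store.scanned, "events")
    store.enable_index("src_ip")
    store.search("src_ip", "203.0.113.7")
    print("indexed search touched", store.scanned, "events")
```

Running the block prints the single offense and the number of events each search touches: six for the full scan and four once the `src_ip` index exists. The same statistic, collected across real searches, is what lets an administrator decide which properties are worth the write-time and storage cost of an index.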

DA’s deployment configuration

DA has deployed the QRadar SIEM solution within a dedicated VMware cluster consisting of two dedicated physical servers. Storage requirements for the environment are provisioned from a dedicated IBM FlashSystem 7200 directly attached to the hosts.

While capable of implementation in a fully fault-tolerant architecture, the SIEM solution as currently deployed has only highly available log collection and retrieval. The QRadar Processor and QRadar Console appliances do not have redundancy, but as virtual appliances they have the flexibility of being able to migrate between ESXi hosts.

Performance benchmarking

DA’s SIEM refresh project evaluation included tests that benchmarked the response times of actions typically conducted when investigating cases. With the QRadar solution now fully operational, the actions undertaken during a recent high-priority investigation were recorded. With each action, the following data was noted:

  • The historic period over which each action’s query was run
  • The size of the data sets analyzed (where relevant)
  • The time taken for the actions to complete

The historic period and data set sizes are published to provide context to the complexity and scale of the analysis being undertaken.

For comparison purposes, the DA cybersecurity team provided relative completion times for which there was an equivalent action within the previous SIEM. While comparing results on both SIEM systems by running side-by-side tests would have been ideal, this was not possible as the previous SIEM solution was decommissioned once QRadar was operational.

While acknowledging the completion times quoted for the previous SIEM solution are estimates, they are still relevant for several reasons:

  • The estimated completion times are based on the judgment of highly skilled team members who were very familiar with both systems.
  • As part of DA’s SIEM refresh project, QRadar’s relative performance was tested versus the incumbent system — the significant improvement in overall performance was an important factor in the ultimate choice of that product over other potential solutions.
  • Logs and data from the previous SIEM solution have been retained and can be used to verify performance on equivalent actions.
  • Most relevantly though, the completion times for all comparable actions on QRadar are orders of magnitude faster than those of the previous SIEM system. It is reasonable to argue that even if a large margin of error is added to estimated completion times listed for the previous SIEM solution, the QRadar actions complete in significantly less time. What previously took hours to complete now takes minutes. Similarly, those reports that took minutes to run are now completing in seconds.

Summary

In 2020, DA conducted a project to replace its previous SIEM solution. While every organization’s business planning needs a robust cybersecurity strategy, the importance for an organization providing core banking services for credit unions, banks and other financial institutions cannot be overstated. After a thorough evaluation process, DA awarded a contract to Vectra to replace its existing SIEM solution with QRadar running on a virtualized environment and using FlashSystem storage.

In both initial benchmarking tests and in live usage, the QRadar deployment has been shown to be an extremely effective and powerful tool with which to investigate security-related events. Deploying the QRadar components within a VMware cluster delivers many benefits: a smaller physical footprint and lower power costs with greater flexibility and future scalability. By incorporating FlashSystem storage populated with IBM FCM technology, DA is benefitting from solutions designed for high performance and reliability.

Using a combination of QRadar index optimization capabilities and a high-performance storage platform, DA has been able to significantly reduce common query run times from minutes to seconds. This has resulted in demonstrable improvements across all types of SIEM use cases at DA, including incident response, regular environment reviews and reporting. Faster security event analysis results in improved incident triage and response, which is known to reduce the overall impact of an incident. Faster environment reviews reduce the time spent and frustration of security analysts, creating more time for productive work.

Through the adoption of QRadar and IBM FlashCore technology, DA now runs incident analysis and reports in a fraction of the time that the previous SIEM solution was capable of. Where the average cost of a data breach is millions of dollars, the business value of any solution that helps deliver faster detection is self-evident, delivering potential savings in terms of time and money.

While the deployment of FlashSystem storage controllers equipped with FCMs is a significant factor, it is oversimplistic to claim that it is the sole reason for the performance improvements. Performance gains are also attributable to the QRadar product itself, particularly in respect of its Index Management capabilities. Whatever the causes of the performance improvement, the combination of IBM technologies has been shown in DA’s case to be very effective in meeting the organization’s security goals and objectives.

About Data Action (DA)

DA is a technology company established as a cooperative in 1986 by a collection of local credit unions and mutual banks in Australia to host core banking services. This proud heritage — of being set up by the mutuals for the mutuals — remains at the heart of DA’s business today.

About Vectra Corporation

Vectra is a leading Australian owned and operated cybersecurity company, providing specialist consulting services, managed security services and security solutions throughout Asia Pacific since 2001. The Vectra team offers a diverse range of experience and capabilities, which include but are not limited to Governance Risk & Compliance (GRC) Consulting, Penetration Testing & Vulnerability Assessment, Endpoint Security, Network Security, Identity Security, Cloud Security, Managed SIEM and Incident Response.
Simeon Finch

Former Head of Cybersecurity, DA

Simeon Finch (BCompSc, MCSE, VCAP) is the former Head of Cybersecurity at DA, with end-to-end accountability for the cybersecurity team, technologies, compliance processes and strategy.

Simeon has more than 20 years’ experience across a variety of IT functions, including technical leadership, architecture and cybersecurity leadership. Simeon is TOGAF certified and a SABSA Chartered Security Architect and has contributed to large-scale projects such as the Federal Government’s Critical Infrastructure Centre around cybersecurity legislation in the energy sector and open banking in financial services.

Lucien Dabrowski

Lead Cybersecurity Analyst, DA

Lucien Dabrowski is the Lead Cybersecurity Analyst at DA, responsible for security monitoring, incident handling, ensuring delivery of cyber regulatory and compliance requirements as well as the continuous improvement of DA’s cybersecurity maturity to enable the effective prevention, detection, response and recovery from cyberthreats.

Lucien has more than 8 years’ experience in cybersecurity with a background in ICT infrastructure. He is a SIEM evangelist, having designed, implemented and operated multiple large-scale SIEM platforms. Lucien actively provides mentoring and technology guidance across both DA and the wider community.

Brendan Scott

Technical Product Specialist, IBM

Brendan Scott (MIT, BEng) is a Technical Product Specialist at IBM, with a primary focus on supporting customers and partners in A/NZ with the IBM Systems Storage portfolio.

Brendan has more than 25 years’ experience across diverse IT roles and industries. In a 10-year career with IBM, Brendan has been maximizing the value customers and partners get from IBM hardware and software solutions by providing technical advice and guidance.

Jesse Qiao

Cybersecurity Solutions Manager, Vectra

Jesse is responsible for the overall adoption, advisory, implementation and ongoing support of security solutions and relevant managed security services. He works closely with Vectra’s security consulting, penetration testing, security operation centre (SOC) and incident response teams to support Vectra's client base in the ANZ region.