Combining IBM technology to better manage cybersecurity

For the last 17 years, the Ponemon Institute has released its annual Cost of a Data Breach Report, and in doing so has become one of the leading benchmarking authorities in the cybersecurity industry.

In the 2021 Cost of a Data Breach Report, it states that the estimated overall average cost per data breach rose from USD 3.86 million (2019–20) to USD 4.24 million (2020–2021). While the overall average cost grew, the report also highlighted the difference between organizations with fully deployed security AI and automation (average data breach cost of USD 2.90 million) and organizations without security AI and automation (average data breach cost of USD 6.71 million).

An organization’s cybersecurity strategy comprises many components, but an effective SIEM solution plays a vital role. A SIEM solution helps security teams accurately detect and prioritize threats across the enterprise. It provides intelligent insights that enable teams to respond quickly to reduce the impact of incidents.

Intelligent insights and quick response times are only possible though when adequate compute and storage resources are provided. Effective SIEM solutions need to ingest vast quantities of data, often from complex operating environments spanning on-premises and cloud resources. The complex analytics required to gain better insights requires accessing vast quantities of data. In these environments fast response times are only possible using high-performance, low latency storage.

It was for these reasons that in 2020, after a thorough market evaluation, DA deployed QRadar as the organization’s SIEM solution. The solution consisted of virtual appliances within a dedicated VMware cluster and using FlashSystem storage for all data retention.

QRadar is a network security management platform that provides situational awareness and compliance support. QRadar uses a combination of flow-based network knowledge, security event correlation and asset-based vulnerability assessment.

In its Magic Quadrant for Security Information and Event Management report, Gartner lists IBM as a SIEM leader, and it has done so for 12 consecutive years.

The FlashSystem portfolio is IBM’s range of block-storage controllers, with models suited for entry, mid-range and high-end workloads. All models utilize the IBM Spectrum® Virtualize software from the IBM® SAN Volume Controller for the embedded system software. As a result of using the same software, many features normally found only in high-end solutions are also available in the entry and mid-tier models.

At the heart of the IBM FlashSystem 5200, 7200, 7300, 9200 and 9500 models is IBM FlashCore technology.

IBM FlashCore is unique to IBM storage, and unlike solid state drives (SSDs) used in other vendors’ all-flash arrays, the controller design uses a variety of techniques to provide outstanding performance and enhanced resilience.

• Experience I/O with latency as low as 70 microseconds, helping to remove performance bottlenecks.
  
  
• FCMs use embedded hardware for data reduction. Data reduction occurs as fast as data can be written to the modules; there is no performance impact.

FCMs are engineered to deliver up to seven times greater flash endurance than an industry-standard, commodity SSD, which translates to fewer issues for clients. It also means that time does not have to be spent dealing with failing SSDs and drive rebuilds.

DA has evolved to become a specialist software and services provider to some of Australia’s leading customer-owned challenger banks, aggregators and the faith-based sector. DA’s flexible platform architecture enables optionality through “plug and play” integrations. DA’s product suite has progressed from core banking platforms into a full banking ecosystem underpinning the company’s purpose—“powering core and digital banking for Australia’s challenger banks.”

DA operates nationally with more than 200 staff based in Adelaide, Sydney, Melbourne and Brisbane and enhances the banking experience of more than 1.6 million Australians through its core banking and digital platforms, powering 300 million customer transactions across 2.6 million accounts every day.

DA’s offering is unique; it configures, migrates, hosts, locally supports, integrates and maintains technology services in a private and public cloud environment. Inherent in this is a proven end-to-end model with a single owner for service delivery, governance and communication. This eliminates integration issues and potential problem ownership associated with the growing complexity and interoperability of a multi-vendor IT environment.

DA’s robust partnership approach ensures that its clients retain the ability to continually enhance their services to members. At present, DA has over 200 partners on its platform to ensure best of breed solutions to drive member value.

DA’s marketplace platform approach allows for flexibility and choice of partners to maintain competitive tension and speed of delivery, and it provides fit for purpose partnerships for its clients. DA’s partnerships team works closely with the product, client and solutions teams to ensure that solutions deliver value to clients and its members.

DA directly manages a large part of its financial services clients’ internet-facing surface. As a result, DA has a unique insight and can observe patterns of threat as they move across the mutual sector.

DA offers a strong and multilayered cybersecurity capability to protect its hosted banking services. DA’s processes ensure rigorous and reliable operation of preventative controls, as well as rehearsed, structured and organization-wide capabilities to detect, respond and recover if an incident occurs.

DA protects its products using a full range of security services and technologies to keep its clients’ businesses and its customers safe. These include web application firewalls, next-generation firewalls and endpoint protection, comprehensive security monitoring, vulnerability management, and regular external penetration testing.

The SIEM is a critical platform for DA, enabling cybersecurity capabilities through:

• Ingesting and processing of a very high volume of activity data from the DA environment.
  
  
• Performing security analytics on that data to try to identify and alert DA to potentially malicious activity in the environment.
  
  
• Comparing activity in the DA environment with known indicators of compromise to alert DA to a potential security breach.
  
  
• Enabling triage of security alerts and forensic investigation to be performed.
  
  
• Storing security event data with high resilience and integrity to fulfill DA’s compliance requirements.
  
  
• Supporting various teams to analyze activity across the environment to assist with operational troubleshooting.

Without a strong platform DA would have a reduced likelihood of detecting security incidents and reduced effectiveness in responding to identified security incidents. DA would also be unable to meet compliance requirements for the monitoring and retention of security-relevant data.

The SIEM implementation that this project replaced was a hardware appliance-based solution that was approaching end of life.

The key focus areas DA wanted to improve with the refresh were:

•  Reduce the overhead in data ingestion maintenance by selecting a platform with a strong library of out-of-the-box parsers that matched its data sources.
  
  
• Improve the out-of-the-box security monitoring use cases to reduce its administrative overhead.
  
  
• Choose a platform that had demonstrated ongoing R&D and investment.
  
  
• Improve overall data ingestion resilience.
  
  
• Remove hardware coupling to improve constraints in expanding storage capacity. The cost to expand storage in the legacy platform to relative performance was highly uncompetitive versus current storage technology.
  
  
• Improve complex and large query performance. It was common for a query to take 12 hours, which could hamper response time during a breach. It had diagnosed the constraint to storage performance resulting from running magnetic disks.
  
  
• Improve the ability to perform forensic investigations on older data sets. The backup and recovery capability in the legacy platform was all or nothing, making restoring data outside of the current retention period extremely challenging.

QRadar works primarily around the concept of collecting, parsing and analyzing events and flows.

Events are data that indicate something of interest occurred, such as data being allowed through a network firewall, users logging in to systems and databases being accessed. Events are the fundamental data of SIEMs. Events are generated by devices, such as network routers and servers, as well as applications. Logs are databases of event data.

Flows are network packet data obtained by directly tapping into network devices and monitoring the traffic passing through them. Flows contain information such as the source and destination IP address, the amount of data transferred and even the application being used. Flows can be crucial in detecting certain types of attacks. Note that the actual network packet is not captured or stored—only the header, or the first few hundred bytes of a network transmission, are.

To best understand how QRadar processes the data it receives from servers and network devices, think of the operation of IBM Security QRadar system as segmented into three layers:

• Data collection
  Data collection is the layer that gathers security data such as events and flows collected from the client network. This layer collects, parses and normalizes data before forwarding it to the next layer for further processing and storage.

• Data processing
  After data is collected, the processing layer performs real-time processing of event and flow data using QRadar’s Custom Rules Engine (CRE). The CRE is responsible for generating offenses and alerts. This is also the layer in which data is written to storage.
  
  QRadar’s data processing is conducted in parallel, across multiple processors. An architecture having data stored close to the processor, with searching and correlation taking place across multiple processors in a highly distributed fashion, is a significant contributor to high overall system performance.

• Data searches
  The top layer is the console and provides the QRadar user interface. The result of data that is collected and processed is presented through dashboards, reports and searches. The console surfaces offenses investigation and can raise alerts. Administrators use the console to manage QRadar.

This segmentation applies to any QRadar deployment structure, regardless of the size, complexity, number or log sources or modules it has installed or attached to it.

As mentioned previously, Gartner listed QRadar as a SIEM leader in its Magic Quadrant for Security Information and Event Management report. QRadar is recognized as a leader for many reasons, but the product’s advanced Index Management is one of its standout features.

The value of indexing is maximized once it is understood what data users are looking for and then enabling indexes for the properties frequently searched. The Index Management feature provides statistics to administrators about what properties are being searched and what searches are using indexes. Administrators can then enable, adjust or even disable indexes to improve overall performance.

Against the benefits that come from enabling indexing for additional properties are also potential drawbacks. Additional indexing affects system performance when data is written and requires additional storage capacity. By using IBM FCMs, both of these drawbacks are effectively mitigated. Designed for high-performance, enterprise environments, FCMs are able to ingest consistently high volumes of data while also applying in-line data compression; by using hardware-accelerated I/O, FCMs are unique in their ability to achieve all of this without any performance penalty.

DA has deployed the QRadar SIEM solution within a dedicated VMware cluster consisting of two dedicated physical servers. Storage requirements for the environment are provisioned from a dedicated IBM FlashSystem 7200 directly attached to the hosts.

While capable of implementation in a fully fault tolerant architecture, the SIEM solution as currently deployed has only highly available log collection and retrieval. The QRadar Processor and QRadar Console appliances do not have redundancy, but as virtual appliances they will have the flexibility of being able to migrate between ESXi hosts.

DA’s SIEM refresh project evaluation included tests that benchmarked the response times of actions typically conducted when investigating cases. With the QRadar solution now fully operational, the actions undertaken during a recent high-priority investigation were recorded. With each action, the following data was noted:

• The historic period over which each action’s query was run
  
  
• The size of the data sets analyzed (where relevant)
  
  
• The time taken for the actions to complete

The historic period and data set sizes are published to provide context to the complexity and scale of the analysis being undertaken.

For comparison purposes, the DA cybersecurity team provided relative completion times for which there was an equivalent action within the previous SIEM. While comparing results on both SIEM systems by running side-by-side tests would have been ideal, this was not possible as the previous SIEM solution was decommissioned once QRadar was operational.

While acknowledging the completion times quoted for the previous SIEM solution are estimates, they are still relevant for several reasons:

• The estimated completion times are based on the judgment of highly skilled team members who were very familiar with both systems.
  
  
• As part of DA’s SIEM refresh project, QRadar’s relative performance was tested versus the incumbent system—the significant improvement in overall performance was an important factor in the ultimate choice of that product over other potential solutions.
  
  
• Logs and data from the previous SIEM solution have been retained and can be used to verify performance on equivalent actions.

Most relevantly though, the completion times for all comparable actions on QRadar are orders of magnitude faster than those of the previous SIEM system. It is reasonable to argue that even if a large margin of error is added to estimated completion times listed for the previous SIEM solution, the QRadar actions complete in significantly less time. What previously took hours to complete now takes minutes. Similarly, those reports that took minutes to run are now completing in seconds.

In 2020, DA conducted a project to replace its previous SIEM solution. While every organization’s business planning needs a robust cybersecurity strategy, the importance for an organization providing core banking services for credit unions, banks and other financial institutions cannot be overstated. After a thorough evaluation process, DA awarded a contract to Vectra to replace its existing SIEM solution with QRadar running on a virtualized environment and using FlashSystem storage.

In both initial benchmarking tests and in live usage, the QRadar deployment has been shown to be an extremely effective and powerful tool with which to investigate security-related events. Deploying the QRadar components within a VMware cluster delivers many benefits: a smaller physical footprint and lower power costs with greater flexibility and future scalability. By incorporating FlashSystems storage populated with IBM FCM technology, DA is benefitting from solutions designed for high performance and reliability.

Using a combination of QRadar index optimization capabilities and a high-performance storage platform, DA has been able to significantly reduce common query run times from minutes to seconds. This has resulted in demonstrable improvements across all types of SIEM use cases at DA, including incident response, regular environment reviews and reporting. Faster security event analysis results in improved incident triage and response, which is known to reduce the overall impact. Faster environment reviews reduce the time spent and frustration of security analysts, creating more time for productive work.

Through the adoption of QRadar and IBM FlashCore technology, DA now runs incident analysis and reports in fractions of the time of thwat the previous SIEM solution was capable of. Where the average cost of a data breach is millions of dollars, the business value of any solution that helps deliver faster detection rates is self-evident, delivering potential savings in terms of time and money.

While the deployment of FlashSystem storage controllers equipped with FCMs is a significant factor, it is oversimplistic to claim that is the sole reason for the performance improvements. Performance gains can also be attributable to the QRadar product itself, particularly in respect to its Index Management capabilities. Whatever the causes for the levels of performance improvement, the combination of IBM technologies has been shown in DA’s case to be very effective in meeting the organization’s security goals and objectives.

Former Head of Cybersecurity, Data Action

Simeon Finch (BCompSc, MCSE, VCAP) is the former Head of Cybersecurity at DA, with end-to-end accountability for the cybersecurity team, technologies, compliance processes and strategy.

Simeon has more than 20 years’ experience across a variety of IT functions, including technical leadership, architecture and cybersecurity leadership. Simeon is TOGAF certified and a SABSA Chartered Security Architect and has contributed to large scale projects such as the Federal Government’s Critical Infrastructure Centre around cybersecurity legislation in the energy sector and open banking in financial services.

Lead Cybersecurity Analyst, DA

Lucien Dabrowski is the Lead Cybersecurity Analyst at DA, responsible for security monitoring, incident handling, ensuring delivery of cyber regulatory and compliance requirements as well as the continuous improvement of DA’s cybersecurity maturity to enable the effective prevention, detection, response and recovery from cyberthreats.

Lucien has more than 8 years’ experience in cybersecurity with a background in ICT Infrastructure. He is a SIEM evangelist, having designed, implemented and operated multiple large-scale SIEM platforms. Lucien actively provides mentoring and technology guidance across both DA and the wider community.

Technical Product Specialist, IBM

Brendan Scott (MIT, BEng) is a Technical Product Specialist at IBM, with a primary focus on supporting customers and partners in A/NZ with the IBM Systems Storage portfolio.

Brendan has more than 25 years’ experience across diverse IT roles and industries. In a 10-year career with IBM, Brendan has been maximizing the value of customers and partners using IBM hardware and software solutions by providing technical advice and guidance.

Cybersecurity Solutions Manager, Vectra

Jesse is responsible for the overall adoption, advisory, implementation and ongoing support of security solutions and relevant managed security services. He works closely with Vectra’s security consulting, penetration testing, security operation centre (SOC) and incident response teams to support Vectra's client base in the ANZ region.

DA is a technology company established as a cooperative in 1986 by a collection of local credit unions and mutual banks in Australia to host core banking services. This proud heritage—of being set up by the mutuals for the mutuals—remains at the heart of DA’s business today.

Vectra is a leading Australian owned and operated cybersecurity company. Providing specialist consulting services, managed security services and security solutions throughout Asia Pacific since 2001. Vectra team offers a diverse range of experience and capabilities, which in include but not limited to Governance Risk & Compliance (GRC) Consulting, Penetration Testing & Vulnerability Assessment, Endpoint Security, Network Security, Identity Security, Cloud Security, Managed SIEM and Incident Response.