IBM Verify Antenna

IBM® Verify Antenna is a lightweight, self-hosted container that enables the seamless exchange of security events and risk signals by using the OpenID Shared Signals Framework.

The Shared Signals Framework (SSF) is a collaborative approach to cybersecurity threat detection and response. It enables organizations to share and act on threat intelligence in a standardized and automated way. By providing a common language and structure for describing security events, the framework facilitates the exchange of critical information between security systems, tools, and stakeholders.

This approach allows for more effective and efficient detection, prevention, and response to cyberthreats, ultimately improving the overall security posture of participating organizations. The framework is flexible and adaptable, supporting a wide range of use cases and threat scenarios, including phishing, ransomware, advanced persistent threats, and supply chain vulnerabilities.

By using the Shared Signals Framework, organizations can enhance their cybersecurity capabilities, reduce the risk of cyberattacks, and increase their resilience in the face of evolving cyberthreats.

IBM Verify Antenna can serve as both a transmitter and a receiver of security events within SSF.
  • As a transmitter, it ingests events from various sources such as files, databases, audit streams, and so on. It transforms them into standards-based or custom event formats, and transmits them securely, as defined by the framework.
  • As a receiver, IBM Verify Antenna consumes events and converts them into actions on target systems. For example, it can revoke user sessions when it detects risky behavior that is associated with a user or device.
IBM Verify Antenna supports both PUSH and POLL delivery methods.

Runtime overview

The diagram shows the flow of data from the information source to IBM Verify Antenna, which transmits the event to the shared signals receiver.
As a transmitter, the IBM Verify Antenna:
  1. Ingests data from an external source.
  2. Converts the data into a standardized security event.
  3. Converts the security event into a security event token (SET), a signed JSON Web Token.
  4. Transmits the SET.
The diagram shows the flow of the event from the shared signals transmitter to IBM Verify Antenna, which performs an action in the Information Source.
As a receiver, the IBM Verify Antenna:
  1. Receives SETs from the transmitter.
  2. Verifies the SET's signature and source.
  3. Performs actions based on the security event that is contained in the SET.
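
The receiver steps above, as an added Node.js example (not IBM Verify Antenna code): it checks a SET's signature, issuer, audience and jti before any action runs. The key pair, the signSet helper and the issuer, audience and subject values are constructed for illustration; the event type is the CAEP session-revoked URI.

```javascript
const crypto = require('node:crypto');

const b64u = (v) => Buffer.from(v).toString('base64url');
const CAEP_REVOKED = 'https://schemas.openid.net/secevent/caep/event-type/session-revoked';

// Constructed transmitter key pair; a real receiver loads the public key
// from the transmitter's published JWKS instead of generating one.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Constructed stand-in for the transmitter's signing step (sample input only).
function signSet(claims, key = privateKey, alg = 'RS256') {
  const input = `${b64u(JSON.stringify({ typ: 'secevent+jwt', alg }))}.${b64u(JSON.stringify(claims))}`;
  const sig = alg === 'none' ? '' : crypto.sign('sha256', Buffer.from(input), key).toString('base64url');
  return `${input}.${sig}`;
}

// Constructed sample values (hypothetical issuer, audience and subject).
const trust = { issuer: 'https://transmitter.example', audience: 'https://receiver.example', key: publicKey };
const sampleClaims = { iss: trust.issuer, aud: trust.audience, jti: 'set-001', iat: 1700000000,
  sub_id: { format: 'email', email: 'user@example.com' }, events: { [CAEP_REVOKED]: {} } };

const seenJti = new Set(); // replay cache; a real receiver persists this

function verifySet(token, { issuer, audience, key }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed SET');
  const [h, p, s] = parts;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString());
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url')))
    throw new Error('bad signature');
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString());
  if (claims.iss !== issuer) throw new Error('unexpected issuer');
  if (![].concat(claims.aud).includes(audience)) throw new Error('wrong audience');
  if (!claims.jti || !claims.events || typeof claims.events !== 'object') throw new Error('not a SET');
  if (seenJti.has(claims.jti)) throw new Error('replayed jti');
  seenJti.add(claims.jti);
  return claims;
}

// Returns the action taken, or the reason the SET was rejected.
function receive(token, trustCfg) {
  try {
    const claims = verifySet(token, trustCfg);
    return CAEP_REVOKED in claims.events ? `revoke sessions: ${claims.sub_id.email}` : 'ignored';
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}
```

The order of checks matters: the algorithm is pinned and the signature verified before any claim from the payload is trusted.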

Stream setup

Receivers register themselves on the transmitter. This relationship between the receiver and the transmitter is called a "stream". The stream configuration defines the delivery method and event type.
Delivery method
The method used to deliver the security event token. This is either push or poll.
  • In "push" mode, the transmitter sends an HTTP request to the receiver's endpoint to "push" any new SETs.
  • In "poll" mode, the receiver polls the transmitter's endpoint to check for any new SETs.
  • For more information, see RFC 8935 and RFC 8936.
Event type
The events that the receiver wants to receive. These can be event types from profiles such as the Continuous Access Evaluation Profile and the Risk Incident Sharing and Coordination profile, or any custom event types agreed upon by both transmitter and receiver.
The diagram shows the interaction between the receiver and the transmitter.

IBM Verify Antenna Components

The IBM Verify Antenna container image consists of multiple internal components.

As a transmitter, IBM Verify Antenna ingests data from multiple sources, transforms it into security events, and transmits them to interested receivers. The transmitter has these components:
Ingester
Collects data from multiple sources.
Processor
Processes the ingested data. In this case, it takes the data from the ingester and converts it into a standardized security event. This transformation is executed with a customizable JavaScript per ingester source.
Transmitter
Prepares and transmits the security events. The security event is signed and converted into a Security Event Token (SET).
  • For PUSH streams, the transmitter sends the relevant SETs.
  • For POLL streams, the transmitter stores the SETs and waits for the receiver to POLL. When the receiver polls the transmitter for events, the transmitter returns the stored SETs. For polling, the receiver must acknowledge the receipt of each SET. For SETs that have not been acknowledged, the transmitter resends them in the next polling cycle.
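
The POLL acknowledgment cycle described above, as an added JavaScript example (not IBM Verify Antenna code): a hypothetical in-memory PollStream that keeps each SET queued until the receiver acknowledges its jti. The ack, maxEvents, sets and moreAvailable fields follow RFC 8936; the class name and the SET strings are constructed.

```javascript
// Hypothetical in-memory model of one POLL stream on the transmitter side.
class PollStream {
  constructor() {
    this.pending = new Map(); // jti -> SET (compact JWT string), in arrival order
  }

  // Called by the transmitter when a new SET is ready for this stream.
  enqueue(jti, set) {
    this.pending.set(jti, set);
  }

  // Handles one poll request body and returns the response body.
  poll({ ack = [], maxEvents = Infinity } = {}) {
    // Only acknowledged SETs are dropped; everything else stays queued
    // and is returned again on a later poll.
    for (const jti of ack) this.pending.delete(jti);
    const sets = {};
    let sent = 0;
    for (const [jti, set] of this.pending) {
      if (sent++ >= maxEvents) break;
      sets[jti] = set;
    }
    return { sets, moreAvailable: this.pending.size > Object.keys(sets).length };
  }
}

// Constructed walk-through: three SETs, the receiver acknowledges only one at first.
function demo() {
  const stream = new PollStream();
  ['set-001', 'set-002', 'set-003'].forEach((jti) => stream.enqueue(jti, `<signed SET ${jti}>`));
  const first = stream.poll({ maxEvents: 2 });                     // set-001, set-002
  const second = stream.poll({ ack: ['set-001'], maxEvents: 2 });  // set-002 is resent
  const third = stream.poll({ ack: ['set-002', 'set-003'] });      // queue is empty
  return { first, second, third };
}
```

Because unacknowledged SETs are redelivered, the receiver can see the same jti more than once and has to treat processing as idempotent.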
The diagram shows the flow of data from the data source to IBM Verify Antenna, which processes and converts the data to a security event. The event is then transmitted to the shared signals receiver.
As a receiver, IBM Verify Antenna registers a stream with a transmitter and either polls for events or waits for events to be pushed based on the delivery method. The events are validated, and then an action can be taken. The receiver has these components:
Receiver
Receives pushed SETs or polls the transmitter for SETs. The SET is validated and persisted before the receiver sends back an acknowledgment for the SET.
Processor
For each event type received, a customizable JavaScript can be executed to read the event and perform an action. This customizable JavaScript is per event type.
The diagram shows the interaction between the shared signals transmitter and IBM Verify Antenna, which then performs an action on the target data source.