Under its “open” approach, the new SIEM is built to support a common, shared language for detection rules, Sigma, which lets clients import new crowdsourced detections directly from the security community as threats evolve.
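To make concrete what a shared rule language buys a defender, here is an added example (not IBM's or the Sigma project's code) that evaluates a Sigma-style rule, shown as it would look after YAML parsing, against a few constructed process-creation events; the rule, the events and the field names it assumes are illustrative, and the evaluator covers only a small subset of Sigma's matching and condition syntax.

```python
# Added example (not IBM's or the Sigma project's code): evaluates a Sigma-style
# rule against constructed events. Subset only: exact/contains/endswith matching
# and conditions of the form "A and B", "A and not B", "A or B".
RULE = {  # a Sigma rule as it looks after YAML parsing (constructed example)
    "title": "Whoami Execution",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\whoami.exe"},
        "filter": {"ParentImage|contains": "\\approved_admin_tool\\"},
        "condition": "selection and not filter",
    },
}

def _field_matches(event, spec, expected):
    """Match one field spec such as 'Image|endswith' against an event (case-insensitive)."""
    field, _, modifier = spec.partition("|")
    actual = str(event.get(field, "")).lower()
    values = expected if isinstance(expected, list) else [expected]
    for value in (str(v).lower() for v in values):  # a list of values is OR
        if (modifier == "" and actual == value
                or modifier == "contains" and value in actual
                or modifier == "endswith" and actual.endswith(value)):
            return True
    return False

def _block_matches(event, block):
    # Fields inside one named block (e.g. "selection") are ANDed together.
    return all(_field_matches(event, k, v) for k, v in block.items())

def rule_matches(rule, event):  # evaluate the condition string over the named blocks
    det = rule["detection"]
    tokens = det["condition"].split()
    result = _block_matches(event, det[tokens[0]])
    i = 1
    while i < len(tokens):
        op, negate = tokens[i], tokens[i + 1] == "not"
        name = tokens[i + 2] if negate else tokens[i + 1]
        rhs = _block_matches(event, det[name]) != negate  # "!=" inverts on not
        result = (result and rhs) if op == "and" else (result or rhs)
        i += 3 if negate else 2
    return result

EVENTS = [  # constructed process-creation events using Sigma's field names
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Tools\\approved_admin_tool\\x.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

def alerts(rule=RULE, events=EVENTS):  # indexes of events that fire the rule
    return [i for i, e in enumerate(events) if rule_matches(rule, e)]
```

Only the first event fires: the second is suppressed by the rule's filter block, which is how community rules carry their own false-positive exclusions alongside the detection logic.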
The use of open source technologies brings a promise of “federated search and threat hunting capabilities,” allowing searching and investigating threats across all cloud and on-premises data sources in a “single, unified way, without moving data from its original source,” IBM said.
However, a cloud-native approach in itself might not be enough for IBM to compete with existing players. “IBM has no advantage with the cloud-native architecture alone as vendors like Devo, Google, Microsoft, and Splunk have pursued a similar strategy,” said Jon Oltsik, an analyst at ESG. “IBM must compete on feature/functionality, but it has a good story to tell that includes openness, data federation, support for standards, a partner ecosystem, etc.”
New SIEM uses AI and automation
The new SIEM introduces, and in some cases borrows, several AI capabilities to automate threat detection and investigation. Among the AI-powered capabilities in the new SIEM are alert prioritization, threat investigation, and adaptive detection.
Home-grown AI algorithms are used to de-prioritize noise and to automate the grouping, contextualizing, and escalating of high-priority alerts. Threat investigation also uses AI engines to run automated searches across connected systems, generating a visual attack timeline, MITRE ATT&CK mappings, and recommended actions. Adaptive detection refers to the automatic updating of detection rules as new intelligence arrives.
“The AI technologies within QRadar SIEM have been developed within IBM and refined over the course of several years, trained on millions of alerts from thousands of clients, as well as external threat context and historical analyst response patterns,” Meenan said. “Some of these AI capabilities were also developed in collaboration with IBM’s cybersecurity services team, which manages security operations for thousands of clients around the world.”