IBM QRadar SIEM & XDR Connect add support for Amazon Security Lake & AWS Verified Access

By Gaurav Sharma posted Tue November 29, 2022 02:23 PM


As more customers move to the cloud, the cyber-security landscape has become increasingly complex. Now, more than ever, teams across organizations need to work together to detect and stop bad actors.

IBM Security and AWS have collaborated very effectively in the past and continue to do so. IBM QRadar SIEM customers can integrate natively with 9 AWS services, in addition to the over 700 integrations with hybrid security products and infrastructure available across the IBM QRadar XDR product suite.

Further enhancing this suite of integrations, we are happy to announce that we will support the newly released Amazon Security Lake and AWS Verified Access services.

Amazon Security Lake

Amazon Security Lake is a new security data lake that gives AWS customers centralized access to their AWS log and event data in a consistent format across multiple services. Customers subscribed to Amazon Security Lake will be able to use it as an alternative integration method with IBM QRadar SIEM and leverage its advanced threat detection and correlation. Amazon Security Lake will provide a way for customers to consolidate VPC flow logs, CloudTrail management events, Route 53 Resolver query logs, S3 data events, Lambda function execution activity, and security findings from 8 AWS services via Security Hub. Additionally, many other third-party security logs and findings will be available to IBM QRadar via Amazon Security Lake. IBM has also added federated search support for Amazon Security Lake to our IBM QRadar XDR Connect product, so historical data stored in Security Lake can be queried for threat hunting or investigations.

For years the security community had no agreed-upon data model for logs and alerts; each vendor would typically develop their own. That changed with the Open Cybersecurity Schema Framework (OCSF), developed and supported by AWS, Splunk, IBM Security and 15 other leading security and IT vendors, which released a common schema for representing security data earlier this year. Amazon Security Lake implements OCSF as a core part of the product to simplify compatibility with other solutions. For those interested, I would highly recommend reading my colleague’s blog here.

IBM QRadar XDR Connect threat hunting query of Amazon Security Lake with OCSF format data

IBM QRadar XDR Connect translated results of OCSF data from Amazon Security Lake

AWS Verified Access

In the last few years, the “work from anywhere” model has made IT security more challenging. Companies wish to grant flexibility to their employees without compromising the security of their applications. To tackle this new use case, AWS is introducing a new service called AWS Verified Access. AWS Verified Access will allow secure access to applications in AWS without a VPN, applying Zero Trust principles by validating every request, irrespective of the user’s network or location. IBM QRadar SIEM is adding support for AWS Verified Access logs and events as a new data source for our threat analytics and correlation.

AWS Verified Access logs will support the OCSF format, embracing the principles of open security standards. These logs will be ingested and parsed by IBM QRadar SIEM, giving customers visibility into every access request and helping them detect and prevent security incidents.