SysFlow v1.0.0 is here, with new integrations with IBM QRadar

By Korinne Alpers posted Tue December 15, 2020 02:22 PM

We are excited to launch v1.0.0 of the SysFlow integration and content extension for QRadar. SysFlow is an open source framework for securing containers and Linux-based systems. SysFlow builds all the plumbing required for system telemetry, and provides a scalable, container-native platform for analytics on cloud and enterprise environments. In this release, we introduce new integrations with IBM QRadar so that users can gather contextual insights for threat hunting and full visibility into their compute workloads. 




What is SysFlow?
At its core, SysFlow is a data format for creating security and performance analytics. This new format lifts raw system event information into an abstraction that describes process behaviors, and their relationships with containers, files, and network activity. The telemetry format drastically reduces endpoint event collection rates and naturally links these entities together to provide context for analytics, provenance, and broad visibility into container workloads.



Why did we make SysFlow? 
Much of the reasoning behind building SysFlow can be boiled down to two points: 
  1. We needed a host-level monitoring source that is container-aware, but couldn't find a solution that offered full visibility into system workloads without a massive data footprint. 
  2. We needed a common standard for how container behaviors should be represented, since the security monitoring market is largely dominated by proprietary tooling. This means that admins are often sourcing monitoring data from multiple agents, in order to satisfy visibility and regulatory requirements. 



What are some key benefits of using SysFlow?
  • Detect runtime threats and malicious activities
    SysFlow enables detection of attacks and misbehaviors at the workload and host levels. When integrated with a SIEM like QRadar, users can observe attacker TTPs and automate workflows for incident response, threat hunting, and forensic use cases.
  • Deep visibility into Kubernetes for performance and security monitoring
    SysFlow provides container-aware, flow-centric semantics for continuous system telemetry by capturing process control flows, file interactions, and network communications.
  • Lightweight and extendable
    SysFlow’s semantic compression enables rule-based and behavioral analytics while preserving relevant data. Security teams can focus on high-priority risks immediately, as SysFlow filters out noisy alerts and proactively aggregates security-relevant behaviors in the collected data streams. With open-source APIs, tools, and flexible deployment options, users can integrate SysFlow and extend their existing security stack.
  • Open and common standards
    Though moving to the cloud has overall standardized approaches to development and operations, the security monitoring market is still largely fragmented and lacking open standards for representing container behaviors. SysFlow seeks to alleviate these issues and act as a “single pane of glass” by providing a common data model and pluggable data analytics pipeline architecture. This open-source telemetry format is community-driven and non-proprietary, which makes it suitable for cloud-wide monitoring and adoption.
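The flow-centric abstraction described under "What is SysFlow?" and the "semantic compression" listed above can be illustrated with a small aggregator: raw per-syscall events for a process are folded into one record per (container, process, operation, resource) within a time window, keeping counts, byte totals and timestamps so the linked process/file/network context survives while the event volume drops. This is an added example written for this post, not SysFlow's own code or its actual record schema; the event fields, the one-second window and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RawEvent:
    """One raw system event (constructed; a simplified stand-in for syscall telemetry)."""
    ts: int          # milliseconds since capture start
    container: str   # container the process runs in
    pid: int
    exe: str
    op: str          # "read", "write", "connect", "send"
    resource: str    # file path or "ip:port"
    nbytes: int


@dataclass
class Flow:
    """Aggregate of repeated events with the same key inside one time window."""
    container: str
    pid: int
    exe: str
    op: str
    resource: str
    first_ts: int
    last_ts: int
    count: int
    total_bytes: int


def aggregate(events, window_ms=1000):
    """Fold raw events into flows keyed by (container, pid, exe, op, resource).

    A flow is emitted when window_ms has elapsed since its first event (a new
    flow then starts for the same key) or when the input is exhausted.
    """
    open_flows = {}
    emitted = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.container, ev.pid, ev.exe, ev.op, ev.resource)
        f = open_flows.get(key)
        if f is not None and ev.ts - f.first_ts >= window_ms:
            emitted.append(f)          # window expired: flush and start over
            f = None
        if f is None:
            f = Flow(*key, first_ts=ev.ts, last_ts=ev.ts, count=0, total_bytes=0)
            open_flows[key] = f
        f.last_ts = ev.ts
        f.count += 1
        f.total_bytes += ev.nbytes
    emitted.extend(open_flows.values())
    emitted.sort(key=lambda f: f.first_ts)
    return emitted


def compression_ratio(events, flows):
    """How many raw events each emitted flow stands for."""
    return len(events) / len(flows) if flows else 0.0


def process_context(flows, container, pid):
    """Group one process's flows by operation: the linked file/network view an analyst sees."""
    ctx = defaultdict(list)
    for f in flows:
        if f.container == container and f.pid == pid:
            ctx[f.op].append(f.resource)
    return dict(ctx)


def sample_events():
    """Constructed raw events: one shell in container web-1 reads a log, writes a
    file, then opens a connection and sends data. 451 events in total."""
    evs, t = [], 0
    for _ in range(300):
        evs.append(RawEvent(t, "web-1", 4242, "/bin/sh", "read", "/var/log/app.log", 4096)); t += 1
    for _ in range(100):
        evs.append(RawEvent(t, "web-1", 4242, "/bin/sh", "write", "/tmp/out", 1024)); t += 1
    evs.append(RawEvent(t, "web-1", 4242, "/bin/sh", "connect", "10.0.0.5:443", 0)); t += 1
    for _ in range(50):
        evs.append(RawEvent(t, "web-1", 4242, "/bin/sh", "send", "10.0.0.5:443", 512)); t += 1
    return evs


if __name__ == "__main__":
    evs = sample_events()
    flows = aggregate(evs)
    print(f"{len(evs)} raw events -> {len(flows)} flows "
          f"(ratio {compression_ratio(evs, flows):.1f}x)")
    for f in flows:
        print(f"{f.exe}[{f.pid}]@{f.container} {f.op:8s} {f.resource:18s} "
              f"n={f.count} bytes={f.total_bytes} t={f.first_ts}-{f.last_ts}")
    print(process_context(flows, "web-1", 4242))
```

Running the sample turns 451 raw events into 4 flows; shrinking the window (for example `aggregate(evs, window_ms=100)`) splits the long read burst into several flows and shows the trade-off between volume and time resolution. The `process_context` view is the point of the abstraction: the file reads, the file write and the outbound connection of the same process in the same container arrive already linked, rather than as hundreds of unrelated events the SIEM has to correlate.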



What's new in SysFlow v1.0.0

For this release, we focused on ways that security teams can easily deploy SysFlow, as well as ingest SysFlow data into a SIEM like QRadar. 
Below you'll find new integrations that are part of this release: 
  • SysFlow Processor (open-source)
    Analyze and enrich streaming SysFlow data at the edge. 
  • SysFlow deployments (open-source) 
    New deployment scripts for deploying SysFlow on Docker, Kubernetes, and OpenShift. 

SysFlow v1.0.0 for QRadar tracks the 0.2 releases of the open source SysFlow projects.



Want to learn more? 
  • Repos & QRadar documentation
  • Open source community
  • Videos