
IBM Security QRadar and Amazon Security Lake

By Olga Hout posted Tue May 30, 2023 04:24 PM


IBM Security and AWS have a strong history of collaboration and interoperability, and we're excited to make Amazon Security Lake support available in our QRadar portfolio.

IBM QRadar SIEM customers can already integrate natively with 9 AWS services delivered via a variety of AWS data collectors such as Kinesis or CloudWatch Events, in addition to the over 700 integrations with hybrid security products and infrastructure available across the IBM QRadar Threat Management portfolio.

Amazon Security Lake

Amazon Security Lake is a new security data lake allowing AWS customers to access their AWS log and event data centrally and consistently across multiple services.

When subscribed to Amazon Security Lake, customers can use it as an alternative integration method with IBM QRadar SIEM and leverage its advanced threat detection and correlation. Amazon Security Lake will provide a way for customers to consolidate CloudTrail management events and Route 53 Resolver query logs.

Additionally, many other third-party security logs and findings will be available to IBM QRadar via Amazon Security Lake. IBM has also added support for a Unified Analyst Experience (UAX) capability for Amazon Security Lake, so historical information held in Security Lake can be used for threat hunting or investigation. This functionality leverages the federated search capability of STIX Shifter from the Open Cybersecurity Alliance.

AWS Security Lake Features

Some key ways that Security Lake helps centralize, manage, and subscribe to security-related log and event data include:

    • Variety of supported log and event sources.
      Security Lake collects security logs and events from multiple sources, including on-premises, AWS services, and third-party services.

    • Data transformation and normalization.
      Security Lake automatically partitions incoming data from natively supported AWS services and converts it to a storage- and query-efficient Parquet format. It also transforms data from natively supported AWS services to the Open Cybersecurity Schema Framework (OCSF) open-source schema.

    • Multiple levels of access for subscribers.
      Subscribers consume data stored in Security Lake, and it automatically creates and exchanges the credentials needed between Security Lake and the subscriber.

    • Multi-account and multi-Region data management.
      You can centrally enable Security Lake across all Regions where it's available and across multiple AWS accounts.

    • Configurable and customizable.
      You can specify which sources, accounts, and Regions you want to configure log collection for.

To learn more, please visit the AWS Security Lake user guide.

IBM Security and OCSF

For years the security community had no agreed-upon data model for logs and alerts; each vendor would typically develop their own. That changed when the Open Cybersecurity Schema Framework (OCSF) was introduced. Developed and supported by AWS, Splunk, IBM Security, and 15 other leading security and IT vendors, OCSF released a common schema for data representation in August 2022. Amazon Security Lake implements OCSF as a core part of the product to simplify compatibility with other solutions.

IBM QRadar XDR Connect threat hunting query of Amazon Security Lake with OCSF format data.

IBM QRadar XDR Connect translated results of OCSF data from Amazon Security Lake.

What is OCSF?

Open Cybersecurity Schema Framework is an open-source effort to create a common schema for security events across the cybersecurity ecosystem.

What problems does OCSF solve?

One of the primary challenges of cybersecurity analytics is that there is no common and agreed-upon format and data model for logs and alerts. There are *many* models that exist, including some open ones like STIX, OSSEM, and the Sigma taxonomy. The challenge to date is that none of these have become widely adopted by products for logging and event purposes, and thus they require a lot of manual work to get value from. With OCSF, we are now at a moment where we have that critical mass as well as a genuine willingness to tackle these challenges.
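To make the point concrete, here is an added example (not IBM or AWS code) that takes two constructed records in their native layouts, a CloudTrail-style management event and a Route 53 Resolver-style query log, maps each onto an OCSF-shaped event, and then runs a single query over both. The field names used are a simplified subset of the OCSF schema as assumed here (class_uid, type_uid, activity_id, time, actor, api, query, src_endpoint, cloud); the sample records and timestamps are constructed.

```python
"""Normalise two differently shaped cloud log records into a common OCSF-style
shape, then query both with one predicate. Constructed sample input; the field
layout is an assumed, simplified subset of OCSF, not a full implementation."""
from datetime import datetime

# Constructed sample records, each in its native (pre-OCSF) layout.
CLOUDTRAIL_SAMPLE = {
    "eventTime": "2023-05-30T16:24:00Z", "eventSource": "iam.amazonaws.com",
    "eventName": "CreateUser", "awsRegion": "us-east-1",
    "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.7",
}
RESOLVER_SAMPLE = {
    "query_timestamp": "2023-05-30T16:25:10Z", "query_name": "example.com.",
    "query_type": "A", "srcaddr": "10.0.0.5", "region": "us-east-1",
}

API_ACTIVITY, DNS_ACTIVITY = 6003, 4003   # OCSF class_uid: API Activity, DNS Activity
ACTIVITY_CREATE, ACTIVITY_QUERY, ACTIVITY_OTHER = 1, 1, 99

def _epoch_ms(ts: str) -> int:
    """ISO-8601 'Z' timestamp -> milliseconds since the epoch (OCSF 'time')."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp() * 1000)

def cloudtrail_to_ocsf(ev: dict) -> dict:
    """Map a CloudTrail management event onto the API Activity class."""
    activity = ACTIVITY_CREATE if ev["eventName"].startswith("Create") else ACTIVITY_OTHER
    return {"class_uid": API_ACTIVITY, "activity_id": activity,
            "type_uid": API_ACTIVITY * 100 + activity,      # OCSF: class_uid*100 + activity_id
            "time": _epoch_ms(ev["eventTime"]),
            "actor": {"user": {"name": ev["userIdentity"]["userName"]}},
            "api": {"operation": ev["eventName"], "service": {"name": ev["eventSource"]}},
            "src_endpoint": {"ip": ev["sourceIPAddress"]},
            "cloud": {"provider": "AWS", "region": ev["awsRegion"]}}

def resolver_to_ocsf(ev: dict) -> dict:
    """Map a Route 53 Resolver query log onto the DNS Activity class."""
    return {"class_uid": DNS_ACTIVITY, "activity_id": ACTIVITY_QUERY,
            "type_uid": DNS_ACTIVITY * 100 + ACTIVITY_QUERY,
            "time": _epoch_ms(ev["query_timestamp"]),
            "query": {"hostname": ev["query_name"].rstrip("."), "type": ev["query_type"]},
            "src_endpoint": {"ip": ev["srcaddr"]},
            "cloud": {"provider": "AWS", "region": ev["region"]}}

def events_in_region(events: list, region: str, since_ms: int) -> list:
    """One predicate over both classes; only possible because 'cloud' and 'time'
    sit in the same place regardless of which product emitted the record."""
    return [e["class_uid"] for e in events
            if e["cloud"]["region"] == region and e["time"] >= since_ms]
```

Once records share this shape, a SIEM rule written against `cloud.region`, `time` or `src_endpoint.ip` applies to every source without per-vendor parsing, which is the manual work the paragraph above describes.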

Ways to get involved

OCSF is a public project hosted on GitHub, with a governance committee made up of participants from across the industry and an initial working list of event categories.

Please, let me know if your team will be using these integrations. Your feedback is what fuels our continuous development.