IBM Security QRadar Network Threat Analytics (NTA) v1.1

By Tom Obremski posted Fri June 24, 2022 02:09 PM


For those who value network security (or cyber security in general), you’ll be happy to know that IBM Security QRadar Network Threat Analytics (NTA) has just released a significant update to the app and its analytics, UI and overall capabilities.  NTA v1.1 is available for download from the X-Force App Exchange and is available to all QRadar customers.  As with the previous release, after being installed NTA will automatically start analyzing and baselining your network flow or IBM Security QRadar Network Insights (QNI) data to build detailed models of what is normal for your network so that it can automatically detect new or deviating behaviors. 

NTA v1.1 adds additional analytics along with finding / event generation to leverage the power of network analytics across the QRadar platform.

The NTA v1.1 release includes additional analytics that further analyze the initial set of behavioral analytics results, monitoring activity over time and across related network sessions to refine those results and produce higher-fidelity NTA findings and events.  NTA findings are new to the v1.1 release and represent activity that doesn't align with what is expected for network communications between devices.  That activity continues to be monitored over time, with the analytics continually updating the finding as new information of interest becomes available.  If the finding score exceeds a configurable threshold, events are generated, enabling these results to be used by both rules and other analytics to enhance your detection and response capabilities.


NTA v1.1 provides a completely new UI, workflow and user experience

The additional analytics and findings in NTA v1.1 provide new insights into new or unusual activity on your network.  To enable analysts to visualize, understand and investigate what is happening on your networks we’ve created a completely new UI.


The Dashboard

When you pivot into NTA you’ll now see a dashboard showing an overview of your network activity, analytics status, most common / least common applications, communications by country, along with a timeline of your network finding activity and a prioritized table of findings.

NTA Dashboard


From this dashboard, you can drill down into any of the findings listed or click the blue Network Data button in the upper right to pivot into a comprehensive view of all network activity.


Finding detail and drill down

Clicking the Finding ID or arrow on any row in the Findings table on the dashboard will take you into the detailed analytics results and network activity associated with that finding.  An NTA finding is associated with a set of IP addresses and their application activity.

Finding Detail

At the top you'll see a summary of the network connection along with a breakout of the analytics scoring by category for the most significant activity observed for this finding, and MITRE ATT&CK sub-techniques when the observed behavior potentially aligns with those techniques.  Further down you'll see a list of flow sessions associated with this finding that shows the specifics of each session along with identifiers of the different categories of activity that are deviating for each network session.


Drilling down into the analytics for each network session / flow

Clicking the flow ID or arrow on any of these rows takes you to the detailed analysis of that specific network session. 

Network Data


Here you’ll see a summary of key information associated with this network session along with a timeline of activity.  Below the timeline is a table listing the individual flow records for this particular session.


Analytics by Flow Record

Your ability to drill down continues by selecting one of the flow records in the table.

Flow Analytics I / Flow Analytics II


Here you'll see a summary of the activity associated with this flow record and its analytics score, and a graph with horizontal bars showing which attributes were considered outliers (purple bars) and which were within their normal ranges but still contributing factors in terms of new or unexpected activity (green bars).  Below this you'll see the detailed list of attributes, their values, and the expected set or range of values based on your network baseline.


Pivot further as part of your investigation

As your investigation continues, you have several options available.

Filter pivots

You can choose to view your network data in either Network Activity or Analyst Workflow, depending on the UI you are using.  Or you can broaden your investigation by viewing all data associated with a particular network flow / session by Flow ID, IP, source network or destination network.


Network analysis and threat hunting

For analysis and threat hunting beyond just the findings identified by NTA, clicking on the “View Network Data” button on the dashboard takes you to a comprehensive view of your network activity with powerful options to filter and pivot through what is happening across your networks.


Detecting and responding to threats on your network

NTA v1.1 adds some amazing new capabilities to the QRadar platform.  I would encourage all QRadar customers to download and install NTA as part of your deployment to gain better visibility into what is happening on your network and detect subtle threat activity that could otherwise be missed.  And if you don’t currently utilize network flows or QNI data as one of your QRadar data sources, this is a great opportunity to forward flows from your network devices to QRadar or deploy QNI for even deeper network visibility.
