The new cloud-native SIEM is built with features supporting hybrid cloud interoperability, open source, and automated threat detection.

IBM has announced that it has rebuilt its security information and event management (SIEM) offering, QRadar, on a cloud-native architecture to help organizations scale their hybrid cloud and AI workloads. The new offering combines the existing SIEM core of the QRadar suite with new threat detection and generative AI capabilities, and is intended to scale data ingestion, search, and analytics.

"We rebuilt our new cloud-native SIEM from the ground up, starting with Red Hat OpenShift as the underlying data architecture and leveraging a high-performance data warehousing technology for log management," said Chris Meenan, vice president of product management at IBM Security. "Current QRadar customers will now be offered a way to modernize their security operations with a data foundation that is built specifically for the needs of hybrid multi-cloud environments."

IBM QRadar Cloud-Native SIEM will initially be delivered as SaaS by the end of the year, with plans to deliver software for on-premises and multicloud environments in 2024.

Cloud-native SIEM for interoperability

IBM's new SIEM -- built on Red Hat OpenShift for cloud-agnostic deployment -- is designed to be open on a "foundational level," which allows for interoperability with multiple cloud vendors and their tools. This is achieved by using open source software and open standards for core functions, including threat detection rules and search languages.

"IBM's open approach is absolutely critical for allowing clients to take advantage of cloud-native benefits across hybrid multi-cloud environments," Meenan said.
"Other vendors offer an architecture based more on a single cloud approach, which makes it so that the security analytics, integrations, and search options work well within their native cloud, but are difficult to implement across a dispersed, hybrid cloud environment."

Under this "open" approach, the new SIEM supports Sigma, a vendor-neutral, shared format for detection rules, so that clients can import new, crowdsourced detections directly from the security community as threats evolve. The use of open source technologies brings a promise of "federated search and threat hunting capabilities," allowing analysts to search for and investigate threats across all cloud and on-premises data sources in a "single, unified way, without moving data from its original source," IBM said.

However, a cloud-native architecture by itself might not be enough for IBM to compete with established players.

"IBM has no advantage with the cloud-native architecture alone as vendors like Devo, Google, Microsoft, and Splunk have pursued a similar strategy," said Jon Oltsik, an analyst at ESG. "IBM must compete on feature/functionality, but it has a good story to tell that includes openness, data federation, support for standards, a partner ecosystem, etc."

New SIEM uses AI and automation

The new SIEM introduces several AI capabilities, and carries over others from the existing QRadar products, to automate threat detection and investigation. The AI-powered capabilities in the new SIEM include alert prioritization, threat investigation, and adaptive detection. Home-grown AI algorithms are used to de-prioritize noise and to automate the grouping, contextualizing, and escalation of high-priority alerts. Threat investigation also uses AI engines to run automated searches across connected systems, generating a visual attack timeline, MITRE ATT&CK mappings, and recommended actions. Adaptive detection refers to the automatic updating of detection rules as new threat intelligence arrives.
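The interoperability section above rests on Sigma as the shared detection-rule format. The following is an added example, not IBM's or the Sigma project's code, showing what such a rule looks like and what a SIEM has to do to evaluate it: a minimal evaluator for a subset of Sigma (field modifiers |contains, |startswith, |endswith and |re, list values as OR, multiple fields as AND, and a condition built from selection names with and / or / not) run over a handful of constructed process-creation events. The rule is written as the Python dict that a YAML parser would produce, so the block needs no YAML library; the rule content, the event records, and the "approved-admin-tool.exe" path used in the filter are all hypothetical.

```python
"""Tiny evaluator for a subset of the Sigma detection-rule format (added example)."""
import re
from typing import Optional

# Constructed rule, as the dict a YAML parser would return for this Sigma YAML:
#   detection:
#     selection:
#       Image|endswith: '\powershell.exe'
#       CommandLine|contains: ['-enc', '-EncodedCommand']
#     filter:
#       ParentImage|endswith: '\approved-admin-tool.exe'   # hypothetical allow-listed parent
#     condition: selection and not filter
RULE = {
    "title": "Encoded PowerShell Command Line (constructed example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": r"\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        "filter": {"ParentImage|endswith": r"\approved-admin-tool.exe"},
        "condition": "selection and not filter",
    },
    "level": "medium",
}


def _matches_value(actual: str, expected: str, modifier: Optional[str]) -> bool:
    """Compare one field value; Sigma string matches are case-insensitive, |re is not."""
    if modifier == "re":
        return re.search(expected, actual) is not None
    a, e = actual.lower(), expected.lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return a == e  # plain equality (wildcards are not handled in this subset)


def _selection_matches(selection: dict, event: dict) -> bool:
    """All fields of a selection must match (AND); a list of values matches if any does (OR)."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        actual = event.get(field)
        if actual is None:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_matches_value(str(actual), str(v), modifier or None) for v in values):
            return False
    return True


def _eval_condition(condition: str, results: dict) -> bool:
    """Evaluate 'a and not b or c' over selection results; precedence: not > and > or."""
    tokens = condition.split()
    pos = [0]

    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None

    def parse_not():
        if peek() == "not":
            pos[0] += 1
            return not parse_not()
        name = tokens[pos[0]]
        pos[0] += 1
        if name not in results:
            raise ValueError(f"condition references unknown selection {name!r}")
        return results[name]

    def parse_and():
        value = parse_not()
        while peek() == "and":
            pos[0] += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_or():
        value = parse_and()
        while peek() == "or":
            pos[0] += 1
            rhs = parse_and()
            value = value or rhs
        return value

    result = parse_or()
    if pos[0] != len(tokens):
        raise ValueError(f"unparsed tokens in condition: {tokens[pos[0]:]}")
    return result


def match_rule(rule: dict, event: dict) -> bool:
    """True if the event satisfies the rule's condition."""
    detection = rule["detection"]
    results = {name: _selection_matches(sel, event)
               for name, sel in detection.items() if name != "condition"}
    return _eval_condition(detection["condition"], results)


def run_rule(rule: dict, events: list) -> list:
    """Return the _id of every event the rule fires on, in input order."""
    return [ev["_id"] for ev in events if match_rule(rule, ev)]


# Constructed process-creation events; the base64 payload is filler, not a real script.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"_id": "evt-1", "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QQBBAEEA",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"_id": "evt-2", "Image": PS, "CommandLine": "powershell.exe -enc QQBBAEEA",
     "ParentImage": r"C:\Tools\approved-admin-tool.exe"},          # suppressed by filter
    {"_id": "evt-3", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c echo -enc",
     "ParentImage": r"C:\Windows\explorer.exe"},                    # wrong Image
    {"_id": "evt-4", "Image": PS.upper(), "CommandLine": "POWERSHELL.EXE -ENC QQBBAEEA",
     "ParentImage": r"C:\Windows\explorer.exe"},                    # case-insensitive hit
]

if __name__ == "__main__":
    print(RULE["title"], "->", run_rule(RULE, EVENTS))
```

Run stand-alone, the block reports that the rule fires on evt-1 and evt-4 and not on evt-2 (excluded by the filter) or evt-3 (Image does not match). A production SIEM backend compiles the same rule into its own query language rather than walking events in Python, but the semantics it has to preserve are exactly these: case-insensitive string matching, OR across list values, AND across fields, and a boolean condition over named selections.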
"The AI technologies within QRadar SIEM have been developed within IBM and refined over the course of several years, trained on millions of alerts from thousands of clients, as well as external threat context and historical analyst response patterns," Meenan said. "Some of these AI capabilities were also developed in collaboration with IBM's cybersecurity services team, which manages security operations for thousands of clients around the world."

As part of the announcement, IBM revealed its plans to release generative AI-based security capabilities via QRadar Suite in early 2024, which will be primarily built on watsonx, the company's AI and data platform.

"Given its experience with Watson and IBM's overall commitment to AI corporate wide, I believe its generative AI capabilities will be strong, but this is a confusing area for customers," said Oltsik. "IBM needs to educate the market with thought leadership and then make it seamless for customers to implement GAI."

IBM will continue supporting its current QRadar SIEM offering, while also offering customers a transition option to the new cloud-native SIEM.