IBM® Security QRadar® Network Anomaly Detection enhances IBM intrusion prevention system (IPS) solutions by providing greater insight into network behavior and abnormal activity to better identify security threats. By correlating IPS alerts, vulnerabilities, network traffic and threat intelligence, IBM Security QRadar Network Anomaly Detection helps deliver a more complete, three-dimensional view of your organization’s network activity and security risks.

IBM Security QRadar Network Anomaly Detection:

  • Provides increased network visibility and threat detection by analyzing network flows, IPS, infrastructure logs and user activity events in near real time to monitor and flag abnormal behavior.
  • Delivers automated dashboards and reports to provide insight and help save time.
  • Provides automated asset profiling that tracks assets by IP address and user identity data.
  • Uses workflow management to track threats and support resolution by creating offenses that contain a complete summary of the problem.

Provides increased network visibility and threat detection

  • Correlates IPS events, network traffic, vulnerabilities, user activity and threat intelligence in near real time.
  • Performs activity baselining and anomaly detection at virtually any level of interest, improving the ability to detect stealthy breaches where evidence of a compromise may be slight.
  • Offers a high degree of granularity and flexibility in anomaly detection using straightforward parameters for the learning and trigger periods.
  • Provides advanced threat intelligence from IBM X-Force® and third-party feeds.

Delivers automated dashboards and reports

  • Includes predefined dashboards that can be customized and shared with other users.
  • Compiles information such as event and flow searches, network activity and offenses.
  • Provides ready-made reports; enables creation of custom reports; allows modification of existing report templates.
  • Runs reports on an ad-hoc basis or automatically on a periodic or custom schedule.

Provides automated asset profiling

  • Automatically builds an asset database of hosts on the network and identifies services running on each host.
  • Maps user information to asset profiles, which creates deep contextual knowledge about the environment.
  • Collects and normalizes vulnerability data to monitor and correlate network activity, helping to reduce false positives and adjust incident scores.

Uses workflow management to track threats and support resolution

  • Creates incident records that contain a complete problem summary and all contextual and related data.
  • Allows tagging of incidents for further investigation; sends email notifications when incidents are updated; dismisses closed incidents.
  • Enables external ticketing systems to add information or close any resolved incidents.