SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals

Attackers continue to become more skilled at penetrating organizations' networks. Defenders need intelligent systems that provide meaningful data to detect advanced attacks. SIEM solutions are valuable tools for any security team. However, getting the most out of a SIEM solution requires a focus on reporting, correlating and analyzing events across security systems. This is especially important for intrusion detection. Today's attacks routinely bypass signature-based systems and therefore require additional data sources beyond simply detecting specific attack traffic. Spending the time and effort to fully develop the correlation and reporting aspects of a SIEM can dramatically improve a team's ability to detect a compromise. While this paper focuses on Q1 Labs QRadar, the intent is to provide rules and alerts that could also be used in other environments.