How to Integrate IBM QRadar and Safeguarded Copy to Enhance Cyber Resiliency
Early detection of threats is possible with IBM QRadar and Safeguarded Copy (a feature within IBM FlashSystem). Combining these tools for early detection enables swift recovery of data in the event of a cyber attack.
IBM’s feature for immutable snapshots is Safeguarded Copy. It automatically creates space-efficient, immutable copies (snapshots) according to a schedule. These snapshots are held by the storage system and are not mapped to any host, which creates a logical air gap from threats. Copies cannot be changed or deleted outside of the planned schedule, so this failsafe also protects against staff mistakes. Early detection of an attack or threat speeds recovery even further.
IBM Security QRadar is a SIEM and threat management system that monitors activity and looks for signs that an attack is starting, such as logins from unusual IP addresses or logins outside of business hours. A relatively new capability worth showcasing is that IBM QRadar can proactively signal Safeguarded Copy to create a protected backup at the first sign of a threat.
The integration between QRadar and Safeguarded Copy protects storage data through a threat detection mechanism that is fed by audit log streams collected from multiple sources. QRadar’s log engine normalizes the received log events, and both system-defined properties and custom properties are populated with the information from these audit events.
A QRadar administrator then applies rules to analyze the information carried by the normalized log events. Applying a rule to a normalized event determines whether the application is under threat. That early detection is used to trigger a response on the storage system that invokes a Safeguarded Copy action. The Safeguarded Copy can be initiated through the storage system’s API or its CLI commands.
To sum up: when an attack occurs, its traces appear in the application logging; QRadar picks them up and, based on that logging, can trigger a flow that safeguards the application volumes and their data with a Safeguarded Copy on IBM FlashSystem.
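As an added illustration (not from the article or from IBM), here is the decision logic a QRadar custom-action script could apply before asking the storage system for a copy: it checks the two signs the article names, a login from an unusual address or outside business hours, ignores failed logins, and throttles repeat triggers so one noisy account does not create a snapshot storm. The trusted ranges, business hours, event layout and the storage command name are assumptions or placeholders.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed policy values (assumptions, not from the article)
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time
MIN_GAP = timedelta(minutes=30)        # throttle: one copy per volume group per 30 min

# Constructed normalized login events, shaped like QRadar event properties
SAMPLE_EVENTS = [
    {"user": "alice", "src_ip": "10.1.2.3",     "time": "2024-03-04T10:15:00", "outcome": "success"},
    {"user": "admin", "src_ip": "203.0.113.7",  "time": "2024-03-04T02:40:00", "outcome": "success"},
    {"user": "admin", "src_ip": "203.0.113.7",  "time": "2024-03-04T02:52:00", "outcome": "success"},
    {"user": "bob",   "src_ip": "192.168.1.50", "time": "2024-03-04T23:05:00", "outcome": "failure"},
]

def suspicious_reasons(event):
    """Rule conditions the event matches; an empty list means benign."""
    reasons = []
    if not any(ipaddress.ip_address(event["src_ip"]) in net for net in TRUSTED_NETWORKS):
        reasons.append("login from unusual IP")
    if datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
        reasons.append("login outside business hours")
    return reasons

def safeguard_command(volume_group, event):
    """Command to snapshot the volume group. The executable name is a PLACEHOLDER
    for the FlashSystem CLI/REST call; the snapshot name embeds the event time."""
    stamp = event["time"].replace("-", "").replace(":", "")
    return ["<SAFEGUARDED_COPY_COMMAND_PLACEHOLDER>", "-volumegroup", volume_group,
            "-name", f"qradar_{stamp}"]

def plan_actions(events, volume_group):
    """Walk events in order; return (event, reasons, command) for each copy to take.
    Failed logins never trigger, and repeat hits inside MIN_GAP are throttled."""
    actions, last_copy = [], None
    for ev in events:
        reasons = suspicious_reasons(ev)
        if ev["outcome"] != "success" or not reasons:
            continue
        when = datetime.fromisoformat(ev["time"])
        if last_copy is not None and when - last_copy < MIN_GAP:
            continue                   # a copy was already taken minutes ago
        last_copy = when
        actions.append((ev, reasons, safeguard_command(volume_group, ev)))
    return actions

if __name__ == "__main__":
    for ev, reasons, cmd in plan_actions(SAMPLE_EVENTS, "prod_db_vg"):
        print(ev["user"], reasons, " ".join(cmd))
```

Run against the constructed events, only the first off-hours login from the untrusted address produces a command; the second is throttled and the failed login is ignored.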
Traditional approaches to data protection have recovery timelines that are too long for modern needs. Setting rules in your SIEM that trigger the creation of an instantaneous immutable copy of a single volume or a group of volumes is a great shield against the inevitable threats knocking on your door.
IBM’s Redpaper on this subject goes much deeper into how to configure these tools as part of your cyber resilience strategy.