I.B.M. Turns to Big Data Algorithms for Computer Security

As oxymorons go, “corporate security” falls somewhere in between “wedded bliss” and “light beer.”

Businesses spend billions of dollars each year on firewalls, applications and antivirus software in a desperate attempt to ward off hackers and yet, even the companies, like Symantec and RSA, that sell “security solutions” can’t keep themselves hacker-free.

The crux of the problem is that businesses have taken a piecemeal approach to security. They use antivirus software to weed out malware and firewalls to keep the bad guys out, but none of these systems communicate with each other in an intelligible way. When meaningful messages do emerge, it’s often too late — trade secrets are long gone or customers’ credit card data has already been compromised.

I.B.M. is now the latest company to attempt to take a more holistic approach to corporate security using “Big Data.” On Wednesday, the company will roll out QRadar, its new security intelligence platform, to track corporate vulnerabilities in real time and cross-reference unusual activity with I.B.M.’s X-Force database, the world’s largest repository of threat and hacker information.

According to I.B.M., I.T. managers using I.B.M.’s platform will now be able to see — in seconds — if someone has gained access to a proprietary database after repeated log-in failures, or if an employee, or perhaps a botnet, is transmitting corporate information to a Gmail account or to a country the company does not do business in. Using I.B.M.’s X-Force database, I.T. managers can see if an employee is sending that information to personal e-mail because that person is going on vacation, or if something more nefarious is going on.

I.B.M. is hardly the first company to tackle security in real time. A number of companies already do this. Solera Networks, AccessData and Niksun all market similar services that look for patterns or telltale signs among large amounts of unstructured data in order to flag vulnerabilities before a security breach occurs, or spot a breach as it is happening.

But I.B.M. has the advantage of being the world’s largest supplier of I.T. systems. I.B.M. acts as the eyes and ears for more than 4,000 clients and witnesses more than 13 billion security “events” a day. The company thinks it can use those insights to spot viruses and the warning signs of an attack before they occur.

“Significant attacks don’t happen out of the blue,” says Brendan Hannigan, I.B.M.’s general manager of security systems. “A bank robber picks a target and conducts extensive surveillance before they rob a bank. The same is true in technology. There are a variety of things hackers need to do before they go after specific assets.”

In the evolving threat landscape, companies can average as many as a hundred million potentially devastating “security events” a day. An event could constitute one too many failed log-in attempts, or evidence that an employee’s computer is communicating with a database unrelated to the person’s immediate job function. But without the appropriate context, it is nearly impossible for I.T. managers to know the difference between an anomaly and an attack.
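The two detections the article sketches, a burst of failed log-ins followed by successful access to a sensitive database, and a large outbound transfer to personal webmail or to a country the company does not do business in, are ordinary SIEM correlation rules. The following is an added example written for this page, not QRadar code or anything from I.B.M.; the thresholds, window, user names, hosts, the `BUSINESS_COUNTRIES` and `PERSONAL_MAIL_DOMAINS` sets and the `ON_LEAVE` list (a stand-in for the kind of context an analyst would consult before deciding whether a transfer is innocent) are all constructed assumptions, as is every log record in `SAMPLE_EVENTS`.

```python
"""Toy SIEM correlation over constructed events (added example, not I.B.M.'s code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; real deployments tune these per environment.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
EXFIL_BYTES_THRESHOLD = 5_000_000          # 5 MB in one outbound flow
BUSINESS_COUNTRIES = {"US", "DE"}          # constructed: where the company operates
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com"}
ON_LEAVE = {"carol"}                       # constructed HR context: staff on vacation

# Constructed sample records in a normalised SIEM-like shape. "ZZ" is a
# placeholder country code, not a real country.
SAMPLE_EVENTS = [
    {"ts": "2012-02-28T09:00:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:01:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:02:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:03:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:04:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:05:00", "type": "auth", "user": "alice", "target": "db-hr", "outcome": "success"},
    {"ts": "2012-02-28T09:06:00", "type": "auth", "user": "bob", "target": "db-hr", "outcome": "fail"},
    {"ts": "2012-02-28T09:07:00", "type": "auth", "user": "bob", "target": "db-hr", "outcome": "success"},
    {"ts": "2012-02-28T10:00:00", "type": "flow", "user": "carol", "direction": "out",
     "dst_domain": "gmail.com", "dst_country": "US", "bytes": 8_000_000},
    {"ts": "2012-02-28T10:05:00", "type": "flow", "user": "bob", "direction": "out",
     "dst_domain": "gmail.com", "dst_country": "US", "bytes": 1_000_000},
    {"ts": "2012-02-28T10:10:00", "type": "flow", "user": "eve", "direction": "out",
     "dst_domain": "files.example", "dst_country": "ZZ", "bytes": 12_000_000},
    {"ts": "2012-02-28T10:15:00", "type": "flow", "user": "frank", "direction": "out",
     "dst_domain": "partner.example", "dst_country": "DE", "bytes": 9_000_000},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_bruteforce_then_access(events):
    """Rule 1: at least FAILED_LOGIN_THRESHOLD failures for one (user, target)
    inside FAILED_LOGIN_WINDOW, then a success on that target. Expects events
    in time order; a sliding deque keeps only failures still inside the window."""
    failures = defaultdict(deque)          # (user, target) -> failure timestamps
    alerts = []
    for ev in events:
        if ev["type"] != "auth":
            continue
        key = (ev["user"], ev["target"])
        now = _t(ev["ts"])
        q = failures[key]
        while q and now - q[0] > FAILED_LOGIN_WINDOW:
            q.popleft()                    # age out failures older than the window
        if ev["outcome"] == "fail":
            q.append(now)
        elif ev["outcome"] == "success" and len(q) >= FAILED_LOGIN_THRESHOLD:
            alerts.append({"rule": "bruteforce_then_access", "user": ev["user"],
                           "target": ev["target"], "failures": len(q),
                           "ts": ev["ts"], "severity": "high"})
            q.clear()                      # one alert per burst, not per success
    return alerts


def detect_suspicious_outbound(events):
    """Rule 2: a large outbound flow to personal webmail or to a country outside
    BUSINESS_COUNTRIES. Context (ON_LEAVE) downgrades severity to analyst review
    rather than suppressing the alert, so the event is still recorded."""
    alerts = []
    for ev in events:
        if ev["type"] != "flow" or ev["direction"] != "out":
            continue
        if ev["bytes"] < EXFIL_BYTES_THRESHOLD:
            continue
        reasons = []
        if ev.get("dst_domain") in PERSONAL_MAIL_DOMAINS:
            reasons.append("personal webmail")
        if ev.get("dst_country") not in BUSINESS_COUNTRIES:
            reasons.append("non-business country " + str(ev.get("dst_country")))
        if not reasons:
            continue
        severity = "review" if ev["user"] in ON_LEAVE else "high"
        alerts.append({"rule": "suspicious_outbound", "user": ev["user"],
                       "bytes": ev["bytes"], "reasons": reasons,
                       "ts": ev["ts"], "severity": severity})
    return alerts


def correlate(events):
    """Run both rules over a time-sorted copy of the event stream."""
    ordered = sorted(events, key=lambda e: e["ts"])
    return detect_bruteforce_then_access(ordered) + detect_suspicious_outbound(ordered)


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

On the constructed stream this yields three alerts: alice's five failures followed by a success on `db-hr`, carol's 8 MB to Gmail (downgraded to "review" because the HR context says she is on leave), and eve's 12 MB to a country outside the business set. Bob's two failures and his 1 MB transfer fall below the thresholds, and frank's transfer to a business-country partner matches no rule. The point the article makes is that each rule alone is noisy; it is the cross-referencing with context that separates an anomaly from an attack.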

“We’re hitting 10 million security incidents a day. That’s not a lot,” said Virgil Vaduva, an enterprise security architect for a large retailer and I.B.M. client. (He asked not to name the company because he did not have permission to identify it.) “Larger organizations can hit hundreds of millions of events per day. There’s no way humans can sift through that amount of data. QRadar can sift through that in seconds.”

QRadar grew out of I.B.M.’s strategic acquisition in October of Q1 Labs, a security intelligence company run by Mr. Hannigan. The acquisition gave I.B.M. access to a powerful new analytics tool and gave Q1 Labs access to a wealth of data from a broad range of companies around the world that, in turn, made its analytical capabilities that much stronger. As part of the acquisition, I.B.M. moved more than 2,000 employees out of their jobs into a new security division run by Mr. Hannigan.

“Businesses tackle security in bits and pieces, but nobody has been able to pull the thread from beginning to end,” Mr. Hannigan said. “This is the first time companies will have a truly holistic sense of what’s going on.”