Cloud Pak for Security – Is it worth it?

About 12 months ago IBM released their Cloud Pak offerings to the marketplace as the first strategic step in the move away from the traditional perpetual licensing model. Whilst I think this was a few years late, it's good to see that they are starting to move in the right direction.

Which brings us to Cloud Pak for Security. IBM started offering Cloud Pak for Security about 8 months ago as its Version 1 release, and it was a monumental flop. They offered what they thought was a great package encompassing:

  • Data Explorer – federated search across existing data lakes
  • Threat Intelligence Insights – a centralized STIX/TAXII threat-intelligence environment
  • Resilient – quite a good SOAR product

Whilst this was a reasonable introductory offering, it had a few dependencies: an existing SIEM environment, plus a Docker/container environment covering all areas of your business. Whilst this sounds ideal, in practical terms it did not match customers' needs.

WELCOME to Cloud Pak for Security – VERSION 2

IBM took some feedback from customers and came up with an offering that works... partially. Now when you buy Cloud Pak for Security, they include the product that is REALLY good: QRadar! Not only that, there are no longer any limits on EPS (events per second) or FPM (flows per minute), which is what all of us security professionals have been waiting for.

FINALLY! I don't have to limit log sources, filter logs, build relays, or run separate collection and appliance infrastructure. Now all I have to worry about is building the use cases I need as a security professional. Oh wait, I also get Data Explorer, Threat Intelligence Insights and Resilient? Fantastic!

So now:

  • I don't have to build an open source STIX/TAXII server that constantly needs adjustment.
  • I don't have to build a centralized data lake; I just use the ones I already have.
  • I have a SOAR system integrated with my security intelligence, and all I need to do is define the rules.

Sounds too good to be true, and it can be: there are a few considerations before you launch into your Cloud Pak journey.

IBM's licensing model for Cloud Pak is just as confusing as the old PVU (Processor Value Unit) system they introduced in the mid-2000s. The new metric is called MVS, an acronym for Managed Virtual Servers. IBM's definition is not the literal meaning of a "managed virtual server", but it is the definition that counts. To work out how many MVS you need, the calculation is simple:

  1. Count up your servers (Internal and Cloud based)
  2. Multiply the total of servers by 31.

The total is the number of MVS you need.

Now that you are up to date on the MVS model and what's included in Cloud Pak for Security, the real question everyone is asking is: "Is it worth it?"

There are 2 different scenarios to consider:

  1. I have lots of servers, but they don't do a lot: our advice is to buy the products individually.
  2. I have a few servers that make lots of noise: our advice is that Cloud Pak is the go.

In addition, security controls (firewalls, proxies, load balancers and all related security control points) are not included in the MVS count, so if you have lots of security controls and few servers, Cloud Pak packs a punch in value for money. QRadar, Resilient, STIX/TAXII, Data Explorer and a few more things (coming soon from IBM) are all wrapped up in a single product.

So, if you want to build a security practice from the ground up, Cloud Pak is a viable option to look at.

If you have issues managing log and data volumes within the business, Cloud Pak is probably viable.

If you have bucket loads of servers spread across a geographical region and have heavily invested in federated data lakes, a centralized SIEM and an existing SOAR, then Cloud Pak isn't initially viable, although when you want to replace one of the major tech components it should be on your evaluation list.