Light Dark
August 19, 2016 By Chris Meenan 3 min read
Intelligence & Analytics
Incident Response

There’s a maxim popular with military planners that states, “No battle plan survives contact with the enemy.” Essentially, it’s because the enemy has a vote in what happens and can often be quite clever in circumventing the best laid plans.

The same can be said about cybersecurity and incident response. It is nearly impossible to be completely prepared to stop every possible security event that could happen. But that doesn’t mean organizations shouldn’t try.

As Dwight Eisenhower once noted, things may not go according to plan, but “planning is indispensable.” It helps you think through the right preventative security measures you should deploy, consider how to best detect potential threats and ultimately take action to respond to the prioritized offenses that need to be remediated.

Sift Through the Noise With SIEM

Security incidents rarely emerge fully formed with flashing lights to alert you of their presence. More often, they start to appear as a set of indicators or separate smaller events. It isn’t uncommon for mid- to large-sized organizations to experience thousands, if not millions, of security events in a single day. So what’s your plan to find the signal amid the noise?

A good first step is to use a security information and event management (SIEM) solution. A security plan that includes SIEM helps to reduce the number of variables in play and focus response efforts. For example, the IBM QRadar Security Intelligence Platform, powered by the Sense Analytics Engine, collects a massive amount of data, such as list logs, network flows, vulnerability data, external threat intelligence feeds and more, to formulate security intelligence that helps teams focus their efforts on a prioritized list of offenses — the events and incidents that require immediate action.

Take Action With an Incident Response Platform

Now that you have a prioritized list of offenses, what’s your plan for taking action? What are the next steps? Who is on the response team and how will they communicate? Are you required to issue privacy breach notifications?

A purpose-built incident response platform (IRP) can help your security team orchestrate a precise and rapid response. Serving as a single, central hub for managing responses, the IRP enables clear communication across the organization and delivers focused insight on the next steps required to contain and resolve the incident.

The IRP should also quickly and easily integrate with your existing security and IT investments. The importance of this integration is magnified when you consider the evolution of the security operations center (SOC) and the increased number of security tools organizations have available to them. An unchecked proliferation of point products simply isn’t sustainable. Likewise, the traditional emphasis on only prevention or detection solutions — the core operational components of a security program — isn’t enough to effectively secure an organization.

Watch the on-demand webinar: Tap into the Power Response with Resilient and IBM QRadar

IBM Gets Resilient

That’s why IBM acquired Resilient Systems earlier this year. The integration between the QRadar platform and Resilient’s incident response platform bridges the gap between security operations and incident response. It creates the industry’s first end-to-end security operations and response platform.

The integration allows security teams to easily escalate prioritized incidents directly into the Resilient IRP. The IRP pulls in the characteristics and artifacts from QRadar and then provides a detailed step-by-step response plan specific to the type of incident being managed so the security team knows exactly what to do. Additionally, the incident record is automatically enriched with external threat intelligence and is updated as new artifacts or indicators of compromise are discovered.

The QRadar and Resilient integration has significant benefits:

  • It reduces the mean time to resolution. By streamlining the incident detection and response process, security teams are more efficient at quickly containing the damage from a breach. It also increases their ability to break the attack chain.
  • It ensures a consistent response. The current security skills gap makes it difficult to find and retain IT security professionals. Deploying and integrating a SIEM and IRP platform ensures that you have the processes in place to deliver the same quality response to each and every incident of a specific nature. There is no institutional knowledge lost as changes in staff occur.
  • It allows security staff to be more effective. By automating time-consuming tasks, such as looking up artifacts or threat intelligence and migrating them from the SIEM to the IRP, security teams spend less time swiveling from system to system and can focus on interpreting the threat intelligence, understanding the details and context of the situation, and ultimately taking action and responding.

To better understand how integrating SIEM and IRP represents a new best practice for SOCs and security teams, join industry experts from Bloor Research and IBM for an engaging on-demand webinar, “Tap into the Power Response with Resilient and IBM QRadar.”

 |  |  |  | 
Chris Meenan
VP, Product Management, IBM Security

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature