A New Paradigm for Optimizing and Automating the Security Operations Center (SOC) 
IBM’s QRadar Suite of Products Brings New Capabilities For Security


The cyber-threat landscape is changing. The facts on the ground are that state actors and cyber criminals are automating cyber-attacks, malware is becoming more sophisticated and lethal, the speed of attacks is also growing, and organizations' exposed and attackable assets are expanding exponentially with hybrid clouds and with billions of Internet of Things devices attaching to their networks. The defense perimeter has become non-existent in our digital era.

The reality of our current environment is that business security teams running SOCs are understaffed, overloaded and are facing an asymmetrical threat. They need urgent help!

IBM has responded to these digital challenges with a new array of security solutions designed to unify and accelerate the security analyst experience across the full incident lifecycle, called the IBM QRadar Suite. Businesses of every size, small, medium, and large, can select and customize products from the suite that specifically fit their unique situations and threats.

Please see: https://ibm.biz/BdPhwQ

There are three core design elements of the QRadar Suite that immediately garnered my attention, each bringing immediate advantages to SOC operators in ameliorating cyber-threats:

  • Unified Analyst Experience: Refined in collaboration with hundreds of real-world users, the suite features a common, modernized user interface across all products, designed to dramatically increase analyst speed and efficiency across the entire attack chain. It is embedded with enterprise-grade AI and automation capabilities that have been shown to speed alert investigation and triage by 55% in the first year.
  • Cloud Delivery, Speed & Scale: Delivered as a service on AWS, QRadar Suite products allow for simplified deployment, visibility and integration across cloud environments and data sources. The suite also includes a new, cloud-native log management capability optimized for highly efficient data ingestion, rapid search, and analytics at scale.
  • Open Foundation, Pre-Built Integrations: The suite brings together the core technologies needed across threat detection, investigation, and response, built around an open foundation, an extensive partner ecosystem, and more than 900 pre-built integrations that provide strong interoperability between IBM and third-party toolsets.

In the running of a SOC, a unified analyst experience is fundamental to security performance. The complexity of the security toolsets a SOC may have, disconnected data (structured and unstructured) and an overload of false-positive noise and alerts make it hard for any analyst to focus on the real and priority threats. These realities were highlighted by statistics from a new global survey of Security Operations Center professionals, conducted by Morning Consult and sponsored by IBM Security. The survey found that:

  • SOC professionals are unable to review 51% of alerts they should during a typical workday.
  • 81% of SOC professionals say they are slowed down by manual investigation, the #1 factor identified.
  • SOC professionals spend 1/3 of their workday investigating incidents that aren’t a real threat.
  • Nearly half of SOC professionals say the average time to detect and respond to a security incident has increased in the past 2 years.

As I elaborated in detail in my Homeland Security Today article on SOC management last year, "Using SOCs and Cybersecurity Hubs To Prioritize Security Operations In a Critical Era", SOCs provide an operational risk management structure for businesses and organizations to organize, monitor and respond to cybersecurity threats. SOCs are responsible for procuring and implementing hardware, software, databases, patch management, the correlation of logs from all the devices, solutions and applications under scope, and anything else required for implementing cybersecurity solutions.

The functional SOC activities for an analyst and SOC team are many and challenging. They are responsible for operations management that can include running a Security Information and Event Management (SIEM) solution, Security Orchestration, Automation and Response (SOAR), Web Application Firewalls (WAF), Endpoint and Extended Detection and Response (EDR/XDR) for a cross-platform approach to endpoint detection and response, a Privileged Identity Management (PIM) solution, Anti-Advanced Persistent Threat Protection (Anti-APT), and anti-phishing and anti-malware software. The complexity and manual oversight of these tools can be overwhelming and very difficult to manage and orchestrate.

For the SOC analyst and SOC team, the good news is that IBM Security QRadar has created a single, modernized user interface across all products that is embedded with advanced AI and automation, empowering analysts to work with greater speed, efficiency, and precision across their core toolsets. The new IBM Security QRadar Suite includes EDR/XDR, SIEM, SOAR, and a new cloud-native log management capability, all built around a common user interface, shared insights, and connected workflows. This allows SOC operators to overcome the complexity of their tools and respond more speedily to qualified incidents.

SOC operators must monitor the alerts and events reported, record the incidents, classify them, and recommend remedial action. These tasks can now be assisted by the QRadar integrated user interface, which continually assesses and prioritizes security alerts based on risk, supplements these alerts with additional data on the threat, and applies AI to improve the accuracy of alerts and help eliminate the false positives that take focus away from real threats. It also includes recommendations and connected workflows to help speed up the overall response to the threat.

AI is an enabling component of the IBM Security QRadar Suite, with capabilities that have been shown to significantly improve the speed and accuracy of SOC operations. One particularly helpful technology they've created is an "alert triage" function, which automatically prioritizes or closes alerts for analysts using AI models trained on prior analyst response patterns, along with external threat intelligence and broader contextual insights from across detection toolsets. That is critically important, as analysts are often burdened with determining what is a real threat and what is a false positive. AI synthesizes that capability and allows SOC operators to "triage" and tend to serious breach possibilities. Much like an ER at a hospital, they can prioritize what needs serious attention first. IBM's Managed Security Services team used this AI capability to automate more than 70% of alert closures and reduce its alert triage timelines by 55% on average within the first year of implementation.

AI automation is critical for containing and acting rapidly on threats. The IBM Cost of a Data Breach report with the Ponemon Institute (2022) found that organizations with fully deployed security automation detected and contained an incident 2.5 months faster than organizations that didn't deploy security AI/automation (249 days vs. 323 days). Additional findings from the IBM Institute for Business Value (IBV) study on AI and automation found that cybersecurity AI adopters say AI helps reduce the days needed to detect cybersecurity incidents by as much as 50%, and the hours needed to investigate cybersecurity incidents by as much as 29%.

Because of the precarious cyber-threat environment, speed is critical when it comes to limiting the damage of attacks. The growing availability of ready-made attack kits, a commercialized black market for stolen data, and the intensifying activity of organized crime and state actors targeting industries have heightened the challenge of protecting data.

Investigation of threats is often a process that takes significant time and attention from security analysts. IBM's security suite has added an automation capability that can speed this up, with the system automatically starting some of the initial investigation steps for analysts. This capability "identifies high-priority incidents that may warrant investigation, and automatically initiates investigation by fetching associated artifacts and gathering evidence via data mining across environments." The system also assembles these results into a timeline and attack graph of the incident and recommends actions to speed the response.

With the sophisticated and stealthy nature of today’s attacks, threat hunting has also become a fundamental role for security teams.

Threat hunting involves security experts proactively searching for signs of existing attacks that may have already made their way into the network unnoticed. But searching for these "indicators of compromise" can be complex and time consuming given the volume and variety of data sources they need to sift through. One way that IBM's QRadar Suite is helping with this is by using an open source threat hunting language with a "federated search" capability that helps threat hunters discover stealthy attacks and indicators of compromise across their environments, without moving data from its original source.

In summary, the IBM QRadar suite of products, augmented via artificial intelligence, is a unifying enabler for analysts in three key areas of SOC optimization:

  • alert triage (threat detection; contextualizing threats and reducing false positives),
  • threat investigation (looking into the threats the system has detected to see what is affected and what needs to be done),
  • threat hunting (proactively searching for clues about unknown threats and sophisticated attacks that may have made it into the network undetected).

Cloud delivery, speed and scale are fundamental to optimizing security in the cloud. The movement of government agency and business data to the cloud and hybrid clouds is trending. Forecasters are estimating that 92% of data processing workloads will be located in cloud data centers ("With Internet Of Things And Big Data, 92% Of Everything We Do Will Be In The Cloud", forbes.com). How and where data is secured has become a key concern among security administrators, and that is why operating in clouds and hybrid clouds has become increasingly attractive.

Both government and industry are building larger data repositories and sharing data centers to keep up with storage and analytic needs. Consider that there are 2.5 quintillion bytes of data created each day and that the world's production of data doubles every two years ("How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read", forbes.com). The ability to securely store, prioritize, analyze and share (and scale) that data is fundamental to operations and commerce. Because of those functional requirements, storing data in the cloud or hybrid clouds is more than prudent.

The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). When viewed from a SOC perspective, optimized security in the cloud mitigates the risk of attackers gaining key access to data.

IBM's QRadar suite of offerings provides SOC analysts with a comprehensive view of risks and threats and optimizes implementation of the aforementioned tools. Their solutions extend visibility to cloud solutions and platforms via the collection and rapid analysis of events. Their solutions are cloud agnostic and can be integrated with AWS, Azure, Salesforce, Office 365, and on-prem infrastructure. The QRadar product suite also gives SOC operators the ability to detect misconfigurations and expose shadow IT and unsanctioned tools. In addition, the suite includes a new, cloud-native log management capability optimized for highly efficient data ingestion, rapid search, and analytics at scale.

Operating in the cloud with open source capabilities is beneficial to SOCs. I have espoused the importance of open source for global cybersecurity in my writings. For business, open source is a catalyst for orchestration in an environment where data and applications are often in multiple locations, including the cloud, multi-cloud, hybrid cloud, and mainframes. Agile open-source platform co-creation enables legacy and new systems to support digital business interfaces that span the entire IT landscape, wherever data and applications may reside.

As SOCs have likely invested in sets of security tools and IT functions, it is important for any new procurements to be able to orchestrate with the existing legacy technologies. Open source helps enable such functions. The QRadar Suite leverages an open foundation and pre-built integrations. Their product offerings utilize open technologies and standards across the portfolio and can orchestrate alongside hundreds of pre-built integrations with IBM Security ecosystem partners. Their model enables deeper shared insights and automated actions across third-party clouds, point products, and data lakes, which can reduce deployment and integration times from months to days or weeks, reducing both risk and cost to businesses and organizations.

In summary, the evolving threat challenges that are facing businesses and organizations can be overwhelming to any SOC team. IBM’s QRadar Suite of products brings new capabilities for security analysts, a SOC team, and ultimately businesses to be secure and thrive in an era of digital risk. The QRadar Suite of products is a new paradigm for cybersecurity.

In my 2021 IBM blog "Open Source: A catalyst for modernization & innovation", I noted that open-source collaboration has led to scalable and more secure applications for computing, especially via Linux (still the choice of most code development), Java, Node.js, and other enterprise platforms.

IBM has been a trailblazer when it comes to the use and encouragement of open source. Over the years, IBM has helped create and lead the Linux Foundation, Apache Foundation, Eclipse Foundation, Cloud Foundry, Docker (with Google), OpenStack (infrastructure-as-a-service), and OpenWhisk (serverless platform), which have served as vibrant catalysts for the developer community. Open-source platforms are also impacting the emerging tech practice areas of artificial intelligence, blockchain, the Internet of Things, deep learning, and quantum computing. Looking forward to "Industry 4.0", IBM has become a force in directing the Cloud Native Computing Foundation (Kubernetes), Hyperledger (blockchain), CODAIT (the Center for Open Source, Data and AI Technology), MAX (Model Asset Exchange for deep learning), MQTT (leading protocol for connecting IoT devices), and Qiskit, an open-source quantum computing framework.

In our emerging tech era, open source will play an especially integral role in the future as IT infrastructures are modernized. Open source is a contributing catalyst for innovation as we address the challenges of the digital era. The QRadar Suite is designed to capitalize on that innovation.

IBM partners with industry thought leaders to share their opinions and insights on current technology trends. The opinions in this article are my own, and do not necessarily reflect the views or strategies of IBM.


Chuck Brooks is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also an Adjunct Faculty member at Georgetown University's Graduate Cybersecurity Risk Management Program, where he teaches courses on risk management, homeland security technologies, and cybersecurity. LinkedIn named Chuck as one of "The Top 5 Tech People to Follow on LinkedIn." He was named "Cybersecurity Person of the Year for 2022" by The Cyber Express, one of the world's "10 Best Cyber Security and Technology Experts" by Best Rated, a "Top 50 Global Influencer in Risk, Compliance" by Thomson Reuters, "Best of The World in Security" by CISO Platform, and by IFSEC and Thinkers 360 as the "#2 Global Cybersecurity Influencer." He was featured in the 2020, 2021, and 2022 Onalytica "Who's Who in Cybersecurity." He was also named one of the Top 5 Executives to Follow on Cybersecurity by Executive Mosaic. He is a GovCon Expert for Executive Mosaic/GovCon Wire, a Cybersecurity Expert for "The Network" at the Washington Post, Visiting Editor at Homeland Security Today, and a Contributor to Skytop Media and to FORBES. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

Litsa Sfarnas

Education Management

1 yr

Enlightening and discerning article, Chuck Brooks! You have definitely earned the remarkable title of "Cybersecurity Person of the Year." Keep up the outstanding work!

Morten Wibe

Business Partner Specialist @ IBM | Security Software & Technology

1 yr
Julio Salas Salazar

Cybersecurity Specialist | Crowdstrike | IBM | Kaspersky | Sonicwall | I2 Expert | IBM Enterprise Design Thinking Team Essentials for AI

1 yr

A complete solution that integrates endpoint protection tools, federated search, analysis and response, with AI, which allows you to respond to threats in real time, a great tool for all security teams.

Tatyana Z.

Clinical Research Assistant | Trauma Psychology | Psychology BA

1 yr

Good news for SOC operators!

Insightful article, Chuck Brooks! We’re excited to see how security analysts utilize the new IBM QRadar Suite to increase productivity.
