Automate Security Investigation and Remediation With External Threat Intelligence

Imagine a battlefield in the Napoleonic War, the smell of gunpowder and anxious humanity rife in the air. It was in such circumstances that triage was invented to help address the overwhelming amount of work to sort and prioritize under pressure.

Now imagine the ones and zeroes of data and threat intelligence as the elements to be triaged rather than wounded soldiers. Security teams are overwhelmed by the combination of a flood of cybersecurity alerts and the lack of resources required to triage, investigate and mitigate these threats. This can result in major data breaches that can be damaging financially and even lead to executive management departures.

Technology has improved, however, both in health care and cybersecurity. Incident triage now has the benefit of analytics and automation.

Boosting Efficiency

A good security intelligence solution helps security teams identify threats in their environment. A good threat intelligence solution helps prioritize these threats within context of the external environment, and a good incident response solution streamlines the workflow to save time. A great security solution seamlessly wraps all three together to speed time to action and reduce overall risk to the organization.

From within the IBM QRadar Security Intelligence Platform, a security analyst investigating an incident without an integrated threat intelligence solution has to move outside the platform. Whether that means searching the internet or digging through a different portal or database, it results in an interrupted workflow and compromises efficiency.

With a solution like RiskIQ PassiveTotal, security analysts have direct access to that external context through IBM QRadar itself. This enables security teams to respond to incidents more efficiently and reduce the overall cybersecurity risk to the organization.


RiskIQ’s PassiveTotal App for IBM QRadar brings in internet infrastructure data, giving IP addresses in QRadar the full context of the internet by combining PassiveDNS, WHOIS, SSL certificates, web components, host pairs and RiskIQ’s proprietary data sets in real time.

Benefits of Threat Intelligence

Four features were created to enable actionable threat intelligence from RiskIQ within QRadar:

  • Contextual metadata: Using a hover context menu and right-click pivot search, users of IBM QRadar can now quickly gain a deeper understanding of potential threats from external IP addresses.
  • Automatic offense triage: By inspecting source IP addresses from within open offenses, RiskIQ’s PassiveTotal application can help analysts immediately know if any are flagged as malicious. To do this, the application routinely collects all open offenses, extracts the relevant IP addresses and queries the PassiveTotal API.
  • Analyst feedback loops: Classifying domains and IP addresses into four categories — malicious, suspicious, non-malicious and unknown — lets analysts create a feedback loop with QRadar. This feedback is constantly updated with the latest threat data using reference lists for all categories (excluding unknown).
  • Personalized content: The RiskIQ application supports pivoting between QRadar and the PassiveTotal platform by including dashboard widgets showing recent search history for the analyst’s personal account and the enterprise team. This saves time since users can click on the value listed in history and jump instantly from QRadar directly into a PassiveTotal search result.
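The "automatic offense triage" and "analyst feedback loop" features above describe one workflow: collect open offenses, pull out their source IP addresses, ask a reputation service about each, and sort the verdicts into reference lists per category (with "unknown" left out). The block below is an added illustration of that workflow, not code from the PassiveTotal app or from QRadar. It assumes a simplified offense record and replaces the PassiveTotal API with a constructed lookup table (`_FAKE_INTEL`); the offense field names, the sample IPs and the `lookup_reputation` function are all assumptions. It also shows two checks a practitioner would want that the feature list does not spell out: internal and malformed addresses are never sent to the external service, and each distinct IP is queried only once per sweep.

```python
import ipaddress

# Constructed sample of open offenses; the field names are simplified stand-ins
# for a SIEM offense record, not the QRadar REST API schema.
OPEN_OFFENSES = [
    {"id": 101, "description": "Excessive firewall denies",
     "source_ips": ["203.0.113.10", "10.0.0.5"]},
    {"id": 102, "description": "Possible outbound beacon",
     "source_ips": ["198.51.100.77", "203.0.113.10"]},
    {"id": 103, "description": "Repeated login failures",
     "source_ips": ["192.0.2.200"]},
    {"id": 104, "description": "Malformed event",
     "source_ips": ["not-an-ip", "192.168.1.4"]},
]

# The four verdict categories named in the article, ranked for triage order.
SEVERITY = {"malicious": 3, "suspicious": 2, "unknown": 1, "non-malicious": 0}

# Constructed stand-in for the threat-intelligence service. A real deployment
# would call the PassiveTotal API here; its request/response format is not
# reproduced.
_FAKE_INTEL = {
    "203.0.113.10": "malicious",
    "198.51.100.77": "suspicious",
    "192.0.2.200": "non-malicious",
}

# Ranges never worth sending to an external reputation service. Listed
# explicitly because ipaddress.is_private / is_global would also exclude the
# RFC 5737 documentation ranges that the constructed sample uses.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]


def lookup_reputation(ip):
    """Hypothetical reputation lookup: returns one SEVERITY category."""
    return _FAKE_INTEL.get(ip, "unknown")


def extract_public_ips(offense):
    """Collect the offense's source IPs, dropping malformed values and
    internal/link-local addresses so they never leave the SIEM."""
    ips = set()
    for raw in offense.get("source_ips", []):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue  # not an IP address at all; nothing to enrich
        if any(addr in net for net in NON_ROUTABLE):
            continue
        ips.add(str(addr))
    return ips


def triage_offenses(offenses, lookup=lookup_reputation):
    """Enrich each open offense with verdicts for its public source IPs.

    Returns a dict with:
      offenses       - offenses ordered worst verdict first, then by id
      flagged        - ids of offenses with at least one malicious IP
      reference_sets - category -> IPs, for every category except unknown
      lookups        - number of distinct IPs sent to the lookup service
    """
    cache = {}  # one query per distinct IP across all offenses
    reference_sets = {c: set() for c in SEVERITY if c != "unknown"}
    enriched = []
    for offense in offenses:
        verdicts = {}
        for ip in extract_public_ips(offense):
            if ip not in cache:
                cache[ip] = lookup(ip)
            verdicts[ip] = cache[ip]
            if cache[ip] in reference_sets:
                reference_sets[cache[ip]].add(ip)
        # An offense with no public IP gets no external signal: "unknown".
        worst = max(verdicts.values(), key=SEVERITY.get, default="unknown")
        enriched.append({"id": offense["id"], "worst": worst, "verdicts": verdicts})
    enriched.sort(key=lambda e: (-SEVERITY[e["worst"]], e["id"]))
    return {
        "offenses": enriched,
        "flagged": [e["id"] for e in enriched if e["worst"] == "malicious"],
        "reference_sets": reference_sets,
        "lookups": len(cache),
    }


if __name__ == "__main__":
    result = triage_offenses(OPEN_OFFENSES)
    for o in result["offenses"]:
        print(o["id"], o["worst"], o["verdicts"])
    print("flagged:", result["flagged"])
    print("reference sets:", result["reference_sets"])
```

The `reference_sets` result is what would be written back to the SIEM as the reference lists the feedback loop keeps current; an offense whose only source addresses are internal is reported as "unknown" rather than "non-malicious", since the external service was never consulted for it.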


Learn More and Download the PassiveTotal App

The PassiveTotal app for QRadar provides an integration that personalizes the SIEM and allows for automated offense triage.

RiskIQ helps eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies in the world — including well-known social media and ride-sharing apps — respond to external threats. Along with these companies, customers of both QRadar and PassiveTotal can install the application by visiting the IBM Security App Exchange from within their local QRadar instance and learn more from the IBM DeveloperWorks community.

You can learn more about the partnership between PassiveTotal and IBM QRadar by watching the on-demand webinar, “IBM Security App Exchange Spotlight: Immerse Your Security in Threat Intelligence.”

If you have any questions or feedback on the app, please send a message to feedback@passivetotal.org.

Pamela Cobb

Market Segment Manager, IBM X-Force and Security Intelligence

Pamela Cobb directs product marketing activities for the IBM X-Force and Threat Protection offerings, developing messaging, collateral and website content. She came to IBM through the acquisition of Internet Security Systems, where she managed the Competitive Intelligence function. Elsewhere in IBM, Pam has worked in database marketing and market insights focusing on Midmarket and Hardware products. She has earned the IBM Forward Thinker Award and IBM Global Best Database Marketing Practice Award, and has been published in the Journal of Competitive Intelligence.