Imagine a battlefield in the Napoleonic War, the smell of gunpowder and anxious humanity rife in the air. It was in such circumstances that triage was invented to help address the overwhelming amount of work to sort and prioritize under pressure.

Now imagine the ones and zeroes of data and threat intelligence as the elements to be triaged rather than wounded soldiers. Security teams are overwhelmed by the combination of a flood of cybersecurity alerts and the lack of resources required to triage, investigate and mitigate these threats. This can result in major data breaches that can be damaging financially and even lead to executive management departures.

Technology has improved, however, both in health care and cybersecurity. Incident triage now has the benefit of analytics and automation.

Boosting Efficiency

A good security intelligence solution helps security teams identify threats in their environment. A good threat intelligence solution helps prioritize these threats within context of the external environment, and a good incident response solution streamlines the workflow to save time. A great security solution seamlessly wraps all three together to speed time to action and reduce overall risk to the organization.

From within the IBM QRadar Security Intelligence Platform, a security analyst investigating an incident without an integrated threat intelligence solution has to move outside the platform. Whether that means searching the internet or digging through a different portal or database, it results in an interrupted workflow and compromises efficiency.

With a solution like RiskIQ PassiveTotal, security analysts have direct access to that external context through IBM QRadar itself. This enables security teams to respond to incidents more efficiently and reduce the overall cybersecurity risk to the organization.

RiskIQ’s PassiveTotal App for IBM QRadar brings in internet infrastructure data, giving IP addresses in QRadar the full context of the internet by combining PassiveDNS, WHOIS, SSL certificates, web components, host pairs and RiskIQ’s proprietary data sets in real time.

Benefits of Threat Intelligence

Four features were created to enable actionable threat intelligence from RiskIQ within QRadar:

  • Contextual metadata: Using a hover context menu and right-click pivot search, users of IBM QRadar can now quickly gain a deeper understanding of potential threats from external IP addresses.
  • Automatic offense triage: By inspecting source IP addresses from within open offenses, RiskIQ’s PassiveTotal application can help analysts immediately know if any are flagged as malicious. To do this, the application routinely collects all open offenses, extracts the relevant IP addresses and queries the PassiveTotal API.
  • Analyst feedback loops: Classifying domains and IP addresses into four categories — malicious, suspicious, non-malicious and unknown — lets analysts create a feedback loop with QRadar. This feedback is constantly updated with the latest threat data using reference lists for all categories (excluding unknown).
  • Personalized content: The RiskIQ application supports pivoting between QRadar and the PassiveTotal platform by including dashboard widgets showing recent search history for the analyst’s personal account and the enterprise team. This saves time since users can click on the value listed in history and jump instantly from QRadar directly into a PassiveTotal search result.

Immerse Yourself in Threat Intelligence – Watch the on-demand webinar

Learn More and Download the PassiveTotal App

The PassiveTotal app for QRadar provides an integration that personalizes SIEM and allows for automated triage.

RiskIQ helps eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies in the world — including well-known social media and ride-sharing apps — respond to external threats. Along with these companies, customers of both QRadar and PassiveTotal can install the application by visiting the IBM Security App Exchange from within their local QRadar instance and learn more from the IBM DeveloperWorks community.

You can learn more about the partnership between PassiveTotal and IBM QRadar by watching the on-demand webinar, “IBM Security App Exchange Spotlight: Immerse Your Security in Threat Intelligence.”

If you have any questions or feedback on the app, please send a message to [email protected].

More from Intelligence & Analytics

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today