Imagine a battlefield in the Napoleonic War, the smell of gunpowder and anxious humanity rife in the air. It was in such circumstances that triage was invented to help address the overwhelming amount of work to sort and prioritize under pressure.

Now imagine the ones and zeroes of data and threat intelligence as the elements to be triaged rather than wounded soldiers. Security teams are overwhelmed by the combination of a flood of cybersecurity alerts and the lack of resources required to triage, investigate and mitigate these threats. This can result in major data breaches that can be damaging financially and even lead to executive management departures.

Technology has improved, however, both in health care and cybersecurity. Incident triage now has the benefit of analytics and automation.

Boosting Efficiency

A good security intelligence solution helps security teams identify threats in their environment. A good threat intelligence solution helps prioritize these threats within context of the external environment, and a good incident response solution streamlines the workflow to save time. A great security solution seamlessly wraps all three together to speed time to action and reduce overall risk to the organization.

From within the IBM QRadar Security Intelligence Platform, a security analyst investigating an incident without an integrated threat intelligence solution has to move outside the platform. Whether that means searching the internet or digging through a different portal or database, it results in an interrupted workflow and compromises efficiency.

With a solution like RiskIQ PassiveTotal, security analysts have direct access to that external context through IBM QRadar itself. This enables security teams to respond to incidents more efficiently and reduce the overall cybersecurity risk to the organization.

RiskIQ’s PassiveTotal App for IBM QRadar brings in internet infrastructure data, giving IP addresses in QRadar the full context of the internet by combining PassiveDNS, WHOIS, SSL certificates, web components, host pairs and RiskIQ’s proprietary data sets in real time.

Benefits of Threat Intelligence

Four features were created to enable actionable threat intelligence from RiskIQ within QRadar:

  • Contextual metadata: Using a hover context menu and right-click pivot search, users of IBM QRadar can now quickly gain a deeper understanding of potential threats from external IP addresses.
  • Automatic offense triage: By inspecting source IP addresses from within open offenses, RiskIQ’s PassiveTotal application can help analysts immediately know if any are flagged as malicious. To do this, the application routinely collects all open offenses, extracts the relevant IP addresses and queries the PassiveTotal API.
  • Analyst feedback loops: Classifying domains and IP addresses into four categories — malicious, suspicious, non-malicious and unknown — lets analysts create a feedback loop with QRadar. This feedback is constantly updated with the latest threat data using reference lists for all categories (excluding unknown).
  • Personalized content: The RiskIQ application supports pivoting between QRadar and the PassiveTotal platform by including dashboard widgets showing recent search history for the analyst’s personal account and the enterprise team. This saves time since users can click on the value listed in history and jump instantly from QRadar directly into a PassiveTotal search result.

Immerse Yourself in Threat Intelligence – Watch the on-demand webinar

Learn More and Download the PassiveTotal App

The PassiveTotal app for QRadar provides an integration that personalizes SIEM and allows for automated triage.

RiskIQ helps eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies in the world — including well-known social media and ride-sharing apps — respond to external threats. Along with these companies, customers of both QRadar and PassiveTotal can install the application by visiting the IBM Security App Exchange from within their local QRadar instance and learn more from the IBM DeveloperWorks community.

You can learn more about the partnership between PassiveTotal and IBM QRadar by watching the on-demand webinar, “IBM Security App Exchange Spotlight: Immerse Your Security in Threat Intelligence.”

If you have any questions or feedback on the app, please send a message to [email protected].

More from Intelligence & Analytics

BlackCat (ALPHV) Ransomware Levels Up for Stealth, Speed and Exfiltration

9 min read - This blog was made possible through contributions from Kat Metrick, Kevin Henson, Agnes Ramos-Beauchamp, Thanassis Diogos, Diego Matos Martins and Joseph Spero. BlackCat ransomware, which was among the top ransomware families observed by IBM Security X-Force in 2022, according to the 2023 X-Force Threat Intelligence Index, continues to wreak havoc across organizations globally this year. BlackCat (a.k.a. ALPHV) ransomware affiliates' more recent attacks include targeting organizations in the healthcare, government, education, manufacturing and hospitality sectors. Reportedly, several of these incidents resulted…

9 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

79% of Cyber Pros Make Decisions Without Threat Intelligence

4 min read - In a recent report, 79% of security pros say they make decisions without adversary insights “at least the majority of the time.” Why aren’t companies effectively leveraging threat intelligence? And does the C-Suite know this is going on? It’s not unusual for attackers to stay concealed within an organization’s computer systems for extended periods of time. And if their methods and behavioral patterns are unfamiliar, they can cause significant harm before the security team even realizes a breach has occurred.…

4 min read

Why People Skills Matter as Much as Industry Experience

4 min read - As the project manager at a large tech company, I always went to Jim when I needed help. While others on my team had more technical expertise, Jim was easy to work with. He explained technical concepts in a way anyone could understand and patiently answered my seemingly endless questions. We spent many hours collaborating and brainstorming ideas about product features as well as new processes for the team. But Jim was especially valuable when I needed help with other…

4 min read