Imagine a battlefield in the Napoleonic Wars, the air thick with gunpowder smoke and the anxiety of the wounded. Triage was invented in those circumstances, as a way to sort and prioritize an overwhelming number of casualties under pressure.

Now imagine the ones and zeroes of data and threat intelligence as the elements to be triaged rather than wounded soldiers. Security teams are overwhelmed by the combination of a flood of cybersecurity alerts and the lack of resources required to triage, investigate and mitigate these threats. This can result in major data breaches that can be damaging financially and even lead to executive management departures.

Technology has improved, however, both in health care and cybersecurity. Incident triage now has the benefit of analytics and automation.

Boosting Efficiency

A good security intelligence solution helps security teams identify threats in their environment. A good threat intelligence solution helps prioritize those threats in the context of the external environment, and a good incident response solution streamlines the workflow to save time. A great security solution seamlessly wraps all three together to speed time to action and reduce overall risk to the organization.

A security analyst investigating an incident in the IBM QRadar Security Intelligence Platform without an integrated threat intelligence solution has to leave the platform to get external context. Whether that means searching the internet or digging through a different portal or database, it interrupts the workflow and compromises efficiency.

With a solution like RiskIQ PassiveTotal, security analysts have direct access to that external context through IBM QRadar itself. This enables security teams to respond to incidents more efficiently and reduce the overall cybersecurity risk to the organization.

RiskIQ’s PassiveTotal App for IBM QRadar brings internet infrastructure data into QRadar, giving each IP address the full context of the internet by combining PassiveDNS, WHOIS, SSL certificates, web components, host pairs and RiskIQ’s proprietary data sets in real time.

Benefits of Threat Intelligence

Four features were created to enable actionable threat intelligence from RiskIQ within QRadar:

  • Contextual metadata: Using a hover context menu and a right-click pivot search, QRadar users can quickly gain a deeper understanding of potential threats from external IP addresses.
  • Automatic offense triage: By inspecting the source IP addresses of open offenses, the PassiveTotal application lets analysts see immediately whether any of them are flagged as malicious. To do this, the application routinely collects all open offenses, extracts the relevant IP addresses and queries the PassiveTotal API.
  • Analyst feedback loops: Analysts can classify domains and IP addresses into four categories (malicious, suspicious, non-malicious and unknown), which creates a feedback loop with QRadar: the application maintains a reference list for each category except unknown and keeps those lists updated with the latest threat data.
  • Personalized content: The application supports pivoting between QRadar and the PassiveTotal platform through dashboard widgets that show recent search history for the analyst’s personal account and for the enterprise team. Clicking a value in the history jumps straight from QRadar into the corresponding PassiveTotal search result.
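The offense-triage and feedback-loop features above describe one polling pass: gather the source IPs from every open offense, query the reputation API once per unique address, then push the classified results into per-category reference lists (never the unknown ones). The following is an added illustration of that loop, not code from RiskIQ or IBM: the PassiveTotal API and the QRadar offense and reference-set APIs are replaced by in-memory stubs, the offense field names are this example’s own rather than QRadar’s schema, the sample offenses and reputation data are constructed, and the decision to skip non-routable source addresses before querying is this example’s design choice.

```python
import ipaddress
from collections import defaultdict

# Order used to pick an offense's headline verdict from its IPs' classifications.
RISK_ORDER = {"malicious": 3, "suspicious": 2, "unknown": 1, "non-malicious": 0}

# Address ranges that can never have external context (RFC 1918, loopback,
# link-local, multicast and their IPv6 counterparts). Documentation ranges
# such as 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are deliberately
# NOT excluded so the constructed sample below can use them as "public" IPs.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]

# Constructed sample of open offenses (field names are this example's own).
OPEN_OFFENSES = [
    {"id": 101, "source_ips": ["203.0.113.7", "10.0.0.5"]},
    {"id": 102, "source_ips": ["198.51.100.22", "203.0.113.7"]},
    {"id": 103, "source_ips": ["192.0.2.44", "192.168.1.10"]},
    {"id": 104, "source_ips": ["172.16.4.9", "not-an-ip"]},
]

# Constructed stand-in for the PassiveTotal reputation lookup. Any address
# not listed comes back "unknown", which is what an unscored indicator looks like.
REPUTATION = {
    "203.0.113.7": "malicious",
    "198.51.100.22": "non-malicious",
}


def lookup_reputation(ips):
    """Batch reputation query (stub for the real API). Returns {ip: category}."""
    return {ip: REPUTATION.get(ip, "unknown") for ip in ips}


def external_ips(offense):
    """Keep only well-formed, routable addresses from an offense's source list."""
    keep = []
    for raw in offense["source_ips"]:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed value in the offense; nothing to look up
        if any(ip in net for net in NON_ROUTABLE):
            continue  # internal address: querying it only burns API quota
        keep.append(str(ip))
    return keep


def triage(offenses, query=lookup_reputation, analyst_labels=None):
    """One pass of the triage loop.

    Gathers source IPs across all open offenses, queries each unique IP once,
    lets analyst classifications override the feed (the feedback loop), then
    returns per-offense verdicts plus reference-list payloads for the three
    actionable categories. 'unknown' is never pushed to a reference list.
    """
    per_offense = {o["id"]: external_ips(o) for o in offenses}
    unique = sorted({ip for ips in per_offense.values() for ip in ips})
    verdicts = query(unique) if unique else {}
    verdicts.update(analyst_labels or {})

    reference_sets = defaultdict(set)
    for ip, category in verdicts.items():
        if category not in RISK_ORDER:
            raise ValueError(f"unexpected classification {category!r} for {ip}")
        if category != "unknown":
            reference_sets[category].add(ip)

    offense_verdict = {}
    for oid, ips in per_offense.items():
        cats = [verdicts.get(ip, "unknown") for ip in ips]
        offense_verdict[oid] = (max(cats, key=RISK_ORDER.__getitem__)
                                if cats else "no-external-ip")

    return {
        "queried": unique,
        "offenses": offense_verdict,
        "reference_sets": {k: sorted(v) for k, v in sorted(reference_sets.items())},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(OPEN_OFFENSES), indent=2))
    # Analyst marks the unscored IP as suspicious; it now lands in a reference list.
    print(json.dumps(triage(OPEN_OFFENSES, {"192.0.2.44": "suspicious"}), indent=2))
```

Two details matter in practice. Deduplicating before the query keeps the API call count proportional to distinct indicators rather than to offenses, which is what makes polling every open offense affordable. And refusing to write "unknown" into a reference list keeps the lists usable as rule conditions: an unscored address is not evidence either way, and a rule that matched on it would fire on noise.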


Learn More and Download the PassiveTotal App

The PassiveTotal app for QRadar provides an integration that personalizes the SIEM and allows for automated triage.

RiskIQ helps eight of the 10 largest financial institutions in the U.S. and five of the nine leading internet companies in the world — including well-known social media and ride-sharing apps — respond to external threats. Along with these companies, customers of both QRadar and PassiveTotal can install the application by visiting the IBM Security App Exchange from within their local QRadar instance and learn more from the IBM DeveloperWorks community.

You can learn more about the partnership between PassiveTotal and IBM QRadar by watching the on-demand webinar, “IBM Security App Exchange Spotlight: Immerse Your Security in Threat Intelligence.”

If you have any questions or feedback on the app, please send a message to [email protected].
