Light Dark
December 14, 2015 By Mark Ehr 3 min read
Intelligence & Analytics
Advanced Threats

I’ve worked in security for more than 15 years, and in that time I’ve worked with hundreds of customers and practitioners, helping them solve tricky security problems so they can prevent, detect and respond to threats with high levels of efficiency. One of the reasons that I love (and sometimes despise) working in cybersecurity is that it changes literally every day — sometimes every hour!

I vividly remember one incident that occurred a few years ago during a visit to the security operations center (SOC) of a large bank that had deployed IBM’s QRadar. While I was there, a distributed denial-of-service (DDoS) attack began, which had the entire security team scrambling to counter it before it affected critical bank websites. The team did track down the source of the attack and block the IPs within a couple of hours, but a lack of efficiency and automation resulted in a delayed response.

The days of manual root cause analysis and blocking, which can take hours of time and extensive manual labor, are over. That is exactly the reason IBM has added even more efficiency, automation, out-of-the-box content and collaboration capabilities to the latest release of QRadar, V7.2.6.

A Look at QRadar’s Capabilities

Let’s run through this scenario with QRadar V7.2.6’s new capabilities. QRadar’s rule engine detects attacks in many ways, including correlation of the attacker’s source IPs with blacklisted IPs acquired from an external threat feed or by triggering network behavioral anomaly rules.

The QRadar rule(s) can invoke an automated response such as blocking the attacking IPs on the wire, killing the DDoS attack within minutes. Security analysts, alerted to the offense via the QRadar console, can then collaborate with peers via X-Force Exchange and share data on the attack to help others. We call this collaborative defense.

View the webinar to learn more about new features in IBM Security QRadar

Today, the bad guys are innovating faster than the good, and they aren’t just kids hacking away from a dorm room or their parent’s basement. They are well-funded, highly specialized organizations that run their criminal enterprises like businesses. Many are a product of the Internet generation and are extremely adept at using social tools to collaborate via the Dark Web.

The X-Force team recently delivered an interesting and scary webinar on the evolution of threats. Cybercriminals sell their technology to each other and even offer it as malware-as-a-service or exploit kits, available via subscription to lesser skilled individuals for a few bitcoins. This has created a very low barrier to entry at one end of the spectrum and a set of highly sophisticated malware and advanced persistent threats (APTs) on the top end. The scary part is attackers only need to find one or two holes in our defenses and all those security investments and hard work is for naught.

How QRadar Can Save Time and Boost Efficiency

QRadar V7.2.6 includes significant advances in threat detection and response, improved investigative workflows and even more automation to help our customers prevent, detect and respond to threats by increasing staff efficiency and decreasing response times.

My favorite way to communicate the value of what we’re doing is to tell our story in terms of what real people can do with the technology. Here are five ways QRadar is currently helping organizations remain secure.

  1. It is rapidly and automatically detecting advanced threats like APTs and malware outbreaks using powerful analytics such as behavior-based anomaly detection, leveraging that data to drive automated responses such as blocking IPs, shunning users and blacklisting domains. This automatically fixes security exposures with little or no human intervention required.
  2. QRadar combines forensics data, including full packet capture, with real-time threat detection so that it can be used in the context of ongoing investigations. It helps to track down perpetrators while the crime is being committed rather than days or months after the fact.
  3. The solution leverages collaboration tools to enable customers to work directly with peers in the industry and other security experts. It provides a common platform for knowledge sharing to help detect emerging threats like zero-day attacks and other indicators of compromise (IOCs) as they occur.
  4. QRadar also provides a mechanism with which IBM engineers and business partners can quickly and easily build and deliver new security intelligence capabilities through a curated app market, the IBM Security App Exchange.
  5. Finally, the platform centralizes, normalizes and prioritizes vulnerability data from many sources, correlating it with a rich set of external and internal data including threat feeds, network activity monitoring and detected IOCs. It then uses that data to determine which machines represent the highest risk to the business. By feeding that data directly into the patching process as an actionable set of high-priority patches, security holes are closed within hours or minutes.

We’re all extremely excited about the new security breakthroughs we’ve made in the new QRadar V7.2.6 release.

To Learn More

If you would like to learn more, please watch my webinar, “5 Ways to Get Even More from Your IBM Security QRadar Investment in 2016.” In it, I’ll dive even deeper into this and many more topics.

 | 
Mark Ehr
Product Manager, IBM Security

More from Intelligence & Analytics
February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

December 19, 2023

Web injections are back on the rise: 40+ banks affected by new malware campaign

8 min read - Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In March 2023, security researchers at IBM Security Trusteer uncovered a new malware campaign using JavaScript web injections. This new campaign is widespread and particularly evasive, with historical indicators of compromise (IOCs) suggesting a possible connection to DanaBot — although we…

December 14, 2023

Accelerating security outcomes with a cloud-native SIEM

5 min read - As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature