There’s a maxim popular with military planners that states, “No battle plan survives contact with the enemy.” Essentially, it’s because the enemy has a vote in what happens and can often be quite clever in circumventing the best laid plans.

The same can be said about cybersecurity and incident response. It is nearly impossible to be completely prepared to stop every possible security event that could happen. But that doesn’t mean organizations shouldn’t try.

As Dwight Eisenhower once noted, things may not go according to plan, but “planning is indispensable.” It helps you think through the right preventative security measures you should deploy, consider how to best detect potential threats and ultimately take action to respond to the prioritized offenses that need to be remediated.

Sift Through the Noise With SIEM

Security incidents rarely emerge fully formed with flashing lights to alert you of their presence. More often, they start to appear as a set of indicators or separate smaller events. It isn’t uncommon for mid- to large-sized organizations to experience thousands, if not millions, of security events in a single day. So what’s your plan to find the signal amid the noise?

A good first step is to use a security information and event management (SIEM) solution. A security plan that includes SIEM helps to reduce the number of variables in play and focus response efforts. For example, the IBM QRadar Security Intelligence Platform, powered by the Sense Analytics Engine, collects a massive amount of data, such as list logs, network flows, vulnerability data, external threat intelligence feeds and more, to formulate security intelligence that helps teams focus their efforts on a prioritized list of offenses — the events and incidents that require immediate action.

Take Action With an Incident Response Platform

Now that you have a prioritized list of offenses, what’s your plan for taking action? What are the next steps? Who is on the response team and how will they communicate? Are you required to issue privacy breach notifications?

A purpose-built incident response platform (IRP) can help your security team orchestrate a precise and rapid response. Serving as a single, central hub for managing responses, the IRP enables clear communication across the organization and delivers focused insight on the next steps required to contain and resolve the incident.

The IRP should also quickly and easily integrate with your existing security and IT investments. The importance of this integration is magnified when you consider the evolution of the security operations center (SOC) and the increased number of security tools organizations have available to them. An unchecked proliferation of point products simply isn’t sustainable. Likewise, the traditional emphasis on only prevention or detection solutions — the core operational components of a security program — isn’t enough to effectively secure an organization.

Watch the on-demand webinar: Tap into the Power Response with Resilient and IBM QRadar

IBM Gets Resilient

That’s why IBM acquired Resilient Systems earlier this year. The integration between the QRadar platform and Resilient’s incident response platform bridges the gap between security operations and incident response. It creates the industry’s first end-to-end security operations and response platform.

The integration allows security teams to easily escalate prioritized incidents directly into the Resilient IRP. The IRP pulls in the characteristics and artifacts from QRadar and then provides a detailed step-by-step response plan specific to the type of incident being managed so the security team knows exactly what to do. Additionally, the incident record is automatically enriched with external threat intelligence and is updated as new artifacts or indicators of compromise are discovered.

The QRadar and Resilient integration has significant benefits:

  • It reduces the mean time to resolution. By streamlining the incident detection and response process, security teams are more efficient at quickly containing the damage from a breach. It also increases their ability to break the attack chain.
  • It ensures a consistent response. The current security skills gap makes it difficult to find and retain IT security professionals. Deploying and integrating a SIEM and IRP platform ensures that you have the processes in place to deliver the same quality response to each and every incident of a specific nature. There is no institutional knowledge lost as changes in staff occur.
  • It allows security staff to be more effective. By automating time-consuming tasks, such as looking up artifacts or threat intelligence and migrating them from the SIEM to the IRP, security teams spend less time swiveling from system to system and can focus on interpreting the threat intelligence, understanding the details and context of the situation, and ultimately taking action and responding.

To better understand how integrating SIEM and IRP represents a new best practice for SOCs and security teams, join industry experts from Bloor Research and IBM for an engaging on-demand webinar, “Tap into the Power Response with Resilient and IBM QRadar.”

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today