There’s a maxim popular with military planners that states, “No battle plan survives contact with the enemy.” Essentially, it’s because the enemy has a vote in what happens and can often be quite clever in circumventing the best-laid plans.

The same can be said about cybersecurity and incident response. It is nearly impossible to be completely prepared to stop every possible security event that could happen. But that doesn’t mean organizations shouldn’t try.

As Dwight Eisenhower once noted, things may not go according to plan, but “planning is indispensable.” It helps you think through the right preventative security measures you should deploy, consider how to best detect potential threats and ultimately take action to respond to the prioritized offenses that need to be remediated.

Sift Through the Noise With SIEM

Security incidents rarely emerge fully formed with flashing lights to alert you of their presence. More often, they start to appear as a set of indicators or separate smaller events. It isn’t uncommon for mid- to large-sized organizations to experience thousands, if not millions, of security events in a single day. So what’s your plan to find the signal amid the noise?

A good first step is to use a security information and event management (SIEM) solution. A security plan that includes SIEM helps to reduce the number of variables in play and focus response efforts. For example, the IBM QRadar Security Intelligence Platform, powered by the Sense Analytics Engine, collects a massive amount of data, such as logs, network flows, vulnerability data, external threat intelligence feeds and more, to formulate security intelligence that helps teams focus their efforts on a prioritized list of offenses — the events and incidents that require immediate action.

Take Action With an Incident Response Platform

Now that you have a prioritized list of offenses, what’s your plan for taking action? What are the next steps? Who is on the response team and how will they communicate? Are you required to issue privacy breach notifications?

A purpose-built incident response platform (IRP) can help your security team orchestrate a precise and rapid response. Serving as a single, central hub for managing responses, the IRP enables clear communication across the organization and delivers focused insight on the next steps required to contain and resolve the incident.

The IRP should also quickly and easily integrate with your existing security and IT investments. The importance of this integration is magnified when you consider the evolution of the security operations center (SOC) and the increased number of security tools organizations have available to them. An unchecked proliferation of point products simply isn’t sustainable. Likewise, the traditional emphasis on only prevention or detection solutions — the core operational components of a security program — isn’t enough to effectively secure an organization.


IBM Gets Resilient

That’s why IBM acquired Resilient Systems earlier this year. The integration between the QRadar platform and Resilient’s incident response platform bridges the gap between security operations and incident response. It creates the industry’s first end-to-end security operations and response platform.

The integration allows security teams to easily escalate prioritized incidents directly into the Resilient IRP. The IRP pulls in the characteristics and artifacts from QRadar and then provides a detailed step-by-step response plan specific to the type of incident being managed so the security team knows exactly what to do. Additionally, the incident record is automatically enriched with external threat intelligence and is updated as new artifacts or indicators of compromise are discovered.

The QRadar and Resilient integration has significant benefits:

  • It reduces the mean time to resolution. By streamlining the incident detection and response process, security teams are more efficient at quickly containing the damage from a breach. It also increases their ability to break the attack chain.
  • It ensures a consistent response. The current security skills gap makes it difficult to find and retain IT security professionals. Deploying and integrating a SIEM and IRP platform ensures that you have the processes in place to deliver the same quality response to each and every incident of a specific nature. There is no institutional knowledge lost as changes in staff occur.
  • It allows security staff to be more effective. By automating time-consuming tasks, such as looking up artifacts or threat intelligence and migrating them from the SIEM to the IRP, security teams spend less time swiveling from system to system and can focus on interpreting the threat intelligence, understanding the details and context of the situation, and ultimately taking action and responding.

To better understand how integrating SIEM and IRP represents a new best practice for SOCs and security teams, join industry experts from Bloor Research and IBM for an engaging on-demand webinar, “Tap into the Power Response with Resilient and IBM QRadar.”
