Planning Your Response: Top Three Reasons to Integrate Your SIEM With an Incident Response Platform

August 19, 2016
| |
3 min read

There’s a maxim popular with military planners that states, “No battle plan survives contact with the enemy.” Essentially, it’s because the enemy has a vote in what happens and can often be quite clever in circumventing the best laid plans.

The same can be said about cybersecurity and incident response. It is nearly impossible to be completely prepared to stop every possible security event that could happen. But that doesn’t mean organizations shouldn’t try.

As Dwight Eisenhower once noted, things may not go according to plan, but “planning is indispensable.” It helps you think through the right preventative security measures you should deploy, consider how to best detect potential threats and ultimately take action to respond to the prioritized offenses that need to be remediated.

Sift Through the Noise With SIEM

Security incidents rarely emerge fully formed with flashing lights to alert you of their presence. More often, they start to appear as a set of indicators or separate smaller events. It isn’t uncommon for mid- to large-sized organizations to experience thousands, if not millions, of security events in a single day. So what’s your plan to find the signal amid the noise?

A good first step is to use a security information and event management (SIEM) solution. A security plan that includes SIEM helps to reduce the number of variables in play and focus response efforts. For example, the IBM QRadar Security Intelligence Platform, powered by the Sense Analytics Engine, collects a massive amount of data, such as list logs, network flows, vulnerability data, external threat intelligence feeds and more, to formulate security intelligence that helps teams focus their efforts on a prioritized list of offenses — the events and incidents that require immediate action.

Take Action With an Incident Response Platform

Now that you have a prioritized list of offenses, what’s your plan for taking action? What are the next steps? Who is on the response team and how will they communicate? Are you required to issue privacy breach notifications?

A purpose-built incident response platform (IRP) can help your security team orchestrate a precise and rapid response. Serving as a single, central hub for managing responses, the IRP enables clear communication across the organization and delivers focused insight on the next steps required to contain and resolve the incident.

The IRP should also quickly and easily integrate with your existing security and IT investments. The importance of this integration is magnified when you consider the evolution of the security operations center (SOC) and the increased number of security tools organizations have available to them. An unchecked proliferation of point products simply isn’t sustainable. Likewise, the traditional emphasis on only prevention or detection solutions — the core operational components of a security program — isn’t enough to effectively secure an organization.

Watch the on-demand webinar: Tap into the Power Response with Resilient and IBM QRadar

IBM Gets Resilient

That’s why IBM acquired Resilient Systems earlier this year. The integration between the QRadar platform and Resilient’s incident response platform bridges the gap between security operations and incident response. It creates the industry’s first end-to-end security operations and response platform.

The integration allows security teams to easily escalate prioritized incidents directly into the Resilient IRP. The IRP pulls in the characteristics and artifacts from QRadar and then provides a detailed step-by-step response plan specific to the type of incident being managed so the security team knows exactly what to do. Additionally, the incident record is automatically enriched with external threat intelligence and is updated as new artifacts or indicators of compromise are discovered.

The QRadar and Resilient integration has significant benefits:

  • It reduces the mean time to resolution. By streamlining the incident detection and response process, security teams are more efficient at quickly containing the damage from a breach. It also increases their ability to break the attack chain.
  • It ensures a consistent response. The current security skills gap makes it difficult to find and retain IT security professionals. Deploying and integrating a SIEM and IRP platform ensures that you have the processes in place to deliver the same quality response to each and every incident of a specific nature. There is no institutional knowledge lost as changes in staff occur.
  • It allows security staff to be more effective. By automating time-consuming tasks, such as looking up artifacts or threat intelligence and migrating them from the SIEM to the IRP, security teams spend less time swiveling from system to system and can focus on interpreting the threat intelligence, understanding the details and context of the situation, and ultimately taking action and responding.

To better understand how integrating SIEM and IRP represents a new best practice for SOCs and security teams, join industry experts from Bloor Research and IBM for an engaging on-demand webinar, “Tap into the Power Response with Resilient and IBM QRadar.”

Chris Meenan
Product Manager for QRadar, IBM Security

Chris Meenan is a Product Manager working on the QRadar Security Intelligence Product within the IBM Security division. He has over 10 years experience in pr...
read more