There’s a maxim popular with military planners that states, “No battle plan survives contact with the enemy.” Essentially, it’s because the enemy has a vote in what happens and can often be quite clever in circumventing the best laid plans.

The same can be said about cybersecurity and incident response. It is nearly impossible to be completely prepared to stop every possible security event that could happen. But that doesn’t mean organizations shouldn’t try.

As Dwight Eisenhower once noted, things may not go according to plan, but “planning is indispensable.” It helps you think through the right preventative security measures you should deploy, consider how to best detect potential threats and ultimately take action to respond to the prioritized offenses that need to be remediated.

Sift Through the Noise With SIEM

Security incidents rarely emerge fully formed with flashing lights to alert you of their presence. More often, they start to appear as a set of indicators or separate smaller events. It isn’t uncommon for mid- to large-sized organizations to experience thousands, if not millions, of security events in a single day. So what’s your plan to find the signal amid the noise?

A good first step is to use a security information and event management (SIEM) solution. A security plan that includes SIEM helps to reduce the number of variables in play and focus response efforts. For example, the IBM QRadar Security Intelligence Platform, powered by the Sense Analytics Engine, collects a massive amount of data, such as list logs, network flows, vulnerability data, external threat intelligence feeds and more, to formulate security intelligence that helps teams focus their efforts on a prioritized list of offenses — the events and incidents that require immediate action.

Take Action With an Incident Response Platform

Now that you have a prioritized list of offenses, what’s your plan for taking action? What are the next steps? Who is on the response team and how will they communicate? Are you required to issue privacy breach notifications?

A purpose-built incident response platform (IRP) can help your security team orchestrate a precise and rapid response. Serving as a single, central hub for managing responses, the IRP enables clear communication across the organization and delivers focused insight on the next steps required to contain and resolve the incident.

The IRP should also quickly and easily integrate with your existing security and IT investments. The importance of this integration is magnified when you consider the evolution of the security operations center (SOC) and the increased number of security tools organizations have available to them. An unchecked proliferation of point products simply isn’t sustainable. Likewise, the traditional emphasis on only prevention or detection solutions — the core operational components of a security program — isn’t enough to effectively secure an organization.

Watch the on-demand webinar: Tap into the Power Response with Resilient and IBM QRadar

IBM Gets Resilient

That’s why IBM acquired Resilient Systems earlier this year. The integration between the QRadar platform and Resilient’s incident response platform bridges the gap between security operations and incident response. It creates the industry’s first end-to-end security operations and response platform.

The integration allows security teams to easily escalate prioritized incidents directly into the Resilient IRP. The IRP pulls in the characteristics and artifacts from QRadar and then provides a detailed step-by-step response plan specific to the type of incident being managed so the security team knows exactly what to do. Additionally, the incident record is automatically enriched with external threat intelligence and is updated as new artifacts or indicators of compromise are discovered.

The QRadar and Resilient integration has significant benefits:

  • It reduces the mean time to resolution. By streamlining the incident detection and response process, security teams are more efficient at quickly containing the damage from a breach. It also increases their ability to break the attack chain.
  • It ensures a consistent response. The current security skills gap makes it difficult to find and retain IT security professionals. Deploying and integrating a SIEM and IRP platform ensures that you have the processes in place to deliver the same quality response to each and every incident of a specific nature. There is no institutional knowledge lost as changes in staff occur.
  • It allows security staff to be more effective. By automating time-consuming tasks, such as looking up artifacts or threat intelligence and migrating them from the SIEM to the IRP, security teams spend less time swiveling from system to system and can focus on interpreting the threat intelligence, understanding the details and context of the situation, and ultimately taking action and responding.

To better understand how integrating SIEM and IRP represents a new best practice for SOCs and security teams, join industry experts from Bloor Research and IBM for an engaging on-demand webinar, “Tap into the Power Response with Resilient and IBM QRadar.”

More from Intelligence & Analytics

The 13 Costliest Cyberattacks of 2022: Looking Back

2022 has shaped up to be a pricey year for victims of cyberattacks. Cyberattacks continue to target critical infrastructures such as health systems, small government agencies and educational institutions. Ransomware remains a popular attack method for large and small targets alike. While organizations may choose not to disclose the costs associated with a cyberattack, the loss of consumer trust will always be a risk after any significant attack. Let’s look at the 13 costliest cyberattacks of the past year and…

What Can We Learn From Recent Cyber History?

The Center for Strategic and International Studies compiled a list of significant cyber incidents dating back to 2003. Compiling attacks on government agencies, defense and high-tech companies or economic crimes with losses of more than a million dollars, this list reveals broader trends in cybersecurity for the past two decades. And, of course, there are the headline breaches and supply chain attacks to consider. Over recent years, what lessons can we learn from our recent history — and what projections…

When Logs Are Out, Enhanced Analytics Stay In

I was talking to an analyst firm the other day. They told me that a lot of organizations purchase a security information and event management (SIEM) solution and then “place it on the shelf.” “Why would they do that?” I asked. I spent the majority of my career in hardware — enterprise hardware, cloud hardware, and just recently made the jump to security software, hence my question. “Because SIEMs are hard to use. A SIEM purchase is just a checked…

4 Most Common Cyberattack Patterns from 2022

As 2022 comes to an end, cybersecurity teams globally are taking the opportunity to reflect on the past 12 months and draw whatever conclusions and insights they can about the threat landscape. It has been a challenging year for security teams. A major conflict in Europe, a persistently remote workforce and a series of large-scale cyberattacks have all but guaranteed that 2022 was far from uneventful. In this article, we’ll round up some of the most common cyberattack patterns we…