Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly improved visibility and automated information gathering (SOAR) and many other manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations become more proactive and focus their efforts where they have the most impact.

However, the move to cloud and the associated expansion of the attack surface is now adding substantially to the complexity of the landscape. The 2022 IBM Security X-Force Cloud Threat Landscape Report found the continued expansion of hybrid cloud environments to be a significant challenge for security teams. X-Force observed a 28% increase in new cloud vulnerabilities compared to the year prior. Further, vulnerable public-facing applications running in a cloud environment have become common targets for attackers, and it can be difficult for organizations to catalogue all applications running in the environment to ensure that all of them remain patched.

This in turn causes three things to happen:

  1. More data: The need to collect more security telemetry data to provide the necessary visibility. As most of this data is being generated in cloud platforms, it is driving up costs and complexity, especially as shifting data between clouds isn’t free.
  2. More tools: The deployment and use of even more security tooling to provide protection, visibility and response into the new cloud infrastructure (e.g., CWPP, ITDR, CDR, etc.). In many cases, security teams are literally handed new security tools from DevSecOps or the CIO due to expediency (“Hey, this works for technology X”), or for financial reasons (“Hey, this is free for cloud Y”).
  3. More UX complexity and more alerts: More tools, more data and more moving parts create more headwinds for security teams trying to stay ahead of attackers. They face additional integration and configuration work, as well as new user interfaces to master, as they pivot from one tool to the next to chase down threats. According to the 2023 IBM Global Security Operations Center Study, surveyed SOC professionals said they review only 49% of the alerts they should during a typical workday, and nearly two-thirds of those are low priority or false positives. Further, 81% of those surveyed say they are slowed down by manual investigation, their most common drag on threat response time.

Finally, cost is increasingly a factor in decision-making. All organisations are looking for ways to control costs by making the most of existing investments and capabilities that are ‘included,’ as well as by increasing the productivity of their teams. Unfortunately, exponentially increasing data volumes, additional security tooling, and traditional tooling with complex and costly licensing models are creating significant headwinds.

It is no surprise that 63% of organizations seek to improve their security operations center’s ability to detect and respond.

The DNA needed in a modernized SOC for the hybrid cloud

To address these challenges we need to rethink some of the priorities that drove our decisions to where we are today.

Firstly, we need to design for the analyst experience. Historically, our industry has been very tool driven, which was the right priority at the time. But now we need to focus on our teams: their productivity and their job satisfaction. We need to reduce the UX complexity they have to deal with (variety of tools, query languages and vocabulary).

Secondly, we need to leverage built-in AI, automation and expertise to scale the experts and heroes we have in our security teams today. You know the ones — they just make everything work, they can chase down threats across all the complex infrastructure. They are the ones you rely on when urgent actions and answers are needed. Automation and AI sit at the core of what’s needed to achieve this. AI-enabled technology can do the heavy lifting for analysts, supporting everything from threat investigation to recommended remediation actions. Both the days to detection and hours to investigation of a cybersecurity incident can be dramatically reduced with AI adoption, by as much as 50% and 29%, respectively, according to the IBM Institute for Business Value.

Finally, we need to enable open systems and community collaboration. The reality of the cloud world is that security is going to be federated across multiple systems. Organisations need the choice of which security systems they will use, in a way that doesn’t add complexity or burden their teams with proprietary ecosystems and content. Open standards that foster collaboration, integration and shared threat detection content are increasingly a must. According to the SANS Institute, 66% of security teams surveyed say they are prioritising integrations to help improve their security operations.

Announcing IBM Security QRadar Suite

QRadar has been a market-leading SIEM for over 15 years now, with numerous innovations in analytics including NDR, UEBA and AI (Watson for Cyber). Now the new IBM Security QRadar Suite has been extended to also include EDR/XDR and SOAR, as well as new cloud-native log analytics capabilities (Log Insights) that enable cost-effective collection, analysis, visualisation and very fast search of data at cloud scale. These capabilities are unified on a single, modular platform that allows step-wise adoption and provides users with a complete threat detection, investigation and response (TDIR) system. As each solution is adopted, it adds capabilities, context, insights and automation to the analyst experience with little incremental training or integration work.


In addition to enabling all the core capabilities security teams need, the new QRadar Suite has been designed specifically around the DNA we described above as required for a modernized SOC securing the hybrid cloud:

Open systems and community collaboration

The new QRadar Suite is not only built on an open hybrid cloud platform (OpenShift) that enables a cloud-native, elastic and resilient architecture and a choice of where and how to deploy it (e.g., licensed software or SaaS), but also leverages open standards throughout.

For example, all the products in the QRadar Suite support correlating security findings from third parties as well as federated search, enabling organisations to use the tools they have today and to choose which ones they use in the future, all without having to move their data. The suite also uses MITRE ATT&CK and SIGMA natively in threat detection, investigation and response, enabling security teams to move at the speed of the community to keep up with attackers.

Built-in AI, automation and expertise

The suite is embedded with AI and automation innovations that have been shown to speed up alert prioritisation by 55% in the first year on average, improve response times by 8x, and speed up investigations by 60x. In addition, the suite includes continuously updated threat detection and response content from the X-Force team, with insights gathered from working with thousands of customers globally.

The suite also includes a new automated investigation capability that investigates an alert across multiple systems (using federated search, threat intelligence and SIGMA), no matter where the alert came from, and brings together the findings, as well as recommended response actions, onto a single, easily consumable timeline for an analyst to review and act on quickly.

Designed for the analyst experience

The QRadar Suite has been architected around a unified analyst experience that assists security analysts throughout their investigation, response and threat hunting workflows across EDR/XDR, SIEM, SOAR and Security Log Management (SLM). Because it is based on open standards and federated search, this unified experience works not only across the IBM QRadar Suite but also across over 40 third-party technologies. The experience has been designed alongside our security teams and experts and is infused with their expertise and insights, bringing analysts the ‘What?’, ‘Who?’, ‘Where?’, ‘When?’ and, most importantly, the ‘What should I do next?’ they need in a simple, easy-to-consume workflow.

Built specifically for the demands of today’s and tomorrow’s security operations and hybrid cloud environments, the QRadar Suite helps SOC analysts make better decisions quicker while strengthening their threat detection and response capabilities. Organizations looking to modernize their SOCs can feel more confident and supported in the face of uncertainty and complexity.
