A Look At IBM QRadar XDR: The Future of Modern SOC

Jayden Aung
IBM Cloud Pak Tips and Good practices
8 min readMar 9, 2022


We’re now living in a time where advanced threats can intelligently infiltrate organizations at speed and cause maximum destruction at will. If you’ve been following cyber security news, you’ll know that in 2021 and at the start of 2022 we’ve seen damaging cyber supply chain attacks, advanced ransomware attacks, and powerful nation-state attacks. With such events happening in the cyber security world, threat detection and response have become a “business-critical activity.” It’s never been more crucial for security teams to extend their threat detection and response capabilities across networks, endpoints, and clouds.

Many security analysts spend more time juggling between different consoles of point products, sifting through structured and unstructured data from multiple sources, and doing a lot of manual work to correlate and consolidate findings than they do detecting, responding to, and eliminating a threat. Because of that, mean time to detect (MTTD) tends to be higher than it should be, allowing the threat to stay hidden within internal networks for longer and cause more damage. That typically happens if an organization uses multiple security point products that do not communicate with one another and do not have an integrated workflow that puts analysts’ productivity first. What security analysts need most is a new generation of Extended Detection and Response (XDR) technology that enables them to quickly detect and effectively respond to threats across networks, endpoints, and cloud workloads. IBM’s QRadar Extended Detection and Response (XDR) solution makes this possible by extending the detection and response capabilities of Endpoint Detection and Response (EDR) technology to include network and log-based security analytics in a single integrated solution.

Let’s also not forget that modern-day analysts are not just monitoring endpoints and on-prem workloads. They also have to monitor security events around cloud-native workloads sitting on your Kubernetes or OpenShift clusters and in public cloud environments. So, the XDR solution you acquire should be cloud-aware (and ideally cloud-native), too.

What is an XDR?

Extended Detection and Response (XDR) enables organizations to go beyond typical detection capabilities by providing a holistic, seamless, and integrated view of threats across the entire technology landscape, along with enhanced capabilities for responding to and eliminating threats. Multiple studies by leading cyber security vendors find that organizations benefit from moving from point solutions, different consoles, and manual processes to an open, integrated, intelligent architecture. This kind of architecture is called extended detection and response (XDR). According to Gartner, Extended Detection and Response (XDR) is “a SaaS-based, vendor-specific, security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components.” Unlike Endpoint Detection and Response (EDR) solutions, which mainly focus on protecting endpoints, XDR is designed to cover the entire attack surface across endpoints, networks, and cloud workloads. Ideally, an XDR solution should be an open architecture built to integrate multiple point tools and effectively unify security operations. XDR should also offer advanced analytics for threat detection efficacy and process automation for security operations. This means that, using XDR, your analysts should be able to pull and correlate threat data and context from different sources on a single console and perform automation-driven response activities via an integrated workflow.

So, what is IBM QRadar XDR?

IBM QRadar XDR is an open and connected threat detection and response solution, enabling security teams to act faster with a seamless, integrated workflow. It is a comprehensive XDR solution built on the IBM Cloud Pak® for Security platform, with deployment on-premises, in the cloud, or as a service to meet your unique requirements. With the acquisition of ReaQta, an AI-driven cyber security technology leader, and by utilizing Cloud Pak for Security’s existing capabilities, IBM is unifying its threat detection under the QRadar XDR brand, leveraging its long and successful history in cyber security operations. IBM QRadar XDR is also built around IBM’s Zero Trust security approach to protecting your organization against cyber security threats.

With regard to endpoint detection, your endpoint security is complemented by IBM’s AI-driven threat hunting and live hypervisor-based monitoring capabilities from IBM ReaQta. By leveraging AI and automation directly on the endpoint, IBM ReaQta can perform early detection of ransomware behaviour and actively mitigate threats in real time.

However, IBM QRadar XDR’s capability goes beyond endpoint detection and response. Here are the four core values of IBM QRadar XDR:

Connected

IBM QRadar XDR is connected. It connects to security data where it resides, whether in an EDR, SIEM, or NDR tool from a third party or from IBM, and it connects to clouds as well. IBM provides modular and open security suites for end-to-end visibility, detection and investigation, and response across the entire cyber kill chain. It supports integration with existing tools or IBM’s native capabilities without moving the data. For example, when integrating with AWS CloudWatch, you won’t need to pipe CloudWatch logs into QRadar XDR’s log storage; instead, you’ll be able to query CloudWatch and pull critical event data related to a threat without moving the raw data. The IBM XDR line-up includes native capabilities such as SIEM, SOAR, NDR, and a new offering, XDR Connect. If you’re already an IBM user, you will be able to leverage your existing IBM capabilities as well.

Unified

IBM QRadar XDR is designed to provide a seamless user experience across teams and unify security operations. There is no more jumping between multiple point products and consoles for case management, data querying, enriching, investigating, triage, playbook simulations, and response tasks. It provides you with a powerful collaboration platform for security team members on the case to communicate and share information transparently and efficiently. It provides integrated workflows to help speed up alert triage, threat hunting, investigation, and response.

Intelligent

AI-driven threat management capabilities allow analysts to quickly and effectively detect, investigate, and respond to threats. The purpose-built AI combined with pre-built playbooks maximizes analysts’ productivity by automating the process of enriching, correlating, and investigating threats. It can also help with automatic root cause analysis and MITRE ATT&CK mapping, improving the speed of investigation by 60x with automated triage and contextual intelligence.

Open

IBM has always been a staunch advocate and supporter of open-source projects. As such, IBM QRadar XDR is designed as a future-proof architecture to avoid lock-in. It is a solution that leverages threat intelligence, open-source technology, and open standards for increased visibility and faster threat detection. Developed with open standards, QRadar XDR connects with existing tools in your environment to enrich data and gain contextual awareness. IBM is also a leading contributor to the Open Cybersecurity Alliance (OCA) and supports threat hunting languages like Kestrel.

A Day in the Life of an IBM QRadar XDR-powered Analyst

Let’s take a look at an example of how IBM QRadar XDR can speed up an investigation and mitigate a threat. In this scenario, you’re an analyst who has just detected a PowerShell attack using IBM QRadar XDR powered by Cloud Pak for Security.

Figure: PowerShell attack detected

Once you’re in the IBM QRadar web console, you will have a holistic view of the security events related to detected threats, presented to you in a single pane of glass. QRadar XDR allows you to detect attacks like this with a single click across third-party systems such as Splunk SIEM and IBM native capabilities. It enables the analyst to quickly discover this attack on an endpoint and get context from log data from different sources. You can then search for any indicator of compromise (IOC) in the enriched event data. An IOC could be anything, such as an IP address extracted from an EC2 instance on AWS, or a filename or file hash related to the threat that was picked up by your EDR.

Figure: Query and correlate threat data from IBM native tools as well as third-party systems

Once you have critical findings, you can add them to the case as artifacts for further analysis and easily share them with the rest of the investigation team so that they are as informed as you are.

Figure: Adding an artifact to the case

When working with cases, unified workflows help speed up and streamline the entire detection and remediation process. You will have access to a well-presented view of alerts in a simple triage process console.

Figure: Cases

If you jump into a case view, you’ll find that QRadar XDR makes analysts even more efficient. You’ll see the next steps you need to take, a list of all the evidence and Indicators of Compromise (IOCs) collected, enriched by top-notch threat intelligence and purpose-built AI, and a summary of all MITRE ATT&CK techniques that have been detected, giving you a complete view of threat activity.

Figure: Diving into the case

With a single click, you can dive into the timeline view, where all threat activities have been automatically brought together and presented on a timeline, to review all the evidence as required. This allows analysts to go back in time, replay threat activities, and review them as they go deeper into an investigation.

Figure: Attack timeline

Now let’s talk about remediation. QRadar XDR includes full Security Orchestration, Automation and Response (SOAR) capabilities that allow comprehensive security playbooks to be easily created and executed for more involved and active mitigation, including incident response across the organization. Using security playbooks, you can perform tasks automatically or manually while investigating or responding to a threat.

Figure: Smart and automated response

In summary, IBM QRadar XDR enables security teams to detect, investigate, and respond to threats faster by being connected, unified, intelligent, and open. Empowered by IBM QRadar XDR, your security team and analysts will be combat-ready for the modern-day cyber security threats targeting your organization, operating from a modern, self-driving security operations center (SOC). For the many organizations moving workloads to public and hybrid environments, IBM QRadar XDR streamlines threat investigation and security operations across endpoints, on-prem, and cloud environments without having to move data.

If you want to know more about IBM QRadar XDR and how it can empower your security analysts to detect, investigate, and respond to modern-day advanced cyber security threats, you can visit the IBM website to read about QRadar XDR, and contact an IBM representative for a talk.

Jayden Kyaw Htet Aung

Twitter: @JaydenAung

LinkedIn: https://www.linkedin.com/in/jaydenaung/

Blog: https://jaydenaung.com
