Cybersecurity has made a lot of progress over the last ten years. Improved standards (e.g., MITRE), threat intelligence, processes and technology have significantly helped improve visibility, automate information gathering (SOAR) and many manual tasks. Additionally, new analytics (UEBA/SIEM) and endpoint (EDR) technologies can detect and often stop entire classes of threats. Now we are seeing the emergence of technologies such as attack surface management (ASM), which are starting to help organisations get more proactive and focus their efforts for maximum impact.

However, the move to cloud and the associated expansion of the attack surface is now substantially adding to the complexity of the landscape. The 2022 IBM Security X-Force Cloud Threat Landscape Report found the continued expansion of hybrid cloud environments to be a significant challenge for security teams. X-Force observed a 28% increase in new cloud vulnerabilities compared to the year prior. Further, vulnerable public-facing applications running in a cloud environment have become common targets for attackers, and it can be difficult for organizations to catalogue all applications running in the environment to ensure that all of them remain patched.

This in turn causes three things to happen:

  1. More data: The need to collect more security telemetry data to provide the necessary visibility. As most of this data is being generated in cloud platforms, it is driving up costs and complexity, especially as shifting data between clouds isn’t free.
  2. More tools: The deployment and use of even more security tooling to provide protection, visibility and response into the new cloud infrastructure (e.g., CWPP, ITDR, CDR, etc.). In many cases, security teams are literally handed new security tools from DevSecOps or the CIO due to expediency (“Hey, this works for technology X”), or for financial reasons (“Hey, this is free for cloud Y”).
  3. More UX complexity and more alerts: More tools, more data, more moving parts result in more headwinds for security teams to keep ahead of the attackers. They are faced with additional integration and configuration work, as well as new UXs to become experts in, as they pivot from one to the other to chase down threats. According to the 2023 IBM Global Security Operations Center Study, surveyed SOC professionals said they only review 49% of alerts they should during a typical workday, and nearly two-thirds of those are low priority or false positives. Further, 81% of those surveyed say they are slowed down by manual investigation — their most common drag on threat response time.

Finally, cost is increasingly a factor in decision-making. All organisations are looking for ways to control costs by leveraging existing investments and capabilities that are ‘included,’ as well as by increasing the productivity of their teams. Unfortunately, exponentially increasing data volumes, additional security tooling, and traditional tooling with complex and costly licensing models are creating significant headwinds.

It is no surprise that 63% of organizations seek to improve their security operations center’s ability to detect and respond.

The DNA Needed in a Modernized SOC for the Hybrid Cloud

To address these challenges we need to rethink some of the priorities that drove our decisions to where we are today.

Firstly, we need to design for the analyst experience. Historically, our industry has been very tool driven, which was the priority at the time. But now we need to focus on our teams, their productivity, their job satisfaction. We need to reduce the UX complexity they have to deal with (variety, languages, vocabulary).

Secondly, we need to leverage built-in AI, automation and expertise to scale the experts and heroes we have in our security teams today. You know the ones — they just make everything work, they can chase down threats across all the complex infrastructure. They are the ones you rely on when urgent actions and answers are needed. Automation and AI sit at the core of what’s needed to achieve this. AI-enabled technology can do the heavy lifting for analysts, supporting everything from threat investigation to recommended remediation actions. Both the days to detection and hours to investigation of a cybersecurity incident can be dramatically reduced with AI adoption, by as much as 50% and 29%, respectively, according to the IBM Institute for Business Value.

Finally, we need to enable open systems and community collaboration. The reality of the cloud world is that security is going to be federated across multiple systems. Organisations need the choice of which security systems they will leverage, in a way that doesn’t add complexity or burden their teams with proprietary ecosystems and content. Open standards that foster collaboration, integration and shared threat detection content are increasingly an absolute must. According to the SANS Institute, 66% of security teams surveyed say they are prioritising integrations to help improve their security operations.

Announcing IBM Security QRadar Suite

QRadar has been a market-leading SIEM for over 15 years now, with numerous innovations in analytics including NDR, UEBA and AI (Watson for Cyber). Now, the new IBM Security QRadar Suite has been extended to also include EDR/XDR and SOAR, as well as new cloud-native log analytics capabilities (Log Insights) that enable cost-effective collection, analysis, visualisation, and blazingly fast search of data at cloud scale. These capabilities are unified on a single, modular platform that enables step-wise adoption and provides users with a complete threat detection, investigation and response (TDIR) system. As each solution is adopted, it adds capabilities, context, insights and automation to the analyst experience with little incremental training or integration work.

In addition to enabling all the core capabilities security teams need, the new QRadar Suite has been designed specifically around the DNA we discussed previously as required for a modernized SOC securing the hybrid cloud:

Open Systems and Community Collaboration

The new QRadar Suite is not only built on an open hybrid cloud platform (OpenShift) that enables a cloud-native, elastic, resilient architecture and a choice of where and how to deploy (e.g., licensed software or SaaS), but also leverages open standards throughout.

For example, all the products in the QRadar Suite support correlating security findings from third parties as well as federated search, enabling organisations to leverage the tools they have today and to choose which ones they leverage in the future, all without having to move their data. The suite also leverages MITRE and SIGMA natively in threat detection, investigation and response — enabling security teams to move at the speed of the community to keep up with attackers.

Built-In AI, Automation and Expertise

The suite is embedded with AI and automation innovations that have been shown to speed up alert prioritisation by 55% in the first year, on average, improve response times by 8x, and speed up investigations by 60x. In addition, the suite also includes continuously updated threat detection and response content from the X-Force team, with insights gathered from working with thousands of customers globally.

The suite also includes a new automated investigation capability that investigates an alert across multiple systems (leveraging federated search, threat intelligence and SIGMA), no matter where the alert came from, and brings together the findings, along with recommended response actions, on a single, easily consumable timeline for an analyst to review and act on quickly.

Designed for the Analyst Experience

The QRadar Suite has been architected around a unified analyst experience that assists security analysts throughout their investigation, response and threat hunting workflows across EDR/XDR, SIEM, SOAR and Security Log Management (SLM). This new unified experience works not only across the IBM QRadar Suite but also with over 40 third-party technologies, as it is based on open standards and federated search. The experience has been designed alongside our security teams and experts and is infused with their expertise and insights, bringing analysts the ‘What?’, ‘Who?’, ‘Where?’, ‘When?’, and the all-important ‘What should I do next?’ they need in a simple, easy-to-consume workflow.

Built specifically for the demands of today’s and tomorrow’s security operations and hybrid cloud environments, the QRadar Suite helps SOC analysts make better decisions quicker while strengthening their threat detection and response capabilities. Organizations looking to modernize their SOCs can feel more confident and supported in the face of uncertainty and complexity.
