IBM TechXchange Security Technology Alliance Program User Group

This online group is intended for new and existing IBM Security Technology Partners who would like to keep up to date with the latest advice and best practices for IBM Security integration.

Integrating with IBM Security products – An Introduction

By Russell Warren posted Mon May 23, 2022 03:44 PM

In this article we will describe the IBM Security products from a technology partner viewpoint. We will show you where you can integrate with our solutions to provide joint value to our customers. Pointers to more detailed material will be provided so you can gain more technical insight. You can also reach out to us in this community to ask questions, obtain helpful insights and learn more about IBM Security.

The IBM Security approach

One of our fundamental approaches across our security solutions is to provide integration points and support that enable technology products, services-based solutions and customer-developed extensions for our IBM Security products. Our customers use many security products and require this integration to simplify security operations, better leverage their investment in these products and provide more effective security defenses. Many of our products use open technologies to achieve this integration, such as:
  • Open Cybersecurity Alliance's STIX-Shifter and Kestrel for threat hunting
  • MITRE ATT&CK framework
  • Sigma
  • OASIS STIX
  • FIDO Alliance
  • ELK Stack - a stack that comprises three popular projects, Elasticsearch, Logstash, and Kibana, and provides an open-source approach for monitoring event logs

We provide documentation and Web-based enablement material. We provide personal technical support to work with our partners to define and develop your integration. You will get free access to our products for development, test, and support of your integration solution. We host a customer-facing technology alliance solutions directory, which lists integrated solutions, and the IBM Security Application Exchange, which provides customers the ability to download and install jointly tested integrated solutions.

Overview of integration opportunities with IBM Security products
IBM Security has a broad set of security solutions that span SIEM, SOAR, Data Security, Mobile Security, and Network Security. In this section, we will highlight the use cases and integration points for specific IBM Security products. At the end of this article is a list of pointers to more detailed material.

QRadar (SIEM- Security Incident and Event Management)
SIEMs ingest data from many data sources, correlate it, automate actions and present security incidents to security administrators for analysis and action. Security Operations rely heavily on a SIEM to synthesize the high volume of security events into a smaller set of prioritized incidents that need to be investigated. These are the areas where you can integrate with the SIEM:

  • Data Integration - Get the data in, parsed, and categorized. This step enables the SIEM to understand your security events and lets SIEM operations correlate security data across data sources. This is the place to start your integration with QRadar.
  • Content - Make that data usable for the customer. This type of integration provides content above and beyond your security events that is very valuable for security administrators. Lists of key resources, known malicious actors and behavioral analysis are examples of this type of data.
  • Applications - Drive deep integration use cases with a user-interface-driven application. In this integration, you can present your security information within the QRadar user interface, giving security operations a seamless way to leverage your product's value, enriched with the context QRadar has, in an integrated user experience. Widgets, commands, and additional contextual data are examples of the types of things you can add.

SOAR (Security orchestration, automation, and response)
SOARs pull in security events from SIEMs, network operations, threat detection systems and many other security tools, and connect disparate security tools, teams and infrastructures for enhanced process-based operations. Incident response teams use the SOAR to drive and manage workflows to investigate, repair and respond to security events. These are the areas where you can integrate with the SOAR:

  • An app is a collection of SOAR components, code executables or both that represents an end-to-end function that customizes and enhances the SOAR product capabilities.
  • A SOAR component is a rule, workflow, Python script, function, custom field, data table or message destination. You create these components in the SOAR platform.
  • A code executable is remote code you provide that can access and return external data, interact or integrate with other security systems, or simply be a utility that performs a specific action.


MaaS360 (Endpoint Management)

Endpoint management provides secure access for many types of endpoints, reducing risk while delivering a satisfying end-user experience.
  • You can write a custom integration application that leverages a Web services API with Python scripts. Your new program will allow you to identify devices using your application, extract data from MaaS360 and import that data into your native systems for analysis. This information can be digested and used by company administrators, providing actionable intelligence.

Guardium (Data Security)

Comprehensive data security and compliance solutions for zero trust and the modern data environment.
  • The Guardium universal connector enables Guardium to get data from potentially any data source's native activity logs without using S-TAPs. The Guardium Universal Connector includes support for MongoDB, MySQL, and Amazon S3, requiring minimal configuration. Users can easily develop plug-ins for other data sources, and install them in Guardium. The Guardium universal connector supports many platforms and connectivity options. It supports pull and push modes, multi-protocols, on-premises, and cloud platforms.
  • For data sources with pre-defined plug-ins, you configure Guardium to accept audit logs from the data source. For data sources that do not have pre-defined plug-ins, you can customize the filtering and parsing components for their audit trails and log formats. The open architecture enables reuse of prebuilt filters and parsers, and the creation of a shared library for the Guardium community.
  • The Guardium universal connector identifies and parses the received events, and converts them to a standard Guardium format. The output of the Guardium universal connector is forwarded to the Guardium sniffer on the collector, for policy and auditing enforcements. The Guardium policy, as usual, determines whether the activities are legitimate or not, when to alert, and the auditing level per activity.

QRadar XDR (Threat management)

This solution provides a single unified workflow across multiple security tools. With multiple security tools in use in customer security operations, there is a need for an open approach that lets multi-vendor, multi-product environments be leveraged effectively while reducing the complexity of security operations. This solution integrates your Endpoint Detection and Response, SIEM, Network Detection and Response, security orchestration and response (SOAR) and threat intelligence solutions. These are the areas where you can integrate with QRadar XDR:

  • Take part in federated searches. This integration helps our clients eliminate data silos and derive more value from their current security tools.
  • Share asset and risk information. This integration helps our clients understand their IT estate and the overall security posture of their organization.

Reference Material for Additional Information

Development Centers

We provide a set of development centers for our products. These development centers give you detailed information on how to integrate with our products. Samples and examples are also provided for a number of our integrations. Here are the locations of these development centers:

Product       Development Center Link
QRadar        QRadar Development Center
SOAR          SOAR Development Center
MaaS360       MaaS360 Development Center
QRadar XDR    QRadar XDR Development Center


Additional Reference Material

Guardium


