Upcoming apps and playbook design covered in the latest tech session

  • 1.  Upcoming apps and playbook design covered in the latest tech session

    Posted Tue April 02, 2019 12:09 PM
    Edited by Connor Costello Fri April 12, 2019 08:32 AM

    Thanks for attending our latest Tech Session on using 3rd-party apps and integrations to enhance your incident response plan. We had a great time covering how security teams can leverage dynamic playbook design and integrations to get the most out of their incident response plan. We've summed up the highlights of the tech session below so please feel free to leave comments or questions for us. We look forward to hearing your feedback.


    A full replay of the tech session can be downloaded here in the Community Library, as well as the slides used. For more tech sessions this year, keep checking the Events tab in the Community to get access to more technical webinars on the Resilient platform. Here's a quick recap:


    Solutions to the common challenges a SOC faces (from a people and process perspective):


    In my first blog post, "3 Keys to Building a Scalable Incident Response Automation and Orchestration Plan", I gave my recommendations for building a robust and consistent response plan. Capturing that response plan is the solution to one of the main challenges faced by Security Operations Center (SOC) teams: lack of a defined, repeatable, and validated process. The full list of common challenges we talked about during the webinar is:


    • Lack of defined, repeatable, and validated process
    • Excessive manual and repetitive effort
    • Too much volume


    During the discussion, I outlined the top solutions to help address these common challenges:


    • Capture – Operationalize your processes
    • Integrate – Tie your systems together
    • Prioritize – Implement feedback loops and tuning efforts


    Please watch the replay of the tech session for an in-depth explanation of the tactics involved for each of these solutions, and to enhance the people and process involved in your incident response plan.


    -Brenden



    ------------------------------
    Brenden Glynn
    CISSP, GCIH
    Incident Response Business Consultant
    IBM Resilient
    ------------------------------


  • 2.  RE: Upcoming apps and playbook design covered in the latest tech session

    Posted Tue April 02, 2019 01:49 PM

    Using technology to impact a response plan:

    Like I said in the tech session, I love the picture provided below because it shows the diversity of products that are available within the marketplace to suit specific needs.


    I know that some of the images are too small to see, but it paints the picture that there is no lack of opportunity to deploy technology as part of your SOC solution.

    The integration technology that I like to talk about is typically on the outskirts of the security mix but still important. It involves ticketing systems, which may historically have been used by IT to manage the upgrade of laptops, broken software, and other things they have to fix. The nice thing is that those systems are already in place and should be leveraged as part of any strategy.

    Companies have already made significant investments in systems already in place, and you should be leveraging those systems so you're not re-inventing the wheel as part of your security program.

    Upcoming Apps and Integrations:

    Part of integrating with the Resilient platform involves existing tools that you have in place. The first upcoming app involves a ticketing system that companies may already have in place. ServiceNow is one of the sources of truth that Brenden spoke about and helps leverage the other organizations within your company to enhance your response plan. Here's a general overview of how it works:


    To hear more about the features of this integration please watch the full replay of the tech session.

    In the next couple of weeks, we will be delivering another integration that we've called "DataFeeder". We've received requests for different views of data from our customers, and have provided the ability to feed data from the Resilient database into these target databases (it also includes ElasticSearch):


    In a quick tour of the IBM Security App Exchange I showed how to navigate the site and find the integrations that best fit your incident response plan needs.

    Final thoughts and answers to your questions:
    A few people were wondering where to find the slides we used so we've attached them to this discussion post.

    Q: For the ServiceNow integration do you know if there's any functionality for querying from ServiceNow?

    What I do know about ServiceNow is that it operates bidirectionally with Resilient. There is specific functionality that's defined as of right now. If you create an incident it will be bidirectional in either platform. If you create tasks based on the incidents, you can add tasks and comments from the platforms.

    ServiceNow has a concept of workflows, and these workflows that have already been created can be leveraged as part of your communication strategy to IT or other internal security teams.

    Thanks for your questions!

    -Ray

    ------------------------------
    ==========================
    Raymond Suarez
    Product Management, Resilient
    IBM Security
    ==========================
    ------------------------------