IBM Security QRadar

 View Only

IBM Security's Cost of a Data Breach report and QRadar content

By Gladys Koskas posted Wed July 27, 2022 04:29 PM


Hey guys

I was waiting for it, I'm sure you were too, the Cost of a data breach report 2022 is out !  

Some of the statistics in the report blew my mind, but I really find it worth reading so I will try to not spoil you :) 
I still would like to extract a few numbers out of it, so we can discuss detection content together.

Attack vectors

The report compares the average time to identify a breach with or without a security AI and automation (in the context of the report, we are talking about "enabling security technologies that augment or replace human intervention in the identification and containment of incidents and intrusion attempts").
For companies not having such systems, the breach identification time is evaluated to an average of 235 days, the number goes down to 181 for those who are fully deployed.

Now let's look at the top 3 common attack vectors responsible of data breaches:

That's actually 50% of the cases, this means that if you implement the correct monitoring for these 3 access points you greatly increase your chances of reacting faster.

I know that you like to have clear and straight infos, so here is a table where you can find the content packs and blogs that can help you deal with these 3 vectors of attack.

Attack Vector

Content Extensions



Stolen Credentials

User Behavior Analytics

The User Behavior Analytics app provides the help that only a machine learning tool can provide when it is about risk profiling into a unique network configuration and behaviour.

Maturing UBA Deployments Part 1: Access & Authentication

Maturing UBA Deployments Part 2: User Access, Network, and Flow Anomalies

IBM Security QRadar Network Anomaly Content Extension

The Network Anomaly extension recently added some rules to detect impossible travel behaviour, lateral movement or suspicious account behaviour as an example.


IBM QRadar Content Extension for Amazon AWS

At the time I am writing, the AWS content extension contains rules related to authentication monitoring, they might be located in the Hybrid-Cloud content extension in a few weeks.

Detect suspicious activity in your AWS, Azure, VMware and O365 environments


IBM QRadar Phishing and Email Content Extension

Don't forget to check out the sets of Custom Properties packs on the App Exchange (Microsoft Exchange, Cisco Ironport, Proofpoint, Postfix, Lastline)

IBM Security QRadar Phishing and Email Content Extension

IBM QRadar Security Threat Monitoring Content Extension

The Threat monitoring content extension contains a custom function that can help detect 1792 homoglyph characters.

Homoglyph detection with QRadar

Cloud Misconfiguration

IBM Security QRadar Content Extension for Hybrid Cloud Use Cases

According to the report, nearly half of organizations experienced a data breach in the cloud. The Hybrid-Cloud extension is a good starting point with AWS, Azure, Google, O365 and VMware, all in one pack!

Detect suspicious activity in your AWS, Azure, VMware and O365 environments


Now let's be honest, you wouldn't believe it is me behind the keyboard if I was not talking about ransomware! 

The cost of ransomware attack (not including the cost of the ransom itself, but everything related to it) is slightly higher than the average of other attacks.
Even if the cost is lower than last year, the number of attacks keeps increasing, as I was mentioning in Q1, 21% of the attacks responded by X-Force last year were related to ransomware.
Ransomware breaches also took 49 days longer than average to identify and contain.

What I got from this report is that it still takes a lot of time to identify threats in general, and that preparation to respond is crucial. The risk zero doesn't exist in our space, so the best we can is to ensure that the doors are locked as much as we can to slow down the attack, and be ready for what is coming.
The steps I detailed in the blog "
Ransomware: Get ready to respond !" are valid for way more than ransomware, so their implementation is really worth the investment.

Of course I have to mention again the importance of the Endpoint Content extension, the team is always trying to find new ways to detect malicious and suspicious behaviour on Windows and Linux devices, there is a link to a blog dedicated to this pack associated to ransomware detection (
Anatomy of a ransomware attack).

Here is the link to the report, I really enjoyed reading it, I hope you will like it too ! 

In case you need assistance to deal with any of this, you can connect with the IBM Security X-Force Incident Response team, who is available to assist 24×7, at US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034. 

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.