Scaling the SOC with the IBM QRadar Suite:
Leveraging Automation in QRadar SOAR to Meet the Ever-Growing Threat Landscape
Kaamil El-Rayess, Sr. Product Manager, QRadar SOAR
Anshul Garg, Sr. Product Marketing Manager, QRadar SOAR
The IBM QRadar Suite
The world of Cyber Security professionals is overwhelmed with ever-changing technologies, rapidly expanding threats, difficulty finding talent, and a constant barrage of alerts and cases. The result of all of this is a major struggle to adapt security operations quickly enough to ensure effective detection and response .
According to our 2023 Global SOC Study by Morning Consult:
- Nearly half of organizations say that the average time to detect and respond to a security incident has increased over the past 2 years.
- Half of all alerts are never investigated.
- SOC personnel spend one third of their typical workday investigating and validating incidents that are not a real threat.
Fortunately, there is a better way with better tools to manage the chaos. IBM Security has recently launched the modernized QRadar Suite for threat detection and response, designed to unify the security analyst experience and accelerate SecOps across the entire incident lifecycle.
To accomplish this, the QRadar Suite is embedded with enterprise-grade AI and automation throughout the portfolio to helps to dramatically improve SOC efficiency from detection, to correlation, to automated response.
Response Capabilities that Move the Needle: QRadar SOAR powered by UAX
When it comes to response, QRadar Suite shines with SOAR powered by a new Unified Analyst Experience (UAX). QRadar SOAR (Security Orchestration Automation and Response) enables SecOps teams to scale their analyst workflows by better managing their relentless stream of cyber security alerts, findings, and cases all in one place. Built into the heart and soul of SOAR with UAX are two distinct drivers of this scalability and efficiency. What are they?
Figure 1: QRadar SOAR powered by UAX brings a vast array of enterprise-wide data to analysts’ fingertips in one single screen.
The first core factor is the “single pane of glass” experience which gives analysts direct access to a broad range of enterprise-wide data and enables them to orchestrate their response across their entire technology stack from one platform. And the second major driver of SOC efficiency is a robust automation layer which helps remove much of the heavy lifting of investigations and response actions from the analyst’s shoulders, and increases analyst focus to improve response time.
And the analyst’s focus is one of the biggest benefits SOAR solves for. By being that single control plane from which they can remediate threats throughout their enterprise, SOAR eliminates much of the tremendously costly context switching which they would otherwise have to constantly endure. Instead of managing cases in a bevy of different security tools (e.g., network, endpoint detection, email, etc.), SOAR provides one single case queue utilizing our vast and growing catalog of integrations. And, in addition to enabling the management of alerts in a single place, those integrations also allow analysts to act upon those third-party systems to accomplish such tasks as gathering supporting evidence, quarantining a malicious attachment, blocking a host, or revoking a user’s access, etc.
Figure 2: A single control plane and case queue brings together alerts and incidents from across the organization's IT stack, and enables analysts to investigate and take action on any of them from one place.
Playbook Designer: Democratizing SecOps Automation
Layered onto this unified control plane and broad integrations library is a powerful automation engine called Playbook Designer which itself is also purpose-built to reduce SecOps workloads both upstream (creating and implementing automations) and downstream (investigating and remediating threats). Playbook Designer allows teams to develop playbooks that are as simple or as complex, as automated or as manual, as your use cases require.
And teams can develop playbooks for an endless variety of use cases. Some examples include automated case enrichment, privacy breach response, phishing, malware, and other endless possibilities. Whether you are building new capabilities for upstream or downstream processes, the QRadar SOAR platform offers features that are laser-focused on the users involved in each of those stages of the SecOps lifecycle. Be it the security architect, engineer, or advanced analysts developing playbooks and building automations, or the L1 and L2 analysts who are triaging alerts or escalating and investigating cases. QRadar SOAR seeks to make all their jobs dramatically easier to help the entire team scale.
Figure 3: Playbook Designer provides a highly intuitive canvas and drag and drop user experience that enables SOC teams to more easily create manual and/or automated playbooks utilizing our vast library of integrations as well as your own custom scripts.
To help Security Architects and Advanced Analysts adopt and more easily implement automation, we have focused on highly impactful features. Here are some examples:
- A more low-code/no-code user experience for playbook creation to democratize automation development and increase adoption.
- Drag & drop UX for playbook nodes, including integration functions, custom scripts, condition points, timers, manual tasks, and sub-playbooks.
- Data Navigator, a schema-based interface to help configure playbook functions without the need for scripting or coding knowledge.
- Dynamic playbooks enable new playbooks to be employed in a case and associated tasks to be managed and organized as new evidence is uncovered and the response pivots accordingly.
- Sub-playbooks, to create reusable playbook blocks for commonly associated functions, and to edit those blocks centrally with changes propagating wherever used.
- Vast library of over 300 integrations and their associated functions from the most popular security solutions in the market.
- Robust import/export capabilities to make it easier to use pre-made playbooks from content libraries and to deploy playbooks where needed.
- Playbook progress views to easily understand what is happening in your case and where intervention may be needed.
Ready for a Demo? New Capabilities in QRadar SOAR’s Latest Release:
In addition to these core capabilities within QRadar SOAR mentioned above, we would also like to tell you about new features in our latest release:
- Visual playbook progress: Built to be used in conjunction with the existing task list view, a visual representation of the playbook flow will help analysts understand the current case status at a glance. Users can quickly see what has been completed or not yet started, is currently in progress, and where errors have occurred.
- Data Navigator for playbook functions and scripts: When configuring new function and script playbook nodes, the inputs and outputs of those nodes can be set through a simple clickable interface instead of needing to write scripts to extract the required data elements.
Figure 4: Visual playbook progress shows the analyst at a glance which items have been completed, are in progress, have not yet started, or have encountered errors so they can quickly and easily determine where they may need to intervene.
While today’s SOAR playbooks are a great way to enable security teams implement automation, these capabilities will only keep improving. QRadar SOAR’s journey toward a low code/no-code automation future continues to accelerate, as does our mission to help our customers achieve the most efficient SOC possible.
We firmly believe that major gains and scaling benefits for the entire SOC can be achieved through combined improvements across the SecOps spectrum. And this holistic view of SecOps and the key product capabilities we have introduced over the past 1-2 years have won QRadar SOAR many recognitions, including coveted LEADER status in the Kuppinger Cole SOAR Compass.
We look forward to sharing more with you all in the very near future as we continue to launch powerful new capabilities, and we hope to have the opportunity to speak with you and your teams. Please sign-up for a demo to learn more.
#Highlights#Highlights-home