It's difficult to protect something you can't see.
That's why our team is proud to announce yet another product integration within our Threat Management portfolio—
IBM Security QRadar SIEM and IBM Security Randori Recon.
The what
Just like real threat actors, Randori Recon continuously monitors your external attack surface, uncovering blind spots, misconfigurations, and process failures that would otherwise be missed. Using a black-box approach, Randori finds the IPv4, IPv6, and cloud assets that other technologies or tools miss.
Integrating Randori with QRadar SIEM unlocks two primary use cases for security analysts:
- The detection of a new target by Randori
- An increase in the Target Temptation score of an existing target
When detecting a new target, Randori helps customers identify potential Shadow IT by alerting in QRadar SIEM whenever Recon finds a new asset associated with their organization. Customers can then compare the asset in the alert to their asset database to ensure it is properly managed and monitored across their IT and cybersecurity program. In addition, Randori will include risk insights about the asset in the alert – such as CVEs associated with the asset, a risk score, and guidance on mitigating the risk of exploitation. This information can be used to trigger actions and investigations for the SOC analyst and security team.
For the second use case, Randori uses its patent-pending Target Temptation scoring mechanism to alert customers when an asset on their perimeter is suddenly riskier than it was before. Target Temptation instantly analyzes and ranks exposed assets by attackability to give a more accurate view of each asset's actual risk. When a particular asset suddenly becomes riskier (think: VMware during Log4j), Randori raises the Target Temptation score of that asset, which triggers an alert in QRadar SIEM, indicating to the customer security team that there is something interesting to investigate related to that asset.
The why
This integration brings value by equipping the SOC manager to proactively secure the environment based on an attacker's point of view. Our customers will be able to prioritize their findings and pinpoint an attacker's top targets, using information that helps defenders better understand an adversary's intentions, capabilities, and opportunities, and then take action using guidance from SOAR.
Randori continuously monitors your organization's perimeter, looking for new assets and changes in your attack surface. This integration will help our customers identify issues fast and take action—before attackers strike.
Among the values Randori reports for each target are:
- the software associated with the target
- the IP address(es) and hostname(s) where the target is located
- notes from our R&D team about the software we have discovered
- whether the target is public or internal (i.e., accessible only inside a customer's network)
- an impact score—user-provided value—indicating the asset's importance to the business
- the target's priority—high, medium, or low
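To make the two use cases above and the reported fields concrete, here is an added example (not Randori's or QRadar's code) that diffs two constructed Recon snapshots against an asset database and emits a "new target" alert, flagged as possible Shadow IT when the hostname is unknown, or a "temptation increase" alert when a known target's score rose. The record shape, hostnames, and 0-100 score scale are assumptions for illustration only.

```python
from dataclasses import dataclass

# Constructed record shape for illustration; not Randori's real export format
# or QRadar's event schema.
@dataclass(frozen=True)
class Target:
    hostname: str
    software: str
    temptation: int   # Target Temptation score; a 0-100 scale is assumed here
    is_public: bool


def triage(previous: dict, current: list, inventory: set) -> list:
    """Diff two Recon snapshots (previous keyed by hostname) against the asset
    database and emit the two alert kinds the integration raises in QRadar."""
    alerts = []
    for t in current:
        old = previous.get(t.hostname)
        if old is None:
            # Use case 1: a target Recon has not reported before. Mark it as
            # possible Shadow IT when the asset database does not know it.
            alerts.append({
                "rule": "new_target",
                "target": t.hostname,
                "software": t.software,
                "exposure": "public" if t.is_public else "internal",
                "shadow_it": t.hostname not in inventory,
            })
        elif t.temptation > old.temptation:
            # Use case 2: the Target Temptation score rose since the last run.
            alerts.append({
                "rule": "temptation_increase",
                "target": t.hostname,
                "previous": old.temptation,
                "current": t.temptation,
            })
    return alerts


# Constructed sample data: yesterday's snapshot, today's snapshot, asset DB.
PREVIOUS = {
    "vpn.example.com": Target("vpn.example.com", "SSL-VPN gateway", 40, True),
    "wiki.example.com": Target("wiki.example.com", "Wiki server", 30, True),
}
CURRENT = [
    Target("vpn.example.com", "SSL-VPN gateway", 85, True),  # got riskier
    Target("wiki.example.com", "Wiki server", 30, True),     # unchanged
    Target("dev-api.example.com", "Web API", 55, True),      # never seen before
]
INVENTORY = {"vpn.example.com", "wiki.example.com"}
```

Calling `triage(PREVIOUS, CURRENT, INVENTORY)` yields one temptation_increase alert for vpn.example.com and one new_target alert for dev-api.example.com with shadow_it set, which is the pair of events the SOC would see arrive in QRadar SIEM.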
The how
To get started with this integration, follow the steps in our documentation. I invite you to learn more about Randori's functionality and how it can benefit your company's security.
Thank you for reading,
Olga Hout, Product Integrations Manager