IBM Security SOAR

SIEM360 & SOAR equals IT-Security-Management360

By Ralph Belfiore posted Mon May 24, 2021 10:32 AM


Detection

With SIEM360, the countless traces of movement within a complex IT landscape are first of all intelligently assessed, brought into context and made visible.
Supplemented by the organizational context and specific threshold values, critical events (possible IT security incidents) can be identified more quickly.

[Image: Offenses-NewUI]

Critical events are particularly important if they would affect an important business process!
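The two ingredients named above, threshold values and organizational context, can be shown in a few lines. The following is an added example written for this post, not QRadar's offense engine or its schema: it takes constructed, already-normalized authentication events, counts failures per source and host inside a sliding time window, raises an offense only when a threshold is crossed, and then weights the offense by how critical the business process behind the affected host is. Field names, the asset table and the magnitude formula are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (timestamps in seconds). The field names are
# illustrative and are not QRadar's event schema.
EVENTS = [
    # six rapid failures against a production database: clearly over threshold
    {"ts": 1000, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1010, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1020, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1030, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1040, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1050, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 1060, "src": "10.0.0.5", "user": "alice", "host": "erp-db-01", "outcome": "success"},
    # exactly five failures within the window against a low-value dev machine
    {"ts": 2000, "src": "10.0.0.9", "user": "bob", "host": "dev-box-07", "outcome": "fail"},
    {"ts": 2050, "src": "10.0.0.9", "user": "bob", "host": "dev-box-07", "outcome": "fail"},
    {"ts": 2100, "src": "10.0.0.9", "user": "bob", "host": "dev-box-07", "outcome": "fail"},
    {"ts": 2150, "src": "10.0.0.9", "user": "bob", "host": "dev-box-07", "outcome": "fail"},
    {"ts": 2200, "src": "10.0.0.9", "user": "bob", "host": "dev-box-07", "outcome": "fail"},
    # five failures, but spread 200 s apart: never five inside one 300 s window
    {"ts": 3000, "src": "10.0.0.9", "user": "bob", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 3200, "src": "10.0.0.9", "user": "bob", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 3400, "src": "10.0.0.9", "user": "bob", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 3600, "src": "10.0.0.9", "user": "bob", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 3800, "src": "10.0.0.9", "user": "bob", "host": "erp-db-01", "outcome": "fail"},
    # three failures: ordinary typos, below threshold
    {"ts": 5000, "src": "10.0.0.7", "user": "carol", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 5001, "src": "10.0.0.7", "user": "carol", "host": "erp-db-01", "outcome": "fail"},
    {"ts": 5002, "src": "10.0.0.7", "user": "carol", "host": "erp-db-01", "outcome": "fail"},
]

# Constructed organizational context: which business process an asset supports
# and how critical that process is (1 = low, 3 = high).
ASSETS = {
    "erp-db-01": {"process": "order-to-cash", "criticality": 3},
    "dev-box-07": {"process": "development", "criticality": 1},
}


@dataclass
class Offense:
    host: str
    src: str
    failures: int      # peak number of failures inside one window
    process: str       # business process affected (from the asset context)
    magnitude: int     # 1..10, higher means handle first


def detect_offenses(events, assets, threshold=5, window=300):
    """Raise one offense per (source, host) pair whose failed logins reach
    `threshold` inside any `window` seconds; rank by business criticality."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "fail":
            buckets[(e["src"], e["host"])].append(e["ts"])

    offenses = []
    for (src, host), times in buckets.items():
        # sliding window over the sorted timestamps: peak failures per window
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        ctx = assets.get(host, {"process": "unknown", "criticality": 1})
        # assumed weighting: context counts twice as much as raw volume
        magnitude = min(10, 2 * ctx["criticality"] + min(peak // threshold, 4))
        offenses.append(Offense(host, src, peak, ctx["process"], magnitude))
    return sorted(offenses, key=lambda o: o.magnitude, reverse=True)


if __name__ == "__main__":
    for o in detect_offenses(EVENTS, ASSETS):
        print(f"magnitude {o.magnitude}: {o.src} -> {o.host} "
              f"({o.failures} failures, process {o.process})")
```

The spread-out failures against erp-db-01 show why the window matters: the same raw count produces no offense when the events are not bursty, while the same burst against two hosts is ranked differently only because of the business context, which is exactly the point made above about critical events and business processes.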

[Image: Rules-MITRE-Mapping]

The challenge in the detection phase is to create the necessary transparency. This requires teamwork, recurring coordination, learning curves, hands-on work, trial and error, and perseverance. The better the organizational processes are coordinated with the technical measures, the more reliably the findings can be processed.

[Image: MITRE-TTPs-Rule-Mapping]

Response

Once the central SIEM360 has reached a high level of maturity in detecting possible IT security incidents, experience shows that the next step follows naturally.
The question that usually arises from this is: what should happen now when a high-priority alarm is detected?

The answer is: the real work is only just beginning!

[Image: SIEM-high-maturity-level]

SIEM360 & SOAR (Security Orchestration, Automation and Response)

Now it is a matter of a structured, documented and traceable processing of these alarms. It's about acting quickly and reducing repetitive tasks.

[Image: IBM-QRadar-SOAR-Plugin]

This minimizes the duration and impact of a possible incident. Automation allows the team in this phase to focus on the important tasks and save time.

[Image: SOAR-Activity-Feed]

A preliminary stage for automating an incident can be a simple playbook, which in the first step can still be processed manually but in a structured and comprehensible manner. If the result is satisfactory, an automatic workflow can be integrated for this playbook in the next step.

[Image: SOAR-open-cases]

The response process and the creation of playbooks require the same intensive approach and teamwork as was already practised in the detection process.
Unfortunately there is no shortcut for it!


What is a playbook?

In short: a dynamic battle plan for countermeasures. A playbook provides instructions, techniques, and procedures for resolving an incident. It is dynamic because feedback and newly acquired knowledge can flow back in at any time and can be adapted to new conditions at any time.

[Image: SOAR-Playbooks]

A playbook is typically created through whiteboarding. The entire process, with all its tasks and dependencies, can be visualized with classic methods such as PAPs (program flowcharts), structure charts or pseudocode. The technical implementation in a SOAR platform is then "only" a matter of free choice.

[Image: Playbook-Details]

A well-engineered security SOAR platform provides all the modern tools and modules needed for implementation, or can be flexibly extended.
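The playbook ideas above (a structured, traceable sequence of tasks with dependencies; manual processing first, automation added step by step once the results are satisfactory) can be expressed in pseudocode-like Python. The block below is an added example written for this post and is not IBM Security SOAR's workflow engine or API: the task names, the incident record, the asset lookup and the analyst stub are all constructed assumptions. Tasks without an action are manual and are answered by the analyst; every task, whether manual or automated, is written to an audit log, and a manual task can later be promoted to an automated one without changing the rest of the playbook.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed context for the automated steps (assumption, not real data).
ASSETS = {"erp-db-01": {"process": "order-to-cash", "owner": "erp-team"}}

# Constructed incident as it might arrive from the SIEM (assumed fields).
INCIDENT = {"id": "INC-0001", "host": "erp-db-01", "src": "10.0.0.5"}


@dataclass
class Task:
    name: str
    depends_on: List[str] = field(default_factory=list)
    # None means a manual task: the analyst performs it and records the outcome.
    action: Optional[Callable[[dict], str]] = None


@dataclass
class Playbook:
    name: str
    tasks: Dict[str, Task]

    def order(self) -> List[Task]:
        """Topological order: a task runs only after all its dependencies.
        Raises on a cycle or on a dependency that is not part of the playbook."""
        done, ordered = set(), []
        while len(ordered) < len(self.tasks):
            ready = [t for n, t in self.tasks.items()
                     if n not in done and all(d in done for d in t.depends_on)]
            if not ready:
                raise ValueError(f"playbook {self.name}: cycle or unknown dependency")
            ordered.append(ready[0])
            done.add(ready[0].name)
        return ordered

    def run(self, incident: dict, analyst: Callable[[str, dict], str]) -> List[dict]:
        """Execute every task in dependency order and return the audit trail."""
        log = []
        for t in self.order():
            if t.action is None:
                mode, outcome = "manual", analyst(t.name, incident)
            else:
                mode, outcome = "auto", t.action(incident)
            log.append({"incident": incident["id"], "task": t.name,
                        "mode": mode, "outcome": outcome})
        return log

    def automate(self, task_name: str, action: Callable[[dict], str]) -> None:
        """Promote a manual task to an automated one (the 'next step' above)."""
        self.tasks[task_name].action = action


def enrich_host(incident: dict) -> str:
    ctx = ASSETS.get(incident["host"], {"process": "unknown", "owner": "unknown"})
    return f"{incident['host']} supports {ctx['process']} (owner {ctx['owner']})"


def notify_owner(incident: dict) -> str:
    owner = ASSETS.get(incident["host"], {}).get("owner", "unknown")
    return f"ticket opened for {owner}"


def build_playbook() -> Playbook:
    tasks = [
        Task("enrich-host", action=enrich_host),
        Task("check-threat-intel"),                       # manual at first
        Task("notify-owner", ["enrich-host"], action=notify_owner),
        Task("contain-host", ["enrich-host", "check-threat-intel"]),   # manual
        Task("close-incident", ["contain-host", "notify-owner"]),      # manual sign-off
    ]
    return Playbook("suspicious-logins", {t.name: t for t in tasks})


def analyst_stub(task_name: str, incident: dict) -> str:
    # Stands in for the analyst completing a manual step in the case UI.
    return f"done by analyst for {incident['id']}: {task_name}"


def manual_count(log: List[dict]) -> int:
    return sum(1 for entry in log if entry["mode"] == "manual")


if __name__ == "__main__":
    pb = build_playbook()
    for entry in pb.run(INCIDENT, analyst_stub):
        print(f"[{entry['mode']:6}] {entry['task']}: {entry['outcome']}")
    # once the manual check proves reliable, automate it and run again
    pb.automate("check-threat-intel", lambda inc: f"{inc['src']} not on any feed")
    print("manual steps left:", manual_count(pb.run(INCIDENT, analyst_stub)))
```

The dependency check is what keeps the playbook traceable rather than merely sequential: containment cannot run before enrichment and the threat-intel check, and a playbook whose whiteboard sketch contains a loop is rejected before anything executes.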

[Image: SOAR-Apphost-Apps]

The journey is the destination!

IBM Security SOAR is a logical consequence of expanding a mature SIEM360 scenario. The synergy of both IT security solutions helps to optimally balance time, money, skills and resources. This SOAR solution can help relieve IT departments and initiate countermeasures automatically.

[Image: X-Force-App-Exchange-SOAR]