
At the RSA conference, IBM launched a platform-focused expansion of its QRadar security product, pitched as a one-stop shop to accelerate response and give security operations centers a unified framework. Called the QRadar Suite, the cloud-native service spans threat detection, investigation and response technologies, according to the company.
The service has an integrated dashboard user experience and AI-driven automation for threat analysis and response. It is designed to address the bad arithmetic that keeps dogging security operations centers: a threat landscape that keeps expanding, more sophisticated attackers, and a chronic shortage of analysts to watch corporate perimeters and interrupt kill chains.
“Today’s Security Operations Center teams are protecting a rapidly expanding digital footprint that spans hybrid cloud environments, creating complexity and making it difficult to keep pace with accelerating attack speeds,” IBM said. The company added that the products are specifically meant to help SOC teams dealing with labor-intensive alert investigation and response processes, manual analysis, and the proliferation of tools, data, touchpoints, APIs and other potential points of exposure.
XDR, SIEM and SOAR
Following one of the main themes of RSA 2023 (unified security platforms from multiple vendors), IBM said QRadar Suite includes extended detection and response (XDR), security information and event management (SIEM), and security orchestration, automation and response (SOAR). It also includes a new cloud-native log management capability, all built around a common user interface, shared insights and connected workflows.
Emily Mossburg, Deloitte’s global cyber leader, said SOAR is about automating workflow, while SIEM is about collecting security logs and events and defining the rules and policies that drive analysis. “I would consider SOAR to be global security flow management. Vendors are pushing it to help simplify the entire security operation and reduce the level of effort associated with working with incidents and investigating,” she said.
She said it’s about addressing a perennial shortage of security analysts. “There’s an element to balancing the talent gap, and I think the reality is that there’s a cost element to that. Organizations can’t spend more on protecting themselves than the revenue they bring in. If you had human eyes on the glass all the time, you couldn’t afford security.”
IBM said its QRadar SIEM has a new unified analyst interface that provides shared insights and workflows with broader security operations toolsets. IBM said it plans to make QRadar SIEM available as a service on Amazon Web Services by the end of the second quarter of 2023.
AI, the sine qua non of security?
During RSA, many companies talked up the virtues of AI in security, pointing to rising alert volumes in SOCs and the shortage of analysts, especially at mid-sized companies that may be more exposed to phishing attacks.
IBM Managed Security Services said it is using AI to automate more than 70 percent of alert closures and to cut alert triage times by 55 percent on average in the first year of deployment.
IBM said QRadar uses AI to:
- Triage: To prioritize and respond to alerts, QRadar includes AI trained on previous analyst response patterns, combined with external threat intelligence from IBM X-Force and broader contextual insight drawn from the full detection toolset.
- Investigation: AI models identify high-priority incidents, automatically initiate an investigation, generate a timeline and an attack graph of the incident mapped to the MITRE ATT&CK framework, and recommend actions to expedite response.
- Hunting: QRadar uses an open source threat hunting language and federated search to find attacks and indicators of compromise across environments without moving data from its original source.
System design elements include a common user experience across all products, intended to speed analysts through the kill chain, together with the AI capabilities above. The suite is cloud-based, delivered on AWS, and includes a cloud-native log management capability.
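To make the triage and investigation steps above concrete, here is an added illustration in Python; it is not IBM code and uses no QRadar API. It models “trained on previous analyst response patterns” as a per-rule false-positive rate learned from a constructed table of past analyst dispositions, enriches alerts against a constructed threat-intel feed, and then assembles a time-ordered timeline and ATT&CK-tagged attack graph per host. The alert fields, rule names, hosts and IOCs are all invented sample data. It also shows the caveat a practitioner would want: a pure close-rate model auto-closes the first alert of a real intrusion (an impossible-travel hit that is 90 percent noise historically), so the incident builder pulls related alerts on the same host back into the timeline, and anything with a threat-intel match is never auto-closed.

```python
"""Alert triage plus incident timeline / attack graph (added example, not IBM code).

All data below is constructed for illustration; rule names, hosts, IOCs and
the analyst-history table are assumptions, not QRadar fields.
"""
from collections import Counter
from datetime import datetime

# Constructed history of past analyst dispositions: (rule, asset_type, disposition).
# Stands in for "AI trained on previous analyst response patterns".
ANALYST_HISTORY = (
    [("vpn_impossible_travel", "workstation", "false_positive")] * 9
    + [("vpn_impossible_travel", "workstation", "true_positive")]
    + [("office_spawns_powershell", "workstation", "false_positive")] * 3
    + [("office_spawns_powershell", "workstation", "true_positive")] * 2
    + [("new_scheduled_task", "workstation", "false_positive")] * 2
)

# Constructed threat-intel feed (stand-in for an external feed such as X-Force).
THREAT_INTEL = {"198.51.100.23": "known C2 server", "evil.example": "phishing domain"}

# Constructed alerts. technique/tactic are ATT&CK-style tags attached by the rule.
ALERTS = [
    {"id": "A1", "time": "2023-04-25T09:02:00", "host": "WS-17", "asset_type": "workstation",
     "rule": "vpn_impossible_travel", "technique": "T1078", "tactic": "initial-access", "iocs": []},
    {"id": "A2", "time": "2023-04-25T09:10:00", "host": "WS-17", "asset_type": "workstation",
     "rule": "office_spawns_powershell", "technique": "T1059.001", "tactic": "execution",
     "iocs": ["evil.example"]},
    {"id": "A3", "time": "2023-04-25T09:15:00", "host": "WS-17", "asset_type": "workstation",
     "rule": "new_scheduled_task", "technique": "T1053.005", "tactic": "persistence", "iocs": []},
    {"id": "A4", "time": "2023-04-25T09:40:00", "host": "SRV-DB1", "asset_type": "server",
     "rule": "outbound_to_rare_ip", "technique": "T1071", "tactic": "command-and-control",
     "iocs": ["198.51.100.23"]},
    {"id": "A5", "time": "2023-04-25T10:05:00", "host": "WS-03", "asset_type": "workstation",
     "rule": "vpn_impossible_travel", "technique": "T1078", "tactic": "initial-access", "iocs": []},
]


def false_positive_rates(history):
    """Per (rule, asset_type): (fraction analysts closed as false positive, sample size)."""
    seen, fp = Counter(), Counter()
    for rule, asset_type, disposition in history:
        seen[(rule, asset_type)] += 1
        if disposition == "false_positive":
            fp[(rule, asset_type)] += 1
    return {key: (fp[key] / seen[key], seen[key]) for key in seen}


def triage(alerts, history, intel, auto_close_rate=0.9, min_samples=5):
    """Return {alert_id: decision} with decision in auto_close / investigate / escalate.

    Guardrails: an alert whose IOCs match threat intel is always escalated, and
    nothing is auto-closed on thin evidence (fewer than min_samples prior cases).
    """
    rates = false_positive_rates(history)
    decisions = {}
    for alert in alerts:
        rate, samples = rates.get((alert["rule"], alert["asset_type"]), (0.0, 0))
        if any(ioc in intel for ioc in alert["iocs"]):
            decisions[alert["id"]] = "escalate"
        elif samples >= min_samples and rate >= auto_close_rate:
            decisions[alert["id"]] = "auto_close"
        else:
            decisions[alert["id"]] = "investigate"
    return decisions


def build_incidents(alerts, decisions):
    """For each host with an escalated alert, build a time-ordered timeline of every
    alert on that host (auto-closed ones included and flagged 'reopened') and an
    attack graph of consecutive technique-to-technique edges."""
    escalated_hosts = {a["host"] for a in alerts if decisions[a["id"]] == "escalate"}
    incidents = {}
    for host in sorted(escalated_hosts):
        chain = sorted((a for a in alerts if a["host"] == host),
                       key=lambda a: datetime.fromisoformat(a["time"]))
        timeline = [{"id": a["id"], "time": a["time"], "tactic": a["tactic"],
                     "technique": a["technique"],
                     "reopened": decisions[a["id"]] == "auto_close"} for a in chain]
        edges = [(chain[i]["technique"], chain[i + 1]["technique"]) for i in range(len(chain) - 1)]
        incidents[host] = {"timeline": timeline, "attack_graph": edges}
    return incidents


if __name__ == "__main__":
    decisions = triage(ALERTS, ANALYST_HISTORY, THREAT_INTEL)
    for alert_id, decision in decisions.items():
        print(alert_id, decision)
    for host, incident in build_incidents(ALERTS, decisions).items():
        print(host, [e["id"] for e in incident["timeline"]], incident["attack_graph"])
```

Run as a script, A1 and A5 are auto-closed on their 90 percent historical false-positive rate, A2 and A4 are escalated on intel hits, and A3 is left for an analyst because two prior cases are too few to trust. The incident for WS-17 then reopens A1 as the initial-access step, giving the T1078 to T1059.001 to T1053.005 chain an analyst would actually want to see. The thresholds are tuning knobs, not recommendations; whatever model does the scoring, the intel guardrail and the host-level regrouping are the parts worth keeping.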
“Faced with a growing attack surface and shrinking time to attack, speed and efficiency are critical to the success of security teams with limited resources,” said Mary O’Brien, general manager of IBM Security, in a statement. “IBM has designed the new QRadar Suite around a unique, modernized user experience, integrated with sophisticated artificial intelligence and automation to maximize security analyst productivity and accelerate their response at every step of the attack chain,” she added.
Matt Olney, director of threat intelligence and interdiction at Cisco’s Talos threat intelligence unit, said it really is an exciting time in AI, and that a system which supports human analysts is the ideal. But he worries that while AI will get faster, it may not get better, and that AI in the service of security poses a paradox. “We’re training AI on the Internet, so we’re creating things that can solve all these solved problems, but if we haven’t bothered to solve the problems, we won’t be able to use AI to do it,” he said.
Cisco showed an early conceptual version of its AMES AI model for security, which will move toward a natural-language interface. Olney expressed concern that security AI systems could end up eliminating lower-level or Tier-1 security jobs, which would limit companies’ ability to fill the higher-level SOC analyst positions where problems are solved creatively and where the data that improves the AI is generated. “So when we start training AI, what are we going to retrain it on, if we’ve ended up wiping out these people?”
Platforms vs. Point Products: A False Dichotomy?
Mossburg said the platform trend follows an industry tipping point on full display at RSA. “For too long, we’ve focused on the best of breed, the best mousetrap, and it’s become complex and difficult to manage. Does it make sense to have 100 of the best mousetraps if you don’t have time to set them? We need to move to a certain level of simplicity so we can really manage what we have. We’re going to see more of that over the next five years. We’re going to see significant consolidation,” she predicted.
Olney said there are advantages to having a unified environment. “There’s a lot to think about when making decisions about what to invest in, so you really want to look for what gives you the most visibility and what integrates well with the current level of sophistication that your security staff has. Ultimately, tools are very important, useful and necessary, but ultimately it’s the people who will define the success of your security program,” he said.
He listed the benefits of having a unified environment. “You have a better relationship with vendors, a lot of leverage when you’re negotiating and it’s easier to train people. Also, your support contracts are usually unified and that helps with funding,” Olney said.
One downside: how likely is it that a single vendor excels across every toolset? “If I’m advising a client, I’ll say you need to have a very solid understanding of what your security needs are before you go looking for a security product,” Olney said, adding that companies should look for the solution that gives them the most visibility and the strongest controls they can actually apply to protect their network when actively engaging an adversary.
The bottom line is that security is hard, he said.
“You can’t buy something from a vendor, plug it in and say I’m safe now. That’s not how this game works. It has to be the right people with the right skill sets, combined with the appropriate tools and capabilities, brought together,” he added.
Yesterday, at RSA 2023 in San Francisco, California, IBM announced the launch of their groundbreaking QRadar Security Suite. The suite is the first of its kind that can proactively identify threats, vulnerabilities, and data security issues. This new technology, being billed as a ‘game-changer’, not only provides organizations with a comprehensive security solution, but also includes an integrated analytics platform that can quickly identify issues and enable organizations to quickly take action.
“We are thrilled to announce the launch of our QRadar Security Suite at RSA 2023,” said IBM President and CEO Ginni Rometty. “This is a revolutionary step forward in data security and will enable companies to identify vulnerabilities more quickly and accurately. We are confident this new platform will be an invaluable tool for organizations looking to bolster their security posture.”
Ikaroa, a full stack technology company, has also partnered with IBM to deliver the QRadar Security Suite. This partnership will leverage Ikaroa’s expertise in cloud security and machine learning technologies to ensure the suite is running seamlessly and organizations can take full advantage of its features.
Overall, the launch of IBM’s QRadar Security Suite is a major milestone in the evolution of data security. With its comprehensive set of features and Ikaroa’s support, organizations around the globe can now rest easy knowing their data is safely and securely protected.