
Modernized security operations
Security operations needs major improvement
The move to cloud and IT modernization has expanded the attack surface, creating increased security complexity

– Poor visibility: 2 out of 3 organizations’ external attack surface has expanded in the last year²
– Disconnected tools: 80% of organizations use at least 10 disparate solutions to manage security hygiene²
– Keeping up with attackers: 29% of security operations processes are immature and need reengineering before they can be automated¹
– Information overload: 52% of security environments have become more difficult to manage over the last two years²

51% of organizations struggle to detect and respond to advanced threats¹
Current SecOps ► Modernized SecOps
– Technology focused ► Analyst focused
– Dependent on experts and heroes ► Scale with expertise and AI
– Proprietary ecosystems ► Community collaboration


Modernize security operations with greater speed and visibility
The evolution of the IBM Security QRadar Suite

– Designed around the analyst experience: Enable better decisions quickly using a common, streamlined, Unified Analyst Experience (UAX)
– Gain accurate insights quickly: Streamline workflow with automation and AI designed for analysts, continuously updated X-Force threat detection and response expertise
– Work with what you already have and expand to where you want to go: Built to meet you where you are using an open modular platform, standards, and ecosystem, with bi-directional integrations including federated search

Suite overview (diagram labels): Know your attack surface | Accelerate your threat detection and response capabilities | Federated access: ASM, EDR, Log Insights, SIEM, SOAR and XDR threat response | Unified Analyst Experience | Risk-driven prioritization | Built-in expertise | AI-driven outcomes | X-Force Threat Intelligence and Expertise
Open Platform. Open Integration. Open Threat Intelligence.
Designed around the analyst experience
Enable better decisions quickly using a common set of Unified Analyst Experience (UAX) capabilities

Traditional Experience ► Unified Analyst Experience
– 8+ security UI’s ► 1 common UX
– 30+ hours of tool training ► Continuous learning
– 2+ days of response time ► < 30-minute response time¹
– Manual investigation ► Automated investigation

Take action: What? When? Where? Who? How?
90%+ analyst time saved on investigating an incident²

“I equate the UAX to five additional FTEs, it was easier to get better data out of my tools with AI, than investing in more people. It made my people faster and better at their job.”¹

UAX capabilities: Enrich, correlate, and prioritize | Automated investigation and response recommendations | Federated search and threat hunting
Gain accurate insights quickly powered by X-Force expertise and AI
Streamline your Security Operations Center with automated and intelligent detection and response

– Keep up with the threats: Continuously updated X-Force and community threat prevention and detection intelligence and AI that detects and responds autonomously in near real-time to previously unseen threats
– Accelerate triage and action with Threat Investigator: Leverage AI to rapidly investigate and prioritize high fidelity alerts based on credibility, relevance, and severity of risk
– Respond faster with automation and orchestration: Respond x7 faster with dynamic playbooks that combine people, process and technology

85% reduction in incident response time¹
75% reduction in risk of a security incident²
Work with what you already have and expand to where you want to go
An open approach with federated search gives you flexibility to access data where it is, or consolidate when necessary

– 3,000+ Open Sigma SIEM rules
– 550+ Log adapters and apps for QRadar SIEM
– 300+ QRadar SOAR integrations
– 40+ Federated search sources
– 10+ Threat intelligence sources
– 150+ Open ecosystem vendors

“QRadar can be deployed and quickly start working from day one.”¹
“The extensive information captured in QRadar provides insights and time savings for users beyond the security team.”²
Accelerate your security, starting where you need to
Examples: Start where you need, and easily expand for additional capabilities. Start with what you have, and add what you need.

– Wide set of integrations available to work with existing solutions to allow stepwise adoption
– Broader adoption of IBM solutions adds capabilities, context, insights and automation to the analyst experience with little incremental training or integrations
– Available as licensed software or SaaS

AI and automation in the threat lifecycle

IBM Security 9
Predict, prevent, and respond to modern threats
AI and automation infused threat lifecycle

– Identify: Automatically scan your attack surface for hidden assets, vulnerable systems and exploitable misconfigurations (IBM Security Randori Recon)
– Protect: Take automated action like your analysts would, through ML-powered alert automation (IBM Security QRadar EDR)
– Detect: Assess the risk of your threats in real-time using AI models to recognize deviations from baseline in log and flow data (IBM Security QRadar SIEM Network Threat Analytics)
– Triage: React faster to urgent incidents using alert severity scoring powered by ML (IBM Security QRadar SIEM Unified Analyst Experience)
– Investigate: Automatically investigate cases that warrant it, with data mining, risk assessment, and timeline generation (IBM Security QRadar SIEM Threat Investigator)
– Respond: Employ dynamic playbooks in incident response that adapt to threat context (IBM Security QRadar SOAR)
Predict, prevent, and respond to modern threats
IBM Security Randori Recon (ASM)
Continuously identify external facing assets that are visible to attackers – and prioritize high-risk exposures

Saves 15 hours of work a week by eliminating the guesswork of triaging and prioritizing vulnerabilities
www.randori.com/case-studies/armellini

– Deliver the attacker’s perspective: Help clients of all sizes better see what attackers see, before the damage is done
– Accelerate offensive security services: Help clients test their defenses and incident response teams with continuous and automated red teaming
– Enhance Extended Detection and Response (XDR): Help clients detect and respond to threats faster with real-time insights of assets and weaknesses on their perimeter
Identify
Identify risky assets faster with IBM Security Randori
Randori’s discovery engine continuously performs automatic discovery of software exposures, both actively and passively

How it works
– Discrete automated activities discover entities associated with an organization, like a hostname
– Certain discoveries trigger additional activities for deeper discovery as applicable, like a screenshot
– Large Language Models (LLMs) enhance descriptions of discovered services

In the roadmap
– Tuned, generative AI incorporates real-time threat intelligence to improve risk scoring and prioritization

IBM Security Randori Recon
IBM QRadar EDR
Remediate known and unknown endpoint threats in near real-time with intelligent automation and AI, attack visualization storyboards, and automated alert management

– Gain a clear line of sight: Regain full control over all endpoint and threat activity. Designed to be undetectable, NanoOS provides deep visibility into processes and apps running on endpoints
– Automate your response: Our continuously learning AI detects and responds autonomously in near real-time to previously unseen threats, and helps with guided remediation and automated alert handling
– Move from reactive to proactive: Get ahead of attackers with easy-to-create detection and response use cases that return results in seconds; deploy use cases without interrupting endpoint uptime

MITRE Engenuity ATT&CK Evaluations (Enterprise)
– 100% real-time detection, without delay, across the kill chain
– No configuration changes

Prevented 24 ransomware attacks in just three months, and tracked and remediated dozens of other incidents using QRadar EDR
ibm.com/case-studies/international-shipping-company
Protect
Human-like reactions to EDR alerts, at automation-speed
Our Cyber Assistant performs automated alert management, helping reduce the number of false positives by 90%, and reacting 31x faster¹

How it works
– The agent on the endpoint uses machine learning to detect when processes exhibit abnormal and potentially malicious activity, catching unknown threats like zero day attacks
– Cyber Assistant makes intelligent alert response recommendations using graph analytics and a one-shot learning algorithm, learning from the decisions your analysts have made on similar alerts in the past
– It’s trained only using data from your environment, and the level of response is configurable; it can recommend appropriate responses, or automatically close benign alerts and create allow lists
– For transparency, it displays the full list of alerts it has determined to be similar and documents actions it takes, such as modifying an impact score

In the roadmap
– In the future, Cyber Assistant will be available for on-premise deployments

IBM Security QRadar EDR
¹On average, results from customer study; actual results will vary based on client configurations and conditions
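The "learn from the decisions your analysts have made on similar alerts" idea can be made concrete with a small similarity-based recommender. The Python below is an added illustration, not IBM's Cyber Assistant code: a new alert is compared with a constructed history of analyst-dispositioned alerts using Jaccard similarity over its attributes, the nearest neighbours' decisions are weighted by similarity, and a disposition is only recommended when confidence clears a configurable threshold, otherwise the alert is left for review. The history, the attribute names and the threshold value are assumptions made for the example; the transparency requirement from the text is met by returning the similar alerts as evidence.

```python
"""Recommend an alert disposition from analyst decisions on similar past alerts.

Added example, not IBM code. Alert attributes, the history and the
confidence threshold are constructed assumptions for the illustration.
"""
from collections import Counter

# Constructed history: (alert attributes, disposition the analyst chose).
HISTORY = [
    ({"proc": "powershell.exe", "parent": "winword.exe", "net": "yes", "signed": "no"}, "escalate"),
    ({"proc": "powershell.exe", "parent": "explorer.exe", "net": "no", "signed": "yes"}, "close"),
    ({"proc": "powershell.exe", "parent": "outlook.exe", "net": "yes", "signed": "no"}, "escalate"),
    ({"proc": "backupagent.exe", "parent": "services.exe", "net": "yes", "signed": "yes"}, "close"),
    ({"proc": "backupagent.exe", "parent": "services.exe", "net": "yes", "signed": "yes"}, "close"),
    ({"proc": "cmd.exe", "parent": "explorer.exe", "net": "no", "signed": "yes"}, "close"),
]

def attribute_set(alert):
    """Turn an alert dict into a set of 'key=value' tokens for set similarity."""
    return {f"{k}={v}" for k, v in alert.items()}

def jaccard(a, b):
    """Jaccard similarity between two token sets (0.0 .. 1.0)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def similar_alerts(alert, history=HISTORY, k=3):
    """The k most similar historical alerts as (attributes, disposition, similarity)."""
    tokens = attribute_set(alert)
    scored = [(past, decision, jaccard(tokens, attribute_set(past))) for past, decision in history]
    scored.sort(key=lambda t: t[2], reverse=True)   # stable sort keeps history order on ties
    return scored[:k]

def recommend(alert, history=HISTORY, k=3, min_confidence=0.75):
    """Recommend a disposition together with the evidence behind it.

    confidence = similarity-weighted share of the winning disposition among the
    k neighbours; below min_confidence the action is 'review' so an analyst decides
    (this is the configurable level of autonomy).
    """
    neighbours = similar_alerts(alert, history, k)
    weights = Counter()
    for _, decision, sim in neighbours:
        weights[decision] += sim
    total = sum(weights.values())
    if total == 0:
        return {"action": "review", "confidence": 0.0, "evidence": []}
    decision, weight = weights.most_common(1)[0]
    confidence = weight / total
    action = decision if confidence >= min_confidence else "review"
    return {"action": action, "confidence": round(confidence, 2),
            "evidence": [(past, d, round(s, 2)) for past, d, s in neighbours]}

if __name__ == "__main__":
    new_alert = {"proc": "powershell.exe", "parent": "winword.exe", "net": "yes", "signed": "no"}
    print(recommend(new_alert))
```

Because the evidence list is returned with every recommendation, an analyst can see exactly which past alerts drove the decision, and raising `min_confidence` moves the assistant from acting to only recommending.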
IBM QRadar Log Insights
Gain complete visibility and quick setup with cloud scale log ingestion, rapid search, powerful visualization and federated threat hunting and collaboration

– Real-time insights: Gain enhanced security insights with improved visibility across data sources and repositories using hundreds of ready-made connectors
– Fast investigation, fast answers at scale: Leverage a modern, cloud-native data warehouse and intuitive query language, KQL, to easily handle large dataset queries in seconds
– Performance: Collaborate and leverage existing data stores with federated search and integrated case management

Powered by Open Standards and Open Source: Open Cybersecurity Schema Framework
IBM Security QRadar SIEM
Run your business in the cloud and on-prem with visibility and security analytics built to stay ahead of advanced threats

– Near real-time threat detection: Leverage AI to rapidly investigate and prioritize high fidelity alerts based on credibility, relevance, and severity of risk
– Increased analyst productivity: A unified analyst experience, co-created with security experts, helps you act faster with added context and less screen switching
– Simplified deployment and management with SaaS: Take the complexity and management out of running a SIEM associated with on-prem solutions

13x SIEM Leader, Gartner Magic Quadrant
11x SIEM Leader, G2 (354 reviews – G2 Crowd)
Powered by Open Security Standards: Open Cybersecurity Schema Framework

“IBM Security offers a solid base where we have 100% visibility and transparency, which helps us solve threats in a very short timeframe.”
- Klaus Glatz, CDO, Andritz
ibm.com/case-studies/andritz/
Detect
Spot hidden trends in network activity
Continuously analyze network communications to detect new or unusual behaviors that can indicate threat activity

How it works
– Hierarchical cluster analysis with histogram-based outlier scoring algorithms create a unique set of models for each network, allowing analysts to better detect and assess changes in behavior
– Multi-tiered analytics reduce false positives and scale to any environment, enhancing productivity and providing actionable insights for analysts

In the roadmap
– User-configurable sensitivity of detection per host or application, allowing rapid response for critical assets
– Supervised training collects user feedback to continually improve analytics and detection capabilities across your environment

IBM Security Network Threat Analytics
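Histogram-based outlier scoring (HBOS) is a published anomaly-detection technique; the Python below is an added illustration of it, not IBM Network Threat Analytics code. It builds a separate per-feature histogram model for each network from constructed baseline flows and scores a new flow by how improbable each of its feature values is under that network's histograms, so the same flow can be ordinary on one subnet and anomalous on another. The feature set, bin count and the density floor for values never seen in the baseline are assumptions made for the example.

```python
"""Histogram-based outlier scoring (HBOS) with one baseline model per network.

Added example, not IBM code. Feature names, bin count and the density floor
for unseen values are assumptions made for the illustration.
"""
import math
from collections import defaultdict

FEATURES = ("bytes_out", "duration_s", "dst_port")

def flows(net, rows):
    """Build flow records for one network from (bytes_out, duration_s, dst_port) rows."""
    return [{"net": net, "bytes_out": b, "duration_s": d, "dst_port": p} for b, d, p in rows]

# Constructed baseline traffic: a user subnet doing short HTTPS sessions and a
# server subnet doing long SMB transfers, so "normal" differs per network.
BASELINE = flows("10.1.1.0/24", [(1200, 2, 443), (1500, 3, 443), (900, 1, 443), (2000, 4, 443),
                                 (1100, 2, 80), (1300, 2, 443), (1700, 3, 443), (800, 1, 80)]) + \
           flows("10.2.2.0/24", [(50000, 60, 445), (60000, 70, 445), (55000, 65, 445), (52000, 58, 445),
                                 (58000, 66, 445), (49000, 55, 445), (61000, 72, 445), (54000, 62, 445)])

def bin_index(value, lo, hi, width, bins):
    """Bin holding `value`, or None when it lies outside the baseline range."""
    if value < lo or value > hi:
        return None
    return min(int((value - lo) / width), bins - 1)

def build_histogram(values, bins=4):
    """Equal-width histogram; densities are scaled so the fullest bin has density 1."""
    lo, hi = min(values), max(values)
    width = (hi - lo) / bins or 1.0          # constant feature -> single occupied bin
    counts = [0] * bins
    for v in values:
        counts[bin_index(v, lo, hi, width, bins)] += 1
    peak = max(counts)
    return lo, hi, width, [c / peak for c in counts]

def build_models(baseline, bins=4):
    """One model per network: {net: {feature: (lo, hi, width, densities)}}."""
    per_net = defaultdict(list)
    for f in baseline:
        per_net[f["net"]].append(f)
    return {net: {feat: build_histogram([f[feat] for f in fs], bins) for feat in FEATURES}
            for net, fs in per_net.items()}

def hbos_score(flow, models, floor=0.01):
    """Sum over features of log(1/density); 0.0 means every value sits in a typical bin."""
    model = models[flow["net"]]
    score = 0.0
    for feat in FEATURES:
        lo, hi, width, dens = model[feat]
        idx = bin_index(flow[feat], lo, hi, width, len(dens))
        density = dens[idx] if idx is not None else 0.0
        score += math.log(1.0 / max(density, floor))   # empty or out-of-range bins get the floor
    return round(score, 2)

def rank_flows(candidates, models, top=3):
    """Most anomalous flows first, as (score, flow) pairs, for analyst review."""
    scored = sorted(((hbos_score(f, models), f) for f in candidates),
                    key=lambda t: t[0], reverse=True)
    return scored[:top]

if __name__ == "__main__":
    models = build_models(BASELINE)
    new = flows("10.1.1.0/24", [(1250, 2, 443), (48000, 55, 445), (1900, 2, 22)])
    for score, f in rank_flows(new, models):
        print(score, f)
```

The per-network split is what the text calls a unique set of models per network: a 48 kB, 55-second SMB flow scores as a maximal outlier on the user subnet but as ordinary traffic on the server subnet. In practice the bin count, the floor and a per-host sensitivity (the roadmap item above) are the knobs that trade false positives against missed detections.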
Triage
Gain more confidence with incident severity scoring using ML
Easily and intuitively understand how the UAX case was prioritized for your attention so you can respond with confidence and speed

How it works
– The Machine Learning (ML) model automatically recommends responses to the alert, including close, escalate, review, merge, and suppress
– It’s pre-trained on 4M alerts from nearly 1,000 customers, then trained further post-deployment, enabling recommendations tailored to each client environment

In the roadmap
– The models (a combination of Random Forest, XGBoost, ANN and Ensemble) will learn from, and adapt to, explicit and implicit actions
– In the future, we’ll make recommendations on groups of correlated alerts

IBM Security Unified Analyst Experience
IBM QRadar UAX
Take threat detection and response beyond the endpoint to include cloud, email, network, user and data in a single correlated view to see and stop threats faster

– Go beyond the endpoint with OOTB integrations with cloud platform, SaaS, email, identity and data security systems
– Act quickly with AI driven prioritization, automated investigations, integrated threat intelligence and hunting
– Take action quickly with confidence with recommended actions and context

Outcome
– OOTB detection, correlation, and enrichment
– Improved team efficiency
– AI driven high-fidelity incident data
– 8x faster investigations

Powered by Open Standards and Source
Investigate
Automatically trigger smart investigations
Threat Investigator reduces analyst fatigue through automation, and provides summary information and recommendations all in one place

How it works
– Run federated searches to data mine across connected systems, checking against enrichment sources and SIGMA detection rules, leading to an iterative investigation process of using analytics to trace the threat and reassess risk
– Visualize and break down the attack end-to-end with MITRE mapping
– Provides the analyst with recommended actions, leveraging algorithmic decision support systems to speed up remediation

In the roadmap
– Provide a one click action to respond as a recommendation
– Provide playbook recommendations for SOAR clients

IBM Security Threat Investigator
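Checking events from several connected systems against Sigma detection rules, and carrying the rule's ATT&CK tags into the result for MITRE mapping, looks like the following in practice. This Python is an added example and not IBM Threat Investigator code; the rule is a constructed one written in the already-parsed dict form of a Sigma rule (as PyYAML would load it), the matcher supports the common `contains`, `startswith` and `endswith` field modifiers and boolean conditions over named selections, and the two event sources are constructed samples.

```python
"""Match Sigma-style detection rules against events from several data sources.

Added example, not IBM code. The rule, the event sources and the field names
are constructed for the illustration; real Sigma rules are YAML and carry more
modifiers than the three handled here.
"""
import re

RULE = {   # constructed rule, not taken from any published ruleset
    "title": "Office application spawning a script interpreter (constructed)",
    "tags": ["attack.execution", "attack.t1059"],
    "logsource": {"category": "process_creation"},
    "detection": {
        "selection": {"ParentImage|endswith": ["\\winword.exe", "\\excel.exe"],
                      "Image|endswith": ["\\powershell.exe", "\\cmd.exe"]},
        "filter": {"CommandLine|contains": "\\Program Files\\VendorUpdater\\"},
        "condition": "selection and not filter",
    },
}

def field_matches(event, key, expected):
    """One Sigma field test ('Field' or 'Field|modifier'); list values are OR-ed."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()          # Sigma string matching is case-insensitive
    for cand in (expected if isinstance(expected, list) else [expected]):
        cand = str(cand).lower()
        tests = {"contains": cand in value, "startswith": value.startswith(cand),
                 "endswith": value.endswith(cand), "": value == cand}
        if tests.get(modifier, False):
            return True
    return False

def selection_matches(event, selection):
    """Fields inside one selection map are AND-ed."""
    return all(field_matches(event, k, v) for k, v in selection.items())

def eval_condition(condition, truth):
    """Recursive-descent evaluation of 'a and not (b or c)' over selection truth values."""
    tokens = re.findall(r"\(|\)|\w+", condition)
    pos = [0]                                          # cursor shared by the nested helpers
    def peek():
        return tokens[pos[0]] if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return val
        if tok not in truth:
            raise ValueError(f"unknown selection {tok!r}")
        return truth[tok]
    def not_expr():
        if peek() == "not":
            take()
            return not not_expr()
        return atom()
    def and_expr():
        val = not_expr()
        while peek() == "and":
            take()
            right = not_expr()
            val = val and right
        return val
    def or_expr():
        val = and_expr()
        while peek() == "or":
            take()
            right = and_expr()
            val = val or right
        return val
    result = or_expr()
    if pos[0] != len(tokens):
        raise ValueError("trailing tokens in condition")
    return result

def evaluate(rule, event):
    det = rule["detection"]
    truth = {name: selection_matches(event, sel) for name, sel in det.items() if name != "condition"}
    return eval_condition(det["condition"], truth)

def hunt(rule, sources):
    """Run the rule over each connected source; hits carry the ATT&CK tags for MITRE mapping."""
    return [{"source": src, "host": ev.get("Computer"), "rule": rule["title"], "tags": rule["tags"]}
            for src, events in sources.items() for ev in events if evaluate(rule, ev)]

# Constructed events from two "connected systems": an EDR feed and a Windows event store.
SOURCES = {
    "edr": [
        {"Computer": "ws-017", "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
         "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
         "CommandLine": "powershell.exe -NoProfile -File C:\\Users\\Public\\stage.ps1"},
        {"Computer": "ws-042", "ParentImage": "C:\\Windows\\explorer.exe",
         "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    ],
    "winlog": [
        {"Computer": "ws-103", "ParentImage": "C:\\Program Files\\Microsoft Office\\EXCEL.EXE",
         "Image": "C:\\Windows\\System32\\cmd.exe",
         "CommandLine": "cmd.exe /c \"C:\\Program Files\\VendorUpdater\\update.bat\""},
    ],
}

if __name__ == "__main__":
    for hit in hunt(RULE, SOURCES):
        print(hit)
```

The `filter` selection is what keeps a known vendor updater from raising the rule on ws-103, while the Office-spawned PowerShell on ws-017 is reported with `attack.t1059` attached, ready to be placed on an ATT&CK-mapped timeline.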
IBM QRadar SOAR - Summary
Streamline your SOC with an automated and intelligent response using the industry’s most open and interoperable SOAR platform

– Modern case management experience: Identify in a single pane the who, what, how, and actions taken on a security investigation and incident response
– Reduce analyst workload: Automated threat investigations and accelerated threat hunting
– Streamline response with automation and intelligence: Respond x7 faster with dynamic playbooks that combine people, process and technology

(Case view tabs shown in the screenshot: Details, Tasks, Breach, Notes, Members, Attachments, Artifacts)

300+ available integrations
180+ out-of-the-box templates for privacy regulations
85% reduction in incident response time¹
Respond
Use intelligence to automate highly custom response
SOAR helps drive faster responses through consolidation and customization of inputs, in an intuitive case management experience, with dynamic playbooks that adapt as incident conditions evolve

How it works
– Compose playbooks based on granular triggers driven by hundreds of integrations, or use an extensive library of existing playbooks and premium data breach response content
– Automations that can run or stop based on the incident profile and client-defined processes
– Meet time-sensitive regulatory reporting requirements, and avoid expensive financial penalties with automated data breach response

In the roadmap
– Generate playbooks via AI
– Leverage Granite LLMs to provide case summary in a human readable format
– Threat assistant for Q&A and threat summaries

IBM Security QRadar SOAR
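What "automations that can run or stop based on the incident profile and client-defined processes" means mechanically is easiest to see in a small playbook runner. The Python below is an added example and not IBM QRadar SOAR code: each step carries a condition over the incident profile, the conditions are evaluated in order after earlier steps have enriched the incident, and a step can halt the playbook (closing a benign case, or handing a high-criticality asset to a human before containment). The threat-intel and asset lookups stand in for integrations, and the field names, step names and the approval rule are assumptions made for the illustration.

```python
"""A small dynamic playbook runner for SOAR-style response.

Added example, not IBM QRadar SOAR code. The lookup tables stand in for
integrations; field names, step names and the 'high-criticality asset needs
a human before containment' rule are assumptions for the illustration.
"""

# Constructed lookup tables standing in for threat-intel and CMDB integrations.
THREAT_INTEL = {"198.51.100.23": "known-c2"}            # TEST-NET-2 address, constructed
ASSET_CRITICALITY = {"fin-db-01": "high", "ws-017": "low"}

def enrich_ip(inc):
    inc["intel_verdict"] = THREAT_INTEL.get(inc.get("dst_ip"), "unknown")
    return f"intel verdict {inc['intel_verdict']}"

def lookup_asset(inc):
    inc["asset_criticality"] = ASSET_CRITICALITY.get(inc.get("host"), "unknown")
    return f"asset criticality {inc['asset_criticality']}"

def close_as_benign(inc):
    inc["status"] = "closed"
    return "closed, no malicious indicators"

def raise_severity(inc):
    inc["severity"] = "critical"
    return "severity raised to critical"

def request_approval(inc):
    inc["status"] = "awaiting-approval"
    return "containment needs analyst approval for a high-criticality asset"

def isolate_host(inc):
    inc["host_isolated"] = True
    return f"isolated {inc['host']} via EDR"

def notify_privacy(inc):
    inc["privacy_notified"] = True
    return "privacy/regulatory notification task opened"

# (step name, condition over the incident profile, action, halt the playbook afterwards?)
PLAYBOOK = [
    ("enrich_ip", lambda i: "intel_verdict" not in i, enrich_ip, False),
    ("lookup_asset", lambda i: "asset_criticality" not in i, lookup_asset, False),
    ("close_benign", lambda i: i["intel_verdict"] == "unknown" and i["asset_criticality"] != "high",
     close_as_benign, True),
    ("raise_severity", lambda i: i["intel_verdict"] == "known-c2" or i["asset_criticality"] == "high",
     raise_severity, False),
    ("request_approval", lambda i: i["asset_criticality"] == "high", request_approval, True),
    ("isolate_host", lambda i: i.get("severity") == "critical", isolate_host, False),
    ("notify_privacy", lambda i: i.get("data_classification") == "pii" and i.get("severity") == "critical",
     notify_privacy, False),
]

def run_playbook(incident, playbook=PLAYBOOK):
    """Walk the steps in order; skip those whose condition is false, halt where a step says so.

    The returned log is the audit trail a case would keep of what ran and why.
    """
    log = []
    for name, condition, action, stop_after in playbook:
        if not condition(incident):
            log.append(f"{name}: skipped")
            continue
        log.append(f"{name}: {action(incident)}")
        if stop_after:
            log.append(f"{name}: playbook halted")
            break
    return log

if __name__ == "__main__":
    incident = {"id": "INC-1", "host": "ws-017", "dst_ip": "198.51.100.23", "data_classification": "pii"}
    for line in run_playbook(incident):
        print(line)
```

Three profiles exercise the branching: a workstation talking to a known command-and-control address is escalated, isolated and handed to the privacy process because it holds PII; an unknown destination from an unclassified host is closed after enrichment; and the same unknown destination from a high-criticality database is escalated but stops at an approval step instead of being isolated automatically.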
Extend your QRadar SIEM

SIEM with SOAR: Accelerate your response time
– Respond to alerts quickly with automatic case creation and a single view of all relevant QRadar SIEM offense details within your SOAR case
– Leverage dynamic playbooks and orchestrate remediation steps, take action with 300+ partner extensions

SIEM with EDR: Gain deep endpoint intelligence
– Build comprehensive threat context without having to go through thousands of event logs
– Search and visualize QRadar EDR telemetry data automatically on the QRadar dashboard, with ability to prioritize globally
– Integrate QRadar EDR with QRadar SIEM with no impact to your EPS count

Case study: Pakistan’s Askari Bank builds a new SOC and relies on IBM QRadar automation and analytics to keep cyberthreats at bay
ibm.com/case-studies/askari-bank
– The bank’s SOC has reduced the number of security incidents from roughly 700 per day to fewer than 20 with the help of QRadar SIEM’s ability to weed out false positives
– SOC personnel use dynamic playbooks to resolve incidents in five minutes on average, compared to 30 minutes prior to implementing QRadar SOAR
“With QRadar, we now have the efficiency and flexibility to adapt to a cyberthreat landscape that’s constantly changing, no matter how fast we grow.”
- Chief Information Security Officer, Askari Bank
Extend your QRadar SOAR

SOAR with SIEM: Accelerate your response time
– Streamline your workflow with a single view of all relevant QRadar SIEM offense details within your SOAR case, gain intelligence real-time from 700+ partner extensions
– Proactively secure and continuously refine your detection mechanisms in QRadar SIEM by learning from SOAR processes

SOAR with EDR: Automate endpoint remediation
– Automatically open cases with endpoint alerts and enrich threat investigations
– Organize rapid simultaneous responses across the endpoint ecosystem such as isolating an endpoint to protect against malware
Thousands of open integrations at the center of your ecosystem
Open source and open community
Open Cybersecurity Schema Framework