Security operations needs major improvement
The move to cloud and IT modernization has expanded the attack surface, creating increased security complexity
two years (2)
75% reduction in risk of a security incident (2)
Work with what you already have and expand to where you want to go
An open approach with federated search gives you flexibility to access data where it is, or consolidate when necessary
• Available as licensed software or SaaS
AI and automation in the threat lifecycle
IBM Security 9
Predict, prevent, and respond to modern threats
– IBM Security Randori Recon
– IBM Security QRadar EDR
– IBM Security QRadar SIEM Network Threat Analytics
– IBM Security QRadar SIEM Unified Analyst Experience
– IBM Security QRadar SIEM Threat Investigator
– IBM Security QRadar SOAR
IBM Security Randori Recon (ASM)
Continuously identify external facing assets that are visible to attackers – and prioritize high-risk exposures
Saves 15 hours of work a week by eliminating the guesswork of triaging and prioritizing vulnerabilities
www.randori.com/case-studies/armellini
How it works
– Discrete automated activities discover entities associated with an organization, like a hostname
– Certain discoveries trigger additional activities for deeper discovery as applicable, like a screenshot
– Large Language Models (LLMs) enhance descriptions of discovered services
In the roadmap
– Tuned, generative AI incorporates real-time threat intelligence to improve risk scoring and prioritization
IBM QRadar EDR
Remediate known and unknown endpoint threats in near real-time with intelligent automation and AI, attack visualization storyboards, and automated alert management
Gain a clear line of sight
Regain full control over all endpoint and threat activity. Designed to be undetectable, NanoOS provides deep visibility into processes and apps running on endpoints
Automate your response
Our continuously learning AI detects and responds autonomously in near real-time to previously unseen threats, and helps with guided remediation and automated alert handling
Move from reactive to proactive
Get ahead of attackers with easy-to-create detection and response use cases that return results in seconds; deploy use cases without interrupting endpoint uptime
How it works
– The agent on the endpoint uses machine learning to detect when processes exhibit abnormal and potentially malicious activity, catching unknown threats like zero-day attacks
– Cyber Assistant makes intelligent alert response recommendations using graph analytics and a one-shot learning algorithm, learning from the decisions your analysts have made on similar alerts in the past
– It’s trained only using data from your environment, and the level of response is configurable; it can recommend appropriate responses, or automatically close benign alerts and create allow lists
– For transparency, it displays the full list of alerts it has determined to be similar and documents actions it takes, such as modifying an impact score
1 On average, results from customer study; actual results will vary based on client configurations and conditions
IBM QRadar Log Insights
Powered by Open Source, Open Standards and the Open Cybersecurity Schema Framework
IBM Security QRadar SIEM
Run your business in the cloud and on-prem with visibility and security analytics built to stay ahead of advanced threats
Near real-time threat detection
Leverage AI to rapidly investigate and prioritize high fidelity alerts based on credibility, relevance, and severity of risk
Increased analyst productivity
A unified analyst experience, co-created with security experts, helps you act faster with added context and less screen switching
Simplified deployment and management with SaaS
Take the complexity and management out of running a SIEM associated with on-prem solutions
IBM Security QRadar SIEM Network Threat Analytics
How it works
– Hierarchical cluster analysis with histogram-based outlier scoring algorithms create a unique set of models for each network, allowing analysts to better detect and assess changes in behavior
– Multi-tiered analytics reduce false positives and scale to any environment, enhancing productivity and providing actionable insights for analysts
In the roadmap
– User-configurable sensitivity of detection per host or application, allowing rapid response for critical assets
– Supervised training collects user feedback to continually improve analytics and detection capabilities across your environment
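To make the histogram-based outlier scoring idea above concrete, here is an added example (not IBM code) that learns per-feature histograms from a constructed set of per-host flow summaries for one network segment and scores a host by how sparse the bins its values fall into are. The feature names, the sample records and the hypothetical host 10.0.0.99 are all constructed for illustration.

```python
"""Histogram-based outlier scoring (HBOS) over per-host network flow features.

Added example, not IBM code: each network gets its own histograms, and a host
whose feature values land in sparse (or never seen) bins scores high.
"""
import math
from typing import Dict, List

FEATURES = ("bytes_out", "unique_dst_ports", "flow_count")

# Constructed baseline: typical hosts in one network segment (values are made up).
BASELINE: List[Dict[str, float]] = [
    {"host": f"10.0.0.{i}", "bytes_out": 20_000 + 500 * (i % 7),
     "unique_dst_ports": 3 + (i % 3), "flow_count": 40 + (i % 5)}
    for i in range(1, 41)
]


def build_histograms(records, features=FEATURES, bins=10):
    """One static-width histogram per feature, heights normalised so the peak is 1."""
    hists = {}
    for f in features:
        vals = [r[f] for r in records]
        lo, hi = min(vals), max(vals)
        width = (hi - lo) / bins or 1.0      # constant feature: single wide bin
        counts = [0] * bins
        for v in vals:
            counts[min(int((v - lo) / width), bins - 1)] += 1
        peak = max(counts)
        hists[f] = (lo, width, [c / peak for c in counts])
    return hists


def hbos_score(record, hists, features=FEATURES):
    """Sum over features of log2(1 / bin height); a value outside the learned
    range is an edge case the model never saw, so it gets a small floor height
    rather than a division by zero."""
    score = 0.0
    for f in features:
        lo, width, heights = hists[f]
        idx = int((record[f] - lo) / width)
        h = heights[idx] if 0 <= idx < len(heights) and heights[idx] > 0 else 1e-3
        score += math.log2(1.0 / h)
    return score


def rank_hosts(records, hists):
    """Return (host, score) pairs sorted from most to least anomalous."""
    scored = [(r["host"], hbos_score(r, hists)) for r in records]
    return sorted(scored, key=lambda t: t[1], reverse=True)
```

Hosts that match the baseline score close to zero, while a host with unseen volumes of traffic or destination ports accumulates roughly log2(1000) per out-of-range feature, which is the signal an analyst would review.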
IBM Security QRadar SIEM Unified Analyst Experience – Triage
How it works
– The Machine Learning (ML) model automatically recommends responses to the alert, including close, escalate, review, merge, and suppress
– It’s pre-trained on 4M alerts from nearly 1,000 customers, then trained further post-deployment enabling recommendations tailored to each client environment
In the roadmap
– The models (a combination of Random Forest, XGBoost, ANN and Ensemble) will learn from, and adapt to, explicit and implicit actions
– In the future, we’ll make recommendations on groups of correlated alerts
IBM QRadar UAX
Take threat detection and response beyond the endpoint to include cloud, email, network, user and data into a single correlated view to see and stop threats faster
Go beyond the endpoint with OOTB integrations with cloud platform, SaaS, email, identity and data security systems
Act quickly with AI driven prioritization, automated investigations, integrated threat intelligence and hunting
Take action quickly with confidence with recommended actions and context
IBM Security QRadar SIEM Threat Investigator
Outcome
Automatically trigger smart investigations
Threat Investigator reduces analyst fatigue through automation, and provides summary information and recommendations all in one place
How it works
– Run federated searches to data mine across connected systems, checking against enrichment sources and SIGMA detection rules, leading to an iterative investigation process of using analytics to trace the threat and reassess risk
– Visualize and break down the attack end-to-end with MITRE mapping
– Provides the analyst with recommended actions, leveraging algorithmic decision support systems to speed up remediation
In the roadmap
– Provide a one click action to respond as a recommendation
– Provide playbook recommendations for SOAR clients
IBM QRadar SOAR - Summary
Streamline your SOC with an automated and intelligent response using the industry’s most open and interoperable SOAR platform
Modern case management experience
Identify in a single pane the who, what, how, and actions taken on a security investigation and incident response
Reduce analyst workload
Automated threat investigations and accelerated threat hunting
Streamline response with automation and intelligence
Respond x7 faster with dynamic playbooks that combine people, process and technology
How it works
– Compose playbooks based on granular triggers driven by hundreds of integrations, or use an extensive library of existing playbooks and premium data breach response content
– Automations that can run or stop based on the incident profile and client-defined processes
– Meet time-sensitive regulatory reporting requirements, and avoid expensive financial penalties with automated data breach response
In the roadmap
– Generate playbooks via AI
– Leverage Granite LLMs to provide case summary in a human readable format
– Threat assistant for Q&A and threat summaries
Extend your QRadar SIEM
SIEM with SOAR: Accelerate your response time
– Respond to alerts quickly with automatic case creation and a single view of all relevant QRadar SIEM offense details within your SOAR case
– Leverage dynamic playbooks and orchestrate remediation steps, take action with 300+ partner extensions
SIEM with EDR: Gain deep endpoint intelligence
– Build comprehensive threat context without having to go through thousands of event logs
– Search and visualize QRadar EDR telemetry data automatically on the QRadar dashboard, with ability to prioritize globally
– Integrate QRadar EDR with QRadar SIEM with no impact to your EPS count
Pakistan’s Askari Bank builds a new SOC and relies on IBM QRadar automation and analytics to keep cyberthreats at bay
ibm.com/case-studies/askari-bank
– The bank’s SOC has reduced the number of security incidents from roughly 700 per day to fewer than 20 with the help of QRadar SIEM’s ability to weed out false positives
– SOC personnel use dynamic playbooks to resolve incidents in five minutes on average, compared to 30 minutes prior to implementing QRadar SOAR
“With QRadar, we now have the efficiency and flexibility to adapt to a cyberthreat landscape that’s constantly changing, no matter how fast we grow.”
- Chief Information Security Officer, Askari Bank
Extend your QRadar SOAR
SOAR with SIEM: Accelerate your response time
– Streamline your workflow with a single view of all relevant QRadar SIEM offense details within your SOAR case, gain intelligence real-time from 700+ partner extensions
– Proactively secure and continuously refine your detection mechanisms in QRadar SIEM by learning …
SOAR with EDR: Automate endpoint remediation
– Automatically open cases with endpoint alerts and enrich threat investigations
– Organize rapid simultaneous responses across the endpoint ecosystem such as isolating an endpoint to protect against malware
…