How a leading SIEM solution like IBM Security QRadar can accelerate your threat detection and investigation. [1]

With cybersecurity threats on the rise, it’s important to ensure your organization has a full view of your environment. A threat detection and response solution can generate high-fidelity alerts that allow security analysts to focus on what really matters and respond quickly and effectively.

According to the X-Force Threat Intelligence Index 2023, the most common threat actions on objective were the deployment of backdoors (21%), ransomware (17%) and business email compromise (6%). Backdoor deployments, which give attackers remote access to systems, were the most common attacker action. The silver lining is that 67% of those backdoor cases did not progress to ransomware, because defenders disrupted the backdoor before ransomware could be deployed.

IBM Security® QRadar® SIEM enables analysts to monitor cloud environments alongside the rest of your security enterprise data to provide prioritized high-fidelity alerts with real-time threat detection using the latest threat intelligence and built-in use cases (rules). In this demo blog, I will walk you through how a security analyst would typically investigate a threat found by QRadar SIEM and designate it for remediation.

Monitoring dashboard for potential threats

The fastest and easiest way to get started is by focusing on the threats that matter most using the Offenses tab:

The overview dashboard above shows key statistics about the current alerts in this company’s IT environment (QRadar SIEM calls them “offenses”). In the offense table, the first column sorts them by priority or magnitude score. Offenses are created by QRadar SIEM’s automated threat detection, which correlates events against its rules in near real time to work out what is happening. QRadar SIEM can analyze events from two types of sources:

  1. Logs: These are events that happened at a specific point in time and were written to a log file by an application or system. QRadar SIEM can analyze log files from over 700 data sources.
  2. Network flows, or flows: These are records of network activity between two hosts. They are captured by QRadar SIEM’s Network Detection and Response (NDR) add-on. Flows complement log data because they are observed on the wire rather than written by the host: a compromised host can tamper with or suppress its own logs, but it cannot rewrite the flow records that the collector has already captured for its traffic. Flows do have their own blind spots (encrypted payloads, segments the collector cannot see), so the two sources are strongest when correlated together.

Now, let me filter the offenses assigned to me and kick off my investigation. 

Investigating and correlating multiple events

From the Offenses overview page, I can see everything that QRadar SIEM has correlated and prioritized:

If I look at the offense description, I can see two things. First, this looks like a potential insider threat—it is definitely something I want to click on to investigate further:

The second thing I notice is the event chaining. The description demonstrates how QRadar is not only analyzing individual suspicious log events, but also comparing them to other events and collecting and correlating them into a single offense.

Assessing the magnitude of an offense

While investigating, I can also see key details about this offense in the screen above. These include what the source and destination IPs were, which MITRE ATT&CK tactics and techniques have been detected, and what use cases were triggered in relation to this offense, as well as the magnitude score breakdown. 

The magnitude score is how QRadar SIEM calculates an offense’s priority, which helps the security analyst focus on the most important offenses first. As shown in the screen below, it combines three factors:

  1. Credibility: How much do I trust the source of the matched events? (20% of the magnitude score)
  2. Relevance: How pertinent is this activity to my specific environment? (50% of the magnitude score)
  3. Severity: How bad would this be if the activity is real? (30% of the magnitude score)

This offense has a magnitude score of five, which is a medium offense. So, I’ll want to continue the investigation by reviewing the events. Let’s see if QRadar SIEM found a username associated with any of this.
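To make the event chaining described earlier and the magnitude weighting above concrete, here is a small correlation engine written for this post. It is an added illustration, not QRadar code: the three rule definitions, the constructed login events, the 0–10 factor values each rule carries, the aggregation choice (an offense built from several chained rules takes the highest credibility, relevance and severity any of its rules set) and the low/medium/high bands are all assumptions. Only the 20/50/30 weighting and the fact that a score of five is medium come from the post.

```python
"""Toy offense correlation with weighted magnitude scoring (added example).

Assumptions (not from the post): the rule set, the factor values per rule,
max-aggregation across chained rules, and the band thresholds.
"""
from collections import defaultdict

# Weights quoted in the post: 20% credibility, 50% relevance, 30% severity.
WEIGHTS = {"credibility": 0.2, "relevance": 0.5, "severity": 0.3}

# Assumed rules.  Each carries its three factors on a 0-10 scale, the way a
# rule response can set them when it fires.
RULES = {
    "Multiple login failures": {"credibility": 5, "relevance": 5, "severity": 4},
    "Login success after failures": {"credibility": 6, "relevance": 6, "severity": 5},
    "Privilege escalation after suspicious login": {"credibility": 7, "relevance": 8, "severity": 8},
}

# Constructed sample events (not real log data).  Source IP is the offense index.
EVENTS = [
    {"time": 1, "sourceip": "10.1.4.22", "user": "JBlue", "name": "Login Failed"},
    {"time": 2, "sourceip": "10.1.4.22", "user": "JBlue", "name": "Login Failed"},
    {"time": 3, "sourceip": "10.1.4.22", "user": "JBlue", "name": "Login Failed"},
    {"time": 4, "sourceip": "10.1.4.22", "user": "JBlue", "name": "Login Success"},
    {"time": 5, "sourceip": "10.1.4.22", "user": "JBlue", "name": "Privilege Escalation"},
    {"time": 6, "sourceip": "10.1.9.7", "user": "MGreen", "name": "Login Failed"},
    {"time": 7, "sourceip": "10.1.9.7", "user": "MGreen", "name": "Login Failed"},
    {"time": 8, "sourceip": "10.1.9.7", "user": "MGreen", "name": "Login Failed"},
    {"time": 9, "sourceip": "10.1.9.7", "user": "MGreen", "name": "Login Success"},
    {"time": 10, "sourceip": "10.1.3.5", "user": "TWhite", "name": "Login Failed"},
    {"time": 11, "sourceip": "10.1.3.5", "user": "TWhite", "name": "Login Success"},
]


def rules_for_source(events):
    """Evaluate the chained rules over one source's events in time order.

    Later rules only fire once the earlier one has fired for the same source;
    that dependency is the event chaining the offense description shows.
    """
    fired = []

    def fire(name):
        if name not in fired:
            fired.append(name)

    failures = 0
    suspicious_login = False
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["name"] == "Login Failed":
            failures += 1
            if failures >= 3:
                fire("Multiple login failures")
        elif ev["name"] == "Login Success":
            if "Multiple login failures" in fired:
                fire("Login success after failures")
                suspicious_login = True
            failures = 0
        elif ev["name"] == "Privilege Escalation" and suspicious_login:
            fire("Privilege escalation after suspicious login")
    return fired


def magnitude(rule_names):
    """Weighted 0-10 score.  Assumption: take the highest value of each factor
    across the rules chained into the offense, then apply the post's weights."""
    factors = {k: max(RULES[r][k] for r in rule_names) for k in WEIGHTS}
    score = sum(WEIGHTS[k] * factors[k] for k in WEIGHTS)
    return int(round(score)), factors


def band(score):
    """Assumed bands, chosen so that a score of 5 is 'medium' as in the post."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def correlate(events):
    """Group events by source IP, run the rules, and return the resulting
    offenses sorted by magnitude so the analyst sees the highest first."""
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["sourceip"]].append(ev)
    offenses = []
    for src, evs in by_source.items():
        fired = rules_for_source(evs)
        if not fired:
            continue  # nothing matched: raw events, but no offense
        score, factors = magnitude(fired)
        offenses.append({
            "sourceip": src,
            "usernames": sorted({e["user"] for e in evs}),
            "event_count": len(evs),
            "rules": fired,
            "magnitude": score,
            "band": band(score),
            **factors,
        })
    return sorted(offenses, key=lambda o: o["magnitude"], reverse=True)


if __name__ == "__main__":
    for o in correlate(EVENTS):
        print(f"{o['sourceip']:>10}  mag={o['magnitude']} ({o['band']})  "
              f"users={o['usernames']}  rules={o['rules']}")
```

Running it produces two offenses: the JBlue source chains all three rules and scores 8 (high), the MGreen source chains two and scores 6 (medium), and the single failure from TWhite never becomes an offense at all. That is the behaviour the analyst relies on when sorting the Offenses tab by magnitude: the ordering is driven by which rules chained, not by raw event volume.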

Searching and filtering events

By clicking on the events, QRadar SIEM opens the query builder with a populated view of the events associated with this offense. Here I can continue to drill into the events, filter them or, if needed, modify the AQL (Ariel Query Language) query to expand or narrow the number of events returned.

I’m now going to use some of the quick-filter capabilities on the left to see if any usernames have been detected within the events related to this offense. I can see that there are a few names. Let’s take a look at the user, JBlue:

As seen above, I can now view JBlue’s activity. I immediately notice privilege escalation, failed and successful logins, and so on. It looks like JBlue is up to something. I’m going to pivot into our User Behavior Analytics (UBA) tool to do some more digging on JBlue.

Running User Behavior Analytics (UBA)

On the UBA Overview page below, I can see information specifically around insider threat risks in this organization’s environment. Let’s break this page down a little further:

On the left is the Monitored users list, ranked by risk score from highest to lowest (the score is based on several analytics in QRadar SIEM). Multiple dedicated machine learning (ML) models determine normal versus anomalous behavior for each user, based both on that user’s own history and on the behavior of their learned peer group. The peer group model lets UBA flag activity that is unusual for the user’s role even when it is not unusual in absolute terms.

Across the top is the status of my environment: how many users are being monitored and how UBA found them (imported users or users discovered through event analysis). I can import users from a CSV (Comma Separated Values) file or over LDAP (Lightweight Directory Access Protocol), which lets UBA tie a user’s related attributes together across log sources. At the top far right, UBA shows how many of the UBA-related rules (use cases) I currently have turned on, and the status of my ML models.

So now, let’s double-click to find out what’s going on with the user JBlue.

Quickly completing an investigation to trigger an effective response

Below is JBlue’s User details page, which provides me with the details on what JBlue has been doing:

Right away, I see two use cases on the screen below that matched for this session, which is a red flag to me:

When I click on the first use case, “dormant account used”, I see TCP events associated with a German IP address. For this scenario, I know this company does not do business there and that JBlue is a programmer in our Colorado Springs office. It is the combination that matters: a long-idle account authenticating is worth a look on its own, but a long-idle account that then opens connections to a country where the business has no footprint is a strong indicator of account takeover or insider misuse, and that is what turns this offense from “review” into “escalate”.
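To show what the “dormant account used” use case is checking, here is that detection written out in Python as an added example for this post; it is not UBA’s own code. Everything in it is an assumption for illustration: the 90-day dormancy threshold, the approved-country list, the constructed syslog-style log lines, the constructed last-seen baseline (standing in for what a UBA model would have learned from history) and the tiny country lookup table that stands in for a real GeoIP database.

```python
"""Dormant-account login followed by traffic to a non-business country.

Added example; the thresholds, sample logs, baseline and GEO table are all
constructed for illustration and are not real QRadar or UBA data.
"""
import re
from datetime import datetime

DORMANT_DAYS = 90                  # assumption: idle this long counts as dormant
APPROVED_COUNTRIES = {"US"}        # assumption: where this company does business
GEO = {"203.0.113": "DE", "198.51.100": "US"}   # stand-in for a GeoIP lookup, by /24

# Constructed, syslog-like log lines (documentation IP ranges, fictional users).
LOGS = """\
2023-09-18T08:01:10Z auth host=vpn1 user=JBlue action=login result=success src=10.1.4.22
2023-09-18T08:03:42Z net host=fw1 user=JBlue proto=tcp dst=203.0.113.9 dport=443 action=allow
2023-09-18T08:04:02Z net host=fw1 user=JBlue proto=tcp dst=203.0.113.9 dport=22 action=allow
2023-09-18T07:55:00Z auth host=vpn1 user=MGreen action=login result=success src=10.1.9.7
2023-09-18T07:58:00Z net host=fw1 user=MGreen proto=tcp dst=198.51.100.7 dport=443 action=allow
2023-09-18T09:12:00Z auth host=vpn1 user=TWhite action=login result=success src=10.1.3.5
2023-09-18T09:13:00Z net host=fw1 user=TWhite proto=tcp dst=198.51.100.7 dport=443 action=allow
"""

# Constructed baseline: last successful login per user before these logs.
LAST_SEEN = {
    "JBlue": datetime(2023, 5, 1),    # 140 days idle by the time of the login above
    "MGreen": datetime(2023, 9, 17),  # logs in every day
    "TWhite": datetime(2023, 3, 1),   # 201 days idle, but only talks to approved IPs
}

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<timestamp> <kind> k=v k=v ...' into a dict."""
    ts, kind, rest = line.split(" ", 2)
    ev = dict(KV.findall(rest))
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    ev["kind"] = kind
    return ev


def country(ip):
    """Toy geolocation: look the /24 prefix up in the constructed table."""
    return GEO.get(ip.rsplit(".", 1)[0], "??")


def dormant_account_findings(lines, last_seen, dormant_days=DORMANT_DAYS):
    """Flag users whose account was idle >= dormant_days and then logged in,
    and collect any connections they then make outside the approved countries.

    Returns {user: {"dormant_days": int, "foreign_dst": [(ip, port, cc)], "action": str}}.
    """
    last_seen = dict(last_seen)        # do not mutate the caller's baseline
    events = [parse(l) for l in lines.splitlines() if l.strip()]
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        user = ev["user"]
        if ev["kind"] == "auth" and ev.get("result") == "success":
            idle = (ev["time"] - last_seen[user]).days
            if idle >= dormant_days:
                findings[user] = {"dormant_days": idle, "foreign_dst": [], "action": "review"}
            last_seen[user] = ev["time"]
        elif ev["kind"] == "net" and user in findings:
            cc = country(ev["dst"])
            if cc not in APPROVED_COUNTRIES:
                findings[user]["foreign_dst"].append((ev["dst"], ev["dport"], cc))
                findings[user]["action"] = "escalate"   # dormant + foreign traffic
    return findings


if __name__ == "__main__":
    for user, f in dormant_account_findings(LOGS, LAST_SEEN).items():
        print(f"{user}: idle {f['dormant_days']}d, foreign={f['foreign_dst']} -> {f['action']}")
```

With the constructed input, JBlue is flagged with 140 idle days and two connections to a German address, so the finding is marked “escalate”; TWhite is flagged as dormant but only reaches approved destinations and stays at “review”; MGreen, who logs in daily, produces nothing. Note that the baseline is copied before it is updated, so re-running the detection over the same window gives the same answer, which matters when an analyst re-runs a search during an investigation.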

Now I can add my notes and notify the response team to kick off the required remediation steps, perhaps with the help of a Security Orchestration, Automation and Response (SOAR) solution like IBM Security QRadar SOAR:

Conclusion

We’ve just demonstrated how QRadar SIEM can help with real-time threat detection and, at the same time, ease the security analyst workload. For more information about what IBM Security QRadar SIEM can do for your business, you can request a demo or check our webpage.

Read the full 2023 IBM Security X-Force Threat Intelligence Index and view the Threat Intelligence Index Action Guide for insights, recommendations and next steps.


[1] Gartner 2022 Gartner® Magic Quadrant™ for Security Information and Event Management, October 2022
