March 2, 2023 By Jackie Lehmann 6 min read

How a leading SIEM solution like IBM Security QRadar can accelerate your threat detection and investigation. [1]

With cybersecurity threats on the rise, it’s important to ensure your organization has a full view of your environment. A threat detection and response solution can generate high-fidelity alerts that allow security analysts to focus on what really matters and respond quickly and effectively.

According to the X-Force Threat Intelligence Index 2023, the most common threat actions on objective were the deployment of backdoors (21%), ransomware (17%) and business email compromise (6%). While backdoor deployments—which enable remote access to systems—were the most common type of attacker action, the silver lining is that 67% of the backdoor cases failed to advance as ransomware attacks as defenders were able to disrupt the backdoor before ransomware was deployed.

IBM Security® QRadar® SIEM enables analysts to monitor cloud environments alongside the rest of your security enterprise data to provide prioritized high-fidelity alerts with real-time threat detection using the latest threat intelligence and built-in use cases (rules). In this demo blog, I will walk you through how a security analyst would typically investigate a threat found by QRadar SIEM and designate it for remediation.

Monitoring dashboard for potential threats

The fastest and easiest way to get started is by focusing on the threats that matter most using the Offenses tab:

The overview dashboard above shows key stats about the current alerts in this company’s IT environment (called “offenses” in QRadar SIEM). In the table of offenses, the first column ranks them by either priority or magnitude score. Offenses are created by QRadar’s automated threat detection processes, which analyze events in near real time to discover what is happening. QRadar SIEM can analyze events from two types of sources:

  1. Logs: These are events that happened at a specific point in time and were written to a log file by an application. QRadar SIEM can analyze log files from over 700 data sources.
  2. Network flows (or simply flows): These are network activities between two hosts on a network. They are captured by QRadar SIEM’s built-in Network Detection and Response (NDR) add-on. Flows are more reliable than log data since they represent actual real-time data and cannot be modified.

Now, let me filter the offenses assigned to me and kick off my investigation. 

Investigating and correlating multiple events

From the Offenses overview page, I can see everything that QRadar SIEM has correlated and prioritized:

If I look at the offense description, I can see two things. First, this looks like a potential insider threat—it is definitely something I want to click on to investigate further:

The second thing I notice is the event chaining. The description demonstrates how QRadar is not only analyzing individual suspicious log events, but also comparing them to other events and collecting and correlating them into a single offense.

Assessing the magnitude of an offense

While investigating, I can also see key details about this offense in the screen above. These include what the source and destination IPs were, which MITRE ATT&CK tactics and techniques have been detected, and what use cases were triggered in relation to this offense, as well as the magnitude score breakdown. 

The magnitude score is how QRadar SIEM uniquely calculates the offense priority, which helps the security analyst focus on the most important offenses first. As shown in the screen below, it is composed of three factors:

  1. Credibility: How much do I trust the source? (20% of magnitude score)
  2. Relevance: How pertinent is this to my environment specifically? (50% of magnitude score)
  3. Severity: How bad will this be if it actually occurs? (30% of magnitude score)

This offense has a magnitude score of five, which is a medium offense. So, I’ll want to continue the investigation by reviewing the events. Let’s see if QRadar SIEM found a username associated with any of this.

Searching and filtering events

By clicking on the events, QRadar SIEM shows me the query builder tool, where I see a populated view of the events associated with this offense. Here I can continue to drill into the events, filter them or, if needed, modify the AQL query to expand or narrow the number of events.

I’m now going to use some of the quick-filter capabilities on the left to see if any usernames have been detected within the events related to this offense. I can see that there are a few names. Let’s take a look at the user, JBlue:

As seen above, I can now view JBlue’s activity. I immediately notice privilege escalation, failed and successful logins, and so on. It looks like JBlue is up to something. I’m going to pivot into our User Behavior Analytics (UBA) tool to do some more digging on JBlue.
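The event chaining described earlier, the magnitude factors above, and the pattern just seen in JBlue’s activity (failed logins, a successful login, then privilege escalation) can be shown together in a small correlation routine. The following is an added example written for this post; it is not QRadar’s code and does not reproduce how QRadar builds offenses. The sample events, the credibility/relevance/severity ratings given to the offense, the failed-login threshold and the low/medium/high bands are all constructed assumptions; only the 20/50/30 weights come from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Weights the post gives for the three magnitude factors.
WEIGHTS = {"credibility": 0.2, "relevance": 0.5, "severity": 0.3}

# Constructed sample events, not real QRadar output: (time, event name, username, source IP).
SAMPLE_EVENTS = [
    (1, "Login Failed", "JBlue", "10.0.0.5"),
    (2, "Login Failed", "JBlue", "10.0.0.5"),
    (3, "Login Failed", "JBlue", "10.0.0.5"),
    (4, "Login Success", "JBlue", "10.0.0.5"),
    (5, "Privilege Escalation", "JBlue", "10.0.0.5"),
    (6, "Login Failed", "AGreen", "10.0.0.7"),
    (7, "Login Success", "AGreen", "10.0.0.7"),
]


@dataclass
class Offense:
    username: str
    events: list      # the chained events that make up this offense
    credibility: int  # 0-10, assumed rating of the log source
    relevance: int    # 0-10, assumed rating of the affected user/asset
    severity: int     # 0-10, assumed rating of the matched rule

    def magnitude(self) -> int:
        """Weighted sum of the three factors, rounded to a 0-10 score."""
        score = (WEIGHTS["credibility"] * self.credibility
                 + WEIGHTS["relevance"] * self.relevance
                 + WEIGHTS["severity"] * self.severity)
        return round(score)

    def level(self) -> str:
        # Assumed bands: the post only tells us that a score of 5 is "medium".
        m = self.magnitude()
        if m <= 3:
            return "low"
        if m <= 6:
            return "medium"
        return "high"


def chain_matches(names, failed_threshold):
    """True when at least failed_threshold failed logins are followed by a
    successful login and then a privilege escalation, in that order."""
    failed = 0
    logged_in = False
    for name in names:
        if not logged_in:
            if name == "Login Failed":
                failed += 1
            elif name == "Login Success":
                if failed >= failed_threshold:
                    logged_in = True
                else:
                    failed = 0  # a normal login resets the count
        elif name == "Privilege Escalation":
            return True
    return False


def correlate(events, failed_threshold=3, credibility=4, relevance=5, severity=6):
    """Group events by user, chain them, and return offenses sorted by magnitude.
    The three ratings are constructed defaults for the one rule shown here."""
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[2]].append(ev)
    offenses = []
    for user, evs in per_user.items():
        if chain_matches([e[1] for e in evs], failed_threshold):
            offenses.append(Offense(user, evs, credibility, relevance, severity))
    return sorted(offenses, key=lambda o: o.magnitude(), reverse=True)


if __name__ == "__main__":
    for off in correlate(SAMPLE_EVENTS):
        print(off.username, off.magnitude(), off.level(), len(off.events), "events")
```

With the constructed ratings the JBlue chain scores 0.2·4 + 0.5·5 + 0.3·6 = 5.1, rounded to 5, which lands in the medium band, while AGreen’s single failed login followed by a normal login produces no offense at all. The point the post makes survives the simplification: relevance carries half the weight, so the same rule firing on a more sensitive asset or user rises in priority without any change to the rule itself.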

Running User Behavior Analytics (UBA)

On the UBA Overview page below, I can see information specifically around insider threat risks in this organization’s environment. Let’s break this page down a little further:

Over on the left is the risky Monitored users list. Here, UBA ranks users by risk score, highest first (the scores are based on several analytics in QRadar SIEM). Multiple dedicated machine learning (ML) models determine normal versus anomalous behavior for each user based on their own activity and that of their learned peer group. The peer group ML model helps UBA detect behavior outside of what is deemed normal for that peer group.

Across the top is the status of my environment, how many users are being monitored and how UBA found them (imported users or discovered through event analysis). I can import users through traditional CSV (Comma Separated Values) or using LDAP (Lightweight Directory Access Protocol) to identify a user based on their related attributes across log sources. In the area at the top, far right, UBA shows how many of the UBA-related rules (use cases) I currently have turned on, and the status of my ML models. 
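The peer-group idea above, a user being scored against what is normal for users like them rather than against a fixed threshold, can be illustrated with a leave-one-out baseline. The example below is added here and is not UBA’s code or its models; the peer groups, the two behaviour counts per user, the minimum peer-group size, the standard-deviation floor and the flagging threshold are all constructed assumptions chosen to show the mechanism.

```python
from statistics import mean, pstdev

# Constructed sample: per-user behaviour counts over one day, grouped by peer group.
PEER_GROUPS = {
    "programmers": {
        "JBlue":  {"distinct_hosts": 14, "after_hours_logins": 6},
        "AGreen": {"distinct_hosts": 3,  "after_hours_logins": 0},
        "BRed":   {"distinct_hosts": 4,  "after_hours_logins": 1},
        "CWhite": {"distinct_hosts": 2,  "after_hours_logins": 0},
        "DBlack": {"distinct_hosts": 3,  "after_hours_logins": 1},
    },
    "sysadmins": {
        "EGrey":  {"distinct_hosts": 20, "after_hours_logins": 3},
        "FPink":  {"distinct_hosts": 19, "after_hours_logins": 2},
        "GBrown": {"distinct_hosts": 20, "after_hours_logins": 4},
        "HTeal":  {"distinct_hosts": 20, "after_hours_logins": 3},
    },
    "contractors": {  # too few members to form a meaningful baseline
        "IOlive": {"distinct_hosts": 9, "after_hours_logins": 0},
        "JAmber": {"distinct_hosts": 1, "after_hours_logins": 0},
    },
}

MIN_PEERS = 3      # assumed: below this, the baseline is too thin to score against
SIGMA_FLOOR = 1.0  # assumed: count data with near-zero variance would otherwise make any deviation huge


def peer_zscore(value, peers):
    """Standard score of value against the peers' values for the same metric."""
    mu = mean(peers)
    sigma = max(pstdev(peers), SIGMA_FLOOR)
    return (value - mu) / sigma


def score_users(groups, threshold=3.0):
    """Return (user, group, risk, flagged, note) tuples sorted by risk, highest first.
    Risk is the sum, over metrics, of how far the user sits above their peers;
    being below the peer baseline does not add risk."""
    results = []
    for group, users in groups.items():
        for user, metrics in users.items():
            peers = {u: m for u, m in users.items() if u != user}  # leave-one-out
            if len(peers) < MIN_PEERS:
                results.append((user, group, 0.0, False, "insufficient peers"))
                continue
            risk = 0.0
            for metric, value in metrics.items():
                z = peer_zscore(value, [m[metric] for m in peers.values()])
                risk += max(z, 0.0)
            results.append((user, group, round(risk, 2), risk >= threshold, "ok"))
    return sorted(results, key=lambda r: r[2], reverse=True)


def flagged_users(groups, threshold=3.0):
    return [r[0] for r in score_users(groups, threshold) if r[3]]


if __name__ == "__main__":
    for user, group, risk, flagged, note in score_users(PEER_GROUPS):
        print(f"{user:8} {group:12} risk={risk:6.2f} flagged={flagged} ({note})")
```

Run against the constructed data, JBlue is the only user whose behaviour is well above the programmer baseline on both counts, while the sysadmins, whose host counts are high in absolute terms, score near zero because that volume is normal for their group. Two design points matter in practice: the leave-one-out baseline keeps an outlier from inflating the very baseline it is measured against, and the peer-group size check prevents tiny groups from producing confident-looking scores.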

So now, let’s double-click to find out what’s going on with the user JBlue.

Quickly completing an investigation to trigger an effective response

Below is JBlue’s User details page, which provides me with the details on what JBlue has been doing:

Right away, I see two use cases on the screen below that matched for this session, which is a red flag to me:

When I click on the first use case, “dormant account used”, I see there are TCP events associated with a German IP. For this scenario, I know this company does not do business there and that JBlue is a programmer in our Colorado Springs office.

Now I can add my notes and notify the response team to kick off the required remediation steps, perhaps with the help of a Security Orchestration, Automation and Response (SOAR) solution like IBM Security QRadar SOAR:

Conclusion

We’ve just demonstrated how QRadar SIEM can help with real-time threat detection and, at the same time, ease the security analyst workload. For more information about what IBM Security QRadar SIEM can do for your business, you can request a demo or check our webpage.

Read the full 2023 IBM Security X-Force Threat Intelligence Index and view the Threat Intelligence Index Action Guide for insights, recommendations and next steps.


[1] Gartner, Magic Quadrant for Security Information and Event Management, October 2022
