Threat management

IBM® Security Risk Manager provides a unified view where you manage threat data, the asset data for the assets on which the threats were detected, and indicators of compromise (IOCs). This broader view of threat data helps you to identify and analyze the critical risks so that you can prioritize mitigation activities. Threat and asset data are imported into the Risk Manager repository from multiple products.

Risk area mapping for threats

Threats are the events that occurred on an asset at a specific time. For example, a threat can include threat events from IBM Security QRadar®, or policy violations and activity monitoring alert violations from IBM Security Guardium®.

The threats that are imported from the source products are automatically mapped to the appropriate risk areas. A risk area is a logical group of threats of similar nature. Risk Manager provides a set of standard risk areas. You can change the existing threat mapping by assigning different risk areas. Unmapped threats are shown as Unassigned. You can then assign appropriate risk areas for the unmapped threats. You can also create a risk area and assign threats to it according to your business needs.

When the risk engine runs, the risk score of each risk area is computed from the configured settings and expressed on a three-level scale: high, medium, or low. The aggregated risk area scores are plotted on the dashboard as a percentage that relates the probability of the risk occurring to the business impact if it does occur. The dashboard helps you to focus on the most critical risk areas so that you can implement appropriate remediation to reduce the identified risks.

Risk area mapping for threat activity reports

The threat activity reports from TruSTAR include IOCs. IOCs are the evidence of malicious activities that occurred on a system or network, for example, suspicious URLs or email addresses.

The imported threat reports are automatically mapped to the appropriate predefined risk areas based on the report tags. A risk area is a logical group of threat activity reports of similar nature. The risk engine uses the IOC data to prioritize the threat activity reports based on the category and severity levels of their IOCs. The prioritized threat reports are plotted on the dashboard in the form of risk areas. Visualizing the data on the dashboard helps you to focus on the most critical IOCs so that you can implement appropriate remediation to reduce the identified risks.