At the RSA conference, IBM launched a platform-centric expansion to its QRadar security product, designed as a one-stop shop to accelerate response and offer a unified framework for security operations centers. Called QRadar Suite, the cloud-native service expands capabilities across threat detection, investigation and response technologies, according to the company.
The service has an integrated dashboard user experience and artificial intelligence automation for parsing threats and responses. It’s designed to address the ongoing bad arithmetic around security operations centers: a threat landscape that is only expanding; more sophisticated attackers; plus an endemic shortage of human sentries to guard enterprise perimeters and kill chains.
“Today’s Security Operation Center teams are protecting a fast-expanding digital footprint that extends across hybrid cloud environments – creating complexity and making it hard to keep pace with accelerating attack speeds,” according to IBM, which also said the products are specifically meant to help buttress security operations center teams facing labor-intensive alert investigations and response processes, manual analysis and the proliferation of tools, data, points of engagement, APIs and other potential vulnerabilities.
XDR, SIEM and SOAR
Keeping pace with one of the pied pipers of RSA 2023 — unified platforms over multi-vendor security — IBM said QRadar Suite includes extended detection and response, or XDR, as well as security information and event management, and security orchestration, automation and response, or SOAR. It also includes a new cloud-native log management capability — all built around a common user interface, shared insights and connected workflows.
Emily Mossburg, Deloitte’s global cyber leader, said SOAR is about automating the workflow, while SIEM is the collection of security logs and events, and rules and policies to define analysis on top of that. “I would consider SOAR to be security worldflow management. The vendors are sort of pushing it to help simplify the whole security operation and drive down the level of effort associated with working through incident and researching,” she said.
She said it comes down to dealing with a perennial shortage of security analysts.“There’s an element of balancing out the talent gap and I think the reality is that there’s a cost element to this. Organizations can’t spend more on protecting themselves than the revenue they bring in. If you had human eyes on glass on everything all the time you couldn’t afford security.”
IBM said its QRadar SIEM has a new unified analyst interface that provides shared insights and workflows with broader security operations toolsets. IBM said it plans to make QRadar SIEM available as a service on Amazon Web Services by the end of Q2 2023.
AI, the sine qua non of security?
During RSA, many companies talked about the virtues of AI in security, particularly with the increase in alerts into SOCs and the paucity of human agents, particularly in mid-sized businesses that are perhaps more vulnerable to phishing attacks.
IBM Managed Security Services said it is using AI to automate more than 70% of alert closures and reduce its alert triage timelines by 55% on average within the first year of implementation, according to the company.
IBM said QRadar uses AI to:
- Triage: The company said that to prioritize and respond to alerts, QRadar includes AI trained on prior analyst response patterns, along with external threat intelligence from IBM X-Force and broader contextual insights from across detection toolsets.
- Investigation: AI models identify high-priority incidents and automatically begin investigating and generate a timeline and attack graph of the incident based on the MITRE ATT&CK framework, and recommend actions to speed response.
- Hunting: QRadar uses open-source threat hunting language and federated search capabilities to ID attacks and indicators of compromise across environments, without moving data from its original source.
The design elements of the system include a UX across products meant to make it easier to increase analyst speed and efficiency across the kill chain and AI capabilities. It is cloud-based and delivered on AWS and includes cloud-native log management capability.
“In the face of a growing attack surface and shrinking attack timelines, speed and efficiency are fundamental to the success of resource-constrained security teams,” said Mary O’Brien, general manager, IBM Security, in a statement. “IBM has engineered the new QRadar Suite around a singular, modernized user experience, embedded with sophisticated AI and automation to maximize security analysts’ productivity and accelerate their response across each step of the attack chain,” she added.
Matt Olney, director, threat intelligence and interdiction at Cisco’s Talos threat intelligence unit, said it’s indeed an exciting time in AI and a system that supports human analysts is ideal. But he worries that, while AI will be faster, it may not be better, and suggests AI in the service of security poses a paradoxical conundrum. “We are training AI on internet, so we are creating things that can solve all these solved problems, but if we haven’t bothered to solve the problems we won’t be able to use the AI to do it,” he said.
Cisco showcased an early conceptual version of its AMES AI model for security, which will move toward a natural language interface. Olney voiced concerns that security AI systems could eventually eliminate lower level or Tier 1 security jobs, potentially hobbling enterprises’ ability to fill higher level SOC analyst positions where problems get solved creatively, generating data that would improve AI. “So when we start training AI, what are we going to train it on that’s new, if we’ve ended up eliminating these people?”
Platforms versus single vendors: a false dichotomy?
Mossburg said the platforming trend follows an inflection point in the industry on full display at RSA. “For a long time, we have focused on best-of-breed, the best mousetrap and it has gotten complex and hard to manage. Does it make sense to have 100 of the best mouse traps if you don’t have time to set them? We need to move to some level of simplicity so we can actually manage this thing that we have. We will see more of this for the next five years. We will see significant consolidation,” she predicted.
Olney said there are advantages to having a unified environment. “There are a lot of things to think about when making decisions about what to invest in, so really you want to look for what gives you the most visibility and what integrates well with the current level of sophistication your security staff has. Ultimately the tools are super important and useful and necessary, but ultimately it’s the people that are going to define the success of your security program,” he said.
He enumerated the advantages of having a unified environment. “You have a better relationship with vendors, a lot of sway when you are negotiating, and it’s easier to train people. Also, your support contracts are usually unified and that helps with financing,” Olney said.
A drawback: how likely is it for one company to excel at all toolsets? “If I’m advising a customer, I’ll say you have to have a really solid understanding of what your security needs are before you go looking for a security product,” said Olney, adding that enterprises should find a solution that gives them maximum visibility and the most secure controls they can apply to secure their network when they are actively engaging with their adversary.
The bottom line is security is hard, he said.
“You can’t just buy something from a vendor, plug it in and say I’m secure now. That’s not how this game works. It has to be complementary between right people with right skills sets combined with right tools and capabilities and put those together,” he added.