IBM clients using QRadar can apply Artificial Intelligence (AI) through QRadar Advisor with Watson to automate routine Security Operations Center (SOC) tasks, find commonalities across investigations and provide actionable feedback to analysts. This frees analysts to focus on the more important elements of an investigation and increases analyst efficiency.
Cargills Bank is a good example of using QRadar Advisor to reduce investigation times and improve analyst productivity. Cargills wanted to enhance its existing defensive capabilities while helping analysts keep up to date with the massive quantities of security data available, including not only internal systems but also external data such as threat intelligence, research papers, blogs and other unstructured, security-related data. In addition to deploying IBM QRadar Security Information and Event Management (SIEM), Cargills deployed IBM QRadar Advisor with Watson. With the help of IBM Business Partners, Cargills deployed QRadar Advisor in under a day, and shortly thereafter its security analysts identified and isolated a malware infection.
Ramprasath R, founder and Director of Secbounty Services, one of the IBM Business Partners involved with the Cargills deployment, said “With Watson, analysts received in minutes all of the information they needed to conduct an investigation in a single pack, including the name of the person and the malware involved, as well as the attacker’s IP address, URL and domain name. To get all of that information manually would take hours, with searching multiple forums to correlate the IP address with the identity of the attacker and the kind of malware.”
With QRadar Advisor, IBM clients can map observed attacks to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Seeing which tactics and techniques an attacker has already used helps analysts understand the source and impact of an attack and craft an incident response plan aimed at stopping it at one or more points along the attack chain, so they can respond quickly and efficiently to attacks that are still in progress.
QRadar also enables analysts to craft and execute custom federated searches, which query the data where it resides rather than requiring it to be moved before it is searched. These searches can be built graphically through the QRadar user interface, and analysts can also write queries by hand using QRadar's Ariel Query Language (AQL), an SQL-like language over the events and flows stored in the Ariel database.
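As an added illustration of the kind of hand-written AQL search an analyst might run during the malware investigation described above (this is example code written for this page, not code from the IBM page, from Cargills or from QRadar documentation), the two queries below pull the indicators an analyst wants into one result set. The reference set name `Malware_Attacker_IPs` and the custom event property `"URL"` are assumptions for illustration and would need to exist in the target deployment; `QIDNAME`, `LOGSOURCENAME`, `DATEFORMAT` and `REFERENCESETCONTAINS` are built-in AQL functions.

```sql
-- Query 1: list recent events in which either endpoint matches an attacker IP
-- held in a reference set. 'Malware_Attacker_IPs' is an assumed reference set
-- populated from threat intelligence; "URL" is an assumed custom event property.
SELECT
    DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Time",
    LOGSOURCENAME(logsourceid) AS "Log Source",
    QIDNAME(qid) AS "Event Name",
    sourceip,
    destinationip,
    username,
    "URL"
FROM events
WHERE REFERENCESETCONTAINS('Malware_Attacker_IPs', sourceip)
   OR REFERENCESETCONTAINS('Malware_Attacker_IPs', destinationip)
ORDER BY starttime DESC
LIMIT 100
LAST 24 HOURS

-- Query 2: aggregate the same population to see which internal host and user
-- account talked to the attacker infrastructure most often. The busiest
-- (sourceip, username) pair is the first candidate for isolation.
SELECT
    sourceip,
    destinationip,
    username,
    COUNT(*) AS hits
FROM events
WHERE REFERENCESETCONTAINS('Malware_Attacker_IPs', destinationip)
GROUP BY sourceip, destinationip, username
ORDER BY hits DESC
LIMIT 50
LAST 24 HOURS
```

Both queries can be pasted into the Advanced Search box on the Log Activity tab or submitted to the QRadar REST API (`POST /api/ariel/searches` with the query in the `query_expression` parameter). The time clause (`LAST 24 HOURS`) is what keeps the search bounded; widening it to `LAST 7 DAYS` or a `START ... STOP ...` range is the usual next step once the first hit confirms the infection window.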
In the 2020 Magic Quadrant for Security Information and Event Management, Gartner stated: “QRadar offers strong support for incident investigation by providing context enrichment from internal and external sources, suggesting next steps based on attacker actions and prioritizing alerts for further action.” [1]