IBM Security Master Skills University
IBM QRadar Analyst Workflow

David Chun, Offering Manager
Rick McCaskill, Design Manager
Shane Stewart, Development Lead
September 22, 2020

IBM Security / © 2020 IBM Corporation

Agenda
Overview (15 min): Rick McCaskill
Demo (20 min): Shane Stewart
Roadmap (10 min): David Chun
Q&A (15 min): Rick, Shane, David

IBM QRadar Analyst Workflow Overview

Introducing IBM QRadar Analyst Workflow
Streamlined offense management: accelerate triage processes with easy-to-understand insights and deep dives into your security data.
New modern user interface: built using the IBM Carbon design language with an emphasis on usability and accessibility.
Consolidated investigation experience: easily triage, investigate, and search on IOCs from a single user interface.

How Analyst Workflow fits into the bigger picture
Builds on the existing QRadar core.
Incrementally enhanced through a continuous delivery model.
Integrates with preexisting apps and other IBM Security offerings.
Used in parallel with the existing “classic” QRadar UI.

Impact of Analyst Workflow on an investigation scenario

Investigation scenario
QRadar has fired a rule for excessive firewall connection deny requests for internal-to-external connections. This is a default out-of-the-box rule in QRadar.
The backdrop: an endpoint was infected by EMOTET through a phishing email, and EMOTET is trying to reach its command-and-control server. The firewall has been successfully blocking these connection attempts, and the resulting connection deny events have triggered the rule.
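To make the scenario's rule concrete, the following added example (not QRadar's implementation or any IBM code) counts denied internal-to-external connections per source over a sliding window on constructed firewall events; the key=value log format, the RFC 1918 ranges used as "internal", and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Stand-in for QRadar's network hierarchy: these ranges count as internal.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall events in a hypothetical key=value format;
# real firewall syslog and QRadar-normalized events look different.
SAMPLE_EVENTS = """\
2020-09-22T10:00:01Z action=deny src=10.0.0.5 dst=203.0.113.10 dport=443
2020-09-22T10:00:04Z action=deny src=10.0.0.5 dst=203.0.113.10 dport=443
2020-09-22T10:00:09Z action=deny src=10.0.0.5 dst=198.51.100.7 dport=8080
2020-09-22T10:00:12Z action=deny src=10.0.0.5 dst=203.0.113.10 dport=443
2020-09-22T10:00:20Z action=permit src=10.0.0.5 dst=203.0.113.10 dport=443
2020-09-22T10:00:30Z action=deny src=10.0.0.9 dst=10.0.1.20 dport=445
2020-09-22T10:05:00Z action=deny src=10.0.0.7 dst=192.0.2.4 dport=80
"""

LINE_RE = re.compile(r"^(\S+) action=(\w+) src=(\S+) dst=(\S+) dport=\d+$")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_events(text):
    """Yield (timestamp, action, src, dst); silently skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m[1], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m[2], ip_address(m[3]), ip_address(m[4])

def excessive_outbound_denies(text, threshold=4, window=timedelta(minutes=1)):
    """Return {src: peak hits} where denied internal->external hits reach threshold in a window."""
    per_src = defaultdict(list)
    for ts, action, src, dst in parse_events(text):
        if action == "deny" and is_internal(src) and not is_internal(dst):
            per_src[src].append(ts)
    offenders = {}
    for src, stamps in per_src.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            hits = end - start + 1
            if hits >= threshold:
                offenders[str(src)] = max(hits, offenders.get(str(src), 0))
    return offenders
```

Only 10.0.0.5 trips the rule: its permitted connection and the internal-to-internal denies from 10.0.0.9 are ignored, and 10.0.0.7 never reaches the threshold inside one window.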
Analyst workflow with the “classic” QRadar UI

How Analyst Workflow changes the picture
Analyst Workflow brings key investigation information into the analyst’s workspace, rather than requiring the analyst to hunt down the information elsewhere. What does this mean? The analyst sees threat intelligence, asset information, rule details, risk indicators, and more without needing to leave the offense.

IBM QRadar Analyst Workflow Demo

IBM Cloud Pak for Security
An open multicloud platform to gain security insights, take action faster, and modernize your architecture.
Modular security capabilities: Threat Management, Data Security, Identity & Access Management, Open Security Ecosystem.
Platform services: • Data connection • Case management • Automation • Asset enrichment • Orchestration • Development tools
Open and integrated hybrid multicloud platform (diagram labels): SIEM tools, EDR tools, on premise, cloud repositories, data lakes, database protection, hybrid cloud, network protection, additional point solutions, multicloud.

Unifying threat management with IBM Security
Visibility: connect to on-premises and cloud data sources and customize dashboards for broad visibility.
Detection: isolate threats and reduce false positives.
Investigation: run federated searches and collaborate through integrated Case Management.
Response: respond faster with out-of-the-box playbooks, built-in orchestration and automation, including Ansible.

Thank you
Follow us on: ibm.com/security, securityintelligence.com, ibm.com/security/community, xforce.ibmcloud.com, @ibmsecurity, youtube.com/ibmsecurity
© Copyright IBM Corporation 2020. All rights reserved.
The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM’s current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.