Greetings everyone, my name is Prier and I, along with Vin, take great pleasure in welcoming you all to our boot camp focusing on QRadar SOAR. SOAR stands for Security Orchestration, Automation and Response. Before we dive into the presentation, let's have a look at the agenda. Our agenda today will guide us through key topics and discussions, ensuring a structured and insightful session. We'll cover the overview of SOAR, its key components and the high-level architecture; we'll also look at the integration workflow and walk through a malware use case; we'll talk about impact and benefits and understand QRadar SOAR and its key features and concepts.

We'll make some assumptions here: you possess a fundamental grasp of IT security and are familiar with the basic concepts of SIEM and SOAR, since you're looking at QRadar SOAR. SOAR stands for Security Orchestration, Automation and Response. The general description of SOAR typically consists of these three components: security orchestration and automation, threat intelligence, and incident response, brought into a single platform. So a SOAR solution must have these components. QRadar SOAR is not just a solution; it's a strategic approach that empowers organizations to tackle the ever-evolving landscape of threats with agility and precision. With QRadar SOAR we are entering a realm where security operations are elevated to new heights, leveraging orchestration and automation to respond to incidents at machine speed. This is all about integrating the tools that are available in your environment, streamlining workflows, how fast you can respond, and bridging the gap between detection and action. Throughout the session we will uncover the core principles and benefits of QRadar SOAR, helping you understand how it can be a game changer in your cyber security strategy. Let's have a look at the components of SOAR, as we have discussed.
So these are the main components of SOAR: orchestration, automation, response and threat intelligence. Let's have a look at each of the components individually with an example.

What is orchestration? Orchestration involves coordinating and managing various security tasks and processes across the different tools and systems that are mostly already available within your organization. For example, when a new security threat is detected, QRadar SOAR can automatically gather additional information from various sources such as threat intelligence feeds, logs and historical data. It then triggers predefined workflows that direct the appropriate actions, like isolating affected systems or notifying the incident response team. So that's the orchestration part.

What is automation? Automation involves automating repetitive and manual tasks to increase efficiency and accuracy. In the cyber security space, automation takes care of routine actions, allowing security professionals to focus on higher-value tasks which require human expertise, rather than spending too much time taking care of the repetitive jobs. For example, let's consider a situation where an alert indicates a potential malware infection. With automation, QRadar SOAR can instantly isolate the infected machine from the network, run a malware scan and gather forensic data for analysis, all without human intervention.

Response: so what is security response? Response is about taking appropriate action to mitigate the impact of security incidents. In the past it often involved manual interventions that were time consuming and also error prone. QRadar SOAR accelerates response by automating actions based on predefined workflows or playbooks. For example, in case of a data breach, let's just assume that there is a data breach in your organization: QRadar SOAR can automatically trigger a sequence of actions such as notifying stakeholders, escalating the incident to the appropriate teams, initiating forensic analysis and even generating a detailed incident report.

So we've covered orchestration, automation and response. Now, what is threat intelligence, and where does threat intelligence come into the picture when we're talking about QRadar SOAR or any SOAR platform? Threat intelligence plays a pivotal role in the effectiveness of SOAR by providing the contextual information needed to make informed decisions and automated responses. It enriches the data that SOAR platforms use to detect, analyze and respond to security incidents. Let's take an example to understand how threat intelligence comes into the picture. Imagine a financial institution that uses QRadar SOAR detects suspicious network traffic originating from a specific IP address. Here is where threat intelligence comes into play. The first thing it's going to do is enrichment: the QRadar SOAR platform can query external threat intelligence feeds and databases using the suspicious IP address as a search parameter. It can also retrieve information about the IP address's reputation, historical activities, known malware connections and any affiliations with threat actors. Next, contextual analysis: after enrichment, the threat intelligence data can reveal that the IP address is associated with a known botnet or C&C that targets financial institutions. Additionally, it can also give you some information about whether it was previously linked to data breaches or any such fraudulent activities. Next, probably, the automated response, based on the enrichment and contextual analysis. Armed with this enriched information from the enrichment step and the contextual analysis step, the QRadar SOAR platform can automatically trigger a response flow: it can isolate the affected system from the network, initiate a malware scan or alert the incident response team. It doesn't stop there, by the way; it can also do threat mitigation. The QRadar SOAR platform goes further by automatically blacklisting the malicious IP address in the firewall rules, preventing any further communication from that particular source, and can also obviously generate a detailed incident report for analysis.

So that's about the core components of SOAR which make up the solutioning part: orchestration, automation, response and threat intelligence. Now let's have a look at the high-level architecture of QRadar SOAR and how it makes up all the components and the solution. If you see the green portion of the screen, the QRadar SOAR IRP modules: IRP stands for Incident Response Platform. So we have
Security, we have Action and we have Privacy. These are the three modules which make up the solution, and these are the three modules which go into the licensing. The Security module provides industry-standard workflows, threat intelligence feeds, organizational SOPs (standard operating procedures) and community-based practices. The Action module is responsible for automating processes, enriching incident details, which we talked about a little bit earlier on the last screen, gathering forensics and also doing remediation. The Privacy module basically gives you global breach regulations, contractual obligations, third-party requirements and, again, organizational SOPs based on the privacy practices. So these are the three modules, and the privacy updates get enhanced or released in every release of SOAR, so they are evolving modules; they keep updating, and enhancements come every now and then with the release of the different versions. These three modules are packed into an intuitive UI for easier, seamless navigation through the incident response, or the management of the life cycle of an incident. It provides collaboration, it provides a very intuitive UI to integrate the different tools and solutions that you have in your environment, and we have X-Force Exchange, which hosts hundreds of integration solutions in terms of apps that you can install on the SOAR platform.

Now on top, if you can see, automated escalations: these are the input mechanisms, the alert input sources that can possibly send an alert to QRadar SOAR to generate an incident. SIEMs: SIEMs can forward alerts to SOAR, which in turn creates an incident on SOAR and, based on the incident type, triggers the responses. Like QRadar SIEM: if QRadar SIEM detects something based on a rule, it generates an offense; the offense gets escalated, and if you have some rule there it can automatically escalate, or manual escalation can also be done. Based on the escalation it will automatically generate a response and even try to do the mitigation. Email: we'll talk about how you can configure a dedicated email for your QRadar SOAR, where anyone or any machine can send an email regarding any suspicious activity, and that can also turn into an incident on QRadar SOAR. Entry wizard: on the SOAR platform itself, using the entry wizard, you can enter information and create an incident directly on the platform. A web form is also available. And then a ticketing tool: if you are using any ticketing tool, that can also be integrated to generate incidents on QRadar SOAR. So there are various mechanisms using which you can generate an incident on SOAR. Now let's have a look at the
information workflow: how the information flows, where it comes from, where it goes and how QRadar SOAR tries to mitigate the incident. This is the core module. If you see the blue one, that is the whole platform with an Action module, let's say; so the platform is enabled with an Action module. Now, inputs and escalations: we have taken three known SIEMs, the first is QRadar, then ArcSight and Splunk. These are the SIEMs which are collecting logs; you can see application logs, firewall logs, DSP logs. All the SIEMs are gathering this information and, based on the rules, let's say, raise an offense. So these are the input escalations. Based on the logs that are being forwarded to the SIEMs and whatever rules are configured on the SIEM platform, eventually they're going to generate an alert or, if we are talking about QRadar, an offense. Now that offense is going to come into SOAR and become an incident. What next? Next comes the Action module of QRadar SOAR, which will do the automatic enrichment the way we talked about in the core component discussion.

Now, how does automatic enrichment happen? By default you'll be provided with preconfigured threat intelligence sources on the UI; it's as easy as the click of a button to enable those threat sources. Probably we might need an API key or something like that; we'll talk about that in detail in an upcoming session, how to do that, and also how to add custom threat intelligence sources to the SOAR platform. We'll discuss that in detail in upcoming sessions. So automatic enrichment happens from those threat intelligence sources like X-Force, and once that automatic enrichment happens, contextual information gathering happens. It can also do manual enrichment. Let's say, apart from that, you have different solutions in your organization. So in case of a malware incident, you might take the hashes of the malware, and obviously the automatic enrichment will happen automatically, but if you want to go one step ahead and there is a solution sitting on your premises, or on any cloud premises that you have access to, that you want to query, you can also do that for extended enrichment on the objects or that malware. So that can be done; let's say you can query such a solution to get more information on that malware hash and then add it to QRadar SOAR. Next, based on the forensic analysis, once information gathering, enrichment and contextual information gathering are all done, the incident can be remediated automatically based on the response configured, or it can also go one step ahead and involve any other team, let's say the IT help desk or someone, to have a look at this incident further before we go ahead and close it. So that can be done.

Let's have a look at the use case: malware outbreak. What happens? In this example, let's take an example where you're using the QRadar SIEM platform. Basically, QRadar SIEM we call it just QRadar, so QRadar means SIEM. You're using QRadar, and QRadar generates an offense saying it detected malware. What is to be done, what next? Now that you have SOAR obviously integrated with QRadar, QRadar will automatically escalate that malware incident or offense into QRadar SOAR. Based on the SOP, whatever your organizational SOP is during the maturity phase, there is a default set of incidents that can be handled by QRadar SOAR. Based on the incident type, which is malware in this case, QRadar SOAR is going to automatically trigger or generate the phases: how you are supposed to respond to those incidents within the different phases, what needs to be done, that will be done automatically. In this case, malware planted. I'm just telling you about the workflow or the information flow, how it happens; you'll see this in action in an upcoming session when we do a demo of malware planted from a phishing attack. So let's just say you're using QRadar, and an offense came into QRadar SOAR and became an incident. The Action module triggers; automatic enrichment happens from threat data sources, for example X-Force. Then the action plan: based on the action plan, armed with the information from the contextual enrichment and automatic enrichment, QRadar SOAR, previously known as Resilient, generates a malware-specific incident response playbook, maybe quarantine infected system, reimage machine, post-incident review. These are all tasks. What are tasks? We'll talk about that shortly. Quarantine infected system is a task; someone has to do it. Reimage machines: this can all be automated, or can be a manual task if you want. So this will happen, and then eventually it will try to resolve it by blocking the phishing attack source or that malware source. So someone dropped a malware plant, or some malware was planted from a phishing attack, whatever; the source of the phishing attack will be blocked automatically. This is all done without any human intervention, by the way.

Now let's see how QRadar SOAR impacts or benefits your environment once it goes in there. You have a SOC, you have different SOPs, cyber security SOPs, incident handling SOPs, and you have
been doing manual tasks and all of that. Once SOAR goes into the environment, sits at the heart of your SOC and gets integrated with different solutions, how does it impact, how does it benefit the overall cyber security landscape? Obviously it's going to improve SOC efficiency, in terms of the manual SOPs that take your resources' and analysts' time; that's going to happen. Respond faster, of course: an analyst responding to an incident versus a machine responding to an incident, there is a great difference. Close skill gaps; skill gaps in the context that not everyone is aware of each and every type of incident in the world. So the platform, with the machine knowledge, knows a lot of things that we also don't know, so that is also there. Now, once it goes into the platform or the environment, an 85% reduction in incident response time was found, and on average 5 minutes of remediation time. And privacy regulations: 180-plus built-in privacy regulations. In case of a data breach, let's say the data caters to different regulators, regulatory bodies scattered over different geos: what kind of rules are there, what kind of rules can be applicable to that data while doing the remediation steps, all those are taken care of by the system or the solution, QRadar SOAR. If you want to have a look at the case studies and solution brief about the metrics that you see on the screen, you can just go to the link that I've given; you can find the case studies and solution brief there.

All right, so we are very proud to announce that the IBM QRadar SOAR Playbook Designer has won the Red Dot Design Award in the Interface and User Experience Design category. Once we experience it, we'll be able to tell. The Red Dot Award is considered highly prestigious in the design and innovation community, an internationally recognized accolade that signifies exceptional product design and innovation, and winning a Red Dot Award signifies a high level of quality, creativity and excellence in design. It is often seen as a mark of distinction and achievement within the industry; it's like winning an Oscar award in the movies. So QRadar SOAR won the prestigious Red Dot Award in the year 2022, that is last year. All right, with this I'll hand over this session to my colleague Vin, who will take it forward. Thank you.
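The enrichment, contextual analysis, automated response and threat mitigation flow described in the session for the suspicious-IP and malware-outbreak scenarios, as an added toy example that is not part of the session and not QRadar SOAR's own code or data model; the threat-intelligence records, incident types, phase names and task wording are constructed assumptions:

```python
# Toy SOAR-style playbook (constructed illustration, not QRadar SOAR's own code): offense -> enrichment -> context -> tasks -> mitigation.
import ipaddress
from dataclasses import dataclass, field

# Constructed threat-intelligence "feed" standing in for an X-Force-style lookup (assumption).
THREAT_INTEL = {
    "203.0.113.7": {"reputation": "malicious", "tags": ["botnet", "c2"]},
    "198.51.100.9": {"reputation": "clean", "tags": []},
    "44d88612fea8a8f36de82e1278abb02f": {"reputation": "malicious", "tags": ["malware", "phishing"]},
}

@dataclass
class Incident:
    incident_type: str  # constructed types: "malware" or "suspicious_traffic"
    host: str           # affected system named in the escalated offense
    observables: list   # IPs / file hashes attached to the offense
    enrichment: dict = field(default_factory=dict)
    blocklist: list = field(default_factory=list)  # IPs to push into firewall rules

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def enrich(incident):
    """Enrichment: look every observable up in the feed; unknown indicators stay 'unknown'."""
    incident.enrichment = {o: THREAT_INTEL.get(o, {"reputation": "unknown", "tags": []}) for o in incident.observables}
    return incident.enrichment

def is_hostile(incident):
    """Contextual analysis: is any indicator tied to a botnet, C&C server or known malware?"""
    tags = {t for ctx in incident.enrichment.values() for t in ctx["tags"]}
    return bool(tags & {"botnet", "c2", "malware"})

def run_playbook(incident):
    """Automated response: phase-ordered tasks; contain and mitigate only when context is hostile."""
    enrich(incident)
    tasks = [("detect", "notify incident response team")]
    if is_hostile(incident):
        tasks += [("contain", f"isolate {incident.host} from the network"),
                  ("analyze", f"run malware scan on {incident.host}")]
        if incident.incident_type == "malware":
            tasks += [("remediate", f"reimage {incident.host}"), ("review", "post-incident review")]
        # Threat mitigation: only malicious IPs go into the firewall blocklist; hashes cannot.
        incident.blocklist = [o for o, c in incident.enrichment.items()
                              if c["reputation"] == "malicious" and is_ip(o)]
    tasks.append(("report", "generate detailed incident report"))
    return tasks
```

A clean or unknown indicator produces only the notify and report tasks, so nothing is isolated or blocked on unenriched noise.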