Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG TECHNICAL VALIDATION

IBM Cloud Pak For Security

Modernizing Security Visibility and Response in a Hybrid Multi- Cloud World

By Alex Arcilla, Senior Validation Analyst
MAY 2021

ESG Technical Validations

The goal of ESG Technical Validations is to educate IT professionals about information technology solutions for companies of all types and sizes. ESG Technical Validations are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objectives are to explore some of the more valuable features and functions of IT solutions, show how they can be used to solve real customer problems, and identify any areas needing improvement. The ESG Validation Team’s expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments.

Introduction

This ESG Technical Validation documents testing of IBM Cloud Pak for Security, with a goal of verifying how it can help organizations to maximize both the effectiveness and efficiency of incident response, threat remediation, and risk management within their existing security operations workflows.

Background

ESG research has found that 75% of organizations surveyed consider their IT environments more or significantly more complex than they were two years ago. The reasons that respondents provided for this increase in complexity include higher data volumes (38%), an increasing and changing cybersecurity landscape (35%), and the need to use both on-premises data centers and public cloud providers (29%). 1
Figure 1. Top Ten Reasons for Increasing Complexity in IT Environments

What do you believe are the biggest reasons your organization’s IT environment has become more complex? (Percent of respondents, N=496, five responses accepted)

Source: Enterprise Strategy Group

To protect against the increased exposure of vulnerabilities and potential threats that IT complexity can lead to, many organizations have implemented a number of point tools such as security information and event management (SIEM); security orchestration, automation, and response (SOAR); endpoint detection and response (EDR); and threat intelligence. Yet, correlating findings from these multiple tools to gain a holistic view typically requires security operations center (SOC) analysts to navigate multiple interfaces, uncover relevant data, and “cut and paste” such data across multiple tools before determining the nature of the threat and the appropriate resolution.
While integrating tools can remove some of this manual work, obtaining up-to-date end-to-end visibility and control can still be challenging. Ingesting the same data into individual tools can be costly and time consuming. Integrating tools with one another can be complicated. By the time these efforts are completed, any insights gained are most likely out of date. Also, integration may not provide the breadth and depth of visibility needed to bolster an organization’s security posture.

IBM Cloud Pak for Security

IBM Cloud Pak for Security is an open platform, deployed on-premises or in a private or public cloud and SaaS, that enables organizations to achieve end-to-end visibility and control of their security posture without the need to “rip and replace” existing security tools and migrate data from existing repositories (see Figure 2). IBM Cloud Pak for Security can act as the “unified console,” integrating existing tools and data repositories to gain end-to-end visibility from a single console. No longer do organizations need to “cut and paste” findings from multiple interfaces of disparate tools and data sources to correlate findings and derive remediation actions.
Figure 2. IBM Cloud Pak for Security

Source: Enterprise Strategy Group

To unify overall end-to-end visibility so that response and remediation actions are coordinated and effective, IBM Cloud Pak for Security offers the following capabilities:
• User Behavior Analytics: Continuously monitor user activity to gain visibility into behavioral anomalies, indicating insider threats that can introduce or exacerbate threats and vulnerabilities.
• Threat Intelligence Insights: Gain contextual understanding of threats using multiple siloed data sources (deployed on-premises and in the cloud) simultaneously and leverage machine learning (ML) and analytics to reveal key insights, anomalous behavior, and hidden threats.
• SOAR: Respond to and remediate complex cyber-threats faster and more efficiently by leveraging SOAR to orchestrate incident response actions with playbooks and automate repetitive tasks in any given SecOps workflow. Streamline the process of creating and editing playbooks with Playbook Designer, an intuitive graphical user interface (GUI)-based playbook builder.
• Data Explorer: Conduct federated investigations to uncover threats and incidents of compromise (IOCs) across disparate IBM and third-party data sources, located on-premises or in the public cloud.
• Risk Manager: Construct a “threat footprint” showing potential risks across multiple domains, investigate factors contributing to areas of risk, and generate trend analyses to determine how past remediation actions reduced areas of risk.
• Threat Investigator (preview): Drive faster and more accurate response with automated investigations that leverage AI to determine threat priorities.
While IBM Cloud Pak for Security offers these capabilities, organizations can implement them modularly as they see fit. As an open platform, IBM Cloud Pak for Security enables integration via open-source connectors of third-party tools and data sources. Enabling organizations to leverage existing third-party tools helps to maximize the value they extract from tools already embedded in security operations processes.

ESG Technical Validation

ESG performed evaluation and testing of IBM Cloud Pak for Security at IBM’s facilities in Houston, TX. Testing was designed to demonstrate how a SOC analyst can gain end-to-end visibility, detect threats and vulnerabilities, conduct in-depth investigations, and respond to such threats in a streamlined and efficient manner. In this test bed, IBM Cloud Pak for Security was connected to third-party data sources (Amazon CloudWatch, Splunk, and Carbon Black) as well as IBM QRadar SIEM and IBM Guardium Insights.2

Threat Hunting

Searching for threats can be daunting when having to gather and correlate data points from multiple tools. This takes time away from actually mitigating those threats, such as database infiltration and ransomware download. To stay ahead of these threats, organizations can leverage IBM Cloud Pak for Security to determine which threats require prioritized attention to minimize their potential negative effects throughout the organization.

ESG Testing

ESG considered a use case in which keystrokes of a specific user, “Bill,” were stolen when accessing non-corporate email messages, resulting in the download of BLADABINDI malware. The attacker then used Bill’s credentials to access a credit card database.3
ESG first navigated to the User Behavior Analytics dashboard. We noted that all dashboards, both out-of-the-box and custom, could be accessed via a drop-down menu on any given SOC analyst’s dashboard currently in view. Providing this unified access can help SOC analysts to discover, examine, and analyze data more efficiently than searching for and correlating relevant data between interfaces of separate point tools.
We then examined the compiled data, imported from IBM Security QRadar SIEM, of all user activity across the organization and found that Bill’s activity had been flagged, noted by the upward trendline next to Bill’s name (see left-hand side of Figure 3). After clicking on this line item, we viewed details showing the extent of the threat introduced by the malware. While we saw that Bill’s risky activity increased suddenly after no other activity registered via the line chart, we also noted that IBM Cloud Pak for Security automatically created a case (right-hand side of Figure 3) to address the detected increase in risky activity. We could also see all the events that occurred as a result of Bill’s actions, along with the associated security risk score.
Figure 3. Examining the Extent of Infiltrated Threat with User Behavior Analytics

Source: Enterprise Strategy Group

ESG noted that all previously described information was available in one screen to help the SOC analyst understand the extent of this threat before determining the appropriate remediation. We also saw how the different ways of looking at the available data—from a trending, timeline, descriptive, and risk assessment perspective—could help the SOC analyst to assess the severity of the threat.
ESG also examined how the BLADABINDI malware could have also been discovered automatically via IBM Threat Intelligence Insights (see Figure 4).
Figure 4. Discovering Threat via IBM Threat Intelligence Insights

Source: Enterprise Strategy Group

We navigated to the IBM Threat Intelligence Insights module and saw that it displayed the top relevant threats for the day, as indicated by the threat score and the found indicators of compromise (IoCs). The BLADABINDI threat was already detected and noted as the top threat. After clicking on the tile related to the BLADABINDI threat, we saw that IBM Cloud Pak for Security had discovered the threat based on the automated scan of linked IBM-related and third-party data sources, such as IBM Security QRadar SIEM and Splunk (see right hand side of Figure 4). The threat summary included an explanation of the threat, the IoCs, and recommendations for addressing the threat. A case was automatically created: QRadar ID 47.
Up to this point, ESG observed how IBM Cloud Pak for Security leveraged automation to identify the threat and learn the extent to which it has compromised the organization’s security to date. ESG then moved into another phase of threat hunting to see the potential damage initiated by the downloaded malware. We located the IP address of a database flagged as an artifact of the case generated automatically by Bill’s actions: 10.10.9.56. We right clicked on this line item and selected Run Query in Data Explorer (see Figure 5). We then landed on another screen that automatically created a script to find that specific IP address and generated 4,500 results from five different data sources.
Figure 5. Running Data Explorer to Discover Effects of BLADABINDI Malware on Overall Security

Source: Enterprise Strategy Group

To narrow the 4,500 results down to a manageable number, we turned on the Analytics tool on the results page to categorize the raw data (see Figure 6). We confirmed that Bill’s actions indeed were flagged as suspicious and global searches were being performed on the organization’s credit card databases (which indicates someone trying to access all credit card numbers on file). To search for any results that noted unusual activity from Bill involving credit card databases, we searched on “Bill” as the user account ID and “select* from creditcards” as the action taken.
Figure 6. Investigating Severity of Threat Introduced with BLADABINDI Malware

Source: Enterprise Strategy Group

As a result of this search, ESG found two relevant results (shown in Figure 7). When we expanded the details of one result, we found that a potential bad actor had been using the user account ID “Bill” to access an internal credit card database using an external IP address. However, IBM Security Guardium Insights flagged it only as a policy violation. No breach had occurred. To ensure that a SOC analyst team could reference this knowledge, we proceeded to add this information as an artifact to the existing case automatically created earlier: QRadar ID 47.
Figure 7. Adding Artifact to Existing Case

Source: Enterprise Strategy Group

Why This Matters

Hunting for potential threats needs to be done quickly and effectively to prevent them from breaching an organization’s security. Navigating between separate point tools and data sources only slows down efforts to maintain an effective security posture.
ESG validated that IBM Cloud Pak for Security helps organizations to identify threats as quickly as possible without the need to navigate multiple tools and their interfaces. We observed how the platform acts as the “single source of truth” by integrating data from IBM and third-party tools and data sources into a unified view. We also saw how IBM Cloud Pak for Security enables SOC analysts to identify and verify the existence of threats using different views and dashboards, maintaining a consistent view throughout the platform. With IBM Cloud Pak for Security, ESG recognizes how the platform can decrease the time to identify and prioritize the threats to address while increasing end-to-end visibility of overall security.

Incident Response

Once threats have been discovered, it is imperative for the SOC analyst to know how and where to start to mitigate or eliminate them before any business-affecting damage occurs within the organization’s IT environment. IBM Cloud Pak for Security can guide a SOC analyst through the incident response (IR) process with playbooks, based on past actions taken with similar events. IBM’s platform also leverages automation to reduce repetitive tasks, enabling the analysts to focus on those tasks that add the most value.

ESG Testing

ESG first viewed how existing cases, either manually or automatically created, are displayed and categorized by level of action taken: Initial, Engage, Detect/Analyze, Respond, and Post Incident (see Figure 8). With this view, ESG saw how a SOC analyst team can prioritize work by noting at which stage of the SOC workflow each case stands.
Figure 8. Tile View of Cases to be Addressed, by Stage of Response

Source: Enterprise Strategy Group

We clicked on the tile, QRadar ID 47, under the Engage column to return to the case related to the BLADABINDI threat (see Figure 9). As we noted previously, this case was automatically created by IBM Security QRadar SIEM. We also saw related cases should the SOC analyst need to reference them while addressing this case. Under the Task tab, we found a list of tasks to be completed, categorized by workflow stage (see left-hand side of Figure 9). These tasks were initially added to the case via a previously created playbook that IBM Cloud Pak for Security used to deal with this and similar cases.
Figure 9. Case Description and Tasks to be Completed

Source: Enterprise Strategy Group

As we examined these screens, ESG noted that IBM Cloud Pak for Security’s SOAR capabilities began to address this specific case. A SOC analyst did not have to wait until receiving an alert that the BLADABINDI malware was already threatening the organization’s security. As soon as the malware was downloaded, we observed that the platform already applied a playbook designed for malware and began to complete tasks to isolate and remove this threat. Without any manual intervention, 12% of the tasks assigned to this case were already completed, indicated by those tasks already crossed off the list.
In the previous section, ESG found that one case related to the BLADABINDI malware did not yet result in a breach. However, what if an actual security breach occurred? ESG observed that it is simple to edit a playbook based on data already compiled by IBM Cloud Pak for Security. We clicked on the Breach module on the page detailing our existing case, QRadar ID 47, to create a playbook (see Figure 10). We could indicate how data privacy was compromised, the data types at risk (such as credit card data), and specific states or countries in which the threat appeared. Not only did we create a playbook to handle similar cases, but we also added new tasks to the existing list to be completed to contain the threat. We noted that using a template simplifies the creation and editing of such playbooks.
Figure 10. Creating a Playbook using the “Breach” Module

Source: Enterprise Strategy Group

Why This Matters

To ensure that threats do not become breaches, standard procedures that can be executed without manual intervention help in bolstering an organization’s security posture by minimizing overall response and remediation time.
ESG validated that organizations can leverage the SOAR capabilities of IBM Cloud Pak for Security automatically and consistently respond to and remove threats when discovered. We observed how the platform can automatically create cases for uncovered threats, determine task lists to remediate, and execute select tasks without manual intervention via playbooks. With IBM Cloud Pak for Security, organizations can stay ahead of the potential damage threats can inflict upon an organization’s security.

Data Security

To complete an organization’s end-to-end visibility of its security posture, it is critical to assess its data security and compliance landscape, especially to identify threats that can potentially propagate throughout the IT environment. With Risk Manager, organizations can assess their business risk by gathering information across data sources, including SIEM, IAM, and data security tools to provide a broad risk landscape.

ESG Testing

ESG navigated back to the task list associated with our case, QRadar ID 47, and focused on a single task, “Check risk on all databases” (see Figure 11). We right clicked to open up Risk Manager and determine if other databases are at risk. The risk heat map (bubble chart) showed that the probability of data exfiltration was high. We also analyzed risk trends and found that the organization’s ability to minimize the overall risk to databases has become worse, as the line chart indicated that risk percentages had increased over a short period of time. We saw how the trending analysis can assist a SOC analyst to determine how effective past corrective actions have helped to decrease an organization’s overall risk profile. This could guide the analyst on how to improve responses to similar issues should they arise again.
Figure 11. Assessing Risk Posture of Organization’s Databases

Source: Enterprise Strategy Group

ESG then examined a specific Oracle database out of the current IT asset inventory to assess any vulnerabilities that may exist (see bottom half of Figure 11). We saw that IBM Cloud Pak for Security automatically generated a list of such vulnerabilities. We noted that this can be valuable to a SOC analyst to proactively address these vulnerabilities before they compromise this database’s security.

Why This Matters

Assessing overall risk profiles and the organization’s ability to mitigate risk ensures security in the long-term. How organizations respond to threats over time determines how well organizations can maintain an effective and consistent security posture.
ESG validated that organizations can use IBM Cloud Pak for Security to assess its overall security risk in real time since it can access data from any source integrated with the platform. By leveraging trend analyses, organizations can see how effective their security policies and responses have been over time, pinpoint areas of potential risk, and receive guidance automatically on existing vulnerabilities they may have overlooked. With IBM Cloud Pak for Security, organizations can decrease overall security risk proactively.

The Bigger Truth

The more complex the IT environment, the more that organizations need to bolster their security posture, as vulnerabilities and threats are always looming. While leveraging multiple point tools and data sources may address individual security concerns, this approach lacks a unified, consistent, and end-to-end view of an organization’s security posture. Even if attempts were made to integrate these IT resources via in-house development, the result is a patchwork of tools and data that provide some semblance of end-to-end visibility and control.
With IBM Cloud Pak for Security, deployed either on-premises or via SaaS, organizations can identify threats quickly and respond effectively without the need to navigate and switch between multiple interfaces. IBM designed the platform to simplify how organizations deploy a zero trust architecture across the enterprise. Throughout our testing, ESG validated that the platform can:
  • Locate threats without the need to correlate data manually from multiple tools and data sources.
  • Prioritize threats to address and remediate so that an organization is less susceptible to breaches and attacks.
  • Automate and orchestrate the necessary steps to respond to threats and breaches quickly, minimizing the need for manual intervention.
  • Assess and improve the organization’s risk profile over time.
Throughout our testing, ESG clearly observed that IBM Cloud Pak for Security can help organizations to decrease time to identify and respond to threats by eliminating the need to manually navigate multiple tools, correlate findings, and derive the appropriate response, while fortifying the overall security posture. We also verified that organizations could maximize the value extracted from third-party tools and data sources, as IBM Cloud Pak for Security enables simple integrations to avoid any “rip and replace.”
While ESG can verify the potential benefits that IBM Cloud Pak for Security can offer organizations, we suggest that you evaluate closely the extent to which you can integrate third-party security tools and data sources, already deployed within your IT environment, with IBM’s platform. Should you wish to continue to use these existing IT resources, it would help to examine and test how much value can be extracted from these integrations.
ESG confirmed that IBM Cloud Pak for Security enables organizations to bolster overall security with the breadth and depth of end-to-end visibility and control it provides. For organizations that wish to increase the efficiency and effectiveness of security operations workflows related to threat hunting, incident response, and risk management, we strongly suggest that you consider IBM Cloud Pak for Security on your short list.
Gain insights into threats and risks and respond faster with automation. Explore the integrated security platform.
LEARN MORE

This ESG Technical Validation was commissioned by IBM and is distributed under license from ESG.

Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.

IBM Security Guardium Insights helps organizations to construct a comprehensive view of their data security and compliance landscapes.

BLADABINDI is a backdoor threat. If it infiltrates an organization, it stealthily downloads and installs malware onto affected systems.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.