Written by Kevin Kadow, Nexum Security Specialist & Sarah Lantz, Nexum Security Engineer
Many Security Operations Centers struggle with fully utilizing the many tools they have at their disposal. Managing the visibility within all those tools can be even more complicated. Between the numerous alerts provided by Security Information and Event Management (SIEM) solutions, then needing to find the cause of the alerts within the original tools and dig into the full details (which may lead to even more digging across open-source intelligence and threat intelligence tools), the process of threat hunting can be extremely difficult and time-consuming.
IBM’s Cloud Pak for Security (CP4S) consolidates alerts from a variety of sources with its AI-powered software – creating a single pane of glass for your workflow which allows for faster development and reduced processing time.
Quicker Searches with Data Explorer
Disparate logs can present a challenge for analysts needing to search through them quickly. Data Explorer (the federated search feature of CP4S) eliminates the need for multiple tools or doing proactive threat hunting. With Data Explorer, you can write a search query once and get results not only from IBM QRadar (and other traditional SIEMs), but also from Endpoint Detection and Response (EDR), Data Lake, and cloud providers such as Azure or Amazon Web Services.
Regardless of the threat management system in your environment, Data Explorer performs searches in the following ways:
- With Structured Threat Information eXpression (STIX) already in your environment, the STIX 2 query language in Data Explorer will be familiar to you.
- If you are not using STIX 2, the query builder will help guide you
- If you are currently using QRadar, you can continue to use QRadar AQL (Ariel Query Language) to search your QRadar instances
Insights Across Your Entire Network
Configuration of these sources relies on what CP4S has termed “Data Sources” and configuration screens to guide you through the process. Generally, if an Application Programming Interface (API) is available, CP4S will handle the data transformation across the different platforms and bring it all back to a standardized STIX format for investigation. With a couple of API keys, you could be up and running – performing alert investigation across multiple sources to get a real grasp on what has occurred in your network.
CP4S leverages IBM’s investment into the continued development of RedHat OpenShift, an open-source container platform that makes CP4S very robust. OpenShift also provides more prebuilt administrative tools compared to Kubernetes clusters, making administration easier overall. You can even leverage the IBM Cloud to host your CP4S instance.
Reliable Data Source Licensing
Another major advantage of CP4S is the data source licensing model. Instead of emphasizing the rate of logging, it focuses on how many data sources are being leveraged. Traditional SIEMs give estimates of how many messages or logs each device would generate and then base the price on the log rate itself. This usually leads to going over budget because of lower estimates than what ended up being appropriate for your environment. A data source license model means consistent pricing with increases only when you are ready to expand your investment in the platform (after seeing the ease of the federated searches improve analyst workflow and reduce mean time to resolution).
Nexum’s IBM Certified Engineers
Our team at Nexum has a close vendor partnership with IBM. We have several dedicated engineers who are trained specifically in CP4S with experience across multiple industries. They will assess, identify, and remediate gaps in your security posture with IBM’s CP4S – providing the ease and speed of a single pane of glass when it comes to threat hunting.
Contact us here for more information.
Follow us on LinkedIn to stay up-to-date with Nexum’s engineers.