What is IBM Security App Exchange & A Look At Carbon Black's Response App
This series of blogs has been created to shed some light on a still rather underused area of the IBM X-Force Exchange: the Security App Exchange. The Security App Exchange hosts a whole host of applications that add helpful functions and content to three of IBM's most prevalent security solutions: QRadar, BigFix and X-Force Exchange.
The first blog in this series will cover what exactly the App Exchange is, and how it can benefit your organisation, with subsequent blogs covering specific Apps and Content that we believe add huge benefits to any deployment.
The App Exchange is a community-based sharing hub that gives customers and other users the chance to share product applications, features and enhancements. As a user of the App Exchange you can access content from multiple vendors as well as IBM, and use it to extend QRadar's capabilities.
There is a whole host of useful content on the App Exchange which, when configured to integrate with QRadar, can provide an even more in-depth view into the activity within your environment. Content found on the App Exchange can include the following:
- Saved Searches
- Custom Rules
- Custom Properties
- Log Sources
- Log Source Extensions
- Custom QID Map Entries
- Reference Data Collection
- Historical Correlation Profiles
- Custom Functions
- Custom Actions
As you can see, the content within the App Exchange covers a wide variety of needs, whether you need a new dashboard for your Carbon Black integration, or your organisation is GPG13 compliant and you need a set of prebuilt QRadar reports to help you prove that compliance.
Each content summary page has everything you need to know about the application, helping you to decide whether it is what you're looking for:
- a description of the content;
- screenshots and videos showing exactly how the new content will look in your environment;
- a contents section listing the exact details of the package;
- a compatibility indicator to help you identify whether the additional content will run on the version of QRadar you currently have;
- an Additional Information section detailing when it was uploaded, the current version, how many downloads it has, and a link to the documentation that will help you get the additional content added quickly and easily;
- and finally a support link, so you can email the Carbon Black Support team should you have any issues.
Hopefully this short blog has given you an insight into what the App Exchange is and how it could help you to improve visibility and everyday usage of three of IBM's biggest solutions. Over the coming weeks there will be further blogs posted highlighting some of the "must-have" applications and additional content.
IBM Security App Exchange – Carbon Black Response App
We will begin the deep-dive into the App Exchange by continuing to look at Carbon Black. Carbon Black provides endpoint security for organisations across the globe, and its platform is one of the leading technologies in this sector. As organisations deploy more and more technologies within their networks, it is becoming increasingly vital that these solutions integrate seamlessly, giving security personnel the easiest and quickest view into the security posture of their environment.
As with many security products, Carbon Black can produce syslog and forward it to QRadar as part of an integration. Thanks to the App Exchange, however, this integration has become even more powerful, making many of the features found within Carbon Black available from the QRadar interface.
The Carbon Black Response App for QRadar gives administrators the ability to leverage some of the most powerful features of Carbon Black's Endpoint Detection and Response solution. Integrating the application gives users the ability to see, detect and take action on suspicious endpoint activity directly from the QRadar console. Many features that were previously only found within the Carbon Black console, such as process searches, endpoint isolation and system statuses, can now be run directly from the QRadar console.
The addition of the Carbon Black QRadar application gives the user the following features:
- 1 Application
- 1 Custom Property
- 1 Dashboard
- 5 Saved Searches
Integrating QRadar and Carbon Black in this manner gives IT security staff a single-pane-of-glass view into their environment, and allows them to be more proactive from a single interface, saving the exhausting task of constantly swapping between interfaces. Adding the application to QRadar gives the user a separate tab from which to manage Carbon Black work; this tab contains the following sub-tabs, which give you access to the capabilities:
- Process Search
- Watch List Hits
- Download Sensors
- Hash Ban
With the aforementioned tabs made available within QRadar, security personnel can harness the power of Carbon Black immediately from within QRadar, meaning the time to contain a security breach can be drastically reduced.
Hopefully this final part has given you an insight into the powerful integration between QRadar and Carbon Black that can be achieved through the Carbon Black Response App. Installation is simple, and a guide on how to do it can be found on the application's Summary page on the App Exchange.