This tutorial explains how to use the SecurityHQ Incident Response Platform to visualize, prioritize, connect and respond to specific security needs:
SecurityHQ is a global Managed Security Service Provider, delivering engineering-led security solutions to clients around the world. Fuelled by their next-gen Security Operations Centres, powered by Gartner's #1 rated SIEM with User Behaviour Analytics, SOAR, and threat intelligence, the SOCs are staffed by 250+ expert analysts available 24/7, 365 days a year.
By combining dedicated security experts, cutting-edge technology, and processes, SecurityHQ clients receive an enterprise-grade experience that ensures that all IT virtual assets, cloud, and traditional infrastructures are protected.
What You Will Learn:
SecurityHQ Incident Response Platform
SecurityHQ's Incident Management & Analytics Platform is at the heart of all their services: it is the place where they work in collaboration with their customers to instantly visualize, prioritize, connect and respond to specific security needs.
This is the key window/portal through which the customer logs in to gain access to the artefacts and data that have been documented for their account.
You can read about the many features of the Incident Management Platform, and view its latest updates, on SecurityHQ's website. In this guide, we look at how the user can take advantage of the SecurityHQ platform to view their security posture via 'Time Scatter', by 'Actor', or by 'Action'.
To start, this is what the main page looks like for a customer logging in. Please note that some elements that would usually be shown on this page have been redacted for confidentiality.
All features on this platform are configured to provide answers to the key questions that SecurityHQ's customers want to know. The most important question is, 'What does my Security Posture look like?'
That is exactly what the 'My Security Posture' section on the dashboard answers, by delivering visual insights into the customer's own security posture over the course of a given time frame. All of this is based on the incident data that the platform has submitted for the customer, which depends on the managed services the customer uses.
By default, the duration of ‘Last 01 Month’ is selected above. But other values for the duration can also be selected. For example, the user can view incidents over the last month, last week, or even the last 24 hours by just toggling the top menu and clicking.
Once selected, the entire section is set to that duration and, no matter whether you are visualizing 'Time Scatter' or analyzing the visualization by 'Actor – Action' or 'By Action' alone, the selected duration stays in effect; below, the last three months have been selected.
The customer, if required, can also select a customized duration. As shown below, larger durations can be selected. Here we have selected just over a year to analyze Jan 1st, 2020 until March 14th, 2021.
If this customized period is applied, then the widget title will change to ‘Customer Filter’, and the platform will fetch the data for the duration selected.
This feature is very insightful for the customer to understand how their security posture has developed in recent times, or during a specific period. The data from this may lead to further questions for the Security Operations Centre (SOC) team and encourage customer engagement with the SOC to improve security posture.
This platform is presented to the customer to help them engage with their own security data, and to work seamlessly with the backend SOC teams assigned to their account.
In essence, the time scatter analytics visualizations provide a visual cue, and, as you can see below, the cause of each incident. As shown, the number of informational incidents is quite high during the period presented below. This could be something the customer wants more details on and wishes to dive into in more depth.
If, say, the last month of the duration is selected, we can see that a significantly higher number of incidents occurred during this period.
Those incidents can then be visited, and the customer is instantly provided with the details of what kind of incidents those were, what reasons or factors led to these security incidents, and what measures have been taken by the SOC team, so that the right measures can be put in place.
This requires the user to engage with the SOC teams, which is easily done by leaving a comment in the 'Activity Log' and sending it to the incident management team for them to analyze and respond.
See The ‘Actors’ Behind the Incidents
The next useful visualization a customer can view on this main page is the insight into the actors behind security incidents. Actors are classified into three groups: Internal Actors, External Actors, and Unknowns.
Unknowns are the actors that could not be categorized into internal or external groupings.
All of these visualizations are interactive, and the customer can click on a selected/required category to drill down further. A click on the external category shows the external actors, their identities revealed, with the IPs now visible.
Each segment can be viewed to see the IP of each actor, how many incidents there are, and what these incidents are attributable to. If required, the user can click on a particular IP/actor slice, and all the incidents with that IP are presented to the customer.
These details help the customer to understand what has led to a particular security incident, and what security measures have been taken. The user can go back by clicking on the centre of the widget, for an overall view of threats.
See The ‘Action’ Behind The Incidents
The third category visualizes the same data via the action behind the security incident. Actors use different kinds of threat vectors, and their intent can differ behind each attack/activity. That is also an important aspect for the customer, as well as the SOC, to keep tabs on.
The key question answered here is, mainly, ‘What kind of activities are prominent in my account?’.
This tool answers this by showing the specific types of actions. For example, in the image below, the top five categories for this account show a lot of hacking actions on the customer's web apps, followed by a high number of activities in the malware category. There are also a couple of compliance and configuration changes that led to security incidents.
Each of these categories can be clicked upon, and the incidents are then filtered down to that category.
On the resulting list of security incidents, a widget (bottom right) presents the severity of the incidents. The severities are categorized into 'Critical', 'Major', 'Minor', and 'Informational'. Here all three incidents happen to be 'Informational'.
But if you go to a larger category, for instance the bar labelled 'Malware PUP', you can see that there are 22 Minor incidents and 1 Informational incident.
Whenever this widget is shown it acts as a filter: if the customer wants to view only the informational incidents, they can click on that category, and only the incidents of that severity will be listed.
These three features are intended to serve as a good starting point for the customer to understand their current security posture and to better comprehend the recent period of incidents.
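The three views described above (time scatter, by actor, by action) all reduce to the same operation on the incident list: restrict to a time window, then group and count, with each click narrowing the list further. The following Python script rebuilds those views over a small constructed set of incidents. It is an added example, not SecurityHQ code and not the platform's real data model; the incident fields, the action category names, and the Internal/External rule (RFC 1918 address ranges count as internal, anything else routable as external, unparseable or missing sources as Unknown) are all assumptions made for illustration.

```python
"""Dashboard-style posture views over a constructed incident list (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional

# Severity levels as named on the page.
SEVERITIES = ("Critical", "Major", "Minor", "Informational")

# Assumption: "Internal" means an RFC 1918 source address.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Incident:               # assumed record shape, not the platform's schema
    opened: datetime
    actor_ip: Optional[str]   # None when the source could not be identified
    action: str               # category such as "Hacking - Web App", "Malware PUP"
    severity: str             # one of SEVERITIES


def classify_actor(actor_ip: Optional[str]) -> str:
    """Internal / External / Unknown, the three actor groups on the dashboard."""
    if actor_ip is None:
        return "Unknown"
    try:
        addr = ip_address(actor_ip)
    except ValueError:        # malformed source field -> cannot be categorized
        return "Unknown"
    return "Internal" if any(addr in net for net in INTERNAL_NETS) else "External"


def in_window(incidents, start: datetime, end: datetime):
    """Custom duration filter: keep incidents with start <= opened < end."""
    return [i for i in incidents if start <= i.opened < end]


def last_days(incidents, now: datetime, days: int):
    """Preset durations such as 'Last 01 Month' (30 days) or last 24 hours (1)."""
    return in_window(incidents, now - timedelta(days=days), now)


def time_scatter(incidents):
    """ISO date -> Counter(severity): the counts behind the time-scatter view."""
    buckets = defaultdict(Counter)
    for i in incidents:
        buckets[i.opened.date().isoformat()][i.severity] += 1
    return dict(buckets)


def by_actor(incidents):
    """Actor group -> Counter(ip -> incidents): the ring chart and its IP drill-down."""
    groups = defaultdict(Counter)
    for i in incidents:
        groups[classify_actor(i.actor_ip)][i.actor_ip or "unknown"] += 1
    return dict(groups)


def by_action(incidents, top: int = 5):
    """Top-N action categories, each with its severity breakdown (the bar widget)."""
    sev = defaultdict(Counter)
    for i in incidents:
        sev[i.action][i.severity] += 1
    ranked = sorted(sev.items(), key=lambda kv: -sum(kv[1].values()))
    return [(action, dict(counts)) for action, counts in ranked[:top]]


def drill_down(incidents, action=None, severity=None, actor_ip=None):
    """One click on a bar, severity slice, or IP slice narrows the incident list."""
    return [i for i in incidents
            if (action is None or i.action == action)
            and (severity is None or i.severity == severity)
            and (actor_ip is None or i.actor_ip == actor_ip)]


# Constructed sample data; the dates mirror the page's March 14th, 2021 end date.
NOW = datetime(2021, 3, 14)
SAMPLE = [
    Incident(NOW - timedelta(days=1), "203.0.113.7", "Hacking - Web App", "Minor"),
    Incident(NOW - timedelta(days=1), "203.0.113.7", "Hacking - Web App", "Major"),
    Incident(NOW - timedelta(days=2), "198.51.100.20", "Hacking - Web App", "Informational"),
    Incident(NOW - timedelta(days=3), "10.0.0.5", "Malware PUP", "Minor"),
    Incident(NOW - timedelta(days=3), "10.0.0.5", "Malware PUP", "Informational"),
    Incident(NOW - timedelta(days=10), None, "Compliance", "Informational"),
    Incident(NOW - timedelta(days=40), "10.0.0.9", "Configuration Change", "Informational"),
    Incident(NOW - timedelta(days=400), "not-an-ip", "Malware PUP", "Critical"),
]

if __name__ == "__main__":
    month = last_days(SAMPLE, NOW, 30)
    print("time scatter:", time_scatter(month))
    print("by actor:", by_actor(month))
    print("by action:", by_action(month))
    print("Malware PUP / Minor:", drill_down(month, action="Malware PUP", severity="Minor"))
```

Running the script with the 30-day preset drops the 40- and 400-day-old records, exactly as the dashboard's duration selector does, and the same six incidents then feed all three views; switching to the custom window from Jan 1st, 2020 brings the older ones back, with the malformed source address landing in the Unknown group rather than being silently dropped.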
Fully Integrated With IBM Gartner Magic Quadrant
Now, moving back to the application's menu, a key element for the customer to access is the QRadar interface. One click on the QRadar menu takes the user to the embedded IBM QRadar interface.
The credentials to be entered here are the same as the platform credentials, and the QRadar interface will be presented to the customer.
SecurityHQ services and features, such as Managed Data Security, powered by IBM Guardium, can be accessed to help clients protect critical data, prevent leaks, and ensure compliance across heterogeneous environments, including databases, data warehouses and big data environments.
Alternatively, Managed Detection & Response (MDR) can be used to help customers visualize and understand malicious or anomalous activity; analyze, prioritize and respond to threats rapidly; and safeguard data, people and processes.
The SecurityHQ Response Mobile App for Android and iOS puts the power of SecurityHQ's Global Security Operation Centre in the client's hands.
The new app has significantly advanced the accessibility and visibility of SecurityHQ services and provides a considerable competitive advantage in terms of customer experience and engagement, so that users can do everything that they are able to do on the platform, now from their phone.
Including the ability to:
- Track the status of security incidents at any time, while working remotely.
- Prioritize and escalate threats.
- Respond to threats.
- Create and search for tickets.
- Receive real-time alerts and notifications for security incidents.
- Call the designated SOC team.
- Receive crucial notifications with the click of a button.
When the user clicks on the 'Mobile Access' button, the page that opens provides instructions for enrolling the mobile app against the web platform. That way, customers can see all their SecurityHQ services, and access all required features, while on the move.
SecurityHQ is a global Managed Security Service Provider. They help the customers to instantly visualize, prioritize, connect and respond to specific security needs via their Incident Response & Analytics Platform.