What is our primary use case?
IBM X-Force is a SaaS version. X-Force is integrated with a Security Intelligence Platform, but it's a SaaS version.
In short, we use a platform called the Security Intelligence Platform, based on IBM QRadar SIEM, which we enrich from the X-Force engine so that we actually get threat intel from IBM X-Force. We also leverage different content packs that we download from X-Force. We have thousands of rules that come out of the box with QRadar, which is the SIEM platform. But we need to leverage X-Force to get real-time threat feeds, have an understanding of what will be happening, and get advisories on issues such as vulnerability numbers, malware names, MD5 hashes, IP addresses, and other characteristics to see if we have been compromised. We can check a CVE, breach or malware threat to obtain more details regarding that coverage.
How has it helped my organization?
IBM X-Force has shortened our lifecycle for cyber security investigations. Threat analysis activity can take a lot of time. Providing this service to customers requires a quick turnaround time. So besides using it in my data center, I have a multi-tenant SOC environment, with tenants belonging to other customers that I monitor. So if a customer comes to me and says, "what does it exactly mean for us?" I can quickly leverage a tool that helps me to get quick visibility, quick understanding, quick investigation, quick drill down, and be able to close their offenses and issues as quickly as I can.
X-Force has the ability to integrate with other solutions such as Cisco Threat Grid cloud. It's quite integrable, so you can actually integrate and get all the threat intel such as geography, blacklisted domains, hashes to watch out for, IP, malware and URL information. Access to all this gives you some intelligence into what you're trying to investigate and what you will be trying to understand.
What is most valuable?
The most valuable features I found include:
The ability to add a vulnerability report
Support for STIX and TAXII
Threat Feed Manager: while viewing X-Force reports, users can enrich IP, URL and malware reports using threat intelligence
So suppose you're investigating a possible threat and you just found that there is an offense saying that one of your users had access to some honeypot-defined address. You can quickly leverage X-Force to help you by doing an X-Force Exchange lookup.
If you have an aspect of interest, such as an email, a file or vulnerability data, you can leverage X-Force to understand this in-depth.
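The STIX/TAXII support and the IP, domain and hash lookups mentioned above come down to one defensive workflow: pull tactical IOCs out of a STIX feed and match them against what the SIEM saw. The following is an added example, not code from the reviewer or from IBM; the bundle, the events and every indicator value in it are constructed for illustration.

```python
"""Added example: extract IOCs from a STIX 2.1 bundle (the format a TAXII
feed such as X-Force Exchange can serve) and match them against SIEM events."""
import json
import re
from typing import Dict, List, Set

# Constructed sample bundle; the values are made up, not real indicators.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0001",
    "objects": [
        {"type": "indicator", "id": "indicator--1", "name": "botnet C2",
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.45']"},
        {"type": "indicator", "id": "indicator--2", "name": "phishing domain",
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'login.example.invalid']"},
        {"type": "indicator", "id": "indicator--3", "name": "dropper",
         "pattern_type": "stix",
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
    ],
})

# One comparison of the form  object-type:object.path = 'value'  inside a pattern.
_COMPARISON = re.compile(r"([\w-]+):([\w.-]+)\s*=\s*'([^']*)'")

def extract_iocs(bundle_json: str) -> Dict[str, Set[str]]:
    """Return {ioc_type: {values}} from every indicator that uses a STIX pattern."""
    iocs: Dict[str, Set[str]] = {"ip": set(), "domain": set(), "md5": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, path, value in _COMPARISON.findall(obj["pattern"]):
            if obj_type == "ipv4-addr" and path == "value":
                iocs["ip"].add(value)
            elif obj_type == "domain-name" and path == "value":
                iocs["domain"].add(value.lower())          # domains are case-insensitive
            elif obj_type == "file" and path.upper() == "HASHES.MD5":
                iocs["md5"].add(value.lower())
    return iocs

def match_events(events: List[dict], iocs: Dict[str, Set[str]]) -> List[str]:
    """Return the ids of events whose destination IP, domain or file hash is a known IOC."""
    hits = []
    for ev in events:
        if (ev.get("dst_ip") in iocs["ip"]
                or ev.get("domain", "").lower() in iocs["domain"]
                or ev.get("md5", "").lower() in iocs["md5"]):
            hits.append(ev["id"])
    return hits

# Constructed events standing in for SIEM offenses or flow records.
SAMPLE_EVENTS = [
    {"id": "ev1", "dst_ip": "203.0.113.45"},
    {"id": "ev2", "domain": "LOGIN.example.invalid"},
    {"id": "ev3", "dst_ip": "198.51.100.7", "md5": "0" * 32},
]
```

Indicators that use other pattern languages or other hash algorithms are skipped rather than guessed at, which is the safe default when a feed mixes pattern types.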
What needs improvement?
Focusing on collecting tactical indicators of compromise (IOCs) like domains, IP addresses and hashes is not enough; teams need to map or act. We need more context on phishing, malware, botnets and additional IOCs. We need highly actionable insights.
For how long have I used the solution?
I have been using IBM X-Force for more than 36 months.
What do I think about the stability of the solution?
It is very stable. I've been comparing it with quite a number of other solutions. I have also seen RSA Live and Cisco Threat Grid, among others. RSA has a very interesting platform called RSA Live, which also provides threat protection feeds, warning feeds, and API integrations, like what X-Force does.
Basically, X-Force gives me a lot of comfort. I can quickly do my threat hunting activities in a few minutes and am able to find relevant threat details to help me understand a possible threat and the associated risk.
What do I think about the scalability of the solution?
IBM X-Force Exchange is a cloud-based threat intelligence platform that allows you to consume, share and act on threat intelligence. It enables you to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.
It is highly scalable because of its SaaS offering approach.
How are customer service and technical support?
We're getting very good tech support. Very great support, actually.
There is a community, so we make use of the XFE community before we go to support. Probably something can help you there, but if not, you then have to call support.
How was the initial setup?
The initial setup is pretty straightforward.
Having been personally involved with Security Threat Intelligence platform deployments, I would say that for big deployments, like in the financial services sector, there could be a lot of integrations.
Integration with X-Force takes less than a day; more time will be spent on downloading X-Force rule content for your Security Intelligence platform.
Deploying my security intelligence platform will take roughly six hours, but to have everything in place takes about two days; to have every log source integrated and every flow source integrated probably takes one more week.
After setting up your base Security Intelligence platform, go for your basic configs such as defining the network hierarchy. Add your log sources for events and flows. Add your applications of interest. Then integrate X-Force.
What was our ROI?
There has definitely been a good ROI. It takes away the pain and the headache of having large teams working on issues for days. Working in the security area can be a pain if you cannot find closure to issues in the required time.
What's my experience with pricing, setup cost, and licensing?
IBM has now gone the route they term Cloud Pak for Security. The IBM Cloud Pak for Security platform follows a modular pricing approach based on the size of the customer environment you are looking to secure. It gives a bit of flexibility.
They have a fixed-for-term monthly fee, or a one-time fee with annual support, planned system expansion and costs, or one up-front price for unlimited scale over the term of your contract. The choice is yours.
I am yet to come to terms with the MVS sizing approach being used.
What other advice do I have?
I would definitely recommend IBM X-Force. If you want to get threat intel and protection feeds, and you need to integrate with other threat intel feeds through STIX and TAXII, go for XFE.
If you are looking to get early warning and timely feeds, and you require faster investigation times with enrichment of your Security Intelligence platform with relevant intel that speaks to what is current and what you want to protect your environment from, you will have to leverage a trusted threat intelligence platform equivalent to that of X-Force.
If you want to speed up your security threat identification with what you call actionable threat intel that will seamlessly integrate with your other security tools, you need to ensure that you leverage X-Force.
On a scale of one to ten, I would rate IBM X-Force an eight.