In this video, we show a Proof of Concept: a high-level overview of actions a customer can easily take to further harden their security posture with QRadar, Copy Services Manager, and Safeguarded Copy. The video shows a live attack on a DS8k, with QRadar detecting the suspicious behavior and immediately invoking a Python script (or Ansible playbook) that pauses replication, takes an ad-hoc, immediate Safeguarded Copy snapshot, and raises an alert for the security team to investigate. This demo also opens further discussion on using similar playbooks for immediate restoration and recovery.
Here are links to the publicly available code and paper that go into more depth: