This was originally published in November 2011 on q1labs.com (which has been integrated into ibm.com and securityintelligence.com).
This is part 5 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
You know what Security Intelligence is, how it’s innovative, what it can deliver, and what kind of expertise you need. Now you’re eager to realize some of those benefits. How quickly can you expect to see a return? The answer is: much faster than you think.
SIEM is the anchor tenant of Security Intelligence, and let’s be honest – SIEM hasn’t always had a sterling reputation in the information security world. Many SIEM products are poorly designed, ill-suited to scale, or comprised of non-integrated components that lead to headaches. Bottom line: many SIEMs are a pain to configure and manage – and with them, rapid ROI is tough to achieve.
Today’s Security Intelligence solutions learned from the mistakes of the past and are delivering value in days. Here’s how:
Fast installation. The better Security Intelligence offerings have removed significant complexity and time from the installation process by delivering fully packaged appliances with the operating system, database and security intelligence software pre-installed. That way, customers avoid the delays associated with server provisioning and application installation and set-up.
Out-of-the-box rules and reports. Unlike first-gen SIEM products that were merely frameworks, modern Security Intelligence solutions ship with extensive out-of-the-box rules, report templates, dashboards and searches to get users up and running fast. This has a huge impact not only on time to value, but also on the implementation cost of a solution.
Identifying risks immediately. Once a modern Security Intelligence solution goes live in a customer’s environment, it often finds critical risks in the first few hours. Here are some common examples based on Q1 Labs’ field experience:
- Botnet infections. Although many security technologies struggle to detect this type of malware, SI solutions often find botnets as soon as they start receiving network telemetry. The best solutions provide out-of-the-box integration with outside intelligence sources, such as lists of known botnet command-and-control (C&C) servers. They then analyze flow and event data, and if they see a hit to a server on that list, they know an infection exists somewhere internally. The infection can sometimes be found with log data alone, but usually it is only found with Layer 7 flow data. Most SIEM and Security Intelligence solutions today don’t offer pre-packaged integration with outside intelligence sources to monitor bad IP addresses, so if this is important to you, make sure that your solution does.
- Network misconfigurations causing security risks. True Security Intelligence solutions provide both post-exploit and pre-exploit capabilities, the latter of which can detect significant security misconfigurations before assets are compromised. For example, one retail organization’s Security Intelligence solution found an open port on its network perimeter, which affected systems with vulnerabilities that could have allowed compromise of all its store locations. This risk was discovered the same day the solution was deployed.
- Devices accidentally scanning the Internet. Q1 Labs has sometimes found misconfigurations with antivirus update servers, causing them to attempt to update the entire Internet with AV signatures rather than just scanning and updating internal servers. Ironically, the AV update server itself often becomes badly outdated – because it’s trying to update millions of systems in the public Internet before it ever reaches its own IP address to perform updates. (Unlikely as this sounds, it happens more often than you’d think.)
- Network misconfigurations causing inefficiencies. Sometimes the customer has other devices misconfigured, causing them to probe the internal network and leading the Security Intelligence solution to identify this activity as a security risk. In this case, the Security Intelligence solution provides ancillary operational benefits by highlighting such misconfigurations.
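The two detections sketched above (an internal host hitting an address on a C&C list, and a device fanning out to the whole Internet), as an added example that is not from the original post or from any Q1 Labs product: a Python script run over constructed flow records. The internal ranges, the C&C list (TEST-NET placeholder addresses) and the fan-out threshold are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed internal address space (constructed for this example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Hypothetical C&C list; TEST-NET placeholders, not real indicators.
KNOWN_C2 = {"203.0.113.7", "198.51.100.42"}

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.1.4.25", "203.0.113.7", 443, 1200),   # workstation contacting a listed C&C server
    ("10.1.4.25", "10.1.0.5", 445, 900),       # ordinary internal traffic, ignored
]
# Constructed fan-out: an "AV update server" pushing to 10 distinct external hosts
FLOWS += [("192.168.3.9", f"198.51.100.{i}", 80, 400) for i in range(1, 11)]


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def find_c2_hits(flows, c2_list):
    """Post-exploit indicator: internal sources that talked to a listed C&C address."""
    hits = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if is_internal(src) and not is_internal(dst) and dst in c2_list:
            hits[src].add(dst)
    return {host: sorted(dests) for host, dests in hits.items()}


def find_outbound_fanout(flows, threshold):
    """Misconfiguration indicator: internal hosts reaching >= threshold distinct external hosts."""
    dests = defaultdict(set)
    for src, dst, _port, _bytes in flows:
        if is_internal(src) and not is_internal(dst):
            dests[src].add(dst)
    return {host: len(d) for host, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    print("C&C hits:", find_c2_hits(FLOWS, KNOWN_C2))
    print("Fan-out hosts:", find_outbound_fanout(FLOWS, threshold=8))
```

In a real deployment the C&C list would be refreshed from an external feed and the threshold tuned to the host's role, since a legitimate proxy or mail relay also fans out widely.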
Automating and simplifying audit preparation. If you’ve ever had the privilege of preparing for a compliance audit, you know it can be a hugely labor-intensive project. The good news is that Security Intelligence solutions have now automated much of the manual data gathering. Some even provide hundreds of pre-defined report templates – covering compliance mandates like PCI DSS, HIPAA, Sarbanes-Oxley, NERC and others – that automatically pull the necessary data from all relevant sources, and present it in a useful format. Take PCI, for example, which requires affected businesses to perform regular auditing of firewall rules. One Fortune 200 retailer was spending one half of a person-day per device to review and document its firewall configurations (and remediate any vulnerabilities). Multiply this by the hundreds to thousands of devices they use, and it’s clear that the Security Intelligence solution they deployed to automate this work delivered a great deal of value, virtually overnight.
Ultimately the strongest proof is the voice of a customer, and here’s what Matt Klaus of Genworth Financial shared in this case study webinar:
We do a monthly summary of all our data. Right now that’s a manual process. We go into each tool distinctly and we pull out what we need to pull out. We’re in the process of automating that with our production instance of Q1 Labs [QRadar]… which was one of the primary reasons we chose Q1 Labs. That will cut our time from about five days down to about one, if not less. It drastically reduces the time that we need to kick off an investigation of something serious, where time is really critical.
Q1 Labs for us has been a huge time saver. Its implementation was quick and easy, and we’re definitely seeing some added benefit, [even] as new a customer as we are.
Welcome to the new generation of IT security: Security Intelligence. We think you’ll be pleasantly surprised!