This was originally published in September 2011 on q1labs.com (which has been integrated into ibm.com and securityintelligence.com).
This is part 3 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
In previous posts, we examined what Security Intelligence (SI) is and how modern SI solutions differ from the previous generation of products. Now let’s look at some practical questions about Security Intelligence products.
Many IT professionals and business executives have a skewed perception of what SI solutions – with SIEM as the anchor tenant – deliver, and what they require. Unlike first-generation SIEM and log management products, which earned a reputation for high complexity and cost, today’s Security Intelligence offerings are designed for rapid implementation, a short learning curve and low ongoing staffing requirements.
A fundamental difference between first-gen products and modern ones is whether they are built as toolkits or more finished solutions. Early SIEM vendors advanced the false claim that every deployment needed to be so customized that it made little sense to provide any out-of-the-box value. Everything useful would be built from scratch using the toolkit and a massive dose of professional services. Current solutions, however, prove that pre-packaged functionality and extensive customizability are not mutually exclusive. Let’s examine what today’s SI offerings bring.
While any user will benefit from network security experience, successful solutions have innovated around the three tenets of Security Intelligence – Intelligence, Integration and Automation – to make it easier for all users to get productive quickly. Here’s how:
- Writing correlation rules used to be a complex endeavor, and still is with legacy SIEM products. But modern Security Intelligence products boil this down. If you’ve filtered email in your favorite email client or Web app, you can write correlation rules in a respectable SI product. And you can still build sophisticated, multi-step rules for global and local correlation.
- SI solutions also save users time by allowing them to define value lists (e.g., IP addresses or user names) that are used as variables within rules, filters and reports – saving them from having to manually update lists in many places. The more innovative products even allow these lists to be populated programmatically.
- The integration capabilities delivered out-of-the-box today are a huge enabler of end user productivity. Normalization of the data from hundreds of sources prevents customers (and consultants) from having to become experts in each third-party vendor’s data schema. For example, a compliance mandate might require documenting authentication events (failed login’s, successful login’s, successful login’s followed by a privilege escalation, etc.). With Security Intelligence, customers no longer have to track that manually across dozens of assets, each with its own data schema.
- Security Intelligence solutions also automate many of the tedious manual tasks that used to take so much time and drive up the total cost of ownership. They can auto-discover network resources, auto-tune settings, and offer appliance form factors for easy deployment.
- Numerous out-of-the-box reports are provided for different audiences, including senior executives and auditors. Security and networking staff no longer need to spend excessive time just building reports.
One large customer, a Fortune 200 financial institution, uses only four people to manage a worldwide SI deployment that monitors billions of daily events, and those individuals also manage several other security products. The company has dramatically improved its security and risk posture without adding any security headcount.
Another customer, Arkansas Children’s Hospital, saw an increase in the speed and efficiency of its two person security response team after deploying a modern SI solution.
Ultimately, any Security Intelligence user will need some training and time to make full and effective use of the software. SI solutions, after all, are sophisticated enterprise software. But a modern Security Intelligence product lowers the bar for new users and ultimately becomes a force multiplier – enabling order-of-magnitude productivity increases in security operations.
What have you observed with regard to staffing requirements for SI products?