Becoming an Agile Cyber-Ninja: Implementing SIEM the Right Way in 2017

When it comes to security information and event management (SIEM) solutions, you get out what you put in. Choosing the right method for organizing the teams that deploy and implement the SIEM, use cases and all, is an important decision. When it comes to organizing the projects and services related to the security of your enterprise, you need to stick to what you know — right? Not necessarily.

Making the switch to Agile may enable your organization to improve its security posture faster. The world of security moves fast, and black-hat hackers prey on organizations that are slow to adapt.

In 2017, being secure means being agile. At the core of any SIEM is the concept of the use case: the set of correlation rules and searches that defines which patterns and anomalies we are looking for on the enterprise network and how they are prioritized. A use case that is never revisited either goes stale (the attacker technique has changed) or degrades into noise (thresholds no longer fit the environment). Staying agile and keeping these rules and searches up to date and relevant enables us to focus on today’s primary threat vectors, not those from six months ago.

Traditional Versus Agile: QRadar Face-Off

You might assume that Agile is just for software developers, but security analysts can use it to implement a SIEM. Let’s look at an example of Agile security services in action.

IBM QRadar, which earned recognition in the Gartner Magic Quadrant and Forrester Wave, made for a good test case on a recent project. During the project, the SIEM team switched from a traditional Waterfall methodology to Agile.

Here’s what I saw from both sides of the fence. For each area of concern, we’ll first analyze the old approach and then look at how the switch to Agile affected organizational security.

Client Collaboration

  • Traditional: The client basically dropped a big book of what it expected to get out of QRadar on the delivery team’s desk and then went back to fighting fires. OK, it wasn’t quite that bad, but management did not incentivize collaboration, which created a divided work environment and made it hard for analysts to break down silos and build a single-pane view of the enterprise.
  • Agile: The client was involved from the start and throughout the QRadar implementation, and the required resources were made available dynamically to meet each sprint’s goals. This way, the client got to see and feel the product rather than waiting days, weeks or months to find out what QRadar could do.

Getting Requirements Right

  • Traditional: Requirements were carefully established up front and handed to the service delivery teams. Then the requirements changed and the security picture moved on. Slowly, what was being delivered lost touch with what was actually needed.
  • Agile: Requirements were considered on an ongoing basis, and the product was demonstrated at regular intervals to enable the customer to see where it was meeting expectations and where it could benefit from a different approach.

Team Connectivity

  • Traditional: Different teams worked on the product and in the QRadar environment with little or no communication. We may not have seen how planned changes in the network and security ecosystem affected the product until it was alive and kicking.
  • Agile: Agile product owners got insight into multiple products and changes to the security environment in the enterprise during demonstrations and sync-ups. Potential clashes could be proactively mitigated, eliminating unnecessary delays and keeping motivation high.

Time to Value

  • Traditional: Delivery would have occurred at the end date of the project, no earlier.
  • Agile: QRadar came alive in iterations, delivering value as early as possible by tackling the highest-priority use cases first rather than waiting for every last page of documentation to be completed before anything was realized.

Find the Fun in Security

You have probably noticed a pattern by now. With the flexibility of the many Agile tools available, implementing a SIEM is very manageable for a team of motivated and empowered individuals. This project ended with a well-tuned and powerful SIEM, as well as a sense of steady, visible progress for a team that had found the fun in security.

This is just one example of how a team could work together to adopt Agile and QRadar to beat expectations and create a state of security intelligence. To begin thinking about what your company can do with a powerful SIEM and an empowering way of working, ask yourself the following questions:

  1. Could your organization benefit from closer collaboration between service providers and your enterprise’s security teams and higher-level business units?
  2. Do you find your security priorities changing on a monthly or even weekly basis?
  3. Do you wish you could realize the potential of new products faster and stay on pace with cybercriminals?

If the answer to any of these is yes, it might be time to start thinking about adopting Agile and taking your product implementations to the next level.



Alexander M. Paterson

Security Intelligence Consultant, IBM

Alexander M. Paterson is a Security Intelligence Consultant for IBM UK. His deep technical and industry specific...