September 27, 2011 By John Burnham 3 min read

How Much Staffing and Expertise Do Security Intelligence Solutions Require?

Image attribution: http://bit.ly/n4EsIM under http://bit.ly/qkEUr7

This is part 3 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

 

In previous posts, we examined what Security Intelligence (SI) is and how modern SI solutions differ from the previous generation of products.  Now let’s look at some practical questions about Security Intelligence products.

Many IT professionals and business executives have a skewed perception of what SI solutions – with SIEM as the anchor tenant – deliver, and what they require.  Unlike first-generation SIEM and log management products, which earned a reputation for high complexity and cost, today’s Security Intelligence offerings are designed for rapid implementation, a short learning curve and low ongoing staffing requirements.

A fundamental difference between first-gen products and modern ones is whether they are built as toolkits or more finished solutions.  Early SIEM vendors advanced the false claim that every deployment needed to be so customized that it made little sense to provide any out-of-the-box value.  Everything useful would be built from scratch using the toolkit and a massive dose of professional services.  Current solutions, however, prove that pre-packaged functionality and extensive customizability are not mutually exclusive.  Let’s examine what today’s SI offerings bring.

While any user will benefit from some network security experience, successful solutions have innovated around the three tenets of Security Intelligence – Intelligence, Integration and Automation – to make it easier for all users to get productive quickly.  Here’s how:

Intelligence

  • Writing correlation rules used to be a complex endeavor, and still is with legacy SIEM products.  But modern Security Intelligence products boil this down.  If you’ve filtered email in your favorite email client or Web app, you can write correlation rules in a respectable SI product.  And you can still build sophisticated, multi-step rules for global and local correlation.
  • SI solutions also save users time by allowing them to define value lists (e.g., IP addresses or user names) that are used as variables within rules, filters and reports – saving them from having to manually update lists in many places.  The more innovative products even allow these lists to be populated programmatically.

Integration

  • The integration capabilities delivered out-of-the-box today are a huge enabler of end user productivity.  Normalization of the data from hundreds of sources prevents customers (and consultants) from having to become experts in each third-party vendor’s data schema.  For example, a compliance mandate might require documenting authentication events (failed login’s, successful login’s, successful login’s followed by a privilege escalation, etc.).  With Security Intelligence, customers no longer have to track that manually across dozens of assets, each with its own data schema.

Automation

  • Security Intelligence solutions also automate many of the tedious manual tasks that used to take so much time and drive up the total cost of ownership.  They can auto-discover network resources, auto-tune settings, and offer appliance form factors for easy deployment.
  • Numerous out-of-the-box reports are provided for different audiences, including senior executives and auditors.  Security and networking staff no longer need to spend excessive time just building reports.

One large customer, a Fortune 200 financial institution, uses only four people to manage a worldwide SI deployment that monitors billions of daily events, and those individuals also manage several other security products.  The company has dramatically improved its security and risk posture without adding any security headcount.

Another customer, Arkansas Children’s Hospital, saw an increase in the speed and efficiency of its two person security response team after deploying a modern SI solution.  Watch the video to hear directly from Chris Wilkins.

Ultimately, any Security Intelligence user will need some training and time to make full and effective use of the software.  SI solutions, after all, are sophisticated enterprise software.  But a modern Security Intelligence product lowers the bar for new users and ultimately becomes a force multiplier – enabling order-of-magnitude productivity increases in security operations.

What do you think?  What have you observed with regard to staffing requirements for SI products?

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today