How Much Staffing and Expertise Do Security Intelligence Solutions Require?

Image attribution: under

This is part 3 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”


In previous posts, we examined what Security Intelligence (SI) is and how modern SI solutions differ from the previous generation of products.  Now let’s look at some practical questions about Security Intelligence products.

Many IT professionals and business executives have a skewed perception of what SI solutions – with SIEM as the anchor tenant – deliver, and what they require.  Unlike first-generation SIEM and log management products, which earned a reputation for high complexity and cost, today’s Security Intelligence offerings are designed for rapid implementation, a short learning curve and low ongoing staffing requirements.

A fundamental difference between first-gen products and modern ones is whether they are built as toolkits or more finished solutions.  Early SIEM vendors advanced the false claim that every deployment needed to be so customized that it made little sense to provide any out-of-the-box value.  Everything useful would be built from scratch using the toolkit and a massive dose of professional services.  Current solutions, however, prove that pre-packaged functionality and extensive customizability are not mutually exclusive.  Let’s examine what today’s SI offerings bring.

While any user will benefit from some network security experience, successful solutions have innovated around the three tenets of Security Intelligence – Intelligence, Integration and Automation – to make it easier for all users to get productive quickly.  Here’s how:


  • Writing correlation rules used to be a complex endeavor, and still is with legacy SIEM products.  But modern Security Intelligence products boil this down.  If you’ve filtered email in your favorite email client or Web app, you can write correlation rules in a respectable SI product.  And you can still build sophisticated, multi-step rules for global and local correlation.
  • SI solutions also save users time by allowing them to define value lists (e.g., IP addresses or user names) that are used as variables within rules, filters and reports – saving them from having to manually update lists in many places.  The more innovative products even allow these lists to be populated programmatically.


  • The integration capabilities delivered out-of-the-box today are a huge enabler of end user productivity.  Normalization of the data from hundreds of sources prevents customers (and consultants) from having to become experts in each third-party vendor’s data schema.  For example, a compliance mandate might require documenting authentication events (failed login’s, successful login’s, successful login’s followed by a privilege escalation, etc.).  With Security Intelligence, customers no longer have to track that manually across dozens of assets, each with its own data schema.


  • Security Intelligence solutions also automate many of the tedious manual tasks that used to take so much time and drive up the total cost of ownership.  They can auto-discover network resources, auto-tune settings, and offer appliance form factors for easy deployment.
  • Numerous out-of-the-box reports are provided for different audiences, including senior executives and auditors.  Security and networking staff no longer need to spend excessive time just building reports.

One large customer, a Fortune 200 financial institution, uses only four people to manage a worldwide SI deployment that monitors billions of daily events, and those individuals also manage several other security products.  The company has dramatically improved its security and risk posture without adding any security headcount.

Another customer, Arkansas Children’s Hospital, saw an increase in the speed and efficiency of its two person security response team after deploying a modern SI solution.  Watch the video to hear directly from Chris Wilkins.

Ultimately, any Security Intelligence user will need some training and time to make full and effective use of the software.  SI solutions, after all, are sophisticated enterprise software.  But a modern Security Intelligence product lowers the bar for new users and ultimately becomes a force multiplier – enabling order-of-magnitude productivity increases in security operations.

What do you think?  What have you observed with regard to staffing requirements for SI products?

More from Intelligence & Analytics

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…