How Much Staffing and Expertise Do Security Intelligence Solutions Require?

Image attribution: under

This is part 3 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”


In previous posts, we examined what Security Intelligence (SI) is and how modern SI solutions differ from the previous generation of products.  Now let’s look at some practical questions about Security Intelligence products.

Many IT professionals and business executives have a skewed perception of what SI solutions – with SIEM as the anchor tenant – deliver, and what they require.  Unlike first-generation SIEM and log management products, which earned a reputation for high complexity and cost, today’s Security Intelligence offerings are designed for rapid implementation, a short learning curve and low ongoing staffing requirements.

A fundamental difference between first-gen products and modern ones is whether they are built as toolkits or more finished solutions.  Early SIEM vendors advanced the false claim that every deployment needed to be so customized that it made little sense to provide any out-of-the-box value.  Everything useful would be built from scratch using the toolkit and a massive dose of professional services.  Current solutions, however, prove that pre-packaged functionality and extensive customizability are not mutually exclusive.  Let’s examine what today’s SI offerings bring.

While any user will benefit from some network security experience, successful solutions have innovated around the three tenets of Security Intelligence – Intelligence, Integration and Automation – to make it easier for all users to get productive quickly.  Here’s how:


  • Writing correlation rules used to be a complex endeavor, and still is with legacy SIEM products.  But modern Security Intelligence products boil this down.  If you’ve filtered email in your favorite email client or Web app, you can write correlation rules in a respectable SI product.  And you can still build sophisticated, multi-step rules for global and local correlation.
  • SI solutions also save users time by allowing them to define value lists (e.g., IP addresses or user names) that are used as variables within rules, filters and reports – saving them from having to manually update lists in many places.  The more innovative products even allow these lists to be populated programmatically.


  • The integration capabilities delivered out-of-the-box today are a huge enabler of end user productivity.  Normalization of the data from hundreds of sources prevents customers (and consultants) from having to become experts in each third-party vendor’s data schema.  For example, a compliance mandate might require documenting authentication events (failed login’s, successful login’s, successful login’s followed by a privilege escalation, etc.).  With Security Intelligence, customers no longer have to track that manually across dozens of assets, each with its own data schema.


  • Security Intelligence solutions also automate many of the tedious manual tasks that used to take so much time and drive up the total cost of ownership.  They can auto-discover network resources, auto-tune settings, and offer appliance form factors for easy deployment.
  • Numerous out-of-the-box reports are provided for different audiences, including senior executives and auditors.  Security and networking staff no longer need to spend excessive time just building reports.

One large customer, a Fortune 200 financial institution, uses only four people to manage a worldwide SI deployment that monitors billions of daily events, and those individuals also manage several other security products.  The company has dramatically improved its security and risk posture without adding any security headcount.

Another customer, Arkansas Children’s Hospital, saw an increase in the speed and efficiency of its two person security response team after deploying a modern SI solution.  Watch the video to hear directly from Chris Wilkins.

Ultimately, any Security Intelligence user will need some training and time to make full and effective use of the software.  SI solutions, after all, are sophisticated enterprise software.  But a modern Security Intelligence product lowers the bar for new users and ultimately becomes a force multiplier – enabling order-of-magnitude productivity increases in security operations.

What do you think?  What have you observed with regard to staffing requirements for SI products?

more from Intelligence & Analytics

IOCs vs. IOAs — How to Effectively Leverage Indicators

Cybersecurity teams are consistently tasked to identify cybersecurity attacks, adversarial behavior, advanced persistent threats and the dreaded zero-day vulnerability. Through this endeavor, there is a common struggle for cybersecurity practitioners and operational teams to appropriately leverage indicators of compromise (IOCs) and indicators of attack (IOAs) for an effective monitoring, detection and response strategy. Inexperienced security […]