How Quickly Can You Realize ROI on Your Security Intelligence Deployment?

This is part 5 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

You know what Security Intelligence is, how it is innovative, what it can deliver, and what kind of expertise you need. Now you are eager to realize some of those benefits. How quickly can you expect to see a return? The answer is: much faster than you think.

SIEM is the anchor tenant of Security Intelligence (Gartner agrees), and let's be honest: SIEM hasn't always had a sterling reputation in the information security world. Many SIEM products are poorly designed, ill-suited to scale, or built from non-integrated components that lead to headaches. Bottom line: many SIEMs are a pain to configure and manage, which makes rapid ROI hard to achieve.

Today’s Security Intelligence solutions learned from the mistakes of the past and are delivering value in days.  Here’s how:

Fast installation. The better Security Intelligence offerings have removed significant complexity and time from the installation process by delivering fully packaged appliances with the operating system, database and security intelligence software pre-installed.  That way, customers avoid the delays associated with server provisioning and application installation and set-up.

Out-of-the-box rules and reports. Unlike first-gen SIEM products that were merely frameworks, modern Security Intelligence solutions ship with extensive out-of-the-box rules, report templates, dashboards and searches to get users up and running fast.  This has a huge impact not only on time to value, but also on the implementation cost of a solution.

Identifying risks immediately. Once a modern Security Intelligence solution goes live in a customer’s environment, it often finds critical risks in the first few hours.  Here are some common examples based on Q1 Labs’ field experience:

  • Botnet infections. Although many security technologies struggle to detect this type of malware, SI solutions often find botnets as soon as they start receiving network telemetry.  The best solutions provide out-of-the-box integration with outside intelligence sources, such as lists of known botnet command-and-control (C&C) servers.  They then analyze flow and event data, and a connection from an internal host to a server on that list is a strong indicator that the host is infected (it still needs confirmation, since intelligence lists age and can include shared hosting addresses).  The infection can sometimes be found with log data alone, but usually it is only found with Layer 7 flow data.  Most SIEM and Security Intelligence solutions today don't offer pre-packaged integration with outside intelligence sources to monitor bad IP addresses, so if this is important to you, make sure that your solution does.
  • Network misconfigurations causing security risks. True Security Intelligence solutions provide both post-exploit and pre-exploit capabilities, the latter of which can detect significant security misconfigurations before assets are compromised.  For example, one retail organization’s Security Intelligence solution found an open port on its network perimeter, which affected systems with vulnerabilities that could have allowed compromise of all its store locations.  This risk was discovered the same day the solution was deployed.
  • Devices accidentally scanning the Internet. Q1 Labs has sometimes found misconfigurations with antivirus update servers, causing them to attempt to update the entire Internet with AV signatures rather than just scanning and updating internal servers.  Ironically, the AV update server itself often becomes badly outdated – because it’s trying to update millions of systems in the public Internet before it ever reaches its own IP address to perform updates.  (Unlikely as this sounds, it happens more often than you’d think.)
  • Network misconfigurations causing inefficiencies. Sometimes the customer has other devices misconfigured, causing them to probe the internal network and leading the Security Intelligence solution to identify this activity as a security risk.  In this case, the Security Intelligence solution provides ancillary operational benefits by highlighting such misconfigurations.
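The C&C matching described in the botnet bullet above, as an added example that is not code from the original post or from any Q1 Labs product. It assumes a constructed indicator feed (IP or CIDR, optional port, feed name) and constructed flow summaries; the addresses are RFC 5737 documentation ranges, not real C&C servers. Only flows from an internal (RFC 1918) source to an external destination are considered, so inbound noise from a listed address is not misreported as an infection of the target.

```python
"""Match network flow records against a C&C indicator list (added example)."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed indicator feed (hypothetical; RFC 5737 documentation addresses).
# Columns: indicator (IP or CIDR), port (blank = any port), feed name.
CNC_FEED = """indicator,port,feed
203.0.113.7,443,feed-a
198.51.100.0/24,,feed-b
192.0.2.44,8080,feed-a
"""

# Constructed flow summaries (hypothetical): source, destination, dest port, bytes.
FLOWS = """src,dst,dport,bytes
10.0.0.5,203.0.113.7,443,5120
10.0.0.9,198.51.100.77,80,300
10.0.0.5,93.184.216.34,443,1200
10.0.0.12,192.0.2.44,22,900
203.0.113.7,10.0.0.5,51000,400
"""

# RFC 1918 ranges; listed explicitly rather than via ip_address.is_private,
# which also treats the documentation ranges used above as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address falls in one of the internal ranges."""
    return any(ip in net for net in INTERNAL_NETS)


def load_indicators(feed_text):
    """Parse the feed into (network, port_or_None, feed) tuples.

    Malformed indicator rows are skipped rather than raising, so one bad
    line in a third-party feed cannot take the whole detection offline.
    """
    indicators = []
    for row in csv.DictReader(io.StringIO(feed_text)):
        try:
            net = ipaddress.ip_network(row["indicator"].strip(), strict=False)
        except ValueError:
            continue
        port = int(row["port"]) if row["port"].strip() else None
        indicators.append((net, port, row["feed"].strip()))
    return indicators


def match_flows(flow_text, indicators):
    """Return {internal_host: [alert, ...]} for outbound flows hitting an indicator.

    A port-specific indicator only matches on that destination port; an
    indicator without a port matches any port on that address range.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(flow_text)):
        src = ipaddress.ip_address(row["src"].strip())
        dst = ipaddress.ip_address(row["dst"].strip())
        dport = int(row["dport"])
        if not is_internal(src) or is_internal(dst):
            continue  # only internal -> external connections are evidence
        for net, port, feed in indicators:
            if dst in net and (port is None or port == dport):
                hits[str(src)].append({"dst": str(dst), "dport": dport,
                                       "feed": feed, "bytes": int(row["bytes"])})
    return dict(hits)


if __name__ == "__main__":
    for host, alerts in match_flows(FLOWS, load_indicators(CNC_FEED)).items():
        for a in alerts:
            print(f"{host} -> {a['dst']}:{a['dport']} matched {a['feed']}")
```

With the constructed data, 10.0.0.5 is flagged for its connection to 203.0.113.7:443 and 10.0.0.9 for 198.51.100.77:80; the flow to 192.0.2.44 on port 22 does not match because that indicator is scoped to port 8080, and the inbound flow from 203.0.113.7 is ignored. The alert carries the feed name so an analyst can weigh the source when confirming the hit.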

Automating and simplifying audit preparation. If you've ever had the privilege of preparing for a compliance audit, you know it can be a hugely labor-intensive project.  The good news is that Security Intelligence solutions have now automated much of the manual data gathering.  Some even provide hundreds of pre-defined report templates, covering compliance mandates like PCI DSS, HIPAA, Sarbanes-Oxley, NERC and others, that automatically pull the necessary data from all relevant sources and present it in a useful format.  Take PCI DSS, for example, which requires affected businesses to review their firewall and router rule sets regularly (at least every six months).  One Fortune 200 retailer was spending half a person-day per device to review and document its firewall configurations (and remediate any weaknesses found).  Multiply this by the hundreds to thousands of devices they use, and it's clear that the Security Intelligence solution they deployed to automate this work delivered a great deal of value, virtually overnight.

Ultimately the strongest proof is the voice of a customer, and here's what Matt Klaus of Genworth Financial shared in a case study webinar:

“We do a monthly summary of all our data.  Right now that’s a manual process.  We go into each tool distinctly and we pull out what we need to pull out.  We’re in the process of automating that with our production instance of Q1 Labs [QRadar]… which was one of the primary reasons we chose Q1 Labs.  That will cut our time from about five days down to about one, if not less.  It drastically reduces the time that we need to kick off an investigation of something serious, where time is really critical.”

“Q1 Labs for us has been a huge time saver.  Its implementation was quick and easy, and we’re definitely seeing some added benefit, [even] as new a customer as we are.”

Welcome to the new generation of IT security: Security Intelligence.  We think you’ll be pleasantly surprised!
