How Quickly Can You Realize ROI on Your Security Intelligence Deployment?

This is part 5 of an ongoing series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”

You know what Security Intelligence is, how it’s innovative, what it can deliver, and what kind of expertise you need.  Now you’re eager to realize some of those benefits.  How quickly can you expect to see a return?  The answer is: much faster than you think.

SIEM is the anchor tenant of Security Intelligence (Gartner agrees), and let’s be honest – SIEM hasn’t always had a sterling reputation in the information security world.  Many SIEM products are poorly designed, ill-suited to scale, or comprised of non-integrated components that lead to headaches.  Bottom line: many SIEMs are a pain to configure and manage – which makes rapid ROI tough to achieve.

Today’s Security Intelligence solutions learned from the mistakes of the past and are delivering value in days.  Here’s how:

Fast installation. The better Security Intelligence offerings have removed significant complexity and time from the installation process by delivering fully packaged appliances with the operating system, database and security intelligence software pre-installed.  That way, customers avoid the delays associated with server provisioning and application installation and set-up.

Out-of-the-box rules and reports. Unlike first-gen SIEM products that were merely frameworks, modern Security Intelligence solutions ship with extensive out-of-the-box rules, report templates, dashboards and searches to get users up and running fast.  This has a huge impact not only on time to value, but also on the implementation cost of a solution.

Identifying risks immediately. Once a modern Security Intelligence solution goes live in a customer’s environment, it often finds critical risks in the first few hours.  Here are some common examples based on Q1 Labs’ field experience:

  • Botnet infections. Although many security technologies struggle to detect this type of malware, SI solutions often find botnets as soon as they start receiving network telemetry.  The best solutions provide out-of-the-box integration with outside intelligence sources, such as lists of known botnet command-and-control (C&C) servers.  They then analyze flow and event data, and if they see a hit to a server on that list, they know an infection exists somewhere internally.  The infection can sometimes be found with log data alone, but usually it is only found with Layer 7 flow data.  Most SIEM and Security Intelligence solutions today don’t offer pre-packaged integration with outside intelligence sources to monitor bad IP addresses, so if this is important to you, make sure that your solution does.
  • Network misconfigurations causing security risks. True Security Intelligence solutions provide both post-exploit and pre-exploit capabilities, the latter of which can detect significant security misconfigurations before assets are compromised.  For example, one retail organization’s Security Intelligence solution found an open port on its network perimeter, which affected systems with vulnerabilities that could have allowed compromise of all its store locations.  This risk was discovered the same day the solution was deployed.
  • Devices accidentally scanning the Internet. Q1 Labs has sometimes found misconfigurations with antivirus update servers, causing them to attempt to update the entire Internet with AV signatures rather than just scanning and updating internal servers.  Ironically, the AV update server itself often becomes badly outdated – because it’s trying to update millions of systems in the public Internet before it ever reaches its own IP address to perform updates.  (Unlikely as this sounds, it happens more often than you’d think.)
  • Network misconfigurations causing inefficiencies. Sometimes the customer has other devices misconfigured, causing them to probe the internal network and leading the Security Intelligence solution to identify this activity as a security risk.  In this case, the Security Intelligence solution provides ancillary operational benefits by highlighting such misconfigurations.

Automating and simplifying audit preparation. If you’ve ever had the privilege of preparing for a compliance audit, you know it can be a hugely labor-intensive project.  The good news is that Security Intelligence solutions have now automated much of the manual data gathering.  Some even provide hundreds of pre-defined report templates – covering compliance mandates like PCI DSS, HIPAA, Sarbanes-Oxley, NERC and others – that automatically pull the necessary data from all relevant sources, and present it in a useful format.  Take PCI, for example, which requires affected businesses to perform regular auditing of firewall rules.  One Fortune 200 retailer was spending one half of a person-day per device to review and document its firewall configurations (and remediate any vulnerabilities).  Multiply this by the hundreds to thousands of devices they use, and it’s clear that the Security Intelligence solution they deployed to automate this work delivered a great deal of value, virtually overnight.

Ultimately the strongest proof is the voice of a customer, and here’s what Matt Klaus of Genworth Financial shared in this case study webinar:

“We do a monthly summary of all our data.  Right now that’s a manual process.  We go into each tool distinctly and we pull out what we need to pull out.  We’re in the process of automating that with our production instance of Q1 Labs [QRadar]… which was one of the primary reasons we chose Q1 Labs.  That will cut our time from about five days down to about one, if not less.  It drastically reduces the time that we need to kick off an investigation of something serious, where time is really critical.”

“Q1 Labs for us has been a huge time saver.  Its implementation was quick and easy, and we’re definitely seeing some added benefit, [even] as new a customer as we are.”

Welcome to the new generation of IT security: Security Intelligence.  We think you’ll be pleasantly surprised!
