As organizations modernize their IT infrastructure and increase adoption of cloud services, security teams face new challenges in terms of staffing, budgets and technologies. To keep pace, security programs must evolve to secure modern IT environments against fast-evolving threats with constrained resources. This will require rethinking traditional security strategies and focusing investments on capabilities like cloud security, AI-powered defense and skills development. The path forward calls on security teams to be agile, innovative and strategic amidst the changes in technology and cyber risks.
To meet these security demands, security teams must focus on three critical transformations:
- Evolution from closed vendor ecosystems to open, collaborative, community-powered defense
- Scaling security expertise with AI and automation
- Evolution from tool-focused defense to analyst-powered outcomes
One of the most effective steps toward modernizing a security operations program is upgrading the core SIEM platform. As the central nervous system for SOC teams, the SIEM collects, correlates and analyzes data from across the IT environment to detect threats. Optimizing this capability by implementing a cloud-native SIEM or augmenting an on-premises system lays the digital foundation needed to scale security efforts.
With a high-fidelity view of security alerts and events via an upgraded SIEM, organizations gain the visibility and context required to identify and respond to cyber risks no matter the source. Prioritizing improvements here accelerates the transformation of siloed security practices into an integrated, intelligence-driven function poised to address both current and emerging challenges.
Open defense: Finding the real “threat needles” hidden in the “security-data haystack”
The explosion of data has increased the attack surface—a most significant side effect that has costly ripple effects. More data. More alerts. More time needed to sift through alerts.
The SIEM plays a critical role in analyzing this data—however, the reality of sending this volume of data to the SIEM for analysis is becoming increasingly challenging, particularly across multiple clouds. In some cases, sending all of the data is not necessary. With the evolution of cloud, and identity and data security tools in the cloud, there is often only a need to collect alerts from these systems and import those into the SIEM, as opposed to ingesting all data.
Today’s SIEMs should be designed around open standards and technologies so they can easily collect only key insights, while still providing the security team with access to the underlying telemetry data when needed.
In many cases, no such detection is required; in other cases, a security team only needs to collect data to do further specific threat analysis. In these cases, a SIEM with real-time data collection, data warehousing capabilities designed for analysis of cloud-scale data, optimized for real-time analytics and sub-second search times is the solution. Organizations need access to their data on-premises and in the cloud without dealing with vendor and data locking.
This open approach to SIEM helps organizations leverage existing investments in data lakes, logging platforms and detection technologies. It also ensures that organizations have the flexibility they need to choose the right data retention and security tools as their security infrastructure matures.
However, increased visibility into the data is only one part of the solution. Security teams need accurate and current detection logic to find threats because security teams are currently facing challenges in their skills to detect threats in a timely manner. Incorporating regularly updated threat intelligence enables the analyst to accelerate their threat detection. And, leveraging a common, shared language for detection rules like SIGMA, allows clients to quickly import new, validated detections directly crowdsourced from the security community as threats evolve.
AI and automation to accelerate threat detection and response
Most organizations are detecting malicious behaviors in a SIEM or other threat-detection technologies such as EDR, but in fact, SOC professionals get to less than half (49%) of the alerts that they’re supposed to review within a typical workday, according to a recent global survey. Leveraging automation and AI ensures transparency and provenance in recommendations and insights that can help security teams address high-priority alerts and deliver desired outcomes.
To do this, a SIEM needs to employ innovative risk-based analytics and automated investigation powered by graph analytics, threat intelligence and insights, federated search, and artificial intelligence. Effective SIEM platforms must leverage artificial intelligence to augment human cognition. Self-tuning capabilities reduce noisy alerts to focus analyst attention where it’s needed most. Virtual assistance can help handle routine triage to allow security experts to pursue strategic initiatives and robust machine learning models can uncover hidden attack patterns and incidents that rules-based systems miss. Some of the most advanced SIEMs enrich and correlate findings from across an organization’s environment so analytics are automatically focused on the attacks that matter most.
In order to build the required trust with security teams, a SIEM needs to provide transparency and provenance in its recommendations and insights. By including explainability into how each assessment was made, security analysts can have the confidence to trust recommendations and act more quickly and decisively on threats in their environment.
Another aspect vendors need to consider when developing a SIEM for today is the shift of moving the decisions and response actions to the analysts performing initial alert analysis from the responder. In many cases, they are looking to fully automate where balance of risk is right for the organization. Such processes and decisions are traditionally coordinated and tailored appropriately in a separate SOAR system, and in some cases with a different team. Today’s SIEM needs to be able to enable a more agile shift left to incorporate full SOAR capabilities in the SIEM workflow and UX. This approach enables organizations to almost fully automate response processes based on their balance of risk and, where needed, introduce the security team into the process to verify the recommended actions.
Evolving from tool-focused to analyst-focused defense
Early SIEM platforms centered on collecting and correlating vast streams of security data. These first-generation systems excelled at log aggregation but overloaded analysts with excessive alerts rife with false positives. Attempting to keep pace, teams added new tools to manage incidents, track threats and automate tasks. But this tech-driven approach created complex, fragmented environments that diminished productivity.
Modern SIEM solutions shift focus to the human analyst’s experience throughout the threat lifecycle. Rather than produce more data points, next-generation platforms leverage AI to find signals in the noise. Cloud-based analytics uncover hard-to-identify attack patterns to feed predictive capabilities and enrich findings from across an organization’s environment so analysts can focus on the attacks that matter most. To effectively work inside the analyst workflow, open architectures and integrated system visibility must be embedded in every SIEM.
In the instance of a modern SIEM, the tools and technologies work to serve the analyst—and not the other way around.
Introducing the new cloud-native IBM QRadar SIEM— thoughtfully engineered to help analysts succeed
At IBM, we recognize that having the most powerful technology means nothing if it burdens the analyst with complexity. We also recognize that SIEM technologies have often promised to be the “single pane of glass” into an organization’s environment—a promise that our industry needs fulfilled.
That’s why we built the new cloud-native QRadar SIEM with the analyst in mind. QRadar SIEM leverages a new user interface that fuses the primary workflows from threat intelligence, SIEM, SOAR and EDR into a single, seamless workflow. Not only does this deliver significant productivity improvements but it also removes the burden of switching between tools, dealing with false positives and inefficient workflows. When analysts have the right tools and context, they can move with speed and precision to stop sophisticated attacks.
This new cloud-native edition of QRadar SIEM not only builds on the data collection and threat detection of the current QRadar SIEM edition, but it also includes all the elasticity, scalability and resiliency properties of a cloud-native architecture. With openness, enterprise-grade AI and automation, and a focus on the analyst, QRadar SIEM (Cloud-Native SaaS) can help maximize your security team’s time and talent, ultimately delivering better security outcomes.
Explore the new cloud-native QRadar SIEM
VP, Product Management, IBM Security