Co-authored by Matt Carle.

There’s nothing like a little real-world input to help security technology providers focus on the problems their clients face. Matt Carle and Chris Collard, offering managers for IBM Security, exchanged thoughts after a recent trade show appearance. The two experts discussed audience reactions to material they presented on security analytics and intelligence. What follows is a basic overview of what they heard and learned.

Two Experts Discuss Security Intelligence

Chris: Matt, we’ve spoken a lot this week about the ever-changing threat and security intelligence landscape. How do you weigh the feedback we’ve obtained, and what new things are you planning to stay ahead of these trends?

Matt: Obviously, as clients have confirmed, there is definitely a shift underway with more and more businesses willing to dip their toes into cloud-delivered security solutions. They want more deployment options and additional flexibility to include hybrid and cloud options.

What we clearly heard was that many companies are adopting widely dispersed deployments. They have both physical and virtual installations, and they are moving more and more to SaaS. One critical feature required for these deployments is multitenant management. SOC administrators, MSS providers and managers of geographically diverse deployments all need the ability to manage installations centrally. It’s critical.

Chris: No doubt. Inside any shared infrastructure, you absolutely need the ability to intelligently manage and effectively control how individual tenants can impact the performance of the overall system. This goes for larger deployments with many satellite offices and deployments where infrastructure is shared among multiple tenants.

Integration and Interoperability

Matt: The other big trend we heard is the need for interoperability.

Chris: And by that you mean how well one solution talks to or integrates with other solutions — the idea of open APIs.

Matt: Bingo. Our clients and partners absolutely require the ability to integrate all log, device and security intelligence sources into a unified view of their threat landscape. Even though we support 400-plus integrations out-of-the-box, there’s always that one additional that is required.

Chris: Yeah, that’s really important. Often the kind of skills necessary to integrate these sources doesn’t directly relate to the core mission. Making these integrations easy allows clients to stay focused on monitoring the environment and using the information, as opposed to just collecting and storing it for reporting purposes.

Matt: Exactly. It’s really a question of where you want to — and, more importantly, where you need to — spend the bulk of your time: adding new data sources or scouring those data sources for anomalies and threats?

Shooting for the Clouds

Matt: We also heard several questions about QRadar on Cloud. How are you addressing the cloud?

Chris: It is a big focus area. It’s an exciting time to be a cloud provider. We’re seeing an incredible amount of interest and some very specific questions about how to move full production workloads into the cloud.

Matt: As opposed to primarily test or development workloads?

Chris: Yes. More and more organizations are moving their application stacks out of their own facilities and moving bigger parts of these workloads into the cloud. The establishment of secure transmission, storage and other cloud standards means that it’s now a question of how much of your workload you want to move to the cloud, not if. We have seen this in the field and have research that has identified client drivers and the kinds of immediate benefits that clients can expect from moving to a SaaS platform.

Matt: And where does this end? With all workloads exclusively in the cloud?

Chris: I don’t think so. While there is certainly a growing trend towards cloud migration, this migration won’t be overnight. It won’t be a light switch moment for all companies. The need for on-premises labs and data facilities will remain well into the foreseeable future. Coming back to the point that you raised earlier, the goal is to have the widest degree of deployment options available for current and future needs, both on-premises and off.

Matt: What about geographical restrictions? How do you see those limiting growth and adoption? What are the plans for expanding beyond our current U.S., European and Latin American data centers?

Chris: I don’t really see it as a limitation per se, but more of a basic requirement. Where country or company rules dictate that client data must not leave the country, cloud offerings simply need to be able to meet these needs in-region. I really think that those with the strongest global footprint are best positioned to meet these country-specific needs.

Unlocking the Full Threat Picture

Chris: Okay. Switching gears, our session attendees expressed a lot of interest in our app store ecosystem. I am interested in your key takeaways, as this will equally benefit both on-premises and cloud clients.

Matt: Well, first off, how cool are we? I’m really excited to see all the activity and growth within the IBM Security App Exchange, in terms of both the number of downloads and the growing number of partner apps. There’s definitely a big opportunity for new apps that reach further into the business itself and integrate core business context into the platform. I would include as examples IPAM platforms, CMDBs and even identity and access management systems, all of which provide extremely valuable business insight that helps analysts during investigations and augments the core detection and analytics capabilities of the platform.

Chris: Very cool. I would love to see more of the kinds of intelligence that can be gleaned from existing system configuration data. It’s really critical to unlocking the full threat picture. Often it’s only by mapping and correlating these complex data streams into trends that you can detect what the naked eye would otherwise miss.

One last thing: If you have not yet had a chance, download and check out the “Guidebook on IBM QRadar on Cloud” from Nucleus Research. It provides an excellent set of use cases and success stories based on a number of real-world security intelligence and analytics SaaS deployments. You can also hear the author of the research report, Seth Lippincott, discuss his findings in the exclusive on-demand webinar, “How Moving Security to the Cloud Can Help you Keep Pace with the Dynamic Threat Environment.”
