Security Intelligence and Analytics: A Look Forward

Co-authored by Matt Carle.

There’s nothing like a little real-world input to help security technology providers focus on the problems their clients face. Matt Carle and Chris Collard, offering managers for IBM Security, exchanged thoughts after a recent trade show appearance. The two experts discussed audience reactions to material they presented on security analytics and intelligence. What follows is a basic overview of what they heard and learned.

Two Experts Discuss Security Intelligence

Chris: Matt, we’ve spoken a lot this week about the ever-changing threat and security intelligence landscape. How do you weigh the feedback we’ve obtained, and what new things are you planning to stay ahead of these trends?

Matt: Obviously, as clients have confirmed, there is definitely a shift underway with more and more businesses willing to dip their toes into cloud-delivered security solutions. They want more deployment options and additional flexibility to include hybrid and cloud options.

What we clearly heard was that many companies are adopting widely dispersed deployments. They have both physical and virtual installations and they are moving more and more to SaaS. One critical feature required for these deployments is multitenant management. SOC administrators, MSS providers and managers of geographically diverse deployments all need the ability to manage installations centrally. It’s critical.

Chris: No doubt. Inside any shared infrastructure, you absolutely need the ability to intelligently manage and effectively control how individual tenants can impact the performance of the overall system. This goes for larger deployments with many satellite offices and deployments where infrastructure is shared among multiple tenants.

Integration and Interoperability

Matt: The other big trend we heard is the need for interoperability.

Chris: And by that you mean how well one solution talks to or integrates with other solutions — the idea of open APIs.

Matt: Bingo. Our clients and partners absolutely require the ability to integrate all log, device and security intelligence sources into a unified view of their threat landscape. Even though we support 400-plus integrations out-of-the-box, there’s always that one additional that is required.

Chris: Yeah, that’s really important. Often the kind of skills necessary to integrate these sources doesn’t directly relate to the core mission. Making these integrations easy allows clients to stay focused on monitoring the environment and using the information, as opposed to just collecting and storing it for reporting purposes.

Matt: Exactly. It’s really a question of where you want to — and, more importantly, where you need to — spend the bulk of your time: adding new data sources or scouring those data sources for anomalies and threats?

Shooting for the Clouds

Matt: We also heard several questions about QRadar on Cloud. How are you addressing the cloud?

Chris: It is a big focus area. It’s an exciting time to be a cloud provider. We’re seeing an incredible amount of interest and some very specific questions about how to move full production workloads into the cloud.

Matt: As opposed to primarily test or development workloads?

Chris: Yes. More and more organizations are moving their application stacks out of their own facilities and moving bigger parts of these workloads into the cloud. The establishment of secure transmission, storage and other cloud standards means that it’s now a question of how much of your workload you want to move to the cloud, not if. We have seen this in the field and have research that has identified client drivers and the kinds of immediate benefits that clients can expect from moving to a SaaS platform.

Matt: And where does this end? With all workloads exclusively in the cloud?

Chris: I don’t think so. While there is certainly a growing trend towards cloud migration, this migration won’t be overnight. It won’t be a light switch moment for all companies. The need for on-premises labs and data facilities will remain well into the foreseeable future. Coming back to the point that you raised earlier, the goal is to have the widest degree of deployment options available for current and future needs, both on-premises and off.

Matt: What about geographical restrictions? How do you see those limiting growth and adoption? What are the plans for expanding beyond our current U.S., European and Latin American data centers?

Chris: I don’t really see it as a limitation per se, but more of a basic requirement. Where country or company rules dictate that client data must not leave the country, cloud offerings simply need to be able to meet these needs in-region. I really think that those with the strongest global footprint are best positioned to meet these country-specific needs.

Unlocking the Full Threat Picture

Chris: Okay. Switching gears, our session attendees expressed a lot of interest in our app store ecosystem. I am interested in your key takeaways, as this will equally benefit both on-premises and cloud clients.

Matt: Well, first off, how cool are we? I’m really excited to see all the activity and growth within the IBM Security App Exchange, in terms of both the number of downloads and the growing number of partner apps. There’s definitely a big opportunity for new apps that reach further into the business itself and integrate core business context into the platform. I would include as examples IPAM platforms, CMDBs and even identity and access management systems, all of which provide extremely valuable business insight that helps analysts during investigations and augments the core detection and analytics capabilities of the platform.

Chris: Very cool. I would love to see more of the kinds of intelligence that can be gleaned from existing system configuration data. It’s really critical to unlocking the full threat picture. Often it’s only by mapping and correlating these complex data streams into trends that you can detect what the naked eye would otherwise miss.

One last thing: If you have not yet had a chance, download and check out the “Guidebook on IBM QRadar on Cloud” from Nucleus Research. It provides an excellent set of use cases and success stories based on a number of real-world security intelligence and analytics SaaS deployments. You can also hear the author of the research report, Seth Lippincott, discuss his findings in the exclusive on-demand webinar, “How Moving Security to the Cloud Can Help you Keep Pace with the Dynamic Threat Environment.”

Chris Collard

Offering Manager for QRadar SaaS, Cloud and MSS, IBM

Chris is an information security professional with over 15 years of experience managing information systems and services. He is a Certified Information Systems Security Professional (CISSP) and holds a Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance.