© 2017 FORRESTER. REPRODUCTION PROHIBITED.
How to Improve Threat Detection and Simplify Security Operations
Joseph Blankenship, Senior Analyst
May 8, 2017
We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
Agenda
› Faster Detection And Response Is A Priority
› Better Monitoring And Detection
› Solving The People Problem
› Augmenting Security With Intelligent Automation
› Wrap-Up
Faster Detection And Response Is A Priority
Security Monitoring Continues To Be A Priority
› Current monitoring solutions are not delivering
• 96% of enterprises cite improving security monitoring to be a top priority
Source: Forrester Business Technographics Global Security 2016
53% of firms were breached in the past 12 months.
44% of Enterprise Firms Suffered 2+ Breaches in 2016
We Spend A Lot Of Time Doing The Little Things
› Security teams spend too much time on day-to-day tasks
• 65% of enterprises state that tactical activities taking up too much time is a challenge
Source: Forrester Business Technographics Global Security 2016
Security Analysis Is A Manual Activity
Source: Forrester’s Security Operations Center (SOC) Staffing
Too Many Alerts / Too Few Analysts
Source: Forrester’s Security Operations Center (SOC) Staffing
Alert Handling Is Broken
The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today.
Source: Forrester’s “Rules of Engagement: A Call to Action to Automate Breach Response” report.
Better Monitoring And Detection
We Need A New Set Of Tools
› Effective security analytics tools:
• Use data science to detect anomalous behavior
• Utilize internal and external threat intelligence
• Examine historical data
• Detect data exfiltration
• Provide increased security context for responders
• Enable investigations and response
Security Analytics Enables Better Detection
Source: Forrester’s Vendor Landscape: Security Analytics (SA)
Evolution of Security Analytics
(Figure axis: sophistication, volume, velocity and complexity increase across the three eras, left to right.)
› Perimeter Defense, 1995 – 2000 (SEM)
• Focus on network security
• Event filtering and basic correlation
• Log management and retention
• Events per second: <5,000
• Storage: gigabytes
• Manual breach response
• High false positive rate, limited scalability
› Compliance, 2005 – 2014 (SIM)
• Reporting
• Information sources: various log formats (still log focused)
• Advanced correlation
• Signature-based alerting
• Increasing devices: >1,000
• Events per second: >10,000
• Storage: terabytes
• Focus on threat detection and response; breach response still slow, highly dependent on security analyst skills
› Enterprise Security Intelligence, 2014+ (Security Analytics)
• Log management
• Feeds from applications, databases, endpoints
• Threat detection
• More robust IAM integration
• Advanced analytics with additional security context
• User and network behavior
• Feeds from additional sources: multiple log sources, NetFlow, reputation data, threat intelligence feeds
• Huge number of devices: >5,000
• Events per second: >100,000
• Storage: petabytes – Big Data infrastructure
• Near real-time breach response, same day remediation
Forrester Wave: Security Analytics Q1 2017
› Focused on 11 top security analytics vendors
› Criteria evaluated include:
• Data sources supported
• Threat and malicious behavior detection
• Use of threat intelligence
• Dashboards, reporting, and visibility
• User experience and customer satisfaction
• Workflow and automation
• Strategy and roadmap
Source: Forrester’s The Forrester Wave™: Security Analytics Platforms, Q1 2017 report
Solving The People Problem
Security Staffing Remains A Top Concern
› Security teams are understaffed
• 62% of enterprises report not having enough security staff
Source: Forrester Business Technographics Global Security 2016
Image: www.flickr.com/photos/dt10111/2901811351
Finding Skilled Security Staff Is Also A Challenge
› 65% of enterprises state finding employees with the right skills is a challenge
Source: Forrester Business Technographics Global Security 2016
Image: www.flickr.com/photos/dt10111/2901811351
Solving The People Problem
› It’s time to face facts:
• We can’t train and recruit enough security staff to fill the need
• Our current teams are stretched thin
› Solving the people problem requires:
• Guided investigation
• Process orchestration
• Increased intelligence
• Automation
Augmenting Security With Intelligent Automation
#1 SOC Productivity Tool
Analysts Also Swivel Chair Between Tools
Automation Isn’t A Four Letter Word
› Historically, security pros have shied away from automation
• Risk of stopping legitimate traffic or disrupting business
• Need for human analyst to research and make decisions
› Other aspects of business have automated for years
• Security is playing catch-up
› Automation tools can increase efficiency and productivity
• Elevate less experienced analysts
• Free analyst time
• React faster
Add Intelligence To Security
› Intelligent tools provide analysts with:
• Additional context
• Guided investigations
• Recommended actions
› Security teams benefit from:
• Better decisions
• Faster investigations
• Consistent processes
Wrap-Up
› Security teams lack the speed and agility to stop breaches
• Inadequate tools and slow, manual processes impede progress
› We have to address the people problem
• Security automation and orchestration tools augment human analysts
› Security analytics is enabling increased automation
• Faster, better decision making makes automated actions possible
FORRESTER.COM
Thank you
Joseph Blankenship
www.forrester.com/Joseph-Blankenship
@infosec_jb
IBM QRadar: The story of a security analytics platform
Patrick Vandenberg
Program Director, IBM Security
@ptvandenberg
30 IBM Security
The next era of security
› PERIMETER CONTROLS: Deploy static defenses to guard or limit the flow of data, including firewalls, antivirus software and web gateways
› INTELLIGENCE, INTEGRATION, and ORCHESTRATION: Leverage analytics to collect and make sense of massive amounts of real-time data flow, prioritize events, and detect high-risk threats in real-time
› COGNITIVE, CLOUD, and COLLABORATION: Interpret, learn and process shared security intelligence that is designed by and for humans, at a speed and scale like never before
The need: coordinated foundational Security Operations capabilities
› THREAT INTELLIGENCE: External data feeds on malicious entities
› THREAT HUNTING: Searching, cyber investigations
› SECURITY ANALYTICS: Aggregation, automated detection, and use cases
› INCIDENT RESPONSE: Orchestrated security response
IBM QRadar – An integrated ‘Above SIEM’ solution for the SOC
› BELOW THE SIEM: Event Correlation and Log Management
› SIEM LAYER: IBM QRadar Security Intelligence
› ABOVE THE SIEM (New Security Operations Tools): Incident Response Orchestration, Cognitive Security, Threat Intelligence, Hunting, User and Entity Behavior
› IBM Security App Exchange
IBM QRadar – Client inspired innovation
(Figure: platform evolution based on client needs, timeline 2013 – 2017.)
› Cognitive Security: Innovative cognitive solution to address SOC workload and skill shortages, deployed quickly and easily from the App Exchange
› User Behavior Analytics: Easily and quickly deployed solution for insider threats, available from the App Exchange, delivering insights and value in minutes
› Incident Response: Build and execute automated incident response plans
› App Exchange and Ecosystem: Open collaborative app exchange and platform enabling easily deployable secure apps on QRadar, fast-tracking security operations rollout and delivering real agility
› QRadar on Cloud: Flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications
› Network Forensics (CyberTap): Incident forensics and packet captures
› Vulnerability and Risk Management: Real-time vulnerability scanning and threat-based prioritization
We have integrated Watson for Cyber Security with IBM QRadar to accelerate Cognitive Security for our clients
› Inputs: internal security events and incidents (IBM QRadar Security Intelligence Platform) and external security knowledge (Watson for Cyber Security)
› "Send to Watson for Security": QRadar sends Watson a pre-analyzed security incident
› Watson automatically provides a response back to the security analyst on the probability of threat and best practices, resulting in substantial time savings
A cognitive security operations platform for tomorrow’s threats
› Use cases: Advanced Threat Detection, Insider Threat, Securing the Cloud, Risk and Vuln Management, Critical Data Protection, Compliance, Incident Response
Fast to deploy, easy to manage, and focused on your success
ibm.com/security
securityintelligence.com
xforce.ibmcloud.com
@ibmsecurity
youtube/user/ibmsecuritysolutions
© Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others.
Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
FOLLOW US ON:
THANK YOU