
How to Improve Threat Detection & Simplify Security Operations


Over 74% of global enterprise security professionals rate improving security monitoring as a top priority. Monitoring must be done efficiently within a security operations center (SOC) to combat increased threats and a limited supply of trained security analysts.

While the vendor landscape for security solutions is rapidly evolving, many early point solutions and first-generation SIEMs are not keeping pace with the changing needs of security operations. A new class of platforms has emerged that combines advanced analytics with flexible deployment options. Join this exclusive webinar featuring Forrester Research to learn:

  • Characteristics of modern security platforms that have evolved from point solutions and basic SIEMs
  • Criteria to consider when evaluating vendors and solutions
  • The advantages of an integrated security platform that incorporates cognitive capabilities and augmented intelligence



  1. © 2017 FORRESTER. REPRODUCTION PROHIBITED.
  2. How to Improve Threat Detection and Simplify Security Operations. Joseph Blankenship, Senior Analyst. May 8, 2017.
  3. We work with business and technology leaders to develop customer-obsessed strategies that drive growth.
  4. Agenda
     › Faster Detection And Response Is A Priority
     › Better Monitoring And Detection
     › Solving The People Problem
     › Augmenting Security With Intelligent Automation
     › Wrap-Up
  5. Faster Detection And Response Is A Priority
  6. Security Monitoring Continues To Be A Priority
     › Current monitoring solutions are not delivering
       • 96% of enterprises cite improving security monitoring as a top priority
     Source: Forrester Business Technographics Global Security 2016
  7. 53% of firms were breached in the past 12 months. 44% of enterprise firms suffered 2+ breaches in 2016.
  8. We Spend A Lot Of Time Doing The Little Things
     › Security teams spend too much time on day-to-day tasks
       • 65% of enterprises state that tactical activities taking up too much time is a challenge
     Source: Forrester Business Technographics Global Security 2016
  9. Security Analysis Is A Manual Activity. Source: Forrester's Security Operations Center (SOC) Staffing
  10. Too Many Alerts / Too Few Analysts. Source: Forrester's Security Operations Center (SOC) Staffing
  11. Alert Handling Is Broken
  12. The lack of speed and agility when responding to a suspected data breach is the most significant issue facing security teams today. Source: Forrester's "Rules of Engagement: A Call to Action to Automate Breach Response" report.
  13. Better Monitoring And Detection
  14. We Need A New Set Of Tools
     › Effective security analytics tools:
       • Use data science to detect anomalous behavior
       • Utilize internal and external threat intelligence
       • Examine historical data
       • Detect data exfiltration
       • Provide increased security context for responders
       • Enable investigations and response
  15. Security Analytics Enables Better Detection. Source: Forrester's Vendor Landscape: Security Analytics (SA)
  16. Evolution of Security Analytics (sophistication, volume, velocity and complexity increase from left to right)
     › Perimeter Defense, 1995 – 2000 (SEM)
       • Focus on network security
       • Event filtering and basic correlation
       • Log management and retention
       • Events per second: <5,000
       • Storage: gigabytes
       • Manual breach response
       • High false positive rate, limited scalability
     › Compliance, 2005 – 2014 (SIM)
       • Reporting
       • Information sources: various log formats (still log focused)
       • Advanced correlation
       • Signature-based alerting
       • Increasing devices: >1,000
       • Events per second: >10,000
       • Storage: terabytes
       • Focus on threat detection and response; breach response still slow, highly dependent on security analyst skills
     › Enterprise Security Intelligence, 2014+ (Security Analytics)
       • Log management
       • Feeds from applications, databases, endpoints
       • Threat detection
       • More robust IAM integration
       • Advanced analytics with additional security context
       • User and network behavior
       • Feeds from additional sources: multiple log sources, NetFlow, reputation data, threat intelligence feeds
       • Huge number of devices: >5,000
       • Events per second: >100,000
       • Storage: petabytes (Big Data infrastructure)
       • Near real-time breach response, same-day remediation
  17. Forrester Wave: Security Analytics Q1 2017
     › Focused on 11 top security analytics vendors
     › Criteria evaluated include:
       • Data sources supported
       • Threat and malicious behavior detection
       • Use of threat intelligence
       • Dashboards, reporting, and visibility
       • User experience and customer satisfaction
       • Workflow and automation
       • Strategy and roadmap
     Source: The Forrester Wave™: Security Analytics Platforms, Q1 2017 report
  18. Solving The People Problem
  19. Security Staffing Remains A Top Concern
     › Security teams are understaffed
       • 62% of enterprises report not having enough security staff
     Source: Forrester Business Technographics Global Security 2016. Image: www.flickr.com/photos/dt10111/2901811351
  20. Finding Skilled Security Staff Is Also A Challenge
       • 65% of enterprises state finding employees with the right skills is a challenge
     Source: Forrester Business Technographics Global Security 2016. Image: www.flickr.com/photos/dt10111/2901811351
  21. Solving The People Problem
     › It's time to face facts:
       • We can't train and recruit enough security staff to fill the need
       • Our current teams are stretched thin
     › Solving the people problem requires:
       • Guided investigation
       • Process orchestration
       • Increased intelligence
       • Automation
  22. Augmenting Security With Intelligent Automation
  23. #1 SOC Productivity Tool
  24. Analysts Also Swivel Chair Between Tools
  25. Automation Isn't A Four Letter Word
     › Historically, security pros have shied away from automation
       • Risk of stopping legitimate traffic or disrupting business
       • Need for a human analyst to research and make decisions
     › Other aspects of the business have been automated for years
       • Security is playing catch-up
     › Automation tools can increase efficiency and productivity
       • Elevate less experienced analysts
       • Free analyst time
       • React faster
  26. Add Intelligence To Security
     › Intelligent tools provide analysts with:
       • Additional context
       • Guided investigations
       • Recommended actions
     › Security teams benefit from:
       • Better decisions
       • Faster investigations
       • Consistent processes
  27. Wrap-Up
     › Security teams lack the speed and agility to stop breaches
       • Inadequate tools and slow, manual processes impede progress
     › We have to address the people problem
       • Security automation and orchestration tools augment human analysts
     › Security analytics is enabling increased automation
       • Faster, better decision making makes automated actions possible
  28. FORRESTER.COM. Thank you. Joseph Blankenship, www.forrester.com/Joseph-Blankenship, @infosec_jb
  29. IBM QRadar: The story of a security analytics platform. Patrick Vandenberg, Program Director, IBM Security, @ptvandenberg
  30. IBM Security. The next era of security
     › PERIMETER CONTROLS: Deploy static defenses to guard or limit the flow of data, including firewalls, antivirus software and web gateways
     › INTELLIGENCE, INTEGRATION, and ORCHESTRATION: Leverage analytics to collect and make sense of massive amounts of real-time data flow, prioritize events, and detect high-risk threats in real time
     › COGNITIVE, CLOUD, and COLLABORATION: Interpret, learn and process shared security intelligence that is designed by and for humans, at a speed and scale like never before
  31. The need: coordinated foundational Security Operations capabilities
     › THREAT INTELLIGENCE: External data feeds on malicious entities
     › THREAT HUNTING: Searching cyber investigations
     › SECURITY ANALYTICS: Aggregation, automated detection, and use cases
     › INCIDENT RESPONSE: Orchestrated security response
  32. IBM QRadar – An integrated 'Above SIEM' solution for the SOC
     › Above the SIEM (new security operations tools): Incident Response Orchestration, Cognitive Security, Threat Intelligence, Hunting, User and Entity Behavior
     › SIEM layer: IBM QRadar Security Intelligence
     › Below the SIEM: Event Correlation and Log Management
     › IBM Security App Exchange
  33. IBM QRadar – Client inspired innovation (platform evolution based on client needs)
     › 2013 Vulnerability and Risk Management: Real-time vulnerability scanning and threat-based prioritization
     › 2014 Network Forensics (CyberTap): Incident forensics and packet captures
     › 2015 QRadar on Cloud: Flexible solution that can deploy as either a true SaaS offering or combine with hybrid cloud environments to improve visibility into cloud-based applications
     › 2015 App Exchange and Ecosystem: Open, collaborative app exchange and platform enabling easily deployable secure apps on QRadar, fast-tracking security operations rollout and delivering real agility
     › 2016 User Behavior Analytics: Easily and quickly deployed solution for insider threats, available from the App Exchange, delivering insights and value in minutes
     › 2016 Incident Response: Build and execute automated incident response plans
     › 2017 Cognitive Security: Innovative cognitive solution to address SOC workload and skill shortages, deployed quickly and easily from the App Exchange
  34. We have integrated Watson for Cyber Security with IBM QRadar to accelerate Cognitive Security for our clients
     › IBM QRadar Security Intelligence Platform holds internal security events and incidents; Watson for Cyber Security holds external security knowledge
     › "Send to Watson for Security": QRadar sends Watson a pre-analyzed security incident
     › Watson automatically provides a response back to the security analyst on the probability of threat and best practices, resulting in substantial time savings
  35. A cognitive security operations platform for tomorrow's threats: Advanced Threat Detection, Insider Threat, Securing the Cloud, Risk and Vulnerability Management, Critical Data Protection, Compliance, Incident Response. Fast to deploy, easy to manage, and focused on your success.
  36. THANK YOU. FOLLOW US ON: ibm.com/security, securityintelligence.com, xforce.ibmcloud.com, @ibmsecurity, youtube/user/ibmsecuritysolutions. © Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represents only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused, or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure, and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party.
