Typically, they start by deploying a tactical, tool-oriented approach, used to support forensic investigations of anomalous activity as well as after-the-fact auditing and compliance reporting.
More of my clients are now seeking to go beyond these tactical tools and adopt a more strategic, proactive, platform-oriented approach to security monitoring and analytics.
Distinguishing Between Security Monitoring Tools and Platforms
Brink referred to a report by IBM and Aberdeen Research, “The Business Value of a Security Monitoring and Analytics Platform,” which surveyed nearly 11,000 current installations of selected solutions in the security monitoring and analytics category and provides some interesting, fact-based insights into the current market adoption of tools versus platforms.
About a third of those surveyed had evolved to this so-called platform approach. A major benefit of the platform approach is that it lets your analysts be more proactive.
The Benefits of a Platform Approach
Unlike lower-level tools, a platform approach to security monitoring and analytics is distinguished by:
- Better integration of relevant data from a diverse range of sources;
- Better visibility into a rapidly changing threat landscape and an increasingly complex computing infrastructure; and
- Better analytics to help operational staff prioritise and take action on the most relevant information.
This platform approach to security monitoring and analytics delivers significant business value by dramatically reducing the time needed to identify, investigate and remediate security-related incidents. The Aberdeen Research/IBM report quantified how better integration, visibility and intelligence translated into a substantial reduction in the business impact of security incidents. Here’s the gist in the simplest terms: Twice as fast, half (or less) the risk.
Download the report: The Business Value of a Security Analytics Platform
Moving beyond SIEM
The way security teams are operating in today’s security environment presents three challenges:
The complexity of our networks, systems and applications means most organisations struggle to find the in-house capabilities and resources to keep up. Regulatory and legal requirements for demonstrating compliance represent another significant demand on limited in-house resources.
Add to these the critical skills shortage in cybersecurity in New Zealand, and it is little wonder that enterprise SOCs are seeing the need to build on the foundation of their existing SIEM platforms with additional capabilities and agility.
Ultimately, these capabilities must help to deliver value by reducing the total time needed to detect, investigate, respond and remediate security-related incidents — from the status quo of weeks and months to as short as hours and days.
Taking SIEM to the Next Level
It goes without saying that most IT teams' primary strategic focus is on running and growing their business, not on security, compliance, privacy and risk.
So whilst your team may be capable of traditional, do-it-yourself integration of on-premises security solutions using in-house resources, is it really better off doing these activities on its own? There is a growing trend of companies choosing to leverage the expertise, scale and scope of a specialised, third-party security services provider and prioritise other activities for their own staff. Regardless of how you implement — whether in-house, software-as-a-service (SaaS) or fully outsourced — what’s important is that you address these needs by taking your SIEM platform to the next level.
Either way, the platform approach to security monitoring and analytics is well-aligned with these capabilities, while a traditional, tools-based approach is not.
You may find the IBM-commissioned Forrester Consulting guide on how to conduct a Total Economic Impact™ (TEI) study useful. It examines the potential return on investment (ROI) that you could achieve by deploying IBM's QRadar Security Intelligence Platform.