For two decades, the security information and event management (SIEM) business has gone through a number of iterations in tandem with technology changes.
An amalgamation of security operations and security log management software, SIEMs brought together the best of both to offer an integrated solution for detection.
A SIEM works by collecting security-related events from multiple devices and network sources, storing them on a centralised platform, and making them available for analysis by security operations centre (SOC) analysts.
Impediments with traditional SIEMs
SIEMs brought many benefits to SOCs, since detection and response had previously been handled on disparate platforms. SIEM dashboards allow a SOC to create alerts by deploying rule-based policies over real-time and historical data.
However, most traditional SIEM solutions focussed on meeting compliance obligations rather than threat detection. Log data was prioritised over network visibility, so decisions were made too late. In addition, clients had to build complex detection rules over that log data, which did little to reduce the time it took to detect incidents. This has created enormous technical debt, and the complexity benefits the attacker.
With the rise in the deployment of cloud computing, especially hybrid and multi-cloud, the acceleration of digital transformation activities across the Asia Pacific region, and the advent of hybrid working between office and homes, organisations are only going to face a tougher time detecting, investigating and responding to cyber security threats.
In today’s multi-cloud environments, resources are being accessed by a growing number of siloed constituents – including employees, suppliers, partners, and customers – all using multiple devices from virtually anywhere. This places enormous strain on the data model of traditional log-oriented solutions.
Consider the following statistics:
- Organisations today spend hundreds of hours a week investigating suspicious alerts and yet, despite this time spent, close to 17% of alerts are missed;
- Some 60% of companies use 25 or more unique security products, with 44% engaging more than 10 vendors, according to ESG research;
- Globally, the cybersecurity workforce needs to grow 89% to effectively defend organisations' critical assets, while the global cybersecurity resource shortage stands at 3.1 million people, according to the 2020 (ISC)² Cybersecurity Workforce Study; and
- About 64% of organisations surveyed in the (ISC)² study reported a shortage of qualified personnel, while 56% felt their organisation was at risk due to skills shortages.
Exacerbating this is the reality that traditional SIEMs still operate in silos. They lack overall contextual visibility, not just what is happening, but why and how it is happening, across the entire cloud and multi-cloud infrastructure. This impedes SOCs from gaining the critical insights they need to advance business priorities while protecting the enterprise from a hostile environment. These trends are what keeps management and board members awake at night, as SOCs cannot keep pace with the rising threats that accompany digitalisation in the region. With budgets exhausted and expectations for detection increasing, clients have to consider an alternative approach.
Zero Trust SIEM systems
Many enterprises today are looking at the Zero Trust framework for building a comprehensive security programme.
Based on the concept of least privilege access, Zero Trust is about never trusting, always verifying, and always assuming that breaches can and will happen, knowingly or unknowingly. It helps organisations wrap security around every user, every device and every connection, every time.
A Zero Trust framework works because it balances risk, productivity, security and privacy in environments where workloads and risks are constantly evolving. It allows an organisation to unify and integrate security tools and to protect the most valuable assets while proactively managing threats.
That said, Zero Trust is only a framework, and organisations still need to design, customise and implement it as a workable, end-to-end solution that meets their unique needs. Doing so requires skill sets and know-how beyond even some of the largest organisations in the world.
SIEMs must pivot toward a Zero Trust analytics methodology which takes into account network orientation, asset classification, segmentation and cloud configuration, and augment this with actionable context available through intelligence sources. With sound fundamentals, SOC operators will be able to move effort and cost away from log aggregation and management, and toward better threat detection.
IBM Security QRadar SIEM benefits
This is where IBM Security's QRadar SIEM fits. It helps organisations unify SOC workflows by providing a comprehensive set of dashboards and processes designed to simplify and improve incident detection, investigation and response.
An important characteristic of this approach is the use of actionable intelligence as context for incident decision making. While the SOC gains complete visibility into its environment by collecting data from networks, servers, endpoints, cloud environments and applications, the context helps prioritise incidents based on multiple risk factors.
In addition, IBM QRadar was built for network-oriented threat detection, with advanced analytics baked in that help with detection in complex network segments.
IBM QRadar has always maintained an asset repository and establishes a network lens by incorporating firewall and switch data to understand real exposure to vulnerabilities: where the vulnerability is, who is able to reach it, and from where. This helps clients ensure that real exposure, not merely the presence of a vulnerability, is taken into account in their Zero Trust decision processes.
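To make the idea of network-aware exposure concrete, the following is an added illustration written for this page; it is not QRadar code and does not reproduce IBM's scoring model. It assumes an asset repository that records each host's zone and business classification, an ordered firewall policy with first-match-wins semantics and a default deny, hosts in the same zone reaching each other through the switch without a firewall hop, and a simple multiplicative score (CVSS x asset weight x reachability factor). All hosts, rules, vulnerability labels and weights are constructed for the example.

```python
"""Network-aware vulnerability exposure ranking (illustrative example).

Assumptions for this example: ordered firewall rules, first match wins,
default deny; same-zone hosts reach each other via the switch; score =
CVSS x asset classification weight x reachability factor.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed asset repository: host -> zone and business classification.
ASSETS = {
    "web-01": {"zone": "dmz",  "classification": "standard"},
    "pay-db": {"zone": "core", "classification": "crown_jewel"},
    "hr-app": {"zone": "corp", "classification": "sensitive"},
    "lab-vm": {"zone": "lab",  "classification": "standard"},
}
CLASS_WEIGHT = {"crown_jewel": 3.0, "sensitive": 2.0, "standard": 1.0}
REACH_FACTOR = {"internet": 1.0, "internal": 0.4, "none": 0.1}


@dataclass(frozen=True)
class Vuln:
    host: str
    port: int    # TCP port of the vulnerable service
    name: str    # constructed label, not a real CVE identifier
    cvss: float


# Constructed scanner findings.
VULNS = [
    Vuln("web-01", 443,  "tls-service-rce",    9.8),
    Vuln("pay-db", 5432, "db-auth-bypass",     9.1),
    Vuln("hr-app", 8080, "app-path-traversal", 7.5),
    Vuln("lab-vm", 22,   "ssh-weak-kex",       5.3),
    Vuln("pay-db", 22,   "ssh-weak-kex",       5.3),
]


@dataclass(frozen=True)
class Rule:
    src_zone: str          # "*" matches any source zone
    dst: str               # zone name or exact host name; "*" matches any
    port: Optional[int]    # None matches any port
    allow: bool


# Constructed firewall policy, evaluated top-down, first match wins.
RULES = [
    Rule("internet", "web-01", 443,  True),
    Rule("dmz",      "pay-db", 5432, True),
    Rule("corp",     "hr-app", 8080, True),
    Rule("corp",     "core",   22,   True),   # admin SSH into the core zone
    Rule("*",        "lab",    None, True),   # lab left wide open, from anywhere
    Rule("*",        "*",      None, False),  # explicit default deny
]


def reachable(src_zone: str, host: str, port: int,
              rules=RULES, assets=ASSETS) -> bool:
    """Can traffic from src_zone reach host:port under the policy?"""
    dst_zone = assets[host]["zone"]
    if src_zone == dst_zone:
        return True  # same segment: no firewall between them (assumption)
    for r in rules:
        if r.src_zone not in ("*", src_zone):
            continue
        if r.dst not in ("*", host, dst_zone):
            continue
        if r.port is not None and r.port != port:
            continue
        return r.allow
    return False


def exposure(v: Vuln, rules=RULES, assets=ASSETS) -> dict:
    """Classify reachability of one finding and compute its exposure score."""
    internal_zones = {a["zone"] for a in assets.values()}
    if reachable("internet", v.host, v.port, rules, assets):
        reach = "internet"
    elif any(reachable(z, v.host, v.port, rules, assets) for z in internal_zones):
        reach = "internal"
    else:
        reach = "none"
    weight = CLASS_WEIGHT[assets[v.host]["classification"]]
    score = round(v.cvss * weight * REACH_FACTOR[reach], 2)
    return {"host": v.host, "port": v.port, "vuln": v.name,
            "reach": reach, "score": score}


def rank(vulns: Iterable[Vuln] = VULNS, rules=RULES, assets=ASSETS) -> list:
    """Findings ordered by exposure score, highest first."""
    return sorted((exposure(v, rules, assets) for v in vulns),
                  key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in rank():
        print(f'{e["score"]:6.2f} {e["reach"]:8} {e["host"]}:{e["port"]} {e["vuln"]}')
```

Two things the ranking shows that a plain CVSS sort would not: the 9.1 finding on the crown-jewel database outranks the 9.8 internet-facing web flaw once asset value and its reachability from the DMZ are weighed, and the wildcard `lab` rule makes a modest 5.3 SSH weakness internet-reachable, which is exactly the kind of misconfiguration a network lens over firewall data surfaces and a log-only view misses.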
Such features helped Denmark's fourth-largest power supplier, NRGI, which, before adopting QRadar SIEM, faced an attack that took out 180 data servers and key systems for 60 hours and crippled 1,200 employees' access to critical business systems.
As a centralised monitoring system that consolidates and analyses log events from across the network, QRadar SIEM helped NRGI reduce 10,000 alerts per week, the vast majority of which were false positives, to only five significant cases per week.
QRadar SIEM also applies advanced analytics to prioritise the most critical threats, and then automatically investigates them using artificial intelligence (AI), which reduces the time between threat detection and analysis.
This advanced AI also discovers anomalies, patterns, and correlations within large data sets to predict outcomes, and supports federated searching, which does not require data to be moved.
A sample use case can be seen in the QRadar demo here.
Sri Lanka's Cargills Bank saw this benefit when it deployed IBM's QRadar Advisor with Watson in a mere week. Banks have largely relied on post-event diagnosis and response because they lack experienced SOCs, while the volume of potential incidents normally overwhelms human capacity.
With QRadar Advisor with Watson in place, Cargills' SOC received within minutes all the information it needed to conduct an investigation in a single pack, including the name of the person and the malware involved, as well as the attacker's IP address, URL and domain name, a process that would previously have taken hours.
Meanwhile, for overstressed SOCs, QRadar SIEM is a goldmine because it lets them assemble the right integrated response: the ability to create and practise incident response playbooks, automate actions, orchestrate people, processes and technology, and automate privacy notifications.
This is how IBM Security's managed security service provider partner Smarttech helped its client Dairygold Co-Operative Society in Ireland deal with its cyber threats.
Within 90 days of signing the contract with Smarttech, Dairygold had an operational security monitoring environment consolidating and analysing information feeds from the main elements of its network, including main controllers, Windows alert logs, antivirus software, and its email security platform.
Smarttech’s SOC processed 4 million events, filtering them down to 122 items that required investigation. Of those, Dairygold received 17 priority three or four incidents that the IT team needed to act on, most of which were relatively quick fixes.
“The challenges faced by today’s security professionals require a comprehensive solution that can help them contextualise advanced security threats and aid them to respond in a timely, holistic manner within a hybrid and multi-cloud environment,” said Mukul Mathur, Vice President, IBM Security, Asia Pacific & China.
“With vulnerability management in play, access to AI-powered forensic tools and an integrated incident response solution all on the same pane, IBM QRadar SIEM is that solution, one that has been validated by over 6,000 clients globally.”
To learn more about IBM's SIEM solution, QRadar, explore this free 14-day trial.