Threat Intelligence

Advanced Persistent Threat (APT), Analytics, Artificial intelligence, Big Data, Data Management, insider threats, Internet of Things (IoT), Machine Learning, Security Analytics, Security Intelligence & Analytics, Security Training, Threat Detection, Threat Intelligence, User Behavior Analytics (UBA)

Stay Ahead of the Growing Security Analytics Market With These Best Practices

As breach rates climb and threat actors continue to evolve their techniques, many IT security teams are turning to new tools in the fight against corporate cybercrime. The proliferation of internet of things (IoT) devices, network services and other technologies in the enterprise has expanded the attack surface every year and will continue to do so. This evolving landscape is prompting organizations to seek out new ways of defending critical assets and gathering threat intelligence.

The Security Analytics Market Is Poised for Massive Growth

Enter security analytics, which mixes threat intelligence with big data capabilities to help detect, analyze and mitigate targeted attacks and persistent threats from outside actors as well as those already inside corporate walls.

“It’s no longer enough to protect against outside attacks with perimeter-based cybersecurity solutions,” said Hani Mustafa, CEO and co-founder of Jazz Networks. “Cybersecurity tools that blend user behavior analytics (UBA), machine learning and data visibility will help security professionals contextualize data and demystify human behavior, allowing them to predict, prevent and protect against insider threats.”

Security analytics can also provide information about attempted breaches from outside sources. Analytics tools work together with existing network defenses and strategies and offer a deeper view into suspicious activity, which could be missed or overlooked for long periods due to the massive amount of superfluous data collected each day.

Indeed, more security teams are seeing the value of analytics as the market appears poised for massive growth. According to Global Market Insights, the security analytics market was valued at more than $2 billion in 2015, and it is estimated to grow by more than 26 percent over the coming years — exceeding $8 billion by 2023. ABI Research put that figure even higher, estimating that the need for these tools will drive the security analytics market toward a revenue of $12 billion by 2024.

Why Are Security Managers Turning to Analytics?

For most security managers, investment in analytics tools represents a way to fill the need for more real-time, actionable information that plays a role in a layered, robust security strategy. Filtering out important information from the massive amounts of data that enterprises deal with daily is a primary goal for many leaders. Businesses are using these tools for many use cases, including analyzing user behavior, examining network traffic, detecting insider threats, uncovering lost data, and reviewing user roles and permissions.

“There has been a shift in cybersecurity analytics tooling over the past several years,” said Ray McKenzie, founder and managing director of Red Beach Advisors. “Companies initially were fine with weekly or biweekly security log analytics and threat identification. This has morphed to real-time analytics and tooling to support vulnerability awareness.”

Another reason for analytics is to gain better insight into the areas that are most at risk within an IT environment. But in efforts to cull important information from a wide variety of potential threats, these tools also present challenges to the teams using them.

“The technology can also cause alert fatigue,” said Simon Whitburn, global senior vice president, cybersecurity services at Nominet. “Effective analytics tools should have the ability to reduce false positives while analyzing data in real-time to pinpoint and eradicate malicious activity quickly. At the end of the day, the key is having access to actionable threat intelligence.”

Personalization Is Paramount

Obtaining actionable threat intelligence means configuring these tools with your unique business needs in mind.

“There is no ‘plug and play’ solution in the security analytics space,” said Liviu Arsene, senior cybersecurity analyst at Bitdefender. “Instead, the best way forward for organizations is to identify and deploy the analytics tools that best fit an organization’s needs.”

When evaluating security analytics tools, consider the company’s size and the complexity of the challenges the business hopes to address. Organizations that use analytics may need to include features such as deployment models, scope and depth of analysis, forensics, and monitoring, reporting and visualization. Others may have simpler needs with minimal overhead and a smaller focus on forensics and advanced persistent threats (APTs).

“While there is no single analytics tool that works for all organizations, it’s important for organizations to fully understand the features they need for their infrastructure,” said Arsene.

Best Practices for Researching and Deploying Analytics Solutions

Once you have established your organization’s needs and goals for investing in security analytics, there are other important considerations to keep in mind.

Emphasize Employee Training

Chief information security officers (CISOs) and security managers must ensure that their staffs are prepared to use the tools at the outset of deployment. Training employees on how to make sense of information among the noise of alerts is critical.

“Staff need to be trained to understand the results being generated, what is important, what is not and how to respond,” said Steve Tcherchian, CISO at XYPRO Technology Corporation.

Look for Tools That Can Change With the Threat Landscape

Security experts know that criminals are always one step ahead of technology and tools and that the threat landscape is always evolving. It’s essential to invest in tools that can handle relevant data needs now, but also down the line in several years. In other words, the solutions must evolve alongside the techniques and methodologies of threat actors.

“If the security tools an organization uses remain stagnant in their programming and update schedule, more vulnerabilities will be exposed through other approaches,” said Victor Congionti of Proven Data.

Understand That Analytics Is Only a Supplement to Your Team

Analytics tools are by no means a replacement for your security staff. Having analysts who can understand and interpret data is necessary to get the most out of these solutions.

Be Mindful of the Limitations of Security Analytics

Armed with security analytics tools, organizations can benefit from big data capabilities to analyze data and enhance detection with proactive alerts about potential malicious activity. However, analytics tools have their limitations, and enterprises that invest must evaluate and deploy these tools with their unique business needs in mind. The data obtained from analytics requires context, and trained staff need to understand how to make sense of important alerts among the noise.

The post Stay Ahead of the Growing Security Analytics Market With These Best Practices appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Joan Goodchild

Data Protection, Health Care, Healthcare, Healthcare Data, Healthcare Industry, healthcare security, Internet of Things (IoT), IoT Security, Medical Data, Risk Management, Threat Intelligence, Threat Research

How Secure Are Medical IoT Devices? Catherine Norcom Has Her Finger on the Pulse of the Industry

At the IBM Security Summit in 2018, X-Force Red Global Head Charles Henderson told a memorable story. A colleague frantically reached out one Friday afternoon asking him to test five medical internet of things (IoT) devices. One of the devices was to be implanted in the colleague’s body, and he wanted to make sure he chose the most secure model. Charles immediately called his hacker friends, who happily agreed to help him with the research. Within a couple days, Charles recommended a specific model to his colleague, confident the model was the least hackable.

Unlike Charles’ colleague, most patients do not have someone on hand to test their medical IoT devices prior to implantation, which is why it’s critical for device manufacturers to build security into the devices from the earliest stages of development. Patients should be able to trust that the devices in their bodies have no critical vulnerabilities that criminals could potentially exploit.

A Q and A With ‘Q’: Reviewing the FDA’s Guidance on Medical IoT Devices

On Jan. 29–30, 2019, the Food and Drug Administration (FDA) will host a public workshop to discuss medical IoT security. The discussion will focus on the recently drafted guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices,” which aims to help strengthen cybersecurity across medical IoT devices.

Catherine Norcom, X-Force Red’s resident hardware hacker, specializes in building and testing IoT devices in the medical field. Catherine, also known as “Q,” recently joined the team after serving 10 years in the U.S. Air Force.

I chatted with Catherine about the FDA’s guidance, the top risks related to medical IoT devices and how to minimize those risks.

Question: Thank you for taking the time to chat today, Catherine. Which parts of the FDA’s guidance do you think will be most effective?

Catherine: I like the objective of the guidance. Manufacturers of medical IoT devices should be prioritizing security, especially considering the potential detrimental consequences of a breach. Specifically, I like the clause about logging people out after a period of inactivity. I also like the clause that discusses the need for rapid deployment of patches and updates.

However, that clause contradicts another clause in the guidance that recommends users approve any product updates before they are installed. Getting user approval will slow down the patching process. I think updates should be automated. Automated updates wouldn’t be reliant on the user, so software would continuously receive patch installations and, as such, have fewer vulnerabilities.

I also like that the guidance promotes encrypting any information stored on devices and requires authentication of some kind before the user accesses medical information coming from the device. That way, if a user left a device on a bus, for example, someone else could not access the user’s private medical information.

Where do you think the guidance is lacking?

There are some parts that seemed like they could vary in meaning. For example, the guidance recommends assessing risk and mitigation throughout a product’s life cycle. However, the length of life cycles may vary. I have an FDA-approved smart watch that monitors my pulse. If I have a problem with my pulse, I can take medication based on what the watch shows me. But who determines my watch’s life cycle? The manufacturer could release a newer version, but my watch works fine, so I would keep using it for the next five years.

The guidance also uses buzzwords like “holistic.” Many manufacturers — and, frankly, people in general — do not know what that term means or could interpret it differently. Also, a part of the guidance recommends manufacturers identify vulnerabilities up front. Without explaining how to do that, it’s an unrealistic expectation of a manufacturer. Even if they identified a vulnerability in the Wi-Fi connection, for example, they may not know the USB port is also vulnerable. You need a security specialist to assess risk throughout the process — whether that’s hiring outside specialists or someone in-house.

Since X-Force Red specializes in cybersecurity, let’s pivot the conversation and discuss security risks that come with medical IoT devices.

Medical IoT devices are a top target of criminals, and yet so many are developed insecurely. I recently read a Ponemon Institute study that said 67 percent of medical device makers believe an attack on one or more medical devices they have built is likely. The most obvious risk is the user losing the device, or the device being stolen.

If criminals get physical access to the hardware, they may also be able to access all of the medical data in that device. They could potentially reverse engineer the device as well and gain access to more information that is stored on underlying servers. That information could aid in planning a larger attack against the device manufacturer, or help criminals use patients’ identities in insurance fraud, etc.

Yes, physically stealing a device would provide the easiest pathway to compromising it. What about the risks related to the Wi-Fi connection used by most IoT devices?

Obviously, anything connected to Wi-Fi can be compromised. A brute-force attack is one of the more popular ones. The service set identifier (SSID) is the Wi-Fi network name you see when you try to connect. If a device broadcasts its SSID, for example, a criminal would see the device on the Wi-Fi network and may try every password under the sun until one grants him access. These attacks are typically automated by computers, and it can take mere seconds to brute-force a weak password.

Also, if the Wi-Fi connection from the device is not secured and the data stored on the device is not encrypted, a criminal could intercept the packets and access medical data as it moves from the device to the router. Essentially, a criminal could grab the device’s stored medical data as it moves through the air.

What about USB ports? Many medical IoT devices contain USB ports similar to those we use to charge our cellphones.

Yes, USB ports on medical IoT devices can be used to transfer data. If someone plugs into the device’s USB port and the stored data is unencrypted, the person could potentially access the data. It’s similar to your cellphone: If you plug a USB cable into your phone and connect it to a laptop, you can see the data on your phone and move it to your laptop.

As a rule, people should avoid connecting to any USB port they do not control. That means avoiding those in airports, airplanes, public places, etc. Behind every USB port, there can be a device reading data without explicit permission.

So, what can IoT medical device manufacturers do to strengthen the security of their products as they’re being developed?

First, developers should make sure the device’s SSID is hidden so it doesn’t show up on Wi-Fi networks. Also, oftentimes IoT manufacturers will give all their devices the same SSID. For example, devices that are meant for the kitchen will have the SSID “kitchen.” If devices have the same SSID, then a criminal can connect to them even if they are hidden. It’s crucial that devices have unique SSIDs and preferably let their owners name them to create random names that attackers won’t be able to readily look up.

Good security practices for an application programming interface (API)-enabled device include making sure a criminal doesn’t have access to the API key — which is like a password — so that he or she can’t read the private medical data that the medical device is logging.

An easy and obvious recommendation is to use encryption. Any data on the device and the connection to the wireless hotspot or cell phone should be encrypted. Encryption will disable criminals’ ability to read private data whether they steal packets or plug into a USB port. Manufacturers can also make proprietary software that only talks to the specific IoT device and enables it to securely decrypt the data on it.

It’s also critical to have a secure connection between the device and Wi-Fi access point you are using. The device should not connect to anything that doesn’t require authentication.

Finally, manufacturers should opt for testing their hardware and software as the device is being developed. Manual penetration testing can uncover unknown vulnerabilities that automated tools may not find. For example, testers can make sure the software was programmed in a way that makes files difficult to read. As they are writing and developing the device and its software, manufacturers should consult a security expert at every step, from selecting products to testing during development, and test after the device is built.

Any last words or recommendations for the FDA as it works to finalize the guidance?

Unfortunately, hacking an IoT device, medical and nonmedical, is oftentimes not that difficult. At the DEF CON hacker conference, people with little experience were hacking IoT coffee pots and voting booths in minutes. When you allow an IoT device on your network, if the device has a vulnerability, a criminal can easily compromise your entire network. That’s why it’s critical that manufacturers step up and start prioritizing security when developing their products, and buyers should favor devices that have security built in as part of the design.

This guidance is a step in the right direction to achieving that goal. It gives some really strong recommendations and a focus on the subject of IoT security. If I were sitting at the public discussion, I would suggest they revise some of the recommendations to consider more scenarios that take place in real-world use cases. It can also be helpful if the FDA had different security specialists review the guidance before it’s finalized to add different perspectives.
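The three device-side controls Catherine singles out above (authentication before medical data is readable, encryption of everything stored on the device, and an automatic logout after inactivity) can be shown working together in one small program. The following is an added example, not code from X-Force Red, the FDA guidance or any device vendor. It assumes a hypothetical `DeviceStore` on a pulse monitor that keeps its records sealed at rest, derives the sealing key from the patient's PIN with PBKDF2, gates reads behind a PIN check and re-locks after a configurable idle period. The stream cipher built from HMAC-SHA256 in counter mode (encrypt-then-MAC) is a stand-in chosen so the example runs with the Python standard library only; a shipping device would use a vetted AEAD such as AES-GCM from a reviewed library. The measurements are constructed sample values.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 200_000
NONCE_LEN, TAG_LEN = 16, 32


def derive_key(pin: str, salt: bytes) -> bytes:
    """Stretch the user's PIN into a 32-byte key. The salt is stored on the device; the PIN never is."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, both derived from the PIN key.
    return (hmac.new(key, b"encrypt", hashlib.sha256).digest(),
            hmac.new(key, b"authenticate", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream: an illustrative stand-in for a real AEAD.
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong key or an edited blob is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("record too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed authentication (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class DeviceStore:
    """Hypothetical medical-device record store: encrypted at rest, PIN-gated reads, inactivity lock."""

    def __init__(self, pin: str, inactivity_seconds: float = 300, clock=time.monotonic):
        self.salt = os.urandom(16)
        self._key = derive_key(pin, self.salt)   # held in RAM so the device can keep logging
        self._records = []                       # sealed blobs only; plaintext is never persisted
        self._clock = clock                      # injectable clock so the timeout can be tested
        self._inactivity_seconds = inactivity_seconds
        self._last_activity = None               # None means locked

    def record(self, measurement: bytes) -> None:
        self._records.append(seal(self._key, measurement))

    def export_encrypted(self) -> list:
        """What a USB dump or packet capture of the store yields: sealed blobs only."""
        return list(self._records)

    def unlock(self, pin: str) -> bool:
        candidate = derive_key(pin, self.salt)
        if not hmac.compare_digest(candidate, self._key):
            return False
        self._last_activity = self._clock()
        return True

    def _require_session(self) -> None:
        if self._last_activity is None or self._clock() - self._last_activity > self._inactivity_seconds:
            self._last_activity = None           # automatic logout after the inactivity period
            raise PermissionError("device locked: authenticate with PIN")
        self._last_activity = self._clock()      # any successful read counts as activity

    def read_all(self) -> list:
        self._require_session()
        return [unseal(self._key, blob) for blob in self._records]


if __name__ == "__main__":
    store = DeviceStore("2468", inactivity_seconds=300)
    store.record(b"pulse=72")                    # constructed sample measurement
    print("locked export readable?", any(b"pulse" in b for b in store.export_encrypted()))
    print("unlock with wrong PIN:", store.unlock("0000"))
    print("unlock with right PIN:", store.unlock("2468"), store.read_all())
```

A dump taken over USB or from the air contains only sealed blobs, so the "device left on a bus" case yields nothing without the PIN; the PIN is compared through `hmac.compare_digest` to avoid timing leaks; and a reader that goes idle past the timeout is forced to authenticate again.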


This post appeared first on Security Intelligence
Author: Abby Ross

CISO, Incident Response, Incident Response (IR), Incident Response Plan, Security Intelligence, Security Intelligence & Analytics, Security Operations Center (SOC), Security Professionals, Skills Gap, Threat Intelligence, Threat Sharing

Need a Sounding Board for Your Incident Response Plan? Join a Security Community

Incident response teams face myriad uphill battles, such as the cybersecurity skills shortage, floods of security alerts and increasing IT complexity, to name just a few. These challenges often overwhelm security teams and leave security operations center (SOC) directors searching for strategies to maximize the productivity of their current team and technologies to build a capable incident response plan.

One emerging solution is a familiar one: an ecosystem of developer and expert communities. Collaborative online forums have always been a critical part of the cybersecurity industry, and communities dedicated to incident response are growing more robust than ever.

How to Get Involved in a Developer Community

Incident response communities can be a crucial resource to give security analysts access to hands-on, battle-tested experience. They can deliver highly valuable, lightweight, easy-to-use integrations that can be deployed quickly. Community-driven security can also provide playbooks, standard operating procedures (SOPs), best practices and troubleshooting tips. Most importantly, they can help foster innovation by serving as a sounding board for your team’s ideas and introduce you to new strategies and techniques.

That all sounds great, but how do you know what community can best address your incident response needs? Where do you begin? Below are a few steps to help you get started.

1. Find the Communities That Are Most Relevant to You

To combat new threats that are being coordinated in real time, more and more vendors and services are fostering their own communities. Identify which ones are most relevant to your industry and business goals.

To start, narrow down your search based on the security products you use every day. In all likelihood, you’ll find users in these product-based communities who have faced similar challenges or have run into the same issues as your team.

Once you’ve selected the most relevant communities, make sure you sign up for constant updates. Join discussion forums, opt in to regular updates, and check back frequently for new blogs and other content. By keeping close tabs on these conversations, you can continuously review whether the communities you’ve joined are still relevant and valuable to your business.

2. Identify Existing Gaps in Your Security Processes

Communities are disparate and wide-ranging. Establishing your needs first will save you time and make communities more valuable to you. By identifying what type of intelligence you need to enhance your security strategy and incident response plan ahead of time, you can be confident that you’re joining the right channels and interacting with like-minded users.

Discussion forums are full of valuable information from other users who have probably had to patch up many of the same security gaps that affect your business. These forums also provide a window into the wider purpose of the community; aligning your identified gaps with this mission will help you maximize the value of your interactions.

3. Contribute to the Conversation

By taking part in these conversations, you can uncover unexpected benefits and give your team a sounding board among other users. As a security practitioner, it should be a priority to contribute direct and honest information to the community and perpetuate an industrywide culture of information sharing. Real-time, responsive feedback is a great tool to help you build a better security strategy and align a response plan to the current threat landscape.

Contributing to a community can take various forms. Community-based forums and Slack channels give developers a voice across the organization. By leveraging this mode of communication, you can bring important intelligence to the surface that might otherwise go under the radar. Forum discussions can also expose you to new perspectives from a diverse range of sources.

A Successful Incident Response Plan Starts With Collaboration

For its part, IBM Security gathers insights from experienced users across all its products in the IBM Security Community portal. Through this initiative, IBM has expanded its global network to connect like-minded people in cybersecurity. This collaborative network allows us to adapt to new developments as rapidly as threats evolve.

Collaboration has always been cybercriminals’ greatest weapon. It creates massive challenges for the cybersecurity industry and requires us to fight back with a united front of our own. With the support of an entire security community behind you, incident response tasks won’t seem so overwhelming and your resource-strapped SOC will have all the threat data it needs to protect your business.

This post appeared first on Security Intelligence
Author: Ted Julian

Artificial Intelligence (AI), Automation, Cognitive Security, Data Protection, Incident Response (IR), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), threat hunting, Threat Intelligence

Maturing Your Security Operations Center With the Art and Science of Threat Hunting

Your organization has fallen prey to an advanced persistent threat (APT) after being targeted by a state-sponsored crime collective. Six million records were lost over 18 months of undetected presence on your network. While your security operations center (SOC) is fully staffed with analysts, your threat hunting capabilities failed to detect the subtle signs of threat actors moving laterally through your network and slowly exfiltrating customer data.

How did this happen?

It all started with a highly targeted spear phishing attack on your director of communications. He failed to notice the carefully disguised symbols in an email he thought was sent by the IT department and logged in to a spoofed domain. This credential theft resulted in the spread of zero-day malware and slowly escalated account privileges. While some of the criminals’ behavior triggered alerts in the SOC, your analysts categorized the incidents as benign positives. Your organization is now facing a multimillion-dollar cleanup and a serious loss of customer trust.

Why You Should Hunt Advanced Threats Before They Strike

Situations like the one described above are all too common in our industry. The majority of successful exploits attributed to human error fit a small series of predictable patterns that exploit known vulnerabilities in an organization’s network. As a result, many data breaches can be prevented with effective cyber hygiene tactics.

Advanced threats are a smaller proportion of incidents, but they are typically undetected and cause the most damage. In addition, the rise in state-sponsored crime and criminal activity on the dark web has created an ecosystem that fosters open exchange between the world’s most sophisticated and skilled criminals.

The cost of a serious breach is also trending upward. According to Ponemon, the average cost of a megabreach that results in the loss of more than 1 million customer records is $40 million. And more than 60 percent of data breaches have links to either state actors or advanced, organized crime groups, according to Verizon. APTs that evade detection can result in dwell times that range from three to 24 months, further increasing the total cleanup cost for a data breach.

How can security teams fight these kinds of threats? The majority of enterprise SOCs are now at least three years old, according to a recent study from Exabeam, and are increasing in maturity. While human analysts and manual research methodologies can act as a firewall against many risks, there’s a need to scale SOC intelligence and threat hunting capabilities to safeguard against APTs.

What Is Threat Hunting?

Threat hunting can be defined as “the act of aggressively intercepting, tracking and eliminating cyber adversaries as early as possible in the Cyber Kill Chain.” The practice uses techniques from art, science and military intelligence, with internal and external data sources informing the science of statistical and cognitive analysis. Human intelligence analyzes the results and informs the art of a response. Last year, 91 percent of security leaders reported improved response speed and accuracy as a result of threat detection and investigation, according to the SANS Institute.

Threat hunting is not defined by solutions, although tools and techniques can significantly improve efficiency and outcomes. Instead, it’s defined by a widely accepted framework from Sqrrl. These are the four stages of Sqrrl’s Threat Hunting Loop:

  1. Create a hypothesis.
  2. Investigate via tools and techniques.
  3. Discover new patterns and adversary tactics, techniques and procedures (TTPs).
  4. Inform and enrich automated analytics for the next hunt.

The goal for any security team should be to complete this loop as efficiently as possible. The quicker you can do so, the quicker you can automate new processes that will help find the next threat.
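To make the four stages of the loop concrete, here is an added example that runs one full iteration over a handful of constructed logon events; it is not code from Sqrrl or from the article. The hypothesis (stage 1) is the lateral-movement pattern from the opening scenario: a compromised account logs on to unusually many distinct hosts in a short window. Stage 2 tests it against the events, stage 3 is the analyst's review that separates a genuine hit from a backup service account that is expected to fan out, and stage 4 folds that knowledge back into the rule so the next, automated pass no longer raises the benign case. The log format, the usernames, the hostnames and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample network-logon events, one per successful remote logon, in a
# simplified key=value export format (not real SIEM output).
SAMPLE_LOGS = """\
2019-01-14T09:00:05Z user=asmith host=fs01 src=10.0.7.41
2019-01-14T09:02:11Z user=jdoe host=fs01 src=10.0.5.23
2019-01-14T09:03:40Z user=jdoe host=fs02 src=10.0.5.23
2019-01-14T09:04:02Z user=jdoe host=hr-db src=10.0.5.23
2019-01-14T09:05:30Z user=jdoe host=fin-app src=10.0.5.23
2019-01-14T09:06:18Z user=jdoe host=dc01 src=10.0.5.23
2019-01-14T09:08:47Z user=jdoe host=backup01 src=10.0.5.23
2019-01-14T09:10:00Z user=asmith host=mail01 src=10.0.7.41
2019-01-14T22:00:00Z user=svc_backup host=fs01 src=10.0.9.9
2019-01-14T22:00:30Z user=svc_backup host=fs02 src=10.0.9.9
2019-01-14T22:01:00Z user=svc_backup host=hr-db src=10.0.9.9
2019-01-14T22:01:30Z user=svc_backup host=fin-app src=10.0.9.9
2019-01-14T22:02:00Z user=svc_backup host=dc01 src=10.0.9.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+)$")


def parse_logs(text):
    """Return (timestamp, user, host) tuples sorted by time; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["user"], m["host"]))
    events.sort()
    return events


# Stage 1: the hypothesis, written down as a testable rule (thresholds are assumed baselines).
HYPOTHESIS = {
    "name": "lateral-movement-fanout",
    "statement": "A compromised account logs on to unusually many distinct hosts within a short window",
    "window_minutes": 10,
    "max_distinct_hosts": 4,    # ordinary users here touch one or two hosts per window
    "exclude_users": set(),     # filled in by stage 4 as benign fan-out is confirmed
}


def hunt(events, rule):
    """Stage 2: investigate. One finding per user whose distinct-host count exceeds the threshold."""
    window = timedelta(minutes=rule["window_minutes"])
    by_user = defaultdict(list)
    for ts, user, host in events:
        if user not in rule["exclude_users"]:
            by_user[user].append((ts, host))
    findings = []
    for user, logons in by_user.items():            # logons are already time-ordered
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) > rule["max_distinct_hosts"]:
                findings.append({"user": user, "window_start": start, "hosts": sorted(hosts)})
                break                               # one finding is enough to open an investigation
    return findings


def triage(findings, known_service_accounts):
    """Stage 3: discover. The analyst confirms real hits and records which fan-out is expected."""
    confirmed = [f for f in findings if f["user"] not in known_service_accounts]
    benign = {f["user"] for f in findings if f["user"] in known_service_accounts}
    return confirmed, benign


def enrich(rule, benign_users):
    """Stage 4: inform and enrich. The next automated pass carries what this hunt learned."""
    next_rule = dict(rule)
    next_rule["exclude_users"] = rule["exclude_users"] | set(benign_users)
    return next_rule


def run_loop(log_text, rule=HYPOTHESIS, known_service_accounts=frozenset({"svc_backup"})):
    events = parse_logs(log_text)
    confirmed, benign = triage(hunt(events, rule), known_service_accounts)
    return confirmed, enrich(rule, benign)


if __name__ == "__main__":
    confirmed, next_rule = run_loop(SAMPLE_LOGS)
    for f in confirmed:
        print(f"{f['user']} reached {len(f['hosts'])} hosts from {f['window_start']}: {', '.join(f['hosts'])}")
    print("excluded from the next hunt:", sorted(next_rule["exclude_users"]))
```

The point of the enrichment stage is the part most teams skip: the output of a hunt is not only the incident ticket for `jdoe` but also a tighter rule, so the noise that was reviewed by hand once does not return as another benign positive on the next pass.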

The 4 Characteristics of a Comprehensive Threat Hunting Capability

A mature threat hunting capability is closely associated with SOC maturity. The least mature SOCs have human analysts who act as a firewall. As SOCs approach maturity and adopt security information and event management (SIEM) tools, their capacity to reactively investigate indicators of compromise (IoCs) increases. The most mature SOCs take a proactive approach to investigating IoCs, with researchers, analysts, solutions and a clearly defined methodology to orchestrate both investigation and response. A comprehensive capacity for hunting threats is defined by four key characteristics:

  1. Data handling: The ability to handle a deluge of data across siloed networks, including insight into internal risks, advanced activities from external threat actors and real-time threat intelligence from third-party sources.
  2. Data analysis: The ability to correlate a high volume and velocity of disparate data sources into information and, ultimately, intelligence.
  3. Informed action: Resources to increase threat hunters’ skills and easily feed threat intelligence through training, policy and cognitive capabilities.
  4. Orchestrated action: Defined processes and methodologies to hunt threats in a repeatable and orchestrated way that informs proactive security capabilities throughout the organization.

Organizations that fail to increase SOC maturity and adopt the solutions and processes for hunting threats face a number of risks. Relying on manual research methodologies can lead to costly data breaches and permanent brand damage when APTs evade detection. A lack of solutions and methods for an orchestrated IoC investigation process means less efficient and accurate operations. The absence of SOC orchestration encourages heavily manual processes.

The Diverse Business Benefits of Hunting Threats

Using cognitive intelligence tools to enhance SOC capabilities, Sogeti Luxembourg successfully reduced the average time of root cause determination and threat investigation from three hours to three minutes. In the process, the financial institution sped up their threat investigation process by 50 percent and saw a tenfold increase in actionable threat indicators.

Hunting threats can offer a number of benefits to both the business and the security operations center. The outcomes include greater protection of reputation, a more intelligent SOC and orchestrated security response.

Reputation Protection

Falling prey to an APT can cause lasting damage to a brand. One core benefit of implementing a more sophisticated threat hunting capability is the potential to guard against the most costly data breaches, which typically result in millions of lost records or permanent data deletion.

SOC Maturity

SOC analyst stress and falsely assigned benign positives are at record highs. APTs can easily go unnoticed due to the sheer volume of noise, which creates a culture of alert fatigue.

Achieving mature threat detection capabilities can change how analysts work and allow organizations to implement a cognitive SOC. Security analytics platforms enhance human intelligence and reduce manual research, and correlation tools provide real-time insight from a variety of structured and unstructured third-party data sources.

Orchestrated Security Response

With the technological capabilities to outthink adversaries, organizations can inform a proactive, unified approach to incident response (IR) that begins in the SOC. Internal and external data sources augment the intelligence of human analysts, allowing real-time, informed decision-making. Investigations and response can inform action as soon as anomalous behaviors or patterns are detected. The result is a defined process that allows your organization to mitigate threats earlier in the Cyber Kill Chain.

Intelligent Response to Sophisticated Threats

The majority of threats your organization faces each day will fit predictable patterns. While APTs make up a statistically small percentage of incidents investigated by an SOC, sophisticated threat actors use unique tactics and techniques to evade detection in a noisy SOC. These threats are the most likely to evade detection and result in highly expensive cybercrime.

State-sponsored criminal activity and attacks launched by sophisticated crime collectives are increasing. To guard against these increasingly complex threat vectors, organizations need to proactively prepare their defenses. Implementing cognitive tools in the SOC can enable organizations to adopt proactive threat hunting capabilities that leverage both art and science. By combining repeatable processes for threat investigation with intelligent solutions and skilled analysts, organizations can respond to threats earlier in the kill chain and protect their most critical assets.

Read the e-book: Master threat hunting

The post Maturing Your Security Operations Center With the Art and Science of Threat Hunting appeared first on Security Intelligence.

Author: Rob Patey

Advanced Persistent Threat (APT), Advanced Threats, Authentication, Behavioral Analytics, CISO, Cost of a Data Breach, Data Breach, Incident Response, Incident Response (IR), Multifactor Authentication (MFA), Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Solutions, Threat Intelligence,

Close the Gap on Advanced Threats With Integrated Security

The board of directors is finally starting to grasp that security risk equals business risk. But as you finalize your presentation on the company’s cybersecurity posture, you can’t help but second-guess yourself. You know the CEO, CFO and other senior leaders want to hear that the security team has an effective strategy for handling advanced threats, but the truth is that your analysts are drowning in data with little meaningful insight into risks.

Based on your knowledge of the rapidly expanding threat landscape, you know the company is vulnerable to a data breach it can’t afford. The problem is that you can’t demonstrate this risk without adequate visibility into the organization’s sensitive data and the vulnerabilities threat actors might exploit to steal it. What’s worse, your security operations center (SOC) is spread thin across the widening cyber skills gap, and alerts are piling up as analysts slog through manual processes. How can chief information security officers (CISOs) free up their SOC teams to investigate the most pressing alerts and minimize risks before they evolve into costly incidents?

Detect and stop advanced persistent security threats

Why Threats Are Outpacing the SOC

While the security profession is finally gaining the respect and attention it deserves, understaffed SOCs are struggling to triage enormous volumes of security event data. And the problem is only getting worse: Cybersecurity Ventures predicted that the industry will have 3.5 million unfilled cybersecurity positions by 2021.

Despite increased spend, many organizations are failing to see results from their security investments. Some organizations run 85 distinct security solutions from 45 vendors, yet have little confidence in their ability to detect threats. No matter the size of your security arsenal, standalone tools operating in isolation cannot adequately protect enterprise networks from today’s advanced threats.

Coupled with the skills crisis, the SOC is grappling with the increasing complexity of the threat landscape. Costly, difficult-to-detect insider attacks have increased by 46 percent since 2014. Meanwhile, 62 percent of security experts believe threat actors will weaponize artificial intelligence (AI) to launch targeted attacks at scale in the next year, according to a Cylance survey.

A New Approach to Detect and Stop Advanced Threats

Despite record-breaking spend on security solutions, the SOC is losing ground for more reasons than the skills shortage and evolving threats. Technology is a barrier for many enterprises in which the security organization lacks a comprehensive view of the risk landscape. Disconnected systems, the IT skills gap and a lack of automation have made it very difficult for these organizations to distinguish advanced threats from false positives.

The cost of failing to adopt a new approach to threat detection and remediation is higher than ever. According to the “2018 Cost of a Data Breach Study,” sponsored by IBM Security and conducted by the Ponemon Institute, a mega breach of 50 million or more records can cost as much as $350 million. Targeted, malicious attacks and botnets are among the most expensive types of security incident.

“With a variety of threat vectors to contend with, companies must proactively implement policies and technologies that mitigate the risk of facing a costly breach,” said Larry Ponemon, chairman and founder of Ponemon Institute.

By creating an integrated security ecosystem of solutions, policies and people, organizations can more efficiently and effectively detect advanced threats. AI, machine learning and automation can improve the accuracy and speed of threat investigations, while solutions to orchestrate systems, processes and users minimize the impact of incidents.

5 Use Cases for Advanced Threat Detection and Prevention

How’s this for a use case: With an intelligent security ecosystem, Wimbledon achieved 60 times greater efficiency in threat investigations over manual processes. IBM solutions helped the oldest brand in tennis investigate five times more incidents during the annual tournament, with zero security impact to operations.

Use cases for operations strategy, managed incident response, SOC automation, behavioral analytics and user authentication demonstrate how IBM Security solutions offer a complete spectrum of protection against sophisticated threats.

1. Operational Strategy

A recent survey of Black Hat 2018 attendees revealed that sophisticated, targeted attacks are the top concern for 47 percent of security professionals. Other frequently cited challenges facing the enterprise include social engineering, insider threats and cloud risks. When an enterprise is facing these known risks and lacks confidence in existing technologies, it’s critical to strengthen operations proactively.

Partnering with security operations and consulting services can enable the enterprise to design and build a comprehensive response with a cognitive SOC, SOC training and security information and event management (SIEM) optimization.

2. Incident Response

According to Marsh & McLennan, 14 percent of organizations are “not at all confident” or unsure if they are adequately prepared to respond to or recover from a cyber incident. As vulnerabilities and risks evolve, organizations need a culture of continuous improvement to weather the coming storm of advanced threats.

Developing relationships with industry detection and response experts can provide organizations with decades of threat intelligence experience. Managed SIEM services can offer cognitive intelligence for cybersecurity and comprehensive, compliant infrastructure.

3. SOC Automation

Enterprise SOCs encounter 200,000 unique security events each day on average. A cognitive SOC with automation, machine learning, AI and orchestration solutions eases the burden on analysts and improves effectiveness. Incident response automation can reduce the total cost of a data breach by $1.55 million. Meanwhile, intelligent SIEM solutions deliver cognitive security analytics and automation with contextual intelligence to identify significant risks.

4. Visibility Into Anomalies

According to Fidelis Security, 83 percent of SOCs triage less than half of the alerts received each day. This may be due in part to too much time spent chasing false alerts; manual research processes can yield false positive rates of 70 percent or higher.

Organizations can identify user risks and suspicious behavior by investing in behavioral analytics that provide at-a-glance visibility into anomalies.

5. User Authentication

As the enterprise pursues digital transformation, a smarter approach to identity is the new perimeter. While just 67 percent of respondents are currently comfortable using biometrics and other advanced forms of authentication, according to “The Future of Identity,” 87 percent believe they’ll be comfortable in the future.

With cloud-based multifactor authentication, organizations can define and scale authentication policies across web and mobile applications, including risk-based approaches to user access and biometric authentication methods.

Closing the Gap on Enterprise Threats

Enterprises are spending more than ever on security solutions. However, industry surveys and breach rates show that standalone tools aren’t providing meaningful protection against sophisticated threats.

As the threat landscape continues to evolve, organizations need an integrated ecosystem of solutions that provide visibility into internal and external risks. By continuously aligning systems, policies and people, security teams can improve the accuracy and speed of threat investigations and minimize the risks of advanced threats at each stage of the attack chain.

Advanced threats: 3 steps to safety

The post Close the Gap on Advanced Threats With Integrated Security appeared first on Security Intelligence.

Author: Rob Patey

Cybersecurity Jobs, Cybersecurity Training, Data Classification, Data Management, Security Operations Center (SOC), Skills Gap, Threat Detection, threat hunting, Threat Intelligence, Threat Monitoring, Threat Prevention, Threat Protection,

More Than Just a Fad: Lessons Learned About Threat Hunting in 2018

The year has very nearly come and gone, and some fads that we saw throughout 2018 are going with it. Fidget spinners are collecting dust in cubicles, the mannequin challenge is something only seen in department stores, and the Nae Nae is becoming extinct on dance floors across the country.

It’s no different in the cybersecurity community; trending tools and buzzwords come and go as quickly as viral internet memes. However, one capability that is here to stay is threat hunting, a proactive approach to discovering and mitigating threats. The term and practice of threat hunting have actually been around for quite some time, but it is becoming more of a household concept throughout security operations centers (SOCs), governments and private sector companies around the world. This is largely due to studies around the benefits of the practice and real-world use cases that are rapidly emerging.

In the past year, we learned about the pros and cons of this approach, what it is, what it isn’t and everything in between. Let’s break down some of the lessons we learned about threat hunting in 2018.

Invest in Training and Methodology Before Technology

When a new security capability gains momentum in the industry, most companies’ first investment is in the tools to get them started. The same is true of threat hunting, even though methodology and tradecraft should come first.

A key finding from the SANS 2018 threat hunting survey revealed that the No. 1 investment area for threat hunting is still technology, although respondents indicated that the lack of trained staff in numerous areas was an important reason why they did not perform threat hunting or why they did not perform it as effectively as they should. The tools are only as good as the trained professional. This is as true with threat hunters as it is with construction workers, and it should not be forgotten.

Training and hiring the right people is especially important since threat hunting requires individuals with a knowledge of intelligence analysis and an understanding of the technical aspects of the SOC. Currently, threat hunting falls within a skills gap, which means finding a trained threat hunter to use the tools that a company has invested in is like finding a unicorn.

Going into 2019, organizations that practice threat hunting should take a holistic look at their programs and, if it’s lacking, assess whether it’s the fancy tools or the lack of trained cyberthreat hunters that is the issue. Similarly, organizations that are new to the threat hunting game should evaluate the threat hunters they have or plan to hire before pulling the trigger on the latest tools.

Threat Hunting Is Only as Effective as Your Intelligence Framework

To launch an effective threat hunting program, you also need access to the right data. In terms of efficiency and accuracy, this should consist of internal data from the company mixed with external deep web, dark web, open source and third-party threat intelligence that provides context about threats manifesting through global cybercrime networks.

The SANS survey showed that a solid blend of internal, self-generated intelligence augmented with a combination of external data sources can reduce overall adversary dwell times across organizations’ networks. But it is more than just the access to the data itself; an organization could have access to all the data feeds in the world, but if it lacks the ability to provide context and formulate actionable hypotheses, then the data is next to useless.

In the counterterrorism community, we always said that intelligence drives operations. Yes, we needed access to the right data, but more importantly, we needed the ability to fuse all sources of data and develop actionable advice for operators. It’s the same with threat hunting: Data is key, but there needs to be a way to ingest, fuse and analyze data to formulate hypotheses about threats.

Threat Hunting Is Here to Stay in 2019

Going into 2019, the cybersecurity community will continue to learn about the world of threat hunting and how organizations can implement an effective threat hunting program. Just like the fads that will inevitably come and go in 2019, there will be new cybersecurity tools, methodologies and lessons in the new year. Due to the tangible benefits that organizations are seeing after implementing threat hunting programs, it’s apparent that the practice is not just another security fad.

As organizations train analysts on methodology before technology — and explore how to close the threat hunter skills gap, get access to the right data and generate actionable hypotheses to uncover threats — we will continue to learn how effective a threat hunting program can be when properly implemented.

Read the SANS 2018 threat hunting survey

The post More Than Just a Fad: Lessons Learned About Threat Hunting in 2018 appeared first on Security Intelligence.

Author: Jake Munroe

Access Management, Advanced Threats, Antivirus, atm, CISO, Compliance, Credentials, cryptocurrency, cryptocurrency miner, Cybercrime, Cybercrime Trends, Data Breaches, Data Privacy, Data Protection, database security, Endpoint Protection, Financial Industry, General Data Protection Regulation (GDPR), IBM X-Force Incident Response and Intelligence Services, IBM X-Force Research, Identity and Access Management (IAM), Incident Response, Incident Response (IR), Malware, Obfuscation, Personal Data, Phishing, regulatory compliance, Security Trends, Social Security, Threat Intelligence, Vulnerabilities, X-Force,

IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape

Taking a look back at 2018, it amazes me that the cybercrime threat landscape continues to top itself year after year. Over the past year, we’ve seen historic breaches, the discovery of large-scale vulnerabilities, the emergence of the trust economy and regulators trying to help make sense of it all.

The looming General Data Protection Regulation (GDPR) deadline finally came in May after businesses spent years preparing. Now we’re in the GDPR era, and we’re still seeing organizations struggle to interpret and tackle the regulation. Businesses are asking themselves, should we disclose every possible incident to be covered or spend more time investigating incidents to confirm them?

We also saw many unintended consequences from the GDPR, including the removal of WHOIS data that threat intelligence experts rely on to identify malicious domains used by fraudsters. We learned that in Europe, organizations will need to go through works councils to receive approval to deploy endpoint protection tools in the wake of an incident due to the privacy regulation. This gives attackers a significant advantage to harvest data for an extensive amount of time — upwards of 30 to 90 days.

One of my security predictions for 2018 was that organizations will start to get response right. We’ve seen some progress on this, but there’s still a lot of work to be done here. Since we opened our Cyber Range in Cambridge, Massachusetts two years ago, we’ve had more than 2,000 people experience what it’s like to respond to an attack.

We’ve seen many industry groups come together in the Cyber Range and collaborate to help their entire industries. We also launched our Cyber Tactical Operations Center (C-TOC), an 18-wheeler that will be touring Europe in 2019 to address the increased demand for preparedness training. Of course, there’s always room for improvement, but our industry is making progress, and for that, I’m proud.

Security Predictions for the New Year

So what lies ahead in 2019? How will the cybercrime threat landscape change and evolve?

Top experts from IBM X-Force have been analyzing emerging trends and clues this year, which they believe are indicators of potential major cybercriminal activity in 2019. Below, these experts reveal their top security predictions for 2019 based on insights from their research and work with clients. The predictions span a range of potential attack schemes and consequences, from industry-specific prognostications to a rapid expansion of emerging criminal schemes.

First, a couple of my own predictions:

Social Insecurity Numbers Dropped for Access

With most Americans’ Social Security numbers a shared secret after 2017, corporations will start to move away from using the numbers as a form of access. In particular, corporate benefits programs often still use Social Security numbers as an identifier. Expect corporations and benefits programs to evolve their authentication methods ahead of regulators.

What organizations can do: Stop using Social Security numbers for identification. Instead, issue a one-time PIN to establish accounts and tie those accounts to two-factor authentication, and expand the use of biometrics for authentication.

Unforeseen Consequences of the GDPR

2018 was all about implementation of GDPR and getting organizations prepared. In 2019, new, unforeseen impacts of GDPR on threat intelligence will be identified and have broader consequences in cybersecurity. With the elimination of WHOIS data, identification of malicious domains connected to bad actors becomes an enormous challenge, and we’ll likely see malicious domains ramp up. Organizations in Europe will struggle to remove attackers from networks and devices due to a 30- to 90-day waiting period to deploy endpoint protection after an incident. My hope is that regulators, works councils and security industry leaders can work together in 2019 to identify some exceptions in which security takes precedence.

Possible solution: Greater collaboration between regulators, works councils and security industry leaders to identify exceptions to regulations where security would otherwise suffer because of the regulation.

Now, some predictions from my fellow X-Force team members:

Automated Customer Service Systems in Attackers’ Sights

Kiosk and other self-service systems have become more and more a part of our world. Retailers, airlines, hotels and public buildings are using these systems to speed up check-ins and reduce labor costs. In 2018, we saw a resurgence in ATM hacking, and we expect in 2019 to see public-facing self-service systems targeted as a way to harvest valuable customer data.

– Charles Henderson, X-Force Red

What organizations can do: Test hardware and software before criminals have a chance to. Harden physical interfaces and disable unused ports at the hardware level. When using third-party components, ensure that they are still supported by the manufacturer.

Listen to the podcast: Spotlight on ATM Testing

A Cyber Insurance Market Reality Check

Cyber insurance has grown alongside the epic growth of cybercrime. While it is a valuable tool for managing the costs of a security incident or data breach, businesses have become too reliant on insurance, avoiding investment in other preventative technologies and response services. In 2019, we’ll see closer teaming between cyber insurance providers and security vendors to fill the emerging gap created by the market.

– Christopher Scott, X-Force Incident Response and Intelligence Services (IRIS)

Possible solution: Providers of managed security services and cyber insurance team up together to offer consulting services, assess risk and implement defensive strategies.

Have Data, Will Travel

Cybercriminals will shift their sights to the lucrative databases of personal data maintained by travel and hospitality companies. In 2018, we saw the tip of the iceberg with high-profile breaches at airlines and hotel chains. Expect more mega breaches in this area in 2019 as cybercriminals look to monetize rewards points and gather new credentials, such as passport numbers and driver licenses, to establish identities for online crime. This data could also lead to targeted, travel-related phishing, tapping a person’s interests, motivations and connections.

– Wendi Whitmore, X-Force IRIS

What organizations can do: Deploy data obfuscation technologies, encryption and regular database activity monitoring. Conduct regular security testing and have an incident response plan in place. Frequently audit the storage requirements for personally identifiable information (PII) and set expirations for how long sensitive data is stored.

Evidence of Cybercriminal Stock Manipulation

There’s growing speculation that some shorting of stocks can be tied to cyberattacks. Are criminals collaborating to time their attacks for financial gain? In 2019, we expect these schemes will be further exposed and possibly prosecuted as government regulators take notice of this activity.

– Dustin Heywood, X-Force Red

Possible solution: A breach of a public company is now both a technical crisis as well as a financial crisis. Rapid manipulation of stock prices can occur as a result of bad guys looking to profit or hedge funds reacting to breaking news. Your speed of response and precision of communications will matter. Organizations need to build and test their runbooks ahead of time.

Crypto-Mining Powered by PowerShell

PowerShell use for malicious activities has continued to grow in 2018. IBM X-Force IRIS saw the tool used by malicious actors to inject malware directly into memory, enhance obfuscation and evade antivirus detection software. In 2019, X-Force IRIS anticipates that crypto-mining tools will use PowerShell to load fileless malware onto compromised systems — similar to reported activity by the crypto-miner GhostMiner earlier this year.

– Dave McMillen, X-Force IRIS

What organizations can do: Enterprises will want to ensure that they are logging, tracking and auditing PowerShell use in their networks. This can be achieved by running a current version of PowerShell (script block logging requires PowerShell 5.0 or later) and enabling logging through Group Policy settings. These logs should be forwarded to a central location where they can be analyzed.

In addition to logging, companies using Windows 10 should be sure to implement an antivirus solution that is compatible with the Antimalware Scan Interface (AMSI). This interface gives antivirus products the ability to inspect PowerShell code, including de-obfuscated and in-memory content, before it is executed, allowing the product to stop malicious PowerShell before it can run.
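The two recommendations above (Group Policy-driven PowerShell logging, and AMSI-aware antivirus) reduce to a handful of registry policy keys and an event log query. The script below is an added example, not code from the original post or from IBM X-Force: it turns on script block, module and transcription logging by writing the same policy keys Group Policy would write, pulls script block events (event ID 4104) from the last day and flags the loader patterns typical of fileless miners, and lists the AMSI providers registered on the host. The transcript directory, the indicator list and the lookback window are assumptions to tune for your environment; forwarding the events to a SIEM is left to Windows Event Forwarding or your agent.

```powershell
# Added example (not from the original post). Run as Administrator on
# Windows 10 with PowerShell 5.1 or later.
#Requires -RunAsAdministrator

# Policy root that Group Policy writes for the PowerShell logging settings.
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Enable-PowerShellLogging {
    param(
        # Assumed path; in production point this at a write-only network share.
        [string]$TranscriptDir = 'C:\PSTranscripts'
    )
    # Script block logging records the de-obfuscated text of every block that
    # runs (event 4104), defeating the string-building tricks loaders rely on.
    $sbl = Join-Path $PolicyRoot 'ScriptBlockLogging'
    New-Item -Path $sbl -Force | Out-Null
    Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging records pipeline execution details (event 4103) for all modules.
    $ml = Join-Path $PolicyRoot 'ModuleLogging'
    New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
    Set-ItemProperty -Path $ml -Name EnableModuleLogging -Value 1 -Type DWord
    New-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' `
        -PropertyType String -Force | Out-Null

    # Transcription keeps the full session text for interactive context.
    $tr = Join-Path $PolicyRoot 'Transcription'
    New-Item -Path $tr -Force | Out-Null
    Set-ItemProperty -Path $tr -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path $tr -Name OutputDirectory -Value $TranscriptDir -Type String
}

function Get-SuspiciousScriptBlocks {
    param([int]$Hours = 24)
    # Assumed indicator list: download cradles, encoded commands, reflection and
    # memory-allocation calls seen in in-memory loaders. Tune to your estate.
    $patterns = 'FromBase64String', 'DownloadString', '\biex\b', 'Invoke-Expression',
                'Reflection\.Assembly', 'VirtualAlloc', '-enc', 'Net\.WebClient'
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            $hits = $patterns | Where-Object { $text -match $_ }
            if ($hits) {
                [pscustomobject]@{
                    Time          = $_.TimeCreated
                    ScriptBlockId = $_.Properties[3].Value
                    Indicators    = ($hits -join ', ')
                    Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

function Get-AmsiProvider {
    # AMSI-capable scanners register a COM provider under this key. An empty
    # result means nothing is inspecting script content before it executes.
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path $root)) { return @() }
    Get-ChildItem $root | ForEach-Object {
        $clsid = $_.PSChildName
        $name = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" `
                    -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Provider = $name }
    }
}

Enable-PowerShellLogging
Get-AmsiProvider | Format-Table -AutoSize
Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize
```

Writing the policy keys directly is useful for a lab or an emergency response; for a managed fleet, set the same three policies under Administrative Templates &gt; Windows Components &gt; Windows PowerShell in Group Policy so they survive re-imaging. Script block logging captures the code after PowerShell has resolved it, so an encoded or concatenated payload appears in 4104 in readable form, which is what makes the simple pattern match above worthwhile.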

Meet more IBM Security All Stars

The post IBM X-Force Security Predictions for the 2019 Cybercrime Threat Landscape appeared first on Security Intelligence.

Author: Caleb Barlow

Application Security, Exploit Mitigations, Incident Response (IR), Threat Intelligence, Threat Sharing, Vulnerability Analysis, Vulnerability Management,

Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough

Your organization’s computer security incident response team (CSIRT) plays a crucial role in coordinating the incident response process for security events that affect the company’s infrastructure, data or users. But to whom do you turn in case of incidents or vulnerabilities related to the products you build?

A product security incident response team (PSIRT) identifies, evaluates and coordinates responses to the security vulnerabilities in the products you manufacture. Whereas the CSIRT protects the infrastructure on which the organizations rely, the PSIRT maintains the products manufactured by those organizations to generate revenue. Although the core focus of each team is different, there are many similarities.

No ‘SIRT’ Is an Island

Like CSIRTs, a PSIRT is not an island in your company; it does not operate independently of other parts of the organization. Obviously, the way it is embedded within the organization depends on the maturity, size and objective of the team — and, of course, the resources available. The most common embedding models are very similar to typical CSIRT structures.

On the one hand, there is a distributed model wherein you involve members of existing departments, such as subject matter experts from the engineering and IT teams. On the other hand, in the centralized model, the PSIRT has its own staffing.

The distributed model works very well for scaling the team, and you can make use of the existing knowledge of experts experienced in your organization. It can be a challenge, though, to maintain oversight, and there may sometimes be a clash of responsibilities or duties. The centralized model works well for clear, nonredundant structuring, but scaling, especially in environments with a large set of products, can become very difficult.

The best of both worlds, then, is the hybrid model, in which a small team is in control, but productive relationships are built with experts across departments.

Assemble the Team

When building a PSIRT, you should first develop a charter describing how the team will operate and what services it will provide. The charter should include the roles and responsibilities, operating model and products that are in scope (similar to a constituency description). Additional guidance on setting up a services framework for a PSIRT is provided by the Forum of Incident Response and Security Teams (FIRST).

Obviously, you need staffing and a dedicated budget to sustain long-term operations. The funding model can include “selling” services to other internal teams: Your PSIRT can deliver vulnerability assessment or code testing that you might otherwise outsource to an external partner.

Besides the budget, you also need adequate tooling to conduct your work. Especially for teams starting with a distributed model, care must be taken that team members make use of the PSIRT tooling and not rely solely on their departments’ kits. Failing to do so can introduce the risk that not all team members have access to the same knowledge.

Educate Stakeholders

Identify your stakeholders, build a relationship with them and make sure there’s support. Consider their needs and requirements when defining the charter or policies, and tailor your communication to them; not every stakeholder will expect the same types of messaging.

Document your policies, processes and procedures, and organize workshops within the organization to make them known. Deploying the team requirements without getting all the other affected teams on board would be a big mistake. It is critical to educate everyone in the organization on product security and their roles within that objective.

This will include internal stakeholders such as those in engineering, legal, communication, sales and customer support. Reach out to external stakeholders as well, including your national or sectorial CSIRT. Get involved in an information sharing and analysis center (ISAC) and build communication channels with consumer organizations and regulatory bodies.

A critical element of engagement is in the Secure Development Lifecycle (SDL). Ensure that your PSIRT participates in the SDL activities and governance process for a full picture of each version of each product before they go live.

Once you’ve identified all your stakeholders, define the metrics you will use for reporting. These metrics will most likely depend on the priorities of those to whom you report.

How to Discover Vulnerabilities

There are a few methods available to discover vulnerabilities, but there’s one that requires special attention: reports from external researchers, bug bounties or concerned users.

Enable External Reporting

External researchers and vigilant users that report vulnerabilities are also essential to your product security processes.

External reports are valuable for multiple reasons. For starters, the reporters have often looked at your product differently than your engineering department. Products get used in an unusual fashion or are broken down into different pieces, or a feature is used — or abused, as the case may be — in a way for which it was not designed.

Additionally, the reports are a good starting place for community building and can kick-start a search for other similar cases.

Engage With Other Teams

The CSIRTs, PSIRTs and partners collaborating in an ISAC make up another great source of external reports. To facilitate a swift exchange with these teams, you can set up automated intelligence sharing — for example, via the Industry Consortium for Advancement of Security on the Internet Common Vulnerability Reporting Framework (ICASI CVRF).

Monitor Public Sources

There are many public sources that can contain direct or indirect information on vulnerabilities in your products. Public sources include GitHub or Exploit Database, but even Twitter and various discussion and support boards can have valuable insights.

Monitoring all these sources can be challenging, but there are tools available to streamline the task. You can use marketing tools that track conversations about your products. You can use the Analysis Information Leak (AIL) framework, or tools that scan Twitter posts for keywords, such as TweetSniff.

Consider also scanning security conference programs or academic papers for new emerging trends or attack methodologies that might affect your products.

Learn the PSIRT Basics

The basic operating model also shares similarities with CSIRTs:

  • Reproduce the vulnerabilities in a secure environment.
  • Depending on the priority and impact, you might have to inform management.
  • Restrict access to the reproduction or proof-of-concept exploit codes during analysis, and store them on a separate network.

After analyzing vulnerabilities, it’s time to mitigate and remediate:

  • Define mitigation measures based on the analysis.
  • Build a remediation plan based on supported versions of the product, such as patching or workarounds.
  • Submit the suggested remediation to the QA and engineering teams for validation.
  • If the issue was reported by a third party, you should inform them of the steps taken before going public. This type of transparency will increase the level of trust a reporter has in your organization and can help streamline future reporting.
  • The remediation should also include a risk analysis and determination of how to most easily achieve delivery. Parts of the risk analysis can be disclosed to your customers.
  • Strategize your client-facing actions. Tap the sales team, customer support, comms and possibly the legal team.
  • The disclosed information should include clear actions for your customers and methods by which they can verify themselves that a remediation was successful. The EU Agency for Network and Information Security (ENISA)’s “Writing Security Advisories” guidelines can assist you in this process.

Never waste a good vulnerability. Reuse the incident information as training and educational material for the engineering teams to prevent similar incidents in the future. A PSIRT’s operations should feed into recursive security checks and practices to continuously scale product security with organizational growth and an ever-evolving threat environment.

The post Is It Time to Start a PSIRT? Why Your CSIRT May Not Be Enough appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: Koen Van Impe

Automation, Gartner Magic Quadrant, Security Information and Event Management (SIEM), Security Intelligence & Analytics, Security Operations Center (SOC), Security Services, Security Solutions, Threat Detection, Threat Intelligence,

3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader

Last week Gartner published its 2018 Magic Quadrant for Security Information and Event Management (SIEM). As in past years, the report supports the steady evolution of SIEM technology and the growing demand from customers for simple SIEM functionality with an architecture built to scale that meets both current and future use cases.

So how do we interpret from Gartner what it means to be a SIEM leader in 2018? Based on a quick dissection, the main characteristics of a leading SIEM tool are centered around innovation in early threat detection, adaptation to customer environments and strong market presence.

What Separates a SIEM Leader From the Rest of the Market?

The first element, early detection via analytics — more clearly stated as efficacy in threat detection and response — remains the centerpiece of any effective SIEM solution. Security analysts and security operations center (SOC) leaders today need to detect both known and unknown threats in real time. By applying analytics to a combination of threat intelligence, behavioral analytics and a wide variety of security monitoring data, organizations can improve both their time to detection and total alert volumes. While these two basic outcomes — reduced dwell time and fewer alerts — sound tactical, they can ultimately help security teams become less distracted and more effective at managing threats, which helps reduce business risks and liabilities and maintain a positive brand reputation.

IBM is a leader in the 2018 Gartner Magic Quadrant for SIEM

The second element of Gartner’s definition of a leader, rapid adaptation to customer environments, is becoming a core factor in how much return on investment (ROI) customers realize and how quickly they realize it. Ad hoc content, add-on applications and flexibility in upgrading the platform are all required to mature a SIEM system in an affordable way once it’s installed.

Also included in this element is the ability to scale the platform in terms of both network coverage and security capabilities. By using out-of-the-box content to automate and streamline more security workflows, organizations can better combat challenges related to the shortage of skills and headcount and better enable the business to adopt new technologies that can help increase its competitive position.

The third element of a leading SIEM is strong market presence and easy access to services. Growth rates around the world still vary based on local security maturity, regulations and specific geographic needs. Customers are looking for access to local resources to help meet their unique requirements and learn lessons from a local community that has already gone through SIEM deployment. It is not uncommon for customers to first select a SIEM platform and then find a local managed service provider or systems integrator for operational support or oversight. Support for this approach provides SIEM users with multiple options to help optimize operating expenses without cutting into expertise.

Take Your SIEM Deployment to the Next Level

IBM was named a SIEM leader in the 2018 Gartner Magic Quadrant report. The IBM QRadar platform has demonstrated continuous innovation that has expanded its value, from its origins in network behavior anomaly detection to real-time threat detection to more recent developments that help automate investigations and streamline orchestrated response processes.

Unique to QRadar is the simplified approach to provide a continuous evolution of use cases and deployment options via optimized content packs, easily downloadable apps from IBM Security App Exchange and flexible deployment options that support organizations regardless of where they are on their cloud journey.

Market presence also contributed to IBM’s leadership; a community of thousands of customers worldwide, a strong business partner network and a wealth of services options allows QRadar customers to easily find knowledgeable local resources that can help them maintain and scale their platform.

To learn more about Gartner’s full review of QRadar, SIEM market trends and vendor evaluation criteria, download your complimentary copy of the 2018 Gartner Magic Quadrant for SIEM. We also invite you to register for our upcoming webinar, “Stay Ahead of Threat Detection & Response with a Scalable SIEM Platform.” The webinar will take place Dec. 18 at 11 a.m. ET and will be available to watch on-demand thereafter.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The post 3 Security Business Benefits From a 2018 Gartner Magic Quadrant SIEM Leader appeared first on Security Intelligence.

This post appeared first on Security Intelligence
Author: John Burnham