Is your organization, like many others, thinking about security monitoring and realizing that it is hard to find and/or fund the resources needed to keep up with the ever-changing threat landscape? In today’s interconnected world, the threats that are unseen are sometimes more problematic than those we do see within our IT infrastructure. The question then becomes: How can your organization monitor and respond to threats in real time?

Perhaps you are asking questions like, “Should I invest in a security information and event management (SIEM) solution?” “Should I build a security operations center (SOC) to optimize my security operations?” “How can I implement and operate a SIEM solution and/or a SOC given the minimal resources I have on hand?”

Security Monitoring with SIEM

SIEM technology provides real-time analysis of security alerts generated by network hardware and applications. In my role, I have the opportunity to help clients optimize the effectiveness of their security operations. Most of us agree that, given the growing complexity of the threat landscape, it is necessary to rely on the correlation and insight a SIEM provides.

SIEM capability can be integrated into most organizations using one of three options:

  • A customer-premises equipment (CPE) SIEM tool, operated in-house;
  • A managed security service, delivered by a managed security services provider (MSSP); or
  • A hybrid solution that combines a CPE SIEM tool with a managed security service.

3 Key Characteristics of a Hybrid Security Operations Model

Which approach is best for your organization? Let’s take a look at the three key characteristics of a hybrid security operations solution.

  1. Staffing the SIEM. For many midmarket organizations and some large enterprises, operating a SIEM seems overwhelming, given the need for staff expertise in SIEM administration, threat research and security intelligence analysis. The SIEM environment must be continually monitored, managed, tuned and extended to maximize effective operational coverage. With the hybrid approach, the solution can be set up quickly, has the flexibility to scale effectively and minimizes risks and unforeseen costs. The services provider offers extended resources to supplement your internal staff in the operation of the CPE SIEM environment, so the organization has access to named resources to overcome staffing challenges. Imagine an arrangement in which Tier One and Tier Two security event tickets are handled by the MSSP and Tier Three is handled internally.
  2. Threat intelligence. The services provider can supply broad threat intelligence drawn from its global visibility across hundreds or thousands of customer environments, thereby enhancing the threat awareness capability of your operation. Imagine having access to global threat intelligence and highly skilled security intelligence analysts as a normal extension of your internal resources.
  3. Flexible staffing and specialty services. The services provider can flex staffing to scale as the need arises, or take on planned coverage and/or unforeseen resource requirements. Flexible staffing can eliminate the need to attract and retain staff for specific conditions (even off-hours support). Consider your needs for specialty resources and teams in areas such as security incident response, forensics and remediation actions; many MSSPs can provide specialty services such as these to supplement your staff. Separately, consider the times when you want access to expertise for assistance in developing and/or validating your security program strategy, or when you need to implement or refresh technology and/or process in one or more elements of your security program: IAM, data security, GRC, policy and so on. Many MSSPs offer security consultants to advise on or deliver program assessments, comparative benchmarks or other strategy considerations.

The good news is that organizations of all sizes can now take advantage of the proven benefits of a full SIEM for security operations, and as a result become better equipped to support the business's risk management objectives. Whether the organization is prepared to implement and operate a SIEM using existing resources or needs the help and expertise of a third party, a SIEM strategy can be delivered using the flexible approach of a hybrid security operations model.
