Light Dark
March 16, 2018 By Patrick Vandenberg 3 min read
Intelligence & Analytics
CISO
Incident Response

As a die-hard hockey fan and coach, I often like to think of things in terms in sports. When you think about it, cybersecurity teams and professional sports teams aren’t all that different. If you are a fan of a professional sports franchise, you are well-aware of your expectations for your favorite team every year. Without question, you make an emotional investment at the start of the season, cheering your team on to combat the opposition on a nightly or weekly basis.

But what about the team’s perspective? Undoubtedly, the team has expectations as well — namely, to run a healthy business and protect the fan base’s sacred investment. But most fans do not appreciate the complexities of running a successful franchise. Every year, the odds are stacked against teams trying to succeed. They face so many challenges and questions, such as:

  • Do we have the necessary budget to invest in and support our resources?
  • Do we have sufficient skill in our player pool to deliver a winning product?
  • What does our competition look like this year? Are their budgets and talent resources going to be an even greater mountain for us?
  • Are we able to field a competitive team today while simultaneously building for an even stronger team in the future?

The last point is perhaps the least understood concern of a sports franchise among fans. It takes a long-term vision and a strategy to be able to answer “yes” to that question.

Championship or Bust: Building a Winning Security Operations Center

Cybersecurity teams face a similar challenge. Of course, it’s not about franchising security teams, but rather building an effective and enduring security operations center (SOC). There are many parallels in the challenges that each face.

In striving to protect the sensitive data of employees, clients and citizens, security teams are perennially faced with budget limitations. This affects the resources available to combat cyberattacks, leading to long odds to fight back without enough staff. That brings us to one of the biggest issues for security teams: the skills shortage. (ISC)2 recently updated its skills shortage projection to 1.8 million vacant positions by 2022.

Just like a sports team will inevitably meet unexpected challenges such as new and stronger playoff contenders or a rash of injuries, so it goes for our cybersecurity team, which encounters continuously evolving attack methods and ever-widening gaps in staffing. The opposition never lets up, so how can our cyber athletes change the game for a better outcome in the future?

Watch the on-demand Webinar: 5 Building Blocks for a SOC That Rocks

Looking Toward the Future With Automation and Orchestration

A modern SOC first needs visibility across your environments, from traditional infrastructure to cloud. A security analytics platform that can ingest millions of data points from hundreds of sources is also a critical backbone to build upon. With the ability to apply network insights, user behavior and artificial intelligence (AI) capabilities, we can better prioritize incidents that require the attention of our limited team of security analysts.

In fact, there is a tremendous amount of automation available to enhance the effectiveness of the SOC. With the complexity and skill of attacks today, a modern SOC must be proactive in attack investigation. IBM i2 provides this capability and is already entrenched in the law enforcement and intelligence communities. Automation is a recurring criterion in a modern SOC and works well when implementing orchestration. A leading incident response platform is essential to drive coordinated response plans, from addressing potential compliance requirements to managing endpoint patches, which is an essential automation capability that helps bridge security and IT operations.

Certainly, there are more functions and services necessary to run a mature and adaptable SOC, but this serves as a quick illustration of the very effective automation and orchestration capabilities already empowering mature SOCs today.

Watch the full session from Think 2018: Building the AI-Enabled Security Operations Center

 |  |  |  | 
Patrick Vandenberg
Program Director, Security Product Marketing, IBM

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature