SIEM technology has been around for years and continues to enjoy broad market adoption. Companies continue to rely on SIEM capabilities to handle proactive security monitoring, detection and response, and regulatory compliance. However, with today’s staggering volume of cyber-security threats and the number of security devices, network infrastructures and system logs, IT security staff can become quickly overwhelmed.
Gartner projects that by 2020:
-- 50% of new SIEM implementations will be delivered via SIEM as a service.
-- 60% of all advanced security analytics will be delivered from the cloud as part of SIEM-as-a-service offerings.
2. www.forsythe.com
Forsythe is a leading enterprise IT company, providing advisory services, security, hosting and technology solutions for Fortune 1000 organizations. Forsythe helps clients optimize, modernize and innovate their IT to become agile, secure, digital businesses.
Sponsored by
4. WE'VE ALL SEEN WHO'S BEEN IN THE HEADLINES…
Sectors shown: Online Properties, Automotive, Retail, Fast Food, Healthcare, Manufacturing, Media & Entertainment, Travel, Telecommunications
5. AND WE'VE ALL HEARD FROM THE EXPERTS
"You can't protect everything equally… we have to find a way to control only what matters." -- Earl Perkins, VP, Gartner
"Today's security climate is such that enterprises fear becoming victims of the next major cyber attack or cyber extortion." -- Sean Pike, VP, IDC
"…many global enterprises face targeted attacks on a daily basis." -- Chris Sherman, Sr. Analyst, Forrester
6. MIND THE GAP: THE SECURITY TALENT GAP IS GROWING
The shortage is projected to reach 1.8 million professionals by 2022.
Source: 2017 Global Information Security Workforce Study (GISWS)
9. THE ULTIMATE GOAL IS TO MAKE THE COMPANY MORE SECURE
What to do, given limited resources, limited time and limited money?
10. Ask yourself: WHAT IS YOUR BIGGEST SECURITY CHALLENGE?
a) Finding and retaining skilled security personnel
b) Filling a security capability gap
c) Getting value from the tools we have
d) Keeping up with day-to-day operations
12. WHAT IS A SIEM?
SIEM stands for Security Information and Event Management: software that identifies possible security threats in near real time by collecting and analyzing the logs and alerts generated by network and security technologies.
13. WHAT DOES A SIEM DO?
1. Various technologies are deployed in an IT environment.
2. They throw off alerts and events, recorded in log files,
3. that are fed into the SIEM software.
4. The SIEM is configured with rules and use cases to identify possible threats.
5. The SOC team proactively monitors the SIEM and investigates the alerts it triggers.
6. When threats are confirmed, remediation actions are taken on the affected technologies, and
7. where investigated alerts turn out not to be threats ("false positives"), the rules and use cases are tuned so that the same benign activity no longer alerts. Tune narrowly (raise a threshold, exempt the specific known-benign source) rather than disabling the rule, or the next real instance of the attack is missed as well.
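The seven-step loop above (and the "customize unique rules to eliminate false positives" point on the next slide), as an added example that is not part of the original slides and is not code from IBM, Forsythe or any SIEM product: a toy correlation engine in Python that normalises constructed sshd and firewall log lines into a common event schema, applies sliding-window rules (SSH brute force, a success right after a burst of failures, a port sweep), raises one offense per rule and source, and shows step 7 as a narrow exemption for an assumed authorised vulnerability scanner (198.51.100.7) instead of disabling the brute-force rule. The log lines, host and rule names, addresses and thresholds are all assumptions constructed for the example.

```python
"""Toy SIEM correlation engine (added example; not code from the slides or any vendor):
raw logs -> normalised events -> sliding-window rules -> offenses, with a tuning list."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample logs (an sshd host, a firewall, one unparseable line); not real captures.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z sshd[811]: Failed password for root from 203.0.113.9 port 51022 ssh2
2024-05-01T10:00:03Z sshd[811]: Failed password for root from 203.0.113.9 port 51023 ssh2
2024-05-01T10:00:05Z sshd[811]: Failed password for root from 203.0.113.9 port 51024 ssh2
2024-05-01T10:00:07Z sshd[811]: Failed password for root from 203.0.113.9 port 51025 ssh2
2024-05-01T10:00:12Z sshd[811]: Accepted password for root from 203.0.113.9 port 51027 ssh2
2024-05-01T10:01:00Z sshd[811]: Failed password for svc-scan from 198.51.100.7 port 40000 ssh2
2024-05-01T10:01:01Z sshd[811]: Failed password for svc-scan from 198.51.100.7 port 40001 ssh2
2024-05-01T10:01:02Z sshd[811]: Failed password for svc-scan from 198.51.100.7 port 40002 ssh2
2024-05-01T10:01:03Z sshd[811]: Failed password for svc-scan from 198.51.100.7 port 40003 ssh2
2024-05-01T10:02:00Z fw01 action=deny src=192.0.2.50 dst=10.0.0.5 dport=22
2024-05-01T10:02:01Z fw01 action=deny src=192.0.2.50 dst=10.0.0.5 dport=445
2024-05-01T10:02:02Z fw01 action=deny src=192.0.2.50 dst=10.0.0.5 dport=3389
2024-05-01T10:02:03Z fw01 action=deny src=192.0.2.50 dst=10.0.0.5 dport=5985
2024-05-01T10:03:00Z cron[77]: (root) CMD (/usr/bin/logrotate)
"""

SSHD_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+")
FW_RE = re.compile(r"^(?P<ts>\S+) fw01 action=deny src=(?P<src>\S+) dst=\S+ dport=(?P<dport>\d+)")

# Tuning state the SOC keeps after investigating alerts (step 7). Assumed for the example:
# 198.51.100.7 is an authorised scanner whose failed logins were found benign, so that one
# source is exempted instead of the brute-force rule being disabled.
TUNING = {
    "known_scanners": {"198.51.100.7"},
    "brute_force_threshold": 4,    # auth failures per source inside the window
    "distinct_port_threshold": 4,  # denied destination ports per source inside the window
    "window": timedelta(seconds=60),
}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def normalize(line):
    """Map one raw log line onto a common event schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        cat = "auth_failure" if m["result"] == "Failed" else "auth_success"
        return {"ts": _ts(m["ts"]), "category": cat, "src": m["src"], "user": m["user"]}
    m = FW_RE.match(line)
    if m:
        return {"ts": _ts(m["ts"]), "category": "fw_deny", "src": m["src"], "dport": int(m["dport"])}
    return None

class Correlator:
    """Sliding-window rules over normalised events; one open offense per (rule, source)."""
    def __init__(self, tuning=TUNING):
        self.t = tuning
        self.failures = defaultdict(deque)  # src -> (timestamp, None) per auth failure
        self.denied = defaultdict(deque)    # src -> (timestamp, dport) per firewall deny
        self.offenses, self.suppressed = [], 0

    def _window(self, dq, now, item=None):
        # Append item (if given), drop entries older than the window, return the deque.
        if item is not None:
            dq.append(item)
        while dq and now - dq[0][0] > self.t["window"]:
            dq.popleft()
        return dq

    def _raise(self, rule, severity, ev, detail):
        for o in self.offenses:             # repeated hits roll into the open offense
            if o["rule"] == rule and o["src"] == ev["src"]:
                o["count"] += 1
                return
        self.offenses.append({"rule": rule, "severity": severity, "src": ev["src"],
                              "first_seen": ev["ts"], "count": 1, "detail": detail})

    def ingest(self, ev):
        if ev["src"] in self.t["known_scanners"]:
            self.suppressed += 1            # still stored for search, never an offense
            return
        now, src, cat = ev["ts"], ev["src"], ev["category"]
        if cat == "auth_failure":
            n = len(self._window(self.failures[src], now, (now, None)))
            if n >= self.t["brute_force_threshold"]:
                self._raise("ssh_brute_force", "medium", ev, f"{n} failures in window")
        elif cat == "auth_success":
            n = len(self._window(self.failures[src], now))
            if n >= 3:                      # success right after a burst of failures
                self._raise("success_after_failures", "high", ev,
                            f"{ev['user']} logged in after {n} failures")
        elif cat == "fw_deny":
            ports = {p for _, p in self._window(self.denied[src], now, (now, ev["dport"]))}
            if len(ports) >= self.t["distinct_port_threshold"]:
                self._raise("port_sweep", "low", ev, f"{len(ports)} distinct ports denied")

def run(raw, tuning=TUNING):
    """Normalise raw log text, correlate it in time order, and return a summary."""
    lines = raw.splitlines()
    events = sorted(filter(None, map(normalize, lines)), key=lambda e: e["ts"])
    c = Correlator(tuning)
    for ev in events:
        c.ingest(ev)
    return {"events": len(events), "unparsed": len(lines) - len(events),
            "suppressed": c.suppressed, "offenses": c.offenses}
```

Calling run(SAMPLE_LOGS) reduces 14 raw lines to three offenses (a medium brute-force offense, a high-severity success-after-failures offense on the same source, and a low-severity port sweep), counts the four scanner events as suppressed, and reports the cron line as unparsed rather than dropping it silently. Rerunning with known_scanners emptied produces a second brute-force offense from the scanner, which is exactly the alert a SOC investigates once and then tunes out as in step 7; note that the tuning exempts one source, so a real brute force from any other address still fires.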
14. HOW DOES A SIEM HELP SECURITY POSTURE?
-- Reduce the number of people needed to stay on top of alerts
-- Focus staff on the threats that require investigation and remediation
-- Customize unique rules to eliminate "false positive" alerts
17. IBM Security
A cognitive security operations platform for the threats of tomorrow: fast to deploy, easy to manage, and focused on your success.
Use cases: Advanced Threat Detection, Insider Threat, Securing the Cloud, Risk and Vulnerability Management, Critical Data Protection, Compliance, Incident Response
18. IBM Security
IBM QRadar: Continued investment based on client needs
Platform evolution based on client needs (timeline):
-- 2002-2005: Flow Visualization and NBAD. Anomaly detection and threat resolution plus network visualization.
-- 2006-2007: SIEM. Combined flows, behavioral analytics, SIM and vulnerabilities into one of the first SIEMs.
-- 2008-2009: Log Management. Identity management, complete log management, and compliance reporting.
-- 2010-2013: Vulnerability and Risk Management. Real-time vulnerability scanning and prioritization, combined with configuration analysis, policy monitoring, and risk assessment.
-- 2014: Network Forensics. Incident forensics including full packet capture, storage, indexing, searching and session reconstruction.
-- 2015: Security Intelligence on Cloud and Apps. Deploy as a SaaS offering or combine with hybrid cloud and on-prem environments; easily extend QRadar with apps available on the curated IBM App Exchange.
-- 2016: Incident Response and Network Insights. Integration with Resilient enables building and executing automated incident response plans; Network Insights bridges flows and full packet capture, enhancing real-time detection.
-- 2017: Watson for Cyber Security and i2 Enterprise Insight Analysis. Core cognitive capability that continuously understands, reasons, and learns the many risk variables across the entire security ecosystem; cyber analysis to hunt for attackers and predict threats.
19. IBM Security
Cognitive Security Starts Here: IBM Security Introduces a Revolutionary Shift in Security Operations
NEW! IBM QRadar Advisor with Watson
• Employs powerful cognitive capabilities to investigate and qualify security incidents and anomalies on behalf of security analysts
• Powered by Watson for Cyber Security to tap into vast amounts of security knowledge and deliver insights relevant to specific security incidents
• Transforms SOC operations by addressing current challenges that include skills shortages, alert overloads, incident response delays, currency of security information and process risks
• Designed to be easily consumable: delivered via IBM Security App Exchange and deployed in minutes
20. IBM Security
IBM QRadar Advisor with Watson: Revolutionize how security analysts work
Automatically uncover new security context and the full scope of an incident:
• 2.3M+ security documents
• 10B+ security data elements
• 80K+ documents read per day
• 250K+ investigations enhanced in just six months
21. IBM Security
Case Study: An international energy company reduces billions of events per day to find those that should be investigated
An international energy firm analyzes 2 billion events per day to find 20-25 potential offenses to investigate.
Business challenge: reducing a huge number of events to find the ones that need to be investigated, and automating the process of analyzing security data.
IBM Security Solutions (QRadar SIEM, QFlow, Risk Manager): combined analysis of historical data with real-time alerts to gain a "big picture" view, uncover patterns of unusual activity that humans miss, and immediately block suspected traffic.
Outcome: optimized threat analysis.
22. Ask yourself: WHERE ARE YOU ON YOUR SIEM "JOURNEY"?
a) Haven't considered
b) Currently evaluating
c) Deployed and running smoothly
d) Deployed but unmanaged
24. CONSUMPTION MODELS
-- Deployed SIEM: buy a SIEM and run it yourself.
-- Co-Managed SIEM: buy a SIEM and have an MSSP help support it.
-- As-a-Service SIEM: full opex model for the SIEM and its operations, pay as you go.
25. FORSYTHE SIEMAAS
IBM QRadar is the backbone of Forsythe's SIEMaaS:
-- Inclusive of hardware, SIEM software, hosting, and support
-- Located in Forsythe's Uptime Institute certified Tier III hosting facility in Chicago
-- Priced on a per Events Per Second ("EPS") basis
27. WHAT TO LOOK FOR IN AN MSSP PARTNERSHIP
Setting Expectations: A good partner will help you ask the right questions upfront to set appropriate expectations and avoid surprises.
Onboarding for Success: A successful activation requires upfront tuning of the environment. Make sure the partner offers this.
Engineering Expertise: Be clear on the level of technical expertise and on whether the technical team is tasked with identifying and rectifying issues proactively.
Ongoing Tuning: Work with a partner whose shared goal is your improved security posture and who will therefore perform the required tuning.
Flexibility: Understand that some providers are more flexible than others.
Culture and Communication: For the partnership to work, everyone must be dedicated to problem-solving, effective communication and a sense of teamwork.
28. GETTING STARTED
1. Understand your security mandate
2. Determine the build-vs-buy consumption model
3. Do not get caught in product comparison paralysis
4. Evaluate staffing limitations and priorities
5. Engage an MSSP where appropriate to add value
6. Identify and incorporate SLAs into contracts
7. Check references
30. READ RELATED ARTICLES:
5 Steps to Choosing a Managed Hosting and Managed Services Partner
http://focus.forsythe.com/articles/346/5-Steps-to-Choosing-a-Managed-Hosting-and-Managed-Services-Partner
7 Steps to a Successful Partnership with a Managed Security Services Provider
http://focus.forsythe.com/articles/305/7-Steps-to-a-Successful-Partnership-with-a-Managed-Security-Services-Provider
6 Questions to Help You Find the Right Managed Security Services Provider
http://focussecurity.forsythe.com/articles/447/6-Questions-to-Help-You-Find-the-Right-Managed-Security-Services-Provider