When it comes to security information and event management (SIEM) solutions, you get out what you put in. Choosing the right method for organizing the teams that deploy and implement the SIEM, use cases and all, is an important decision. When it comes to organizing the projects and services related to the security of your enterprise, you need to stick to what you know — right? Not necessarily.

Making the switch to Agile may enable your organization to achieve a more rapidly enhanced security posture. The world of security moves fast, and black-hat hackers prey on organizations with sticky feet.

In 2017, being secure means being agile. At the core of any SIEM is the concept of the use case, the set of rules about what patterns and anomalies we are looking for and prioritizing on an enterprise network. Staying agile and keeping these rules and searches up to date and relevant enable us to focus on today’s primary threat vectors, not those from six months ago.
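To make the notion of a "use case" concrete, here is an added example that is not from the original post and does not use QRadar's own rule language: a detection rule expressed as data (event filter, threshold, sliding window) and evaluated over a handful of constructed syslog-style SSH lines. The hostnames, usernames and IP addresses are made up, and the two rule versions stand in for the kind of iteration the post describes, where a rule is tuned sprint by sprint rather than frozen at project start.

```python
"""Added example (not from the original post): a minimal SIEM-style
"use case" expressed as data and evaluated over constructed log lines.

A SIEM use case is a rule describing the pattern we are looking for.
Keeping the rule's parameters (event filter, threshold, window) as data
rather than hard-coded logic is what lets a team tune and re-prioritize
rules iteration by iteration instead of re-implementing them.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample events in a syslog-like shape (hypothetical host/IPs).
SAMPLE_LOG = """\
2017-03-01T08:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 50211 ssh2
2017-03-01T08:00:04 bastion sshd[2202]: Failed password for root from 203.0.113.7 port 50212 ssh2
2017-03-01T08:00:06 bastion sshd[2203]: Failed password for admin from 203.0.113.7 port 50213 ssh2
2017-03-01T08:00:09 bastion sshd[2204]: Failed password for admin from 203.0.113.7 port 50214 ssh2
2017-03-01T08:00:12 bastion sshd[2205]: Failed password for root from 203.0.113.7 port 50215 ssh2
2017-03-01T08:00:30 bastion sshd[2206]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
2017-03-01T08:15:00 bastion sshd[2207]: Failed password for bob from 198.51.100.20 port 40002 ssh2
2017-03-01T08:40:00 bastion sshd[2208]: Failed password for bob from 198.51.100.20 port 40003 ssh2
2017-03-01T08:55:00 bastion sshd[2209]: Failed password for bob from 198.51.100.20 port 40004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) "
    r"\S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class UseCase:
    """One detection rule: what to match, how many, and within what window."""
    name: str
    outcome: str          # event field value to match, e.g. "Failed"
    threshold: int        # matching events needed to fire
    window: timedelta     # sliding window the events must fall within


def parse_events(text):
    """Turn raw lines into dicts; lines that do not match the schema are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def evaluate(use_case, events):
    """Return one alert per source IP whose matching events reach the
    threshold inside the use case's sliding window (one alert per source)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["outcome"] == use_case.outcome:
            by_src[ev["src"]].append(ev["ts"])

    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window's left edge until it spans at most `window`.
            while t - times[start] > use_case.window:
                start += 1
            if end - start + 1 >= use_case.threshold:
                alerts.append({"rule": use_case.name, "src": src,
                               "count": end - start + 1, "first": times[start]})
                break
    return alerts


# Iteration 1 of the rule: five failures within a minute.
BRUTE_FORCE_V1 = UseCase("ssh-brute-force", "Failed", threshold=5, window=timedelta(seconds=60))
# Iteration 2, after tuning: also catch slow, spread-out attempts over an hour.
BRUTE_FORCE_V2 = UseCase("ssh-brute-force-slow", "Failed", threshold=3, window=timedelta(hours=1))


def run_use_cases(text, use_cases):
    """Evaluate every use case against the parsed events and collect alerts."""
    events = parse_events(text)
    results = []
    for uc in use_cases:
        results.extend(evaluate(uc, events))
    return results


if __name__ == "__main__":
    for alert in run_use_cases(SAMPLE_LOG, [BRUTE_FORCE_V1, BRUTE_FORCE_V2]):
        print(alert)
```

Against the sample, the first rule fires only on the fast burst from 203.0.113.7; the tuned second rule additionally catches the slow attempts from 198.51.100.20 that the original threshold missed, which is the kind of gap a regular review of use cases is meant to close.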

Traditional Versus Agile: QRadar Face-Off

You might assume that Agile is just for software developers, but security analysts can use it to implement a SIEM. Let’s look at an example of Agile security services in action.

IBM QRadar, which earned recognition in the Gartner Magic Quadrant and Forrester Wave, made for a good test case on a recent project. During the project, the SIEM team switched from a traditional Waterfall methodology to Agile.

Here’s what I saw from both sides of the fence. For each area of concern, we’ll first analyze the old approach and then look at how the switch to Agile affected organizational security.

Client Collaboration

  • Traditional: The client basically dropped a big book of what it expected to get out of QRadar on the delivery team’s desk and then went back to fighting fires. OK, it wasn’t quite that bad, but collaboration was not incentivized by management, and this began to create a divided work environment, making it difficult for analysts to use security intelligence to break down silos and create a single-pane view.
  • Agile: The client got involved from the start and throughout the QRadar implementation process, and the required resources were made available on a dynamic basis to meet Agile sprint goals. This way, the client got to see and feel the product rather than waiting long days, weeks or months to see what QRadar could do.

Getting Requirements Right

  • Traditional: Requirements were thoughtfully established and then given to service delivery teams. Requirements changed and security considerations moved on. Slowly, what was being delivered lost touch with what was needed.
  • Agile: Requirements were considered on an ongoing basis, and the product was demonstrated at regular intervals to enable the customer to see where it was meeting expectations and where it could benefit from a different approach.

Team Connectivity

  • Traditional: Different teams worked on the product and in the QRadar environment with little or no communication. We may not have seen how planned changes in the network and security ecosystem affected the product until it was alive and kicking.
  • Agile: Agile product owners got insight into multiple products and changes to the security environment in the enterprise during demonstrations and sync-ups. Potential clashes could be proactively mitigated, eliminating unnecessary delays and keeping motivation high.

Time to Value

  • Traditional: Delivery would have occurred at the end date of the project, no earlier.
  • Agile: QRadar came alive in iterations, giving the fastest possible value by working quickly with the highest-priority incidents rather than waiting for the minutiae of arcane documentation to be completed before realizing value.

Find the Fun in Security

You have probably noticed a pattern by now. With the flexibility and availability of many Agile tools, SIEM is no sweat for a team of motivated and empowered individuals. This project ended with a well-tuned and powerful SIEM, as well as a sense of exponential progress for a team that had found the fun in security.

This is just one example of how a team could work together to adopt Agile and QRadar to beat expectations and create a state of security intelligence. To begin thinking about what your company can do with a powerful SIEM and an empowering way of working, ask yourself the following questions:

  1. Could your organization benefit from closer collaboration between service providers and your enterprise’s security teams and higher-level business units?
  2. Do you find your security priorities changing on a monthly or even weekly basis?
  3. Do you wish you could realize the potential of new products faster and stay on pace with cybercriminals?

If the answer to any of these is yes, it might be time to start thinking about adopting Agile and taking your product implementations to the next level.
