In many cases, organizations do not discover their own security threats/breaches—the discovery is made by an external third party and then reported to the victim organization. When breaches are discovered internally, they typically come from either active methods designed specifically for detection or passive methods in which an incident is uncovered by a non-security process.

The security model of 10 to 12 years ago is no longer adequate to meet contemporary challenges, as “Internet hooliganism” has given way to organized criminal activity. The older model is outmoded and does not scale in the face of today’s threats and IT environment. Perimeter-based security has evolved to a highly distributed model as employees, partners and customers conduct business remotely across the Internet and criminals exploit new attack vectors and misplaced user trust. Government and industry regulatory mandates emerged and were given “teeth” through stronger penalties and more diligent enforcement.

The security industry has responded with new and enhanced products to meet each threat. All of these tools add value to overall enterprise security, but they are, in effect, islands of security technology. They are not conducive to a risk-based, enterprise-wide security program, and the overall effort tends to be fragmented.

In many cases, organizations must deal with incomplete data because a given security tool may not recognize a threat or risk for what it is without correlation from other data sources. On the other hand, even when data is collected from disparate sources, analysts are challenged by the sheer volume, making it extremely difficult to distill actionable information.

Security intelligence addresses these problems across the spectrum of the security lifecycle, centralizing data from disparate silos, normalizing it and running automated analyses. This enables organizations to prioritize risk and cost-effectively deploy security resources for detection, prevention, response and remediation.

Moving Beyond Log Management and SIEM

The concept of security intelligence is partially realized in security information and event management (SIEM) tools, which correlate and analyze aggregated and normalized log data. Log management tools centralize and automate the query process, but they lack the flexibility and sophisticated correlation and analysis capabilities of SIEM and, ultimately, security intelligence.

But SIEM should be regarded as a point along the way rather than a destination—the end goal is comprehensive security intelligence. SIEM is very strong from an event-management perspective and plays a particularly important role in threat detection. Comprehensive security intelligence, however, must encompass and analyze a far broader range of information. It requires continuous monitoring of all relevant data sources across the IT infrastructure, as well as evaluating information in contexts that extend beyond typical SIEM capabilities.

Security intelligence should include a much broader range of data, leveraging the full context in which systems are operating. That context includes, but is not limited to, security and network device logs, vulnerabilities, configuration data, network traffic telemetry, application events and activities, user identities, assets, geo-location, and application content.

This produces a staggering amount of data. Security intelligence provides great value in leveraging that data to establish very specific context around each potential area of concern and executes sophisticated analytics to accurately detect more and different types of threats.

For example, a potential exploit of a web server reported by an intrusion detection system can be validated by unusual outbound network activity detected by network behavioral anomaly detection (NBAD) capabilities.

Or, you have a report that a server has a potential vulnerability that has just been disclosed. But it’s one of hundreds in your organization, so how do you evaluate the threat for this particular server? Security intelligence can analyze all available data and tell you:

  • The presence or absence of the vulnerability
  • The value the organization assigns to the asset or data
  • The likelihood of an exploit based on attack-path threat models
  • Configuration information, which may indicate, for example, that the server is not accessible because a default setting has been changed
  • The presence of protective controls, such as an intrusion prevention system
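Both scenarios above, as an added example that is not code from the article, from Flagship or from any vendor product: an IDS alert is kept only when NBAD sees unusual outbound traffic from the same host shortly afterwards, and hosts are ranked for a newly disclosed vulnerability using the five context points listed. The event feeds, hosts, field names and vulnerability id are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (not real data): one IDS alert against a web
# server, and two NBAD "unusual outbound" anomalies from different hosts.
IDS_ALERTS = [
    {"ts": "2024-05-01T10:00:05", "src": "203.0.113.7", "dst": "10.0.0.5",
     "sig": "HTTP exploit attempt"},
]
NBAD_ANOMALIES = [
    {"ts": "2024-05-01T10:03:40", "host": "10.0.0.5", "out_bytes": 52_000_000},
    {"ts": "2024-05-01T15:00:00", "host": "10.0.0.9", "out_bytes": 1_000_000},
]

def _t(s):
    return datetime.fromisoformat(s)

def validate_ids_alerts(alerts, anomalies, window_min=15):
    """Keep only IDS alerts corroborated by an outbound anomaly from the
    targeted host within window_min minutes after the alert."""
    corroborated = []
    for a in alerts:
        t0 = _t(a["ts"])
        hits = [n for n in anomalies if n["host"] == a["dst"]
                and t0 <= _t(n["ts"]) <= t0 + timedelta(minutes=window_min)]
        if hits:
            corroborated.append({**a, "corroborated_by": hits})
    return corroborated

# Constructed asset context (hypothetical field names): whether the scanner
# saw the vuln, assigned asset value 1-5, whether config data says the host
# is reachable from untrusted networks, and whether an IPS sits in front.
ASSETS = {
    "10.0.0.5":  {"vulns": {"VULN-EXAMPLE-1"}, "value": 5, "reachable": True,  "ips": False},
    "10.0.0.9":  {"vulns": {"VULN-EXAMPLE-1"}, "value": 2, "reachable": False, "ips": True},
    "10.0.0.12": {"vulns": set(),              "value": 5, "reachable": True,  "ips": False},
}

def prioritize(vuln_id, assets):
    """Rank hosts for vuln_id: hosts without it drop out, asset value sets
    the base score, reachability scales likelihood, an IPS halves it."""
    ranked = []
    for host, ctx in assets.items():
        if vuln_id not in ctx["vulns"]:
            continue
        score = ctx["value"] * 10
        score *= 2.0 if ctx["reachable"] else 0.5
        score *= 0.5 if ctx["ips"] else 1.0
        ranked.append((host, score))
    return sorted(ranked, key=lambda p: -p[1])
```

The second anomaly (host 10.0.0.9, hours later) never corroborates the alert, and the same host ends up lowest in the vulnerability ranking because it is unreachable and behind an IPS.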

Or, consider the insider threat. The 260,000 diplomatic cables on military issues given to WikiLeaks in 2010 were obtained by a U.S. Army insider with a security clearance who, according to charges, did “intentionally exceed his authorized access.” According to news reports, he took advantage of a loophole in policies intended to prevent unauthorized downloading. It is possible that analysis of correlated data, applying contexts from multiple sources, may have stopped the leak before it could cause damage.

A key value point for security intelligence beyond SIEM is the ability to apply context from across an extensive range of sources. This can reduce false positives, tell users not only what has been exploited but also what kind of activity is taking place as a result, and provide quicker detection and incident response.

Schedule a consultation today to learn how Flagship can help you design and implement an effective security intelligence solution.


Educational materials on this topic can be found at:



IBM Security: QRadar Intelligence and Ops

IBM's integrated solutions harness security-relevant information from across your organization, and use analytics and automation to provide context and help you detect threats faster, identify vulnerabilities, prioritize risks, perform forensics analysis and automate compliance activities. 

  • IBM QRadar Security Intelligence Solutions Grow As Your Needs Grow

  • Organizations today need integrated security intelligence solutions that can grow as their business grows, both in terms of size and capabilities. The IBM QRadar Security Intelligence Platform meets these requirements by providing an integrated security solution that is highly scalable and can expand its capabilities to meet increasingly hostile security challenges. This short video describes how IBM Security QRadar delivers scalability, visibility, vulnerability management, risk management, and performs forensics analysis to help you quickly and efficiently detect and respond to security threats. To learn more, please visit

  • How IBM Helps Secure the Cloud

  • IBM Security helps customers secure public, private and hybrid clouds. With IBM Security customers can manage user access to cloud applications and protect the data that lives in the cloud. Customers can use IBM Security products like QRadar to gain full visibility into security threats facing their organization. For more information, please visit

  • Benefits of Security Intelligence on Cloud

  • Watch this short video and listen to Vijay Dheap, IBM Global Product Manager for Security, describe the benefits of Security Intelligence on Cloud, a new offering from IBM. These include lowering costs, increasing efficiency, shifting from a CapEx to an OpEx model, and improving compliance and reporting. Vijay also touches on the advantages of incident forensics and the rapid analysis of security offenses. For more information, please visit

  • KocSistem Replaces Their SIEM & Deploys QRadar For Log Management & Regulatory Compliance

  • Many organizations are challenged with meeting regulatory compliance mandates. Watch this video and learn how KoçSistem, one of the largest IT services companies in Turkey, is complying with regulations using IBM Security QRadar. You will hear about how they removed a SIEM from another company and installed QRadar, and lowered costs, improved performance, and benefited from greater ease of use. For more information on QRadar, please visit:

  • The Next Era for Security – IBM QRadar Security Intelligence Platform

  • “IBM QRadar Security Intelligence Platform provides real-time transparency to see better into your organization than ever before,” says Steve Robinson, Vice President, IBM Security Division. Implementing the security information and event management (SIEM) dashboard, the IBM QRadar platform brings security operations teams full visibility through a single window. It also automates the tedious task of vulnerability management. Security teams can spend less time on manual tasks and more time on network security assessments. This means, according to Robinson, “QRadar will probably pay for itself right out of the gate.” For more information on Security Intelligence go to: For more information on IBM Security:

  • IBM Security Intelligence for the Cloud with QRadar

  • IBM QRadar Security Intelligence helps you monitor the cloud for security breaches and compliance violations using advanced security analytics. Using a flexible deployment architecture and connectors to popular cloud services, IBM QRadar Security Intelligence provides deep visibility of threats across both on-premise IT and hybrid cloud deployments. To learn more, please visit

  • How to Investigate Security Incidents Quickly and Easily

  • What’s behind a cyber attack? Gaining insight and clarity into the what, when and how of an enterprise security incident: IBM Security QRadar Incident Forensics helps you win the race against time when a security breach occurs by allowing you to rapidly and easily perform in-depth security incident investigations. It provides visibility and clarity to potentially malicious activity by thoroughly analyzing packets captured from your network, and in most cases can help resolve security incidents in minutes or hours instead of days or weeks. It is integrated with IBM Security QRadar solutions, allowing the same person who has visibility to logs and network flows to conduct searches and learn more about an incident. With QRadar Incident Forensics, security staff can analyze many types of data, understand their relationships, re-trace the steps of an attacker, remediate damage, and reduce the chances of a recurrence. Learn more about QRadar Incident Forensics:

  • IBM Security QRadar and iSecure Work Together to Improve Customer Security

  • This short video describes the benefits that customers receive from the IBM Security QRadar and iSecure partnership. iSecure wraps their services around IBM’s QRadar products and helps clients address their security gaps. iSecure chose IBM because of the visibility QRadar provides to security exposures, and IBM’s continued investment in new capabilities such as vulnerability management, risk management, and incident forensics. iSecure also endorses IBM’s ability to provide a solution that combines multiple point products into a single, consolidated security solution. Learn more about IBM Security:

  • Local Government Secures Their Data With QRadar

  • Securing people and funds is a challenge for the public sector. With these limited resources, IT departments must choose a security tool set that will be easy to implement as well as easy to manage. In this video, a local government explains why they chose IBM Security’s QRadar and how it has been a true asset to their work process. To learn more about QRadar, please visit

  • Quickly Investigate & Resolve Security Events with QRadar Incident Forensics

  • When you make intelligent analytics part of your IT security strategy, you gain access to the tools to quickly identify and stop network security breaches, before real damage is done. IBM QRadar Incident Forensics helps security professionals reduce time spent on manual searches to identify a true threat, quickly analyze and stop the attack, and reconstruct the incident to gain the knowledge to prevent a similar attack in the future. To learn more, visit