Security Intelligence: What You Really Need to Know


If there was ever a time when security intelligence could be put on autopilot, that time is over. As technology evolves, so do hackers and their ability to penetrate traditional defenses. Organizations can no longer depend solely on traditional gateways to weed out nefarious activity.

As the old adage puts it, “knowledge is power”. This applies to security intelligence as well. To understand security intelligence, and the risks and threats that your organization faces, you need knowledge. This knowledge is collectively known as “security intelligence,” and it is becoming more critical to organizations as attackers become more sophisticated in their exploits.

Until recently, most organizations’ security efforts have focused more on stopping threats than on analyzing attacks. To move beyond tactical and operational approaches, organizations need to take a more strategic approach, such as consolidating and analyzing security intelligence.

I would like to share the following 5 fundamentals:

Planning 

Perhaps the most important step of developing a security intelligence initiative is defining what information it will provide — and how that information relates to the business. Before going out and identifying data sources for input, consider the multiple outputs that will come from building this service.

Threat intelligence is the first and foremost piece of information that will be obtained from your security intelligence initiative. Threat intelligence allows your enterprise to meet tactical and operational needs through the real-time alerting of threats. With good threat intelligence, organizations are also in a better position to recognize the most serious threats and build strategic defenses to address them.

If you decide to in-source security intelligence there are a few major challenges that you should be aware of: It’s time consuming, it may never yield the results you’re looking for, and it requires a significant capital investment in the right tools to do the job. You will need a core set of security tools to provide the essential foundational elements for performing in-house threat intelligence, and you should certainly consider leveraging external sources and service providers to fill in gaps in your defenses.

Among the mandatory tools are enterprise-class stateful firewalls that include robust application control and intrusion prevention system/intrusion detection system capabilities. Data Leak Prevention [DLP] systems are vital as well. A capable email security appliance is also compulsory for filtering out email-borne exploits and viruses, as well as for auditing purposes. If you can’t swing a fully capable enterprise DLP system, then you should at the very least be capturing flow data from all switching and routing gear and forwarding that data to a flow collector for analysis. That flow collector should also be able to perform DNS geolocation.

Lastly, and perhaps most importantly, you need a robust Security information and event management [SIEM] package. This is the cornerstone of your threat intelligence effort. Indeed, without SIEM in place, your threat intelligence program will almost surely fail. There’s simply no way a single human, or even a team of security experts, can process and correlate the vast amount of security and access logs that are generated from large numbers of switches, routers, firewalls, servers and other security appliances. You don’t necessarily need to purchase and manage a log and incident management tool in-house; there are plenty of capable service providers that offer either a cloud-based or managed SIEM service. Whichever option you choose, don’t skimp on your SIEM service. Doing so is like building a house with a hammer instead of a nail gun.

Consolidate

Most security professionals need to redirect their efforts toward more substantial and relevant data, including threat intelligence sources, open source information, industry contacts, and law enforcement. By focusing more closely on directly relevant sources of information, organizations will collect less redundant information and keep stakeholders more accurately informed.

Performing a risk assessment of your enterprise is a good entry point: it lets you identify your critical assets, tag these critical elements of your business with quantifiable amounts, and zero in on the mandatory security data sources that you should capture and consolidate.

Collecting security intelligence data is something like a loose thread on a sweater; the more you pull, the bigger it gets. SIEM tools, open source information (such as news feeds), industry sources (such as Gartner or Forrester), and professional peers at other organizations may all be useful sources in the information-gathering effort.

Analysis

Your security intelligence can be used to support further research, investigations, and defensive measures. It’s not enough to aggregate, normalize, and present data — you must analyze it to ensure its accuracy, reliability, and usefulness to the organization.

A solid strategy should include analyzing network flow data, server and application logs, events and alerts from network security appliances such as firewalls and intrusion prevention system (IPS) devices, and user activity data such as database activity monitoring (DAM) information, and putting them into a scalable, distributed repository so you can apply big data analytics and indexed search to find the “needle in the haystack” indicating that an attack has occurred. Organizations should also include contextual information such as threat intelligence feeds (e.g., IP reputation information), vulnerability and configuration management information, and asset profiles, plus identity and access management data about users and roles, to quickly prioritize alerts and focus on the top incidents requiring attention.
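The contextual prioritization described above can be sketched as follows. This is an added example, not part of the original article: the feed entries, asset names, users, alerts and scoring weights are all constructed assumptions, and a real SIEM would apply its own correlation rules.

```python
import ipaddress

# All data below is constructed for illustration (documentation IP ranges).
IP_REPUTATION = {              # threat intelligence feed: network -> risk 0..10
    "203.0.113.0/24": 9,       # range flagged as hostile by the (hypothetical) feed
    "198.51.100.7/32": 5,      # single host flagged as suspicious
}
ASSETS = {                     # asset profiles plus vulnerability management data
    "db-payments":  {"criticality": 5, "open_vulns": 2},
    "web-intranet": {"criticality": 2, "open_vulns": 0},
    "kiosk-lobby":  {"criticality": 1, "open_vulns": 1},
}
USER_ROLES = {"alice": "dba", "bob": "clerk"}   # identity and access data
PRIVILEGED_ROLES = {"dba", "domain-admin"}

ALERTS = [  # normalized events from IPS, firewall and DAM sources
    {"id": "A1", "source": "ips", "severity": 4, "remote_ip": "192.0.2.10",
     "asset": "kiosk-lobby", "user": None},
    {"id": "A2", "source": "firewall", "severity": 2, "remote_ip": "203.0.113.45",
     "asset": "db-payments", "user": None},
    {"id": "A3", "source": "dam", "severity": 3, "remote_ip": "198.51.100.7",
     "asset": "db-payments", "user": "alice"},
    {"id": "A4", "source": "ips", "severity": 5, "remote_ip": "192.0.2.77",
     "asset": "web-intranet", "user": "bob"},
]

def reputation(ip):
    """Highest feed risk of any listed network containing ip (0 if unlisted)."""
    addr = ipaddress.ip_address(ip)
    return max((risk for net, risk in IP_REPUTATION.items()
                if addr in ipaddress.ip_network(net)), default=0)

def score(alert):
    """Combine raw severity with asset, threat and identity context."""
    asset = ASSETS.get(alert["asset"], {"criticality": 1, "open_vulns": 0})
    total = alert["severity"] * asset["criticality"]    # business impact
    total += reputation(alert["remote_ip"])             # threat intelligence
    total += 2 * min(asset["open_vulns"], 3)            # exposure, capped
    if USER_ROLES.get(alert.get("user")) in PRIVILEGED_ROLES:
        total += 5                                      # privileged account involved
    return total

def prioritize(alerts):
    """Return (score, alert id) pairs, highest priority first."""
    return sorted(((score(a), a["id"]) for a in alerts), reverse=True)

if __name__ == "__main__":
    for total, alert_id in prioritize(ALERTS):
        print(alert_id, total)
```

Sorted by raw severity alone, A4 and A1 would lead the queue; with context applied, the two lower-severity events touching the payments database move to the top.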

Business focused 

Communicating security intelligence data to business stakeholders can be laborious, primarily because the data does not translate very easily to business operations. More often than not, intelligence data communicated in reports is viewed as a snapshot in time — it becomes outdated quickly and no action is taken.

Intelligence reporting should be business-focused and targeted at primary stakeholders, including executives and non-technical stakeholders. It should include analytic data that can be easily understood and used to make informed business decisions. Those decisions will only be as good as the data you provide.

Prioritization

With the right intelligence in hand, organizations can move on to the final step: determining the next set of priorities. While some intelligence is focused on a single security issue, there are other times when intelligence becomes a cycle of collecting, analyzing, and reporting.

Security intelligence is a key source of information for making security decisions, but it is only one point of discussion. The data and analyses must be combined with other information, both on the IT and business sides, and considered in context.

The most effective security intelligence-gathering efforts are done on a strategic level, taking longer-term trends, risks, and business issues into account. This is not to say that tactical and operational intelligence are declining practices – they remain critical for understanding the organization’s security and risk posture.

By placing greater emphasis on strategic, long-term threat intelligence, organizations will be able to deliver more consistent security defenses that are flexible enough to deal with changing requirements and protect the business as the threat landscape evolves.