SecurityWeek

Network Security

Security Intelligence: A Spy Story

SIEM vendors are all jumping on the Security Intelligence tag line, but what does it really mean? The bad guys are getting more sophisticated and the quality and breadth of intelligence is crucial to early identification and thwarting attacks. Can SIEM bring the analog of human intelligence (aka, espionage) to cyber threats and the security visibility of business intelligence to the executive boardroom?

Defining the threat landscape:

With security breaches and insider fraud rampant, it’s no surprise that security is among the greatest concerns for government bodies, IT teams, and business executives today. And for good reason: not only are the threats more varied than ever, but the intent behind today’s threats has changed, from targets of opportunity to targets of choice.

Let’s start by addressing a company’s worst nightmare: a massive data breach. The thousands of diplomatic cables that found their way to the WikiLeaks web site are sensational, but they are certainly not an isolated incident. Insider threats are a real possibility for any organization, public sector or private. Prolific worms and bots are often the fodder for television soundbites, partly because they’re random: anyone may be the victim. Like rubbernecking at a traffic accident, it’s easy to tell ourselves that it’s okay to look because we beat the odds. But we don’t laugh much about insider threats, because the stakes are grave and we can never really say that we’re immune.

And let’s not forget external threats. Just recently, police in the UK arrested Topiary, who they believe is the spokesperson for one of the recently notorious hacker groups. These groups are doing the rest of us a favor: they’re making clear to the general public that when a person with an axe to grind targets a specific organization, all that defense in depth security technology we bought in the early oughts isn’t going to stop a determined intruder.

I like to use real-world analogies to define cyber problems, and targeted attacks and advanced persistent threats map well onto traditional espionage, terrorism, political activism, and even warfare tactics. It all starts with intelligence gathering and surveillance, followed by incursion. It’s easy to see the parallels between sleeper agents, like the ten people arrested in 2010 and accused of being Russian spies, or the Greenpeace activists who broke into the Menwith Hill spy base in 2011, and the recent theft of hundreds of digital certificates from the Dutch certificate authority DigiNotar. Just like real-world attacks, online threats have transitioned from the bragging rights of virus authors to cyber crime syndicates, nation state tactics, and theft of commercial intellectual property.

Defining the solution:

Appropriately, the solution is defined by the problem: we need to spy on the spies and perform our own form of counterespionage on the bad guys. Our defense in depth technology may not completely protect us, but it’s still useful. The firewalls, IDS/IPSes, endpoint security software, VLAN devices, and the rest of the infrastructure we all put in place nearly a decade ago are a wealth of intelligence: security intelligence.

Security Intelligence: the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.


To start, you need to collect logs and events from everywhere: firewalls, IDS/IPS, identity management servers, web servers, social media, business applications like CRM and financial management packages, and DLP solutions, to name just a few. And don’t forget the network: data thieves are becoming smarter about avoiding detection, just as external black hats have become adept at flying under the radar of IDS signatures and firewall thresholds. With broad telemetry collection you can build more sophisticated correlation use cases, covering more of the ground where the bad guys have learned to hide.

Security intelligence goes beyond correlation rules, which analyze discrete counts or sequences of activity, such as “send me an alert when there are more than 10 login failures across more than 3 targets in a 5 minute period, followed by a login success”, which may signal a successful brute force password attack. Baselining normal event and network activity, and identifying anomalous behavior against that baseline, is key to detecting sophisticated threats like APTs or insider theft. Don’t forget, sometimes it’s not big spikes that signal an attack but small, regular exfiltration of data.
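As an added illustration of the correlation rule quoted above (example code, not from the article or any SIEM product), here is a small sliding-window correlator. The event tuples, IP addresses, hostnames and thresholds are constructed for the example; a real SIEM would feed it normalized authentication events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events in the shape a SIEM would normalize from auth logs (not real data).
# Each tuple: (ISO timestamp, source IP, target host, outcome).
# Source 10.0.0.5: 11 failures spread over 4 hosts in ~30 s, then a success -> should alert.
# Source 10.0.0.9: a single failure then a success -> ordinary typo, no alert.
SAMPLE_EVENTS = [
    (f"2011-09-12T10:00:{s:02d}", "10.0.0.5", f"srv{(s % 4) + 1}", "failure")
    for s in range(0, 33, 3)
] + [
    ("2011-09-12T10:02:00", "10.0.0.5", "srv2", "success"),
    ("2011-09-12T10:03:00", "10.0.0.9", "srv1", "failure"),
    ("2011-09-12T10:03:10", "10.0.0.9", "srv1", "success"),
]


def correlate(events, min_failures=10, min_targets=3, window=timedelta(minutes=5)):
    """Return one alert per login success that closes a burst of MORE THAN min_failures
    failures on MORE THAN min_targets distinct hosts from the same source within `window`.

    Alert tuple: (source, success timestamp, failure count, distinct target count).
    """
    recent = defaultdict(deque)  # source -> failures (time, target) still inside the window
    alerts = []
    for ts, src, target, outcome in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[src]
        while q and now - q[0][0] > window:  # evict failures that aged out of the window
            q.popleft()
        if outcome == "failure":
            q.append((now, target))
        elif outcome == "success":
            targets = {tgt for _, tgt in q}
            if len(q) > min_failures and len(targets) > min_targets:
                alerts.append((src, ts, len(q), len(targets)))
            q.clear()  # a success ends this source's attempt sequence either way
    return alerts


if __name__ == "__main__":
    for src, when, fails, hosts in correlate(SAMPLE_EVENTS):
        print(f"ALERT {src}: {fails} failures on {hosts} hosts, then success at {when}")
```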

Beyond events and network activity, situational awareness is critical to security intelligence and providing comprehensive analysis that covers the entire attack timeline, from profiling your environment before an attack occurs, to detecting the attack, and through forensics and impact analysis if you are compromised. Situational awareness includes user identity information and activity; profiling assets, including workstations, servers, and network and security devices, and analyzing their configuration and vulnerabilities; and gathering intelligence about the external threat landscape.

If terms like situational awareness, attacks, and intelligence evoke images of real-world warfare, it’s no coincidence. The battleground in this case is your information infrastructure, which may comprise private networks, partners, and the cloud. Your field operatives are your deployed assets, which are constantly gathering data. In sum, security intelligence and advanced analytics are your spies, your NSA, and your CIA of information security.
