SIEM vendors are all jumping on the Security Intelligence tag line, but what does it really mean? The bad guys are getting more sophisticated and the quality and breadth of intelligence is crucial to early identification and thwarting attacks. Can SIEM bring the analog of human intelligence (aka, espionage) to cyber threats and the security visibility of business intelligence to the executive boardroom?
Defining the threat landscape:
Let’s start by first addressing a company’s worst nightmare: a massive data breach. The thousands of diplomatic cables that found their way to the WikiLeaks web site is sensational, but it’s certainly not an isolated incident. Insider threats are a real possibility for any organization, in the public sector and private. Prolific worms and bots are often the fodder for television soundbites, partly because they’re random—anyone may be the victim. Like rubbernecking at a traffic accident, it’s easy to tell ourselves that it’s okay to look because we survived the odds. But we don’t laugh much about insider threats because the stakes are grave and we can never really say that we’re immune.
And let’s not forget external threats. Just recently, police in the UK arrested Topiary, who they believe is the spokesperson for one of the recently notorious hacker groups. These groups are doing a favor for the just: they’re crystallizing to the general public that when a person with an axe to grind targets a specific organization, all that defense in depth security technology we all bought in the early oughts aren’t going to stop a determined intruder.
I like to use real-world analogies to define cyber problems, and targeted attacks and advanced persistent threats are well represented by traditional espionage, terrorism, political activism, and even warfare tactics. It all starts with intelligence gathering and surveillance, followed by incursion. It’s easy to see the parallels between sleeper agents, like the ten people arrested in 2010 accused of being Russian spies, or the group Greenpeace who broke into Menwith Hill spy base in 2011, and the recent theft of hundreds of digital certificates from Dutch certificate authority, DigiNotar. Just like real-world attacks, online threats have transitioned from the bragging rights of virus authors to cyber crime syndicates, nation state tactics, and theft of commercial intellectual property.
Defining the solution:
Appropriately, the solution is defined by the problem: we need to spy on the spies, perform our own form of counterespionage on the bad guys. Our defense in depth technology may not completely protect us, but it’s still useful. The firewalls, IDS/IPSes, endpoint security software, VLAN devices, and the rest of the infrastructure we all put in place nearly a decade ago is a wealth of intelligence—security intelligence.
Security Intelligence: the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.
To start, you need to collect logs and events from everywhere: firewalls, IDS/IPS, identity management servers, web servers, social media, business applications like CRM and financial management packages, DLP solutions, to name just a few. And don’t forget the network: data thieves are becoming smarter about avoiding detection just as the external black hats have become adept at flying under the wire of IDSes and firewall thresholds. With broad telemetry collection you can create more sophisticated correlation use cases, covering more of the ground where the bad guys have learned to hide.
Security intelligence goes beyond correlation rules, which analyze discrete numbers or sequences of activity such as, “send me an alert when there are more than 10 login failures across more than 3 targets in a 5 minute period, followed by a login success”, possibly signaling a successful brute force password attack. Baselining normal event and network activity, and identifying anomalous behavior, is key to detecting sophisticated threats like APTs or insider theft. Don’t forget, sometimes it’s not big spikes that signal an attack, but small, but regular, exfiltration of data.
Beyond events and network activity, situational awareness is critical to security intelligence and providing comprehensive analysis that covers the entire attack timeline, from profiling your environment before an attack occurs, to detecting the attack, and through forensics and impact analysis if you are compromised. Situational awareness includes user identity information and activity; profiling assets, including workstations, servers, and network and security devices, and analyzing their configuration and vulnerabilities; and gathering intelligence about the external threat landscape.
If terms like situational awareness, attacks, and intelligence evoke images of real-world warfare, it’s not coincidence. The battleground in this case is your information infrastructure, which may comprise private networks, partners, and the cloud. Your field operatives are your deployed assets, which are constantly gathering data. In sum total, security intelligence and advanced analytics are your spies, NSA, and CIA of information security.