July 5, 2013, by Vijay Dheap

The dangerous new reality

Security intelligence is quickly reaching mainstream consciousness as a result of recent events: the brazen global cyber bank heist that netted the perpetrators $45M, and the high-profile data losses that prominent organizations, including defense companies, have incurred from targeted cyberattacks.

In the past, the public reaction to compromised data or a cyber security breach was one of surprise, filled with reactionary angst. Now the reaction resembles grudging acceptance, desensitized by repeated occurrences. As organizations look for ways to respond to this dangerous new reality, greater emphasis is being placed on security intelligence.

The traditional approach to organizational security has been to clearly delineate the organizational boundary or perimeter. However, that boundary is getting harder for organizations to define given the growing adoption of dynamic technologies such as mobile and cloud, coupled with evolving social norms and fluid business interactions such as BYOD, direct consumer engagement and adaptive supply chains.

Attackers have adapted: The need for greater intelligence

Good security hygiene emphasized protection from inbound, broad-based external threats, but just as individuals and organizations adapted to attack patterns, attackers have adapted to these defensive postures.

Attackers are now perfecting targeted approaches that allow them to compromise an organization’s users and systems from the inside out. For example, it is no longer a generic phishing attack but a spear phishing attack on an individual or group using social engineering, and generic malware is being supplanted by designer malware focused on specific systems.

The traditional approach to cyber security also placed significant reliance on prior knowledge of an attack, so that detection techniques and appropriate countermeasures could be deployed. This not only left organizations vulnerable until they became aware of an attack, but was also completely blind to targeted attacks specific to the organization. Therefore, an organization needs greater intelligence on attack patterns to respond effectively.

Three key security intelligence considerations

The origins of security intelligence lie in the need for constant monitoring of an organization’s security posture. Since new behaviors and capabilities will always precede security best practices, the only way for an organization to keep abreast of the change is to monitor traffic flows into and out of the organization. But basic monitoring produces a deluge of raw data, most of which is noise.

Intelligence is a prerequisite for sifting through that noise and identifying the incidents that require the attention of the organization’s security team. Alerts on security offenses need to be raised with a high degree of certainty; otherwise they will not only overwhelm security resources but also desensitize responders with an influx of false positives, leading to complacency.

Three key considerations in developing and/or enhancing an organization’s Security IQ are the following:

  1. Purpose-Built Security Intelligence Solution: a significant consideration, which largely determines the time to value of a security intelligence solution.  A purpose-built security solution will add security context to all the monitored traffic. It will also offer an existing portfolio of rule-based analytics able to detect attack patterns, empowering an organization to quickly showcase the value of the investment. Given the dearth of skills in security analysis, this spares an organization the challenge of enumerating potential attack patterns itself.  If custom solutions need to be developed, a purpose-built security intelligence solution provides a foundation upon which other capabilities can be introduced.
  2. Intelligence Quotient and Usability: an essential criterion, which will influence the efficacy of the security intelligence solution.  The solution’s IQ is a function of enrichment capabilities that add context to raw data to derive quality information, a rich portfolio of powerful analytics to transform information into knowledge, and an effective user experience to surface insights from that knowledge.  This will lower the barrier to deployment and utilization within the organization, and help the organization optimally apply its skilled security resources to qualified security incidents rather than false positives.
  3. Scalability and Extensibility: a necessary property, which will future-proof the investment made in a security intelligence solution.  Scalability is required across three main vectors: capacity to consume and analyze large volumes of data, real-time processing speed including throughput, and the ability to support distributed deployment. Over time, additional data sources may be identified that provide additional visibility and context into an organization’s security posture.  In addition, core security data may need to be retained for longer durations to identify slower attack patterns.  Real-time awareness, along with the ability to process a growing set of concurrent data feeds, will grow in importance.  Finally, most organizations have multiple sites, so a distributed deployment will be necessary, but it must still provide a unified view.  Extensibility is mainly about incorporating additional analytical approaches (investigative, statistical and data mining) to complement the real-time analysis.
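The enrichment, rule-based analytics and high-certainty alerting described in the considerations above can be made concrete with a small example. The following Python is an added illustration written for this page; it is not code from the article or from any IBM product. The event records, the asset criticality map and the watchlist of external addresses are all constructed for the example, and the rule names, severities and the `OFFENSE_THRESHOLD` value are assumptions. Raw events are first enriched with asset context, then two correlation rules run over them, and an offense is raised only when the rule severity weighted by asset criticality crosses a threshold, so a lone failed login on a workstation never reaches the security team.

```python
"""Tiny rule-based security analytics over constructed events.

Added illustration (not from the original article or any IBM product):
enrich raw events with asset context, apply correlation rules, and raise
an offense only when the combined evidence crosses a magnitude threshold,
so isolated noise does not page the security team.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data), normalized the way a log
# collector might emit them: timestamp, event type, source IP, user, host.
RAW_EVENTS = [
    ("2013-07-05T10:00:01", "auth_fail", "203.0.113.9", "alice", "hr-ws-01"),
    ("2013-07-05T10:00:05", "auth_fail", "203.0.113.9", "alice", "hr-ws-01"),
    ("2013-07-05T10:00:09", "auth_fail", "203.0.113.9", "alice", "hr-ws-01"),
    ("2013-07-05T10:00:12", "auth_fail", "203.0.113.9", "alice", "hr-ws-01"),
    ("2013-07-05T10:00:20", "auth_success", "203.0.113.9", "alice", "hr-ws-01"),
    ("2013-07-05T10:03:00", "auth_fail", "198.51.100.7", "bob", "db-prod-02"),  # lone typo: noise
    ("2013-07-05T10:05:00", "outbound_conn", "198.51.100.250", "svc-db", "db-prod-02"),
]

# Enrichment context (constructed assumptions for the example): how critical
# each asset is, and external addresses a threat feed has flagged.
ASSET_CRITICALITY = {"hr-ws-01": 2, "db-prod-02": 5}
WATCHLIST = {"198.51.100.250"}

FAIL_THRESHOLD = 3          # failures needed before a success is suspicious
WINDOW = timedelta(minutes=2)
OFFENSE_THRESHOLD = 6       # assumed magnitude at which an offense is raised


def parse(event):
    """Turn a raw tuple into a dict with a real timestamp."""
    ts, kind, ip, user, host = event
    return {"ts": datetime.fromisoformat(ts), "kind": kind, "ip": ip,
            "user": user, "host": host}


def enrich(ev):
    """Add security context: asset criticality and watchlist membership."""
    ev = dict(ev)
    ev["criticality"] = ASSET_CRITICALITY.get(ev["host"], 1)
    ev["on_watchlist"] = ev["ip"] in WATCHLIST
    return ev


def rule_brute_force(events):
    """Flag a source that fails >= FAIL_THRESHOLD logins within WINDOW and
    then succeeds on the same account. A success after a burst of failures
    is much stronger evidence than failures alone, which keeps certainty high."""
    findings = []
    fails = defaultdict(list)  # (ip, user) -> timestamps of failed logins
    for ev in events:
        key = (ev["ip"], ev["user"])
        if ev["kind"] == "auth_fail":
            fails[key].append(ev["ts"])
        elif ev["kind"] == "auth_success":
            recent = [t for t in fails[key] if ev["ts"] - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                findings.append({"rule": "brute_force_then_success",
                                 "severity": 4, "host": ev["host"],
                                 "criticality": ev["criticality"]})
            fails[key].clear()
    return findings


def rule_watchlist_egress(events):
    """Flag outbound connections to a watchlisted address."""
    return [{"rule": "egress_to_watchlist", "severity": 3,
             "host": ev["host"], "criticality": ev["criticality"]}
            for ev in events
            if ev["kind"] == "outbound_conn" and ev["on_watchlist"]]


def offenses(raw_events, threshold=OFFENSE_THRESHOLD):
    """Run every rule over enriched events and keep only findings whose
    magnitude (rule severity plus asset criticality) reaches the threshold."""
    events = [enrich(parse(e)) for e in raw_events]
    findings = rule_brute_force(events) + rule_watchlist_egress(events)
    result = []
    for f in findings:
        magnitude = f["severity"] + f["criticality"]
        if magnitude >= threshold:
            result.append({**f, "magnitude": magnitude})
    return result


if __name__ == "__main__":
    for o in offenses(RAW_EVENTS):
        print(f"OFFENSE {o['rule']} on {o['host']} magnitude={o['magnitude']}")
```

Running it raises two offenses: the burst of failures followed by a success against alice's account (magnitude 6) and the outbound connection from the production database host to a watchlisted address (magnitude 8), while bob's single failed login produces nothing. Raising the threshold to 7 drops the workstation brute-force finding and keeps only the critical-asset egress, which is the tuning knob that trades alert volume for certainty.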

Security intelligence is no longer optional but a necessity, affording an organization visibility over its security posture.  It is a continuous process of improving an organization’s Security IQ to deal with emerging threats.

It would be great to get your feedback. Is your organization actively looking to enhance its Security IQ?  If so, what initiatives are you pursuing? Are there other important considerations you would recommend that are not mentioned above?
