April 17, 2015 By Stephanie Stack 4 min read

What is Security Intelligence?

In this interview, IBM Security Intelligence Product expert Mark Ehr offers strategy guidance to help IT security teams detect and respond to threats in today’s dynamic security environments.

Stack: IT Security professionals are challenged to understand hundreds or thousands of security incidents each week. How can they detect and prioritize what’s most important?

Ehr: A holistic, big data-like approach is required to view and manage the security and risk posture of an IT organization. It’s simply not possible for a security staff to examine every bit of data that may be suspicious. And perimeter defenses such as firewalls, intrusion prevention systems, and antivirus are not adequate against modern threats that utilize multi-vector attack methods that succeed in breaching a network using a combination of techniques including leveraging stolen user credentials and unpatched vulnerabilities.

Millions of pieces of security data from users, networks, and infrastructure need to be collected, normalized, and analyzed in real time in order to find the real threats. This—rather than drowning security analysts in a sea of data—is the essence of security intelligence. Analytics-driven solutions offer a more efficient approach to security because they create actionable results by applying not only rules and heuristics but also behavior-based anomaly detection across large sets of data. This helps reduce false positives or wild goose chases, while still providing the required forensics data to conduct advanced investigations.

Stack: What are the essential capabilities of a Security Intelligence platform?

Ehr: A good security intelligence offering includes not only ubiquitous log source data collection, but also network activity monitoring (flow) capabilities that can help you see when something’s not right. I believe that managing security without flows is like having one eye closed—logs can be tampered with, but it’s nearly impossible to alter flows since they come directly off of the wire.


Security intelligence platforms like QRadar collect and analyze all of the relevant data in your organization—such as events, network flows, vulnerability, identity, and configuration data—and boil all of it down into a small number of ‘offenses’ that security analysts can quickly investigate and respond to. This approach cannot be solved with a pile of point products like what most organizations have been budgeted and tasked with doing over the last half-dozen years. Teams need a finely tuned prevention, detection, and response system that helps reduce risk and improves operational efficiencies. And they need to be able to quickly deploy all of this without an army of consultants and support personnel.
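As an added illustration of the collect, normalize, and correlate pipeline Ehr describes (example code written for this page, not code from the interview or from QRadar), the following Python sketch normalizes constructed log lines and flow records, applies one rule and one behavioral baseline check, and collapses the results into a single ranked "offense" per source host. The log format, flow tuples, and baseline history are assumptions made for the sample.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample data (not from the article): syslog-style auth events
# plus flow records (src, dst, bytes_out) for the same hosts.
LOG_LINES = [
    "Jan 10 09:00:01 web1 sshd: Failed password for alice from 10.0.0.5",
    "Jan 10 09:00:03 web1 sshd: Failed password for alice from 10.0.0.5",
    "Jan 10 09:00:05 web1 sshd: Failed password for alice from 10.0.0.5",
    "Jan 10 09:00:09 web1 sshd: Accepted password for alice from 10.0.0.5",
    "Jan 10 09:05:00 web1 sshd: Accepted password for bob from 10.0.0.7",
]
FLOWS = [("10.0.0.5", "203.0.113.9", 520_000_000), ("10.0.0.7", "10.0.0.20", 120_000),
         ("10.0.0.5", "10.0.0.20", 90_000)]
# Constructed per-source daily egress history used as the behavioral baseline.
BASELINE = {"10.0.0.5": [80_000, 95_000, 110_000, 70_000],
            "10.0.0.7": [100_000, 130_000, 120_000, 115_000]}

LOG_RE = re.compile(r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>[\d.]+)")

def normalize(line):
    """Turn a raw log line into a normalized event dict, or None if it does not parse."""
    m = LOG_RE.search(line)
    return {"src": m["src"], "user": m["user"], "ok": m["result"] == "Accepted"} if m else None

def rule_brute_force(events, threshold=3):
    """Rule: at least `threshold` failures for a user/source followed by a success."""
    failures, hits = defaultdict(int), set()
    for e in events:
        key = (e["src"], e["user"])
        if not e["ok"]:
            failures[key] += 1
        elif failures[key] >= threshold:
            hits.add(e["src"])
    return hits

def anomaly_egress(flows, baseline, sigmas=3.0):
    """Behavioral check: flag a source whose egress exceeds mean + sigmas*stdev of its history."""
    hits = set()
    for src, _dst, nbytes in flows:
        hist = baseline.get(src)
        if hist and nbytes > statistics.mean(hist) + sigmas * statistics.pstdev(hist):
            hits.add(src)
    return hits

def build_offenses(log_lines, flows, baseline):
    """Collapse events and flows into one offense per source, ranked by corroborating evidence."""
    events = [e for e in map(normalize, log_lines) if e]
    evidence = defaultdict(list)
    for src in rule_brute_force(events):
        evidence[src].append("repeated login failures followed by success (log)")
    for src in anomaly_egress(flows, baseline):
        evidence[src].append("egress volume far above baseline (flow)")
    return sorted(({"src": s, "magnitude": len(r), "reasons": r} for s, r in evidence.items()),
                  key=lambda o: -o["magnitude"])
```

Five events and three flows reduce to one offense for 10.0.0.5, with the flow anomaly corroborating what the logs alone only hint at; a real platform runs the same idea over millions of records.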

Stack: As businesses are shifting to cloud infrastructures, what factors need to be considered to effectively monitor and secure these environments?

Ehr: There are a couple of points to consider when talking about cloud security. The first is securing the cloud infrastructure and the second is moving your security operations to the cloud.

Let’s start with securing the cloud. The adoption of cloud services has changed the paradigm for IT security monitoring, most notably because the infrastructure may not be all under the direct control of the IT department. Organizations around the globe are prioritizing investment in three areas:

  1. To gain visibility into their cloud environments
  2. To deliver security consistently across all platforms—cloud, on-premise, and hybrid combinations of the two
  3. To partner with a proven vendor with software and services experience in public, private, and hybrid cloud environments

When selecting a provider, organizations should look carefully at their capabilities to detect irregular network behavior and abnormal user behaviors across a wide range of sources, both in the cloud and on premise.

Stack: You mentioned that organizations are shifting their security operations to the cloud. What are the benefits to that approach?

Ehr: Many organizations want to shift security operations to the cloud to overcome skill shortages and replace their disjointed collection of point products with an integrated solution capable of delivering an end-to-end security view, while building on their existing investments.

As a first step to this transition, organizations often retain responsibility for monitoring security incidents, while the cloud provider monitors the cloud infrastructure status and health on a 24×7 basis. This infrastructure can be scaled up to meet seasonal or changing demand, and organizations don’t have to worry about large up-front capital expenses.

Many organizations choose to continue to have their in-house security team handle the monitoring, as they often know best where their critical data resides and who is allowed to access what. With a cloud-based security infrastructure, the internal team can continue to monitor threats, prioritize risks and vulnerabilities, plus take the right steps for forensic investigations, remediation, and mitigation. Over time, they may choose to add additional outsourced services to supplement their efforts.

Stack: Looking ahead, what do you expect to be the next evolution in security intelligence platforms?

Ehr: It’s going to be all about the cloud. Both security in the cloud and security on the cloud, combined with “classic” on-premise security systems. Security in the cloud allows you to monitor all of the different levels of the cloud infrastructure—from platforms to the applications. Security on the cloud allows you to deploy your security intelligence platform in an infrastructure as a service environment.

Additionally, as security threats become more sophisticated and widespread, there is a growing lack of skilled people to monitor, analyze, prioritize, and respond to threats. Outsourcing some of your security core infrastructure can provide quick access to market leading technology and to the expertise of world-class security services teams that ensure your infrastructure is configured according to security best practices.


Better solution integration is also a critical initiative. Effective IT security programs are built from a collection of defensive technologies designed to protect the infrastructure, the assets, and the endpoints. This is a tall order for most of the smaller security services providers; this marketplace is still young and no vendor has more than a 25% overall share. It’s important to deploy a security intelligence solution that is flexible enough to handle a mix of on-premise IT and cloud IT infrastructures.

Stack: How can a security leader make the business case to adopt a security intelligence platform?

Ehr: The business case should include costs of business disruption and exploit remediation in the event of a breach, as well as the cost savings that can be gained with an integrated security system. In a 2014 Ponemon Institute report, Quantifying the Cost of a Data Breach, the average worldwide cost of a single stolen record is estimated at $145, and the total average cost of a breach is $3.5M. In terms of cost savings, one of our clients estimates that they save about 50% in staff time by using IBM QRadar as their security intelligence platform. If you need help from external experts, managed services options are available for security intelligence, which can help you reallocate resources to other business objectives.
