What is Security Intelligence?
In this interview, IBM Security Intelligence Product expert Mark Ehr offers strategy guidance to help IT security teams detect and respond to threats in today’s dynamic security environments.
Stack: IT Security professionals are challenged to understand hundreds or thousands of security incidents each week. How can they detect and prioritize what’s most important?
Ehr: A holistic, big data-like approach is required to view and manage the security and risk posture of an IT organization. It’s simply not possible for a security staff to examine every bit of data that may be suspicious. And perimeter defenses such as firewalls, intrusion prevention systems, and antivirus are not adequate against modern threats that utilize multi-vector attack methods that succeed in breaching a network using a combination of techniques including leveraging stolen user credentials and unpatched vulnerabilities.
Millions of pieces of security data from users, networks, and infrastructure need to be collected, normalized, and analyzed in real time in order to find the real threats. This—rather than drowning security analysts in a sea of data—is the essence of security intelligence. Analytics-driven solutions offer a more efficient approach to security because they create actionable results by applying not only rules and heuristics, but also behavioral-based anomaly detection across large sets of data. This helps reduce false positives or wild goose chases, while still providing the required forensics data to conduct advanced investigations.
Stack: What are the essential capabilities of a Security Intelligence platform?
Ehr: A good security intelligence offering includes not only ubiquitous log source data collection, but also network activity monitoring (flow) capabilities that can help you see when something’s not right. I believe that managing security without flows is like having one eye closed—logs can be tampered with, but it’s nearly impossible to alter flows since they come directly off of the wire.
Security intelligence platforms like QRadar collect and analyze all of the relevant data in your organization—such as events, network flows, vulnerability, identity, and configuration data—and boil all of it down into a small number of ‘offenses’ that security analysts can quickly investigate and respond to. This approach cannot be solved with a pile of point products like what most organizations have been budgeted and tasked with doing over the last half-dozen years. Teams need a finely tuned prevention, detection, and response system that helps reduce risk and improves operational efficiencies. And they need to be able to quickly deploy all of this without an army of consultants and support personnel.
Stack: As businesses are shifting to cloud infrastructures, what factors need to be considered to effectively monitor and secure these environments?
Ehr: There are a couple of points to consider when talking about cloud security. The first is securing the cloud infrastructure and the second is moving your security operations to the cloud.
Let’s start with securing the cloud. The adoption of cloud services has changed the paradigm for IT security monitoring, most notably because the infrastructure may not be all under the direct control of the IT department. Organizations around the globe are prioritizing investment in three areas:
- To gain visibility into their cloud environments
- To deliver security consistently across all platforms—cloud, on-premise, and hybrid combinations of the two
- To partner with a proven vendor with software and services experience in public, private, and hybrid cloud environments
When selecting a provider, organizations should look carefully at their capabilities to detect irregular network behavior and abnormal user behaviors across a wide range of sources, both in the cloud and on premise.
Stack: You mentioned that organizations are shifting their security operations to the cloud. What are the benefits to that approach?
Ehr: Many organizations want to shift security operations to the cloud to overcome skill shortages and replace their disjointed collection of point products with an integrated solution capable of delivering an end-to-end security view, while building on their existing investments.
As a first step to this transition, organizations often retain responsibility for monitoring security incidents, while the cloud provider monitors the cloud infrastructure status and health on a 24×7 basis. This infrastructure can be scaled up to meet seasonal or changing demand, and organizations don’t have to worry about large up-front capital expenses.
Many organizations choose to continue to have their in-house security team handle the monitoring, as they often know best where their critical data resides and who is allowed to access what. With a cloud-based security infrastructure, the internal team can continue to monitor threats, prioritize risks and vulnerabilities, plus take the right steps for forensic investigations, remediation, and mitigation. Over time, they may choose to add additional outsourced services to supplement their efforts.
Stack: Looking ahead, what do you expect to be the next evolution in security intelligence platforms?
Ehr: It’s going to be all about the cloud. Both security in the cloud and security on the cloud, combined with “classic” on-premise security systems. Security in the cloud allows you to monitor all of the different levels of the cloud infrastructure—from platforms to the applications. Security on the cloud allows you to deploy your security intelligence platform in an infrastructure as a service environment.
Additionally, as security threats become more sophisticated and widespread, there is a growing lack of skilled people to monitor, analyze, prioritize, and respond to threats. Outsourcing some of your security core infrastructure can provide quick access to market-leading technology and to the expertise of world-class security services teams that ensure your infrastructure is configured according to security best practices.
Better solution integration is also a critical initiative. Effective IT security programs are built from a collection of defensive technologies designed to protect the infrastructure, the assets, and the endpoints. This is a tall order for most of the smaller security services providers; this marketplace is still young and no vendor has more than a 25% overall share. It’s important to deploy a security intelligence solution that is flexible enough to handle a mix of on-premise IT and cloud IT infrastructures.
Stack: How can a security leader make the business case to adopt a security intelligence platform?
Ehr: The business case should include costs of business disruption and exploit remediation in the event of a breach, as well as the cost savings that can be gained with an integrated security system. In a 2014 Ponemon Institute report, Quantifying the Cost of a Data Breach, the average worldwide cost of a single stolen record is estimated at $145, and the total average cost of a breach is $3.5M. In terms of cost savings, one of our clients estimates that they save about 50% in staff time by using IBM QRadar as their security intelligence platform. If you need help from external experts, managed services options are available for security intelligence, which can help you reallocate resources to other business objectives.