Every so often, a new phrase or buzzword does the rounds for a bit before it goes off to join the other forgotten buzzwords in the sky, only to be recalled at corporate parties for a laugh, or to gauge how long someone has been in the trade. However, a select few remain firmly embedded in the security lexicon because of the way they continuously enrich our lives and businesses. Security intelligence is a phrase with such staying power.
What Is Security Intelligence?
Security intelligence is actionable threat data compiled from security information and event management (SIEM), user behavior analytics (UBA), log management, and other tools and sources to aid incident response planning and decision-making around data breaches.
It’s all in a day’s work for security professionals, but what does all that security data mean to your business leaders?
Imagine your chief operating officer (COO) strolls up to your desk and asks you, “How fit are we on our security intelligence?” If they are like the COOs I’ve worked with, they’ve done a bit of homework before approaching you with this question. No amount of techno-babble, hand waving or staring off into the distance like Jack Sparrow will get you through this conversation — it’s not like we’re talking about encryption, after all.
A few things might run through your head at this point. You might think to yourself, “The board must’ve heard another buzzword at a conference, and now they want me to tell them what it is,” or, “Clearly, this is the new name for the logging and event management we’ve been doing for ages.” Well, yes and no.
Yes, security intelligence is a relatively new buzzword that has made its way into executives’ vocabulary.
Yes, you have been collecting logs and events for ages, and every now and then — in an increasingly worrying trend — something hits a threshold that makes you wonder, “Now, what’s going on there?”
Yes, you are going to have to explain it and assure top leadership that you are on top of it.
However…
No, the way you have operated for all these years is not enough to keep up with the evolving cyberthreat landscape. Looking at logs and events in isolation is inadequate because the chain of attacks has morphed into something that is beyond traditional thinking and technology.
And no, security intelligence isn’t going away. In fact, I wouldn’t be surprised to see a surge in job postings for information security intelligence professionals in the near — if not immediate — future.
What Does a Successful Security Intelligence Program Look Like?
To put it simply, you need to be able to consume, analyze and assess the vast amount of security information passing through your network. We’re talking network devices, host operating systems, applications, databases, user activity and more.
The analytics must be able to identify, manage and prioritize the threats that pose the most risk, commensurate with the organization’s risk appetite. It’s more than just security information and event management (SIEM) and risk management; it needs to be done in near real time and capable of automating incident response and compliance.
The world of cybercrime is constantly evolving, and threat actors are growing more sophisticated by the minute. When you’re bombarded with billions of events on thousands of endpoints every day, how can you interpret all that information to reveal threats lurking on your network and targeting your organization?
You need a security intelligence solution that can:
- Provide full visibility into your network, application and user activity;
- Identify high-risk threats;
- Correlate those threats in near real time with behavioral anomaly detection;
- Detect and understand vulnerabilities; and
- Determine where high-priority incidents are occurring that would not normally rattle a threshold in the traditional way of using SIEM.
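The last two points are the heart of the difference between a correlation engine and a stack of per-source threshold rules. The script below is an added example, not code from the article or from any IBM product: it feeds a handful of constructed events from three sources (authentication logs, an endpoint agent and a web proxy) through a classic per-source threshold rule and then through a cross-source, per-host scoring window. The event records, the threshold values, the action weights and the `INCIDENT_SCORE` cut-off are all assumed values chosen for illustration.

```python
"""Per-source thresholds versus cross-source correlation on one host.

Added example (not from the article). Every event, threshold and weight
below is a constructed/assumed value used only to illustrate the idea.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources: auth logs, endpoint agent, web proxy.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "source": "auth",     "host": "ws-17",  "user": "alice", "action": "login_failed"},
    {"ts": "2024-03-01T09:00:25", "source": "auth",     "host": "ws-17",  "user": "alice", "action": "login_failed"},
    {"ts": "2024-03-01T09:00:45", "source": "auth",     "host": "ws-17",  "user": "alice", "action": "login_failed"},
    {"ts": "2024-03-01T09:01:10", "source": "auth",     "host": "ws-17",  "user": "alice", "action": "login_success"},
    {"ts": "2024-03-01T09:03:30", "source": "endpoint", "host": "ws-17",  "user": "alice", "action": "new_service"},
    {"ts": "2024-03-01T09:05:12", "source": "proxy",    "host": "ws-17",  "user": "alice", "action": "outbound_rare_domain"},
    {"ts": "2024-03-01T09:02:00", "source": "auth",     "host": "ws-22",  "user": "bob",   "action": "login_failed"},
    {"ts": "2024-03-01T09:02:30", "source": "auth",     "host": "ws-22",  "user": "bob",   "action": "login_failed"},
    {"ts": "2024-03-01T10:40:00", "source": "endpoint", "host": "srv-01", "user": "svc",   "action": "new_service"},
]

# Traditional SIEM rule: one action on one host must exceed a count in the
# window before anything fires (assumed values).
THRESHOLDS = {"login_failed": 5, "new_service": 3, "outbound_rare_domain": 10}

# Assumed weights: how much each action adds to a host's risk score.
WEIGHTS = {"login_failed": 1, "login_success": 0, "new_service": 3, "outbound_rare_domain": 4}
INCIDENT_SCORE = 7  # assumed cut-off for escalating a correlated incident


def _parse(ts):
    return datetime.fromisoformat(ts)


def threshold_alerts(events, window=timedelta(minutes=15)):
    """Classic per-source rule: count each (host, action) pair inside a sliding window."""
    alerts = []
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["action"])].append(_parse(e["ts"]))
    for (host, action), times in by_key.items():
        if action not in THRESHOLDS:
            continue
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= THRESHOLDS[action]:
                alerts.append((host, action, n))
                break
    return alerts


def correlated_incidents(events, window=timedelta(minutes=15)):
    """Score every action on a host, from every source, inside a sliding window.

    Returns {host: {"score": best_window_score, "sources": [sources seen]}}
    for hosts whose best window reaches INCIDENT_SCORE.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((_parse(e["ts"]), e["action"], e["source"]))
    incidents = {}
    for host, evs in by_host.items():
        evs.sort()
        best = None
        for i, (start, _, _) in enumerate(evs):
            in_win = [x for x in evs[i:] if x[0] - start <= window]
            score = sum(WEIGHTS.get(a, 0) for _, a, _ in in_win)
            sources = sorted({s for _, _, s in in_win})
            if best is None or score > best[0]:
                best = (score, sources)
        if best[0] >= INCIDENT_SCORE:
            incidents[host] = {"score": best[0], "sources": best[1]}
    return incidents


if __name__ == "__main__":
    print("threshold alerts:", threshold_alerts(EVENTS))        # []
    print("correlated incidents:", correlated_incidents(EVENTS))  # ws-17 only
```

Run on the constructed data, no single threshold is reached (three failed logins, one new service, one unusual outbound connection are each below their rule), so the threshold pass returns nothing. The correlation pass sees all three sources on `ws-17` within a few minutes and scores the host at 10, above the cut-off, while the noise on `ws-22` and `srv-01` stays below it. The weights and cut-off are the part an organization tunes to its own risk appetite; the structure (group by entity, score across sources, slide a window) is what turns isolated log lines into a prioritized incident.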
Staying ahead of this wave is difficult, and solutions often seem too big and complicated. Remember, you already have a lot of the answers in place; it’s more a question of how to stitch all that data together to aid decision-making in this ever-changing cybersecurity landscape.
You’ll need a strategy to help you get your security intelligence program off the ground, but it’ll likely resemble the one you already have in place, because you should already know your networks, systems and data, and the threat model and attack surface should be in place. From your SIEM tools, you know what your data sources are, have specified events and use cases, and understand your thresholds.
Show How Security Impacts the Bottom Line
Even when threat analysis and risk management are in place, it’s critical to extract the right actionable information to inform the executive decision-making process regarding the reputation, profitability and overall health of the business. How are you measuring the success or value of your tools, reporting and communications? There is no case for improvement without feedback.
The myriad security incidents reported in the press emphasize the need and business case for better, smarter tooling that can respond in an automated fashion using artificial intelligence to analyze huge amounts of data at speed. If you can show why it is important and how it impacts the business’ bottom line, you should have no problem getting increasingly security-aware COOs and business leaders on the same page with your security intelligence strategy.
Lead Information Security Solutions & Engineering Consultant, IBM UK