May 22, 2014 By Sandy Bird 4 min read

Hopefully you’ve read our initial two articles on the need for a more intelligent approach to stopping advanced threats and why detection is not the new prevention. If you have, you will no doubt recognize the parallels between the complex entity that is our immune system, and the required cooperative security intelligence ecosystem necessary to help IT security teams counter the barrage of advanced attacks against our enterprises. The first dimension we discussed was ‘Prevention’ and the interrelationship between detection and prevention. Now let’s extend that conversation further.

What is threat detection, ultimately? It’s vision; it’s the ability to see massive amounts of activity across the enterprise to discover meaningful behaviors requiring immediate attention. Yet vision by itself is sometimes imperfect. What’s also required to detect the more subtle threats and attacks is the detail behind the discovery — that’s clarity. Vision and clarity are both very important to an effective security intelligence solution, and are a product of its advanced analytics and forensic search capabilities.

Combating Advanced Threats with Security Intelligence

A good security intelligence solution gives security teams complex problem-solving capabilities, uniquely equipping them to defend against advanced threats. Let’s look at the critical capabilities of effective security intelligence solutions.

  • Consolidation of data silos for 360-degree view: Connect the dots between seemingly unrelated or benign activities and ultimately deliver better insight for advanced threat detection.
  • Pre- and post-exploit insights: Gather and prioritize information about existing security gaps to prevent breaches, as well as suspicious behavior to detect breaches.
  • Forensic capabilities: Exhaustively research the impact of the breach using captured packet data, easing the burden on the security and network staff who have to build a remediation plan.
  • Anomaly detection capabilities: Baseline current activity and identify meaningful deviations — a core and vital aspect of detecting advanced threats in progress.
  • Real-time correlation and analysis: Process massive data sets using advanced analytical methods and purpose-built data repositories, allowing for earlier and more accurate detection of advanced threats, and helping to distinguish the signal from the noise.
  • Helping reduce false positives: De-prioritize unusual yet benign activity to reduce the time spent investigating anomalous but harmless activity, helping the organization focus on its top incidents.
  • Flexibility: Constant environmental changes require constant product evolution to add data sources, create and tune analytics, create new user views and reports, and expand and evolve the overall deployment architecture.
  • Unified approach: Prevention of complex, multi-pronged attacks requires a unified or integrated platform to help organizations intelligently wade through hundreds of security alerts and massive quantities of raw event and flow data.

Perhaps one of the most egregious types of offenses is any incident associated with a privileged user. By correlating data access logs with information stored within identity systems and network asset databases, a security analyst could determine when one of these trusted users begins to process an unusual amount of critical or private data. The signs or symptoms are available just like when a human experiences numbness or slurred speech — it’s time to take action. Saving an organization’s intellectual property, buyer or patient data, and overall marketplace reputation requires quick action, before 40,000 or 4 million records are sent to some external IP address.

Stopping Advanced Attacks from Flourishing

Yet even though a good SIEM solution serves to focus the IT security team on their most pressing incidents and vulnerabilities, the forensic investigations of these situations can take hours, days, even weeks to conclude — and that’s using specially trained forensics resources. Basically, the goal here is to establish the root cause or underlying conditions that generated the incident or offense, and not all security intelligence solutions are created equal. We are in an era of continuous attacks and network security breaches, and any vendor that fails to continually invest in their defensive capabilities will fall behind and succumb to the asymmetrical advantage the cyber criminals possess — they only need to find one weakness!

That imbalance requires security teams to be ready to confront a security breach, and this response is largely a race against time. The attackers might have broken into the network, but that doesn’t mean all is lost. Outsiders need time to discover what valuable data exists and where it resides, and all of their activities leave an identifiable trail. The sooner security teams can make that incident identification, the earlier they can disrupt the attack and mitigate its impact.

Our newest integrated module of the QRadar platform was designed to help organizations compress the time required to discover exactly what happened, by using full packet capture data to provide better clarity into security incidents. QRadar Incident Forensics uses Internet search engine technology to convert all associated network packets into documents that are fully indexed, helping IT security teams perform forensic searches in minutes or even seconds in most cases. The user interface is highly intuitive, allowing almost any member of a security team to conduct the necessary investigations by defining simple search cases using free-text keywords or metadata elements.

QRadar SIEM is the tool we offer clients to detect attacks and anomalous behavior within their networks — the vision — and QRadar Incident Forensics provides an accelerated ability to respond to those incidents — the clarity — by helping security teams build an effective remediation plan. Working together, they provide an unrivaled capability that we believe will help restore a little symmetry to the battle our clients are fighting on a daily basis.