Hopefully you’ve read our initial two articles on the need for a more intelligent approach to stopping advanced threats and why detection is not the new prevention. If you have, you will no doubt recognize the parallels between the complex entity that is our immune system, and the required cooperative security intelligence ecosystem necessary to help IT security teams counter the barrage of advanced attacks against our enterprises. The first dimension we discussed was ‘Prevention‘ and the interrelationship between detection and prevention. Now let’s extend that conversation further.

What is threat detection, ultimately? It’s vision; it’s the ability to see massive amounts of activity across the enterprise to discover meaningful behaviors requiring immediate attention. Yet vision by itself is sometimes imperfect. What’s also required to detect the more subtle threats and attacks is the detail behind the discovery — that’s clarity. Vision and clarity are both very important to an effective security intelligence solution, and are a product of its advanced analytics and forensic search capabilities.

Combating Advanced Threats with Security Intelligence

A good security intelligence solution gives a security team complex problem-solving capabilities that equip it to defend against advanced threats. Let’s look at the critical capabilities of an effective security intelligence solution.

  • Consolidation of data silos for 360-degree view: Connect the dots between seemingly unrelated or benign activities and ultimately deliver better insight for advanced threat detection.
  • Pre- and post-exploit insights: Gather and prioritize information about existing security gaps to prevent breaches, as well as suspicious behavior to detect breaches.
  • Forensic capabilities: Exhaustively research the impact of the breach using captured packet data, easing the burden on the security and network staff who have to build a remediation plan.
  • Anomaly detection capabilities: Baseline current activity and identify meaningful deviations — a core and vital aspect of detecting advanced threats in progress.
  • Real-time correlation and analysis: Process massive data sets using advanced analytical methods and purpose-built data repositories, allowing for earlier and more accurate detection of advanced threats, and helping to distinguish the signal from the noise.
  • Helping reduce false positives: De-prioritize unusual yet benign activity to reduce the time spent investigating anomalous but harmless activity, helping the organization focus on its top incidents.
  • Flexibility: Constant environmental changes require constant product evolution to add data sources, create and tune analytics, create new user views and reports, and expand and evolve the overall deployment architecture.
  • Unified approach: Prevention of complex, multi-pronged attacks requires a unified or integrated platform to help organizations intelligently wade through hundreds of security alerts and massive quantities of raw event and flow data.

Perhaps one of the most egregious types of offenses is any incident associated with a privileged user. By correlating data access logs with information stored in identity systems and network asset databases, a security analyst can determine when one of these trusted users begins to process an unusual amount of critical or private data. The signs or symptoms are there, just as they are when a person experiences numbness or slurred speech — it’s time to take action. Saving an organization’s intellectual property, buyer or patient data, and overall marketplace reputation requires quick action, before 40,000 or 4 million records are sent to some external IP address.
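The privileged-user scenario above, together with the baseline-and-deviation idea from the anomaly detection bullet, as an added worked example (this is illustrative code written for this page, not QRadar logic or any vendor’s rule format). It correlates constructed data-access log lines with a constructed identity directory and asset database, baselines each privileged user’s daily volume of records read from restricted data stores, and raises an alert only when the latest day deviates from that user’s own history. The log format, field names and the `restricted`/`privileged` attributes are assumptions made for the example.

```python
"""Privileged-user data-access anomaly detector (added example, not QRadar code).

Correlation steps, mirroring the text:
  1. identity system   -> is this user privileged?
  2. asset database    -> does this host hold restricted data?
  3. baseline per user -> is today's restricted-record volume unusual for them?
All data below is constructed for the example; the schema is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed identity directory (assumed schema): user -> attributes.
IDENTITY = {
    "alice": {"role": "dba", "privileged": True},
    "bob": {"role": "analyst", "privileged": False},
    "carol": {"role": "sysadmin", "privileged": True},
}

# Constructed asset database (assumed schema): host -> data classification.
ASSETS = {
    "db-patients-01": "restricted",
    "db-billing-02": "restricted",
    "wiki-01": "internal",
}

# Constructed data-access log lines, one per read: "date user host records".
# alice reads a few hundred restricted records a day, then 40,000 on the last day.
# bob reads far more, but from an internal wiki and is not privileged.
LOG_LINES = """\
2014-05-01 alice db-patients-01 310
2014-05-02 alice db-patients-01 290
2014-05-03 alice db-billing-02 330
2014-05-04 alice db-patients-01 305
2014-05-05 alice db-patients-01 40000
2014-05-01 bob wiki-01 12000
2014-05-05 bob wiki-01 90000
2014-05-01 carol db-billing-02 50
2014-05-05 carol db-billing-02 60
"""


def parse_log(text):
    """Yield (date, user, host, records) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        date, user, host, records = line.split()
        yield date, user, host, int(records)


def daily_sensitive_volume(events):
    """Per privileged user and day, sum the records read from restricted assets.

    Non-privileged users and non-restricted assets are dropped here; that is the
    correlation with identity and asset data that keeps bob's large but benign
    wiki reads out of the alert queue (false-positive reduction)."""
    volume = defaultdict(lambda: defaultdict(int))
    for date, user, host, records in events:
        if not IDENTITY.get(user, {}).get("privileged"):
            continue  # step 1: identity system says this user is not privileged
        if ASSETS.get(host) != "restricted":
            continue  # step 2: asset database says this host is not sensitive
        volume[user][date] += records
    return volume


def detect_privileged_anomalies(log_text, sigma=3.0, min_records=1000):
    """Return alerts for privileged users whose latest day's restricted-record
    volume exceeds their own baseline (earlier days) by `sigma` standard
    deviations. `min_records` is an absolute floor so a user with a tiny or
    perfectly flat history (stdev 0) does not alert on a trivial increase."""
    volume = daily_sensitive_volume(parse_log(log_text))
    alerts = []
    for user, per_day in volume.items():
        days = sorted(per_day)
        if len(days) < 3:
            continue  # too little history to baseline; skip rather than guess
        *history, today = days
        baseline = [per_day[d] for d in history]
        mu, sd = mean(baseline), pstdev(baseline)
        observed = per_day[today]
        threshold = max(mu + sigma * sd, min_records)
        if observed > threshold:
            alerts.append({
                "user": user,
                "role": IDENTITY[user]["role"],
                "day": today,
                "observed": observed,
                "baseline_mean": round(mu, 1),
                "threshold": round(threshold, 1),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_privileged_anomalies(LOG_LINES):
        print(alert)
```

Run as-is, only alice is flagged: her 40,000-record day is far above both her historical mean (about 309 records) and the 1,000-record floor. bob is never considered because the identity lookup says he is not privileged, and carol has only two days of history, so the detector declines to baseline her rather than alert on noise. In a real deployment the baseline window, `sigma` and `min_records` would be tuned per data class, which is the "create and tune analytics" flexibility the list above calls for.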

Stopping Advanced Attacks from Flourishing

Yet even though a good SIEM solution serves to focus the IT security team on their most pressing incidents and vulnerabilities, the forensic investigations of these situations can take hours, days, even weeks to conclude — and that’s using specially trained forensics resources. The goal of such an investigation is to establish the root cause or the underlying conditions that generated the incident or offense, and not all security intelligence solutions are created equal here. We are in an era of continuous attacks and network security breaches, and any vendor that fails to continually invest in their defensive capabilities will fall behind and succumb to the asymmetrical advantage the cyber criminals possess — they only need to find one weakness!


That imbalance requires security teams to be ready to confront a security breach, and this response is largely a race against time. The attackers might have broken into the network, but that doesn’t mean all is lost. Outsiders need time to discover what valuable data exists and where it resides, and all of their activities leave an identifiable trail. The sooner security teams can make that incident identification, the earlier they can disrupt the attack and mitigate its impact.

Our newest integrated module of the QRadar platform was designed to help organizations compress the time required to discover exactly what happened, by using full packet capture data to provide better clarity into security incidents. QRadar Incident Forensics uses Internet search engine technology to convert all associated network packets into fully indexed documents, helping IT security teams perform forensic searches in minutes or, in most cases, even seconds. The user interface is highly intuitive, allowing almost any member of a security team to conduct the necessary investigations by defining simple search cases using free-text keywords or metadata elements.

QRadar SIEM is the tool we offer clients to detect attacks and anomalous behavior within their networks — the vision — and QRadar Incident Forensics provides an accelerated ability to respond to those incidents — the clarity — by helping security teams build an effective remediation plan. Working together, they provide an unrivaled capability that we believe will help restore a little symmetry to the battle our clients are fighting on a daily basis.
