Blurred Vision: The Case for Security Intelligence

Hopefully you’ve read our initial two articles on the need for a more intelligent approach to stopping advanced threats and on why detection is not the new prevention. If you have, you will no doubt recognize the parallels between the complex entity that is our immune system and the cooperative security intelligence ecosystem that IT security teams need in order to counter the barrage of advanced attacks against our enterprises. The first dimension we discussed was ‘Prevention’ and the interrelationship between detection and prevention. Now let’s extend that conversation further.

What is threat detection, ultimately? It’s vision; it’s the ability to see massive amounts of activity across the enterprise to discover meaningful behaviors requiring immediate attention. Yet vision by itself is sometimes imperfect. What’s also required to detect the more subtle threats and attacks is the detail behind the discovery — that’s clarity. Vision and clarity are both very important to an effective security intelligence solution, and are a product of its advanced analytics and forensic search capabilities.

Combating Advanced Threats with Security Intelligence

A good security intelligence solution gives security teams complex problem-solving capabilities, uniquely equipping them to defend against advanced threats. Let’s look at the critical capabilities of effective security intelligence solutions.

  • Consolidation of data silos for 360-degree view: Connect the dots between seemingly unrelated or benign activities and ultimately deliver better insight for advanced threat detection.
  • Pre- and post-exploit insights: Gather and prioritize information about existing security gaps to prevent breaches, as well as suspicious behavior to detect breaches.
  • Forensic capabilities: Exhaustively research the impact of the breach using captured packet data, easing the burden on the security and network staff who have to build a remediation plan.
  • Anomaly detection capabilities: Baseline current activity and identify meaningful deviations — a core and vital aspect of detecting advanced threats in progress.
  • Real-time correlation and analysis: Process massive data sets using advanced analytical methods and purpose-built data repositories, allowing for earlier and more accurate detection of advanced threats, and helping to distinguish the signal from the noise.
  • Helping reduce false positives: De-prioritize unusual yet benign activity to reduce the time spent investigating anomalous but harmless activity, helping the organization focus on its top incidents.
  • Flexibility: Constant environmental changes require constant product evolution to add data sources, create and tune analytics, create new user views and reports, and expand and evolve the overall deployment architecture.
  • Unified approach: Prevention of complex, multi-pronged attacks requires a unified or integrated platform to help organizations intelligently wade through hundreds of security alerts and massive quantities of raw event and flow data.

Perhaps one of the most egregious types of offenses is any incident associated with a privileged user. By correlating data access logs with information stored within identity systems and network asset databases, a security analyst could determine when one of these trusted users begins to process an unusual amount of critical or private data. The signs or symptoms are available just like when a human experiences numbness or slurred speech — it’s time to take action. Saving an organization’s intellectual property, buyer or patient data, and overall marketplace reputation requires quick action, before 40,000 or 4 million records are sent to some external IP address.

Stopping Advanced Attacks from Flourishing

Yet even though a good SIEM solution serves to focus the IT security team on their most pressing incidents and vulnerabilities, the forensic investigations of these situations can take hours, days, even weeks to conclude — and that’s using specially trained forensics resources. Basically, the goal here is to establish the root cause or underlying conditions that generated the incident or offense, and not all security intelligence solutions are created equal. We are in an era of continuous attacks and network security breaches, and any vendor that fails to continually invest in their defensive capabilities will fall behind and succumb to the asymmetrical advantage the cyber criminals possess — they only need to find one weakness!


That imbalance requires security teams to be ready to confront a security breach, and this response is largely a race against time. The attackers might have broken into the network, but that doesn’t mean all is lost. Outsiders need time to discover what valuable data exists and where it resides, and all of their activities leave an identifiable trail. The sooner security teams can make that incident identification, the earlier they can disrupt the attack and mitigate its impact.

Our newest integrated module of the QRadar platform was designed to help organizations compress the time required to discover exactly what happened, by using full packet capture data to provide better clarity into security incidents. QRadar Incident Forensics uses Internet search engine technology to convert all associated network packets into documents that are fully indexed, helping IT security teams perform forensic searches in minutes or even seconds in most cases. The user interface is highly intuitive, allowing almost any member of a security team to conduct the necessary investigations by defining simple search cases using free-text keywords or metadata elements.
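To make the idea of turning captured traffic into searchable documents concrete, here is an added Python sketch. It is example code for this page, not QRadar Incident Forensics code, and it makes no claim about how that product is built internally. It assumes that an earlier step has already reassembled each network flow into a record carrying metadata plus extracted payload text (the FLOW_DOCS records are constructed), builds an inverted index over both the free text and the metadata fields, and answers the kind of keyword-and-metadata queries the paragraph above describes, returning matches as a timeline an investigator can read.

```python
import re
from collections import defaultdict

# Constructed flow records (hypothetical): what a capture-to-document step might
# emit after reassembling each flow. Timestamps, addresses and payload text are made up.
FLOW_DOCS = [
    {"id": 1, "ts": "2014-06-08T02:14:05", "src": "10.0.5.12", "dst": "10.0.1.20", "proto": "mysql",
     "text": "SELECT name, ssn FROM patients WHERE 1=1"},
    {"id": 2, "ts": "2014-06-08T02:16:40", "src": "10.0.5.12", "dst": "203.0.113.7", "proto": "http",
     "text": "POST /upload HTTP/1.1 Content-Disposition: filename=patients_export.csv"},
    {"id": 3, "ts": "2014-06-08T09:01:12", "src": "10.0.7.3", "dst": "10.0.1.44", "proto": "smb",
     "text": "open \\\\fileshare-07\\reports\\q2_summary.xlsx"},
    {"id": 4, "ts": "2014-06-08T09:03:00", "src": "10.0.9.8", "dst": "198.51.100.9", "proto": "dns",
     "text": "query A updates.example.org"},
]

META_FIELDS = ("src", "dst", "proto")
# Split on anything that is not alphanumeric so "patients_export.csv" yields
# "patients", "export" and "csv" and a keyword search for "patients" finds it.
TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case, alphanumeric terms of a payload, as a set (presence, not counts)."""
    return set(TOKEN_RE.findall(text.lower()))


class FlowIndex:
    """Inverted index mapping payload terms and metadata values to flow ids."""

    def __init__(self):
        self.text_index = defaultdict(set)   # term -> {doc ids}
        self.meta_index = defaultdict(set)   # (field, value) -> {doc ids}
        self.docs = {}

    def add(self, doc):
        self.docs[doc["id"]] = doc
        for term in tokenize(doc["text"]):
            self.text_index[term].add(doc["id"])
        for field in META_FIELDS:
            self.meta_index[(field, doc[field])].add(doc["id"])

    def search(self, keywords=(), **metadata):
        """AND together every keyword and metadata clause; an empty query matches nothing."""
        result = None
        for kw in keywords:
            ids = self.text_index.get(kw.lower(), set())
            result = ids if result is None else result & ids
        for field, value in metadata.items():
            if field not in META_FIELDS:
                raise ValueError("unknown metadata field: %s" % field)
            ids = self.meta_index.get((field, value), set())
            result = ids if result is None else result & ids
        return sorted(result or [])

    def timeline(self, ids):
        """Matching flows in time order, as (ts, src, dst, proto) tuples."""
        return sorted((self.docs[i]["ts"], self.docs[i]["src"], self.docs[i]["dst"],
                       self.docs[i]["proto"]) for i in ids)


def build_index(docs=FLOW_DOCS):
    index = FlowIndex()
    for doc in docs:
        index.add(doc)
    return index


if __name__ == "__main__":
    idx = build_index()
    # Pivot from a flagged host: everything the source touched that mentions "patients".
    for row in idx.timeline(idx.search(["patients"], src="10.0.5.12")):
        print(row)
```

The search pivot at the bottom is the workflow the paragraph describes: starting from a keyword and a metadata element, the analyst gets back both the database query and the outbound upload that followed it, in order, without reading raw packets. Ranking and phrase queries are deliberately left out; the index structure is the part worth seeing.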

QRadar SIEM is the tool we offer clients to detect attacks and anomalous behavior within their networks — the vision — and QRadar Incident Forensics provides an accelerated ability to respond to those incidents — the clarity — by helping security teams build an effective remediation plan. Working together, they provide an unrivaled capability that we believe will help restore a little symmetry to the battle our clients are fighting on a daily basis.

Sandy Bird

IBM Fellow, CTO for IBM Security

Sandy Bird was the co-founder and CTO of Q1 Labs, now part of IBM. Today, he's the CTO for IBM Security and is responsible for the company's strategic technology direction. Sandy has extensive technology experience specializing in database design and development for web applications. Prior to IBM and Q1 Labs, he held a variety of technical positions at the University of New Brunswick in support, development and administration. Sandy studied Electrical Engineering at the University of New Brunswick and was named an IBM Fellow in 2014.