July 17, 2013 By Vijay Dheap 4 min read

Amplifying Security Intelligence with Big Data

Leading security intelligence solutions today rely on a set of structured and semi-structured data sources, including logs and network traffic, to give the Security Operations Center an ongoing, real-time view of the organization's security posture. The metrics used to evaluate such solutions include the scale and speed of data that can be processed in real time, pruning a large set of raw data down to a limited set of significant security incidents that require the organization's attention.

While security intelligence solutions do enable security analysts to explore the data and identify emerging threats or pinpoint new risk exposures, the focus is on applying an existing portfolio of threat and risk identifiers to enable real-time analysis for detection. This approach is effective for monitoring and maintaining an organization's cyber defenses and for improving incident response time, but a new set of challenges is surfacing that requires security intelligence to be amplified with big data analytics.


Proactively Mitigating Risk and Identifying Threats

As the organizational perimeter blurs due to rapid market adoption of cloud and mobile technologies, as well as consumer engagement in social networks, an organization cannot focus solely on defense. Rather, the organization has to be more proactive in mitigating risk and identifying threats.

Attackers are also employing more sophisticated targeted attack techniques such as social engineering and spear-phishing. Attack methodologies are adapting to current defensive approaches, attempting either to hide malicious activity among large amounts of innocuous activity or to disguise intent by appearing to be innocuous activity. Even current tumultuous economic and social conditions are motivating new types of malicious behavior.

The Need for Big Data and Big Data Analytics

Evolving security intelligence to meet the needs of the new security challenges requires big data and big data analytics.

Firstly, an organization needs to retain its traditional security data for longer periods of time in order to perform analysis on it. Historical analysis has the potential to unearth longer-running attack methods and to identify relapses in security over time.

Secondly, data sources not traditionally employed for security can help an organization better qualify which assets and entities need to be protected and/or observed, for example by identifying the users who most often work with sensitive data and the systems that are critical to core business processes. Data sources such as email, social media content, corporate documents and web content can add context to traditional security data, but they are predominantly unstructured.

Next, a variety of analytics can be performed to reveal security insights from these larger data sets, and they will require more processing time. This analysis will need to run asynchronously to the real-time analysis that traditional security intelligence specializes in. However, once the analysis is complete, the insights have to be fed back to the real-time component so that the overall solution becomes more effective over time.

Finally, a renewed emphasis needs to be placed on investigative analysis, which can initially be categorized as ad hoc before it is codified. Given the specificity of an organization and its business ecosystem, this will be crucial for the security intelligence solution to gain the contextual awareness necessary for thwarting targeted attacks.

Six Categories of Use Cases

A security intelligence with big data solution will empower an organization to address the needs of a changing security landscape. The following are categories of use cases where it can prove at least beneficial, if not essential:

1. Establish a Baseline

The organization gains an understanding of its ecosystem and of what needs to be defended or observed, and formulates a risk profile that enables it to detect abnormalities.

Common Use Case Questions:

  • Who are the attractive targets within my enterprise?
  • Which applications and what data do we need to defend due to their sensitivity?
  • What is the normal behavior profile for users, assets, and applications?
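As an added illustration of the historical-baseline and feedback loop the post describes (batch analysis of retained data whose insights are handed back to the real-time component), and of the "normal behavior profile" question above, this is example code and not part of the original post: a batch stage profiles each user's daily data volume from constructed historical records, and a lightweight real-time stage scores new events against those profiles. The record layout, user names, minimum history length and the z-score threshold are all assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample of historical access records: (user, day, bytes_read).
# Stands in for the longer-retained security data the post argues for,
# analysed asynchronously rather than in the real-time path.
HISTORY = [
    ("alice", 1, 1200), ("alice", 2, 1400), ("alice", 3, 1100), ("alice", 4, 1300),
    ("bob", 1, 50000), ("bob", 2, 48000), ("bob", 3, 52000), ("bob", 4, 51000),
    ("carol", 1, 10), ("carol", 2, 12),  # too little history to profile
]


def build_baselines(records, min_days=3):
    """Batch stage: per-user mean and standard deviation of daily volume.

    Users with fewer than min_days of history are deliberately left out so a
    thin sample is not mistaken for a 'normal' profile.
    """
    per_user = defaultdict(list)
    for user, _day, volume in records:
        per_user[user].append(volume)
    return {
        user: (mean(vols), pstdev(vols))
        for user, vols in per_user.items()
        if len(vols) >= min_days
    }


def score_event(baselines, user, volume, k=3.0):
    """Real-time stage: z-score a new daily volume against the fed-back baseline.

    Returns (verdict, z). Unprofiled users are surfaced for review rather than
    silently passed; a zero-variance profile treats any deviation as anomalous.
    """
    if user not in baselines:
        return ("unprofiled", None)
    mu, sigma = baselines[user]
    if sigma == 0:
        return ("normal", 0.0) if volume == mu else ("anomalous", None)
    z = (volume - mu) / sigma
    return ("anomalous" if abs(z) > k else "normal", z)


if __name__ == "__main__":
    profiles = build_baselines(HISTORY)  # the insight handed to the real-time side
    for user, volume in [("alice", 1250), ("alice", 45000), ("carol", 10)]:
        print(user, volume, score_event(profiles, user, volume))
```

The `profiles` dictionary is the artifact the asynchronous side publishes; the real-time side only performs a lookup and a division per event, which is what keeps the feedback loop cheap.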

2. Recognize Advanced Persistent Threats

The organization gains awareness of a motivated or incentivized attacker who attempts to hide or disguise the attack as innocuous interactions, potentially over a long period of time (months or years).

Common Use Case Questions:

  • Which assets within my organization are already compromised or are vulnerable?
  • Which external domains may be the source of attacks?
  • Are there any low profile network traffic elements that might signal an ongoing or imminent attack?

3. Qualify Insider Threats

The organization gains evidence of, or is warned about, users within its network who may be inclined to steal intellectual property, compromise enterprise systems or perform other actions detrimental to the organization's operations.

Common Use Case Questions:

  • What data is being leaked or lost and by whom?
  • Who internally has the motivation and skills to compromise the cyber operations of the company?
  • Who is exhibiting abnormal usage behavior?

4. Predict Hacktivism

The organization is alerted to attacks from groups or entities that sympathize with causes contrary to the business interests of the enterprise.

Common Use Case Questions:

  • Which controversial issues may provoke negative sentiment about the organization and thereby increase the risk of attack?
  • How can the organization identify and monitor the intentions of entities antagonistic to its business practices?
  • How does publicity of the company in the media impact risk?

5. Counter Cyber Attacks

The organization is informed of an impending or ongoing attack by criminal enterprises or by government-funded or government-sponsored groups.

Common Use Case Questions:

  • What is the origin of an attack?
  • Which hacking tools may be used and who is gaining access to them?
  • Are there symptoms of an attack underway or being planned that manifest themselves as support issues?

6. Mitigate Fraud

The organization is apprised of new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations.

Common Use Case Questions:

  • How can the organization identify a fraudulent activity?
  • Which users have compromised identities that may lead to fraudulent activity?
  • Do well-known fraud attempts have patterns that can be detected or even anticipated?
