July 17, 2013 By Vijay Dheap 4 min read

Amplifying Security Intelligence with Big Data

Leading security intelligence solutions today rely on a set of structured and semi-structured data sources, including logs and network traffic, to give the Security Operations Center an ongoing, real-time view of the organization’s security posture. Such solutions are judged on the scale and speed of data they can process in real time, pruning a large set of raw data down to the limited set of significant security incidents that require the organization’s attention.

Security intelligence solutions do let analysts explore the data to identify emerging threats or pinpoint new risk exposures, but their focus is on applying an existing portfolio of threat and risk identifiers to real-time analysis for detection. This approach is effective for monitoring and maintaining an organization’s cyber defenses and for improving incident response time, but a new set of challenges is surfacing that requires security intelligence to be amplified with big data analytics.


Proactively Mitigating Risk and Identifying Threats

As the organizational perimeter blurs due to rapid market adoption of cloud and mobile technologies, as well as consumer engagement in social networks, an organization cannot focus solely on defense. Rather, the organization has to be more proactive in mitigating risk and identifying threats.

Attackers are also employing more sophisticated targeted attack techniques such as social engineering and spear-phishing. Attack methodologies are adapting to current defensive approaches, attempting either to hide malicious activity among large amounts of innocuous activity or to disguise intent by appearing to be innocuous activity. Current tumultuous economic and social conditions are further motivating new types of malicious behavior.

The Need for Big Data and Big Data Analytics

Evolving security intelligence to meet the needs of the new security challenges requires big data and big data analytics.

First, an organization needs to retain its traditional security data for longer periods so that it can be analyzed. Historical analysis can unearth longer-running attack methods and identify relapses in security over time.

Second, data sources not traditionally employed for security can help an organization better qualify which assets and entities need to be protected or observed: for example, identifying the users who most often work with sensitive data and the systems that are critical to core business processes. Data sources such as email, social media content, corporate documents and web content can add context to traditional security data, but they are predominantly unstructured.

Next, a variety of analytics can be performed to reveal security insights from these larger data sets, and they will require more processing time. This analysis will need to run asynchronously from the real-time analysis that traditional security intelligence specializes in. Once the analysis is complete, however, the insights have to be fed back to the real-time component so that the overall solution becomes more effective over time.

Finally, renewed emphasis needs to be placed on investigative analysis that starts out as ad hoc before it is codified. Given the specificity of an organization and its business ecosystem, this is crucial if the security intelligence solution is to gain the contextual awareness necessary for thwarting targeted attacks.
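The four steps above describe a loop: retained history is analyzed offline, and the resulting insight is handed to the real-time component. The sketch below is an added example, not code from the original article: an offline pass over constructed login history builds a per-user baseline of usual hours and session volume, and a lightweight real-time scorer then flags deviations from it. User names, log records and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (user, login hour, bytes transferred in session).
# In a real deployment this would be months of retained log data.
HISTORY = [
    ("alice", 9, 120_000), ("alice", 10, 150_000), ("alice", 11, 130_000),
    ("alice", 14, 110_000), ("alice", 16, 140_000), ("alice", 9, 125_000),
    ("bob", 22, 2_000_000), ("bob", 23, 2_200_000), ("bob", 1, 1_900_000),
    ("bob", 2, 2_100_000), ("bob", 23, 2_050_000), ("bob", 0, 1_950_000),
]

def build_baseline(records, min_samples=5):
    """Offline (batch) step: summarise each user's usual login hours and
    session volume. Users with too little history get no baseline rather
    than a noisy one; the real-time scorer surfaces them instead."""
    per_user = defaultdict(list)
    for user, hour, nbytes in records:
        per_user[user].append((hour, nbytes))
    baseline = {}
    for user, rows in per_user.items():
        if len(rows) < min_samples:
            continue
        volumes = [b for _, b in rows]
        baseline[user] = {
            "hours": {h for h, _ in rows},
            "mean": mean(volumes),
            "sd": pstdev(volumes),
        }
    return baseline

def score_event(baseline, user, hour, nbytes, z_limit=3.0):
    """Real-time step: return the reasons an event deviates from the user's
    baseline. An empty list means 'within baseline'. Unknown users are
    flagged so the next offline run can learn them instead of passing them."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if hour not in profile["hours"]:
        reasons.append(f"unusual hour {hour:02d}:00")
    sd = profile["sd"] or 1.0  # guard against a perfectly constant history
    z = (nbytes - profile["mean"]) / sd
    if z > z_limit:
        reasons.append(f"volume {z:.1f} sd above mean")
    return reasons
```

In practice the baseline would be rebuilt on a schedule from the retained data store and pushed to the real-time engine as rules or reference sets, which is the feedback path the article calls for.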

Six Categories of Use Cases

A Security Intelligence with Big Data solution will empower an organization to address the needs of a changing security landscape. The following are categories of use cases where it can prove at least beneficial, if not essential:

1. Establish a Baseline

The organization gains an understanding of its ecosystem and of what needs to be defended or observed, and formulates a risk profile that enables it to detect abnormalities.

Common Use Case Questions:

  • Who are the attractive targets within my enterprise?
  • Which applications and what data do we need to defend due to their sensitivity?
  • What is the normal behavior profile for users, assets, and applications?

2. Recognize Advanced Persistent Threats

The organization gains awareness of a motivated or incentivized attacker who attempts to hide or disguise the attack as innocuous interactions, potentially over a long period of time (months or years).

Common Use Case Questions:

  • Which assets within my organization are already compromised or are vulnerable?
  • Which external domains may be the source of attacks?
  • Are there any low profile network traffic elements that might signal an ongoing or imminent attack?

3. Qualify Insider Threats

The organization gains evidence of, or is warned about, users within its network who may be inclined to steal intellectual property, compromise enterprise systems or perform other actions detrimental to its operations.

Common Use Case Questions:

  • What data is being leaked or lost and by whom?
  • Who internally has the motivation and skills to compromise the cyber operations of the company?
  • Who is exhibiting abnormal usage behavior?

4. Predict Hacktivism

The organization is alerted to attacks from groups or entities that sympathize with causes contrary to the business interests of the enterprise.

Common Use Case Questions:

  • Which controversial issues may trigger negative sentiment about the organization and thus an increased risk of attack?
  • How can the organization identify and monitor the intentions of entities antagonistic to its business practices?
  • How does publicity of the company in the media impact risk?

5. Counter Cyber Attacks

The organization is informed of an impending or ongoing attack by criminal enterprises or government-funded or government-sponsored groups.

Common Use Case Questions:

  • What is the origin of an attack?
  • Which hacking tools may be used and who is gaining access to them?
  • Are there symptoms of an attack underway or being planned that manifest themselves as support issues?

6. Mitigate Fraud

The organization is apprised of new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations.

Common Use Case Questions:

  • How can the organization identify a fraudulent activity?
  • Which users have compromised identities that may lead to fraudulent activity?
  • Do well-known fraud attempts have patterns that can be detected or even anticipated?

