Amplifying Security Intelligence with Big Data

Leading security intelligence solutions today rely upon a set of structured and semi-structured data sources, including logs, network traffic and others, to provide the Security Operations Center with an ongoing real-time view of their organization’s security posture.  The metrics employed to evaluate such solutions include the scale and speed of data that can be processed in real time, pruning the large set of raw data down to a limited set of significant security incidents that require the attention of the organization.

While security intelligence solutions do enable security analysts to explore the data and identify emerging threats or pinpoint new risk exposures, the focus is on employing an existing portfolio of threat and risk identifiers to enable real-time analysis for detection.  While this approach is effective for monitoring and maintaining the cyber defenses of an organization as well as improving the response time to handle incidents, a new set of challenges is surfacing that requires security intelligence to be amplified with big data analytics.


Proactively Mitigating Risk and Identifying Threats

As the organizational perimeter blurs due to rapid market adoption of cloud and mobile technologies as well as consumer engagement in social networks, an organization cannot solely focus on defense. Rather, the organization has to be more proactive in mitigating risk and identifying threats.

Attackers are also employing more sophisticated targeted attack techniques such as social engineering and spear-phishing.  The attack methodologies are also adapting to current defensive approaches – attempting either to hide malicious activities among large amounts of innocuous activity or to disguise their intent by appearing to be innocuous activity.  Even current tumultuous economic and social conditions are further motivating new types of malicious behaviors.

The Need for Big Data and Big Data Analytics

Evolving security intelligence to meet the needs of the new security challenges requires big data and big data analytics.

Firstly, an organization needs to keep its traditional security data for longer periods of time in order to perform analysis on it.  Historical analysis has the potential to unearth longer-running attack methods and to identify relapses in security over time.

Secondly, data sources not traditionally employed for security can help an organization better qualify which assets and entities need to be protected and/or observed; for example, by identifying the users who most often work with sensitive data and the systems that are critical to core business processes.  Data sources such as email, social media content, corporate documents, and web content may add context to traditional security data, but they are predominantly unstructured data.

Next, a variety of analytics can be performed to reveal security insights from these larger data sets, and they will require more processing time.  This analysis will need to be done asynchronously to the real-time analysis in which traditional security intelligence specializes.  However, once the analysis is complete, the insights have to be fed back to the real-time component to make the overall solution more effective over time.

Finally, a renewed emphasis needs to be placed on investigative analysis, which can initially be categorized as ad hoc before it is codified.  Given the specificity of an organization and its business ecosystem, this will be crucial for the security intelligence solution to gain the contextual awareness necessary for thwarting targeted attacks.

Six Categories of Use Cases

A Security Intelligence with Big Data solution will empower an organization to address the needs of a changing security landscape.  The following are categories of use cases where it can prove at least beneficial, if not essential:

1. Establish a Baseline

The organization gains an understanding of its ecosystem and of what needs to be defended or observed, and formulates a risk profile that enables it to detect abnormalities.

Common Use Case Questions:

  • Who are the attractive targets within my enterprise?
  • Which applications and what data do we need to defend due to their sensitivity?
  • What is the normal behavior profile for users, assets, and applications?

2. Recognize Advanced Persistent Threats

The organization gains awareness of a motivated or incentivized attacker who attempts to hide or disguise the attack as innocuous interactions, potentially over a long period of time (months, years).

Common Use Case Questions:

  • Which assets within my organization are already compromised or are vulnerable?
  • Which external domains may be the source of attacks?
  • Are there any low profile network traffic elements that might signal an ongoing or imminent attack?

3. Qualify Insider Threats

The organization gains evidence of, or is warned about, users within the organization’s network who may be inclined to steal intellectual property, compromise enterprise systems or perform other actions that are detrimental to the organization’s operations.

Common Use Case Questions:

  • What data is being leaked or lost and by whom?
  • Who internally has the motivation and skills to compromise the cyber operations of the company?
  • Who is exhibiting abnormal usage behavior?

4. Predict Hacktivism

The organization is alerted to attacks from groups or entities that sympathize with causes contrary to the business interests of the enterprise.

Common Use Case Questions:

  • Which controversial issues may trigger negative sentiment about the organization and thereby an increased risk of attack?
  • How can the organization identify and monitor the intentions of entities antagonistic to its business practices?
  • How does publicity of the company in the media impact risk?

5. Counter Cyber Attacks

The organization is informed of an impending or ongoing attack by criminal enterprises or government-funded or government-sponsored groups.

Common Use Case Questions:

  • What is the origin of an attack?
  • Which hacking tools may be used and who is gaining access to them?
  • Are there symptoms of an attack underway or being planned that manifest themselves as support issues?

6. Mitigate Fraud

The organization is apprised of new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations.

Common Use Case Questions:

  • How can the organization identify a fraudulent activity?
  • Which users have compromised identities that may lead to fraudulent activity?
  • Do well-known fraud attempts have patterns that can be detected or even anticipated?
