Amplifying Security Intelligence with Big Data

Leading security intelligence solutions today rely upon a set of structured and semi-structured data sources, including logs, network traffic and others, to provide the Security Operations Center with an ongoing real-time view of the organization’s security posture. The metrics used to evaluate such solutions include the scale and speed at which data can be processed in real time, and how well the large set of raw data is pruned to a limited set of significant security incidents that require the organization’s attention.

While security intelligence solutions do enable security analysts to explore the data and identify emerging threats or pinpoint new risk exposures, the focus is on employing an existing portfolio of threat and risk identifiers to enable real-time analysis for detection. While this approach is effective for monitoring and maintaining the cyber defenses of an organization, as well as improving the response time for handling incidents, a new set of challenges is surfacing that requires security intelligence to be amplified with big data analytics.


Proactively Mitigating Risk and Identifying Threats

As the organizational perimeter blurs due to rapid market adoption of cloud and mobile technologies as well as consumer engagement in social networks, an organization cannot solely focus on defense. Rather the organization has to be more proactive in mitigating risk and identifying threats.

Attackers are also employing more sophisticated targeted attack techniques such as social engineering and spear-phishing. Attack methodologies are also adapting to current defensive approaches, attempting either to hide malicious activities among large amounts of innocuous activity or to disguise their intent by appearing to be innocuous activity. Even current tumultuous economic and social conditions are further motivating new types of malicious behavior.

The Need for Big Data and Big Data Analytics

Evolving security intelligence to meet the needs of the new security challenges requires big data and big data analytics.

Firstly, an organization needs to keep its traditional security data for longer periods of time so that it can be analyzed. Historical analysis has the potential to unearth longer-running attack methods and to identify relapses in security over time.

Secondly, data sources not traditionally employed for security can help an organization better qualify which assets and entities need to be protected and/or observed, for example by identifying the users who most often work with sensitive data and the systems that are critical to core business processes. Data sources such as email, social media content, corporate documents and web content may add context to traditional security data, but they are predominantly unstructured.

Next, a variety of analytics can be performed to reveal security insights from these larger data sets, and they will require more processing time. This analysis will need to run asynchronously to the real-time analysis that traditional security intelligence specializes in. However, once the analysis is complete, the insights have to be fed back to the real-time component so that the overall solution becomes more effective over time.

Finally, renewed emphasis needs to be placed on investigative analysis, which can initially be categorized as ad hoc before it is codified. Given the specificity of an organization and its business ecosystem, this will be crucial for the security intelligence solution to gain the contextual awareness necessary for thwarting targeted attacks.

Six Categories of Use Cases

A Security Intelligence with Big Data solution will empower an organization to address the needs of a changing security landscape. The following are categories of use cases where it can prove at least beneficial, if not essential:

1. Establish a Baseline

The organization gains an understanding of its ecosystem and of what needs to be defended or observed, and formulates a risk profile that enables it to detect abnormalities.

Common Use Case Questions:

  • Who are the attractive targets within my enterprise?
  • Which applications and what data do we need to defend due to their sensitivity?
  • What is the normal behavior profile for users, assets, and applications?
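The post describes two cooperating pieces: a batch job over long-retention history (the asynchronous analysis from the "Need for Big Data" section) whose results are fed back to the real-time component, and a baseline of normal behavior per user against which abnormalities are detected. The following added example, which is not code from the original post or from any IBM product, sketches that loop in Python: `build_baselines` aggregates a constructed access log into per-user profiles, and `score_event` is the real-time check that consumes them. The log records, host names, user names and the z-score and minimum-history thresholds are all assumptions made for the illustration; the same abnormal-usage check also answers the insider-threat question "Who is exhibiting abnormal usage behavior?" later on the page.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed historical access records (not real data): (day, user, host, bytes_read).
# In practice these come from the long-retention store the post argues for.
HISTORICAL_LOG = [
    ("2023-06-01", "alice", "fs01", 100_000),
    ("2023-06-01", "alice", "fs01", 20_000),
    ("2023-06-02", "alice", "fs01", 110_000),
    ("2023-06-03", "alice", "fs02", 95_000),
    ("2023-06-04", "alice", "fs01", 105_000),
    ("2023-06-01", "bob", "db01", 5_000),
    ("2023-06-02", "bob", "db01", 7_000),
    ("2023-06-03", "bob", "db01", 6_000),
    ("2023-06-04", "bob", "db01", 4_000),
]


@dataclass
class UserBaseline:
    """Per-user profile produced by the batch job and handed to the real-time detector."""
    hosts: set            # hosts the user has historically touched
    daily_mean: float     # mean bytes read per observed day
    daily_stdev: float    # population stdev of the daily totals
    days_observed: int    # how much history backs this baseline


def build_baselines(log):
    """Batch step: aggregate the historical log into per-user baselines."""
    per_user_day = defaultdict(lambda: defaultdict(int))
    hosts = defaultdict(set)
    for day, user, host, nbytes in log:
        per_user_day[user][day] += nbytes
        hosts[user].add(host)
    baselines = {}
    for user, days in per_user_day.items():
        totals = list(days.values())
        baselines[user] = UserBaseline(
            hosts=hosts[user],
            daily_mean=mean(totals),
            daily_stdev=pstdev(totals),
            days_observed=len(totals),
        )
    return baselines


def score_event(baselines, user, host, day_total_bytes, z_threshold=3.0, min_days=3):
    """Real-time step: compare one event against the user's baseline.

    `day_total_bytes` is the user's running total for the current day, which the
    streaming component is assumed to maintain. Returns a list of reasons the
    event deviates from the baseline; an empty list means it looks normal.
    """
    reasons = []
    baseline = baselines.get(user)
    if baseline is None:
        return ["no_baseline"]          # never seen in history: route to analyst review
    if host not in baseline.hosts:
        reasons.append("new_host")
    if baseline.days_observed >= min_days:
        # Floor the spread so a perfectly constant history does not divide by zero.
        spread = baseline.daily_stdev or max(baseline.daily_mean * 0.1, 1.0)
        z = (day_total_bytes - baseline.daily_mean) / spread
        if z > z_threshold:
            reasons.append(f"volume_z={z:.1f}")
    return reasons


if __name__ == "__main__":
    baselines = build_baselines(HISTORICAL_LOG)
    # Simulated real-time events checked against the batch-derived baselines.
    for user, host, total in [("bob", "fs01", 6_000), ("bob", "db01", 40_000),
                              ("alice", "fs01", 110_000), ("carol", "fs01", 10)]:
        print(user, host, total, score_event(baselines, user, host, total) or "normal")
```

The design point is the hand-off: the expensive aggregation runs on the full history at its own pace, and the streaming check only does a dictionary lookup and a comparison per event, so the real-time path keeps its speed while inheriting the context the batch job computed. Re-running `build_baselines` periodically is what "feeding insights back over time" looks like in practice.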

2. Recognize Advanced Persistent Threats

The organization gains awareness of a motivated or incentivized attacker who attempts to hide or disguise the attack as innocuous interactions, potentially over a long period of time (months or years).

Common Use Case Questions:

  • Which assets within my organization are already compromised or are vulnerable?
  • Which external domains may be the source of attacks?
  • Are there any low profile network traffic elements that might signal an ongoing or imminent attack?
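The "low profile network traffic elements" question is the one that most needs the long retention window the post argues for: a single small outbound connection is invisible, but the same small connection recurring on a fixed schedule for days is a recognizable pattern. The following added example, which is not from the original post or any IBM product, shows one defensive way to surface that pattern in Python: it groups constructed connection records by (source, destination), measures how regular the inter-arrival gaps are, and flags pairs that are both regular and low-volume. The log records, host name, documentation-range IP addresses and the regularity and byte thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection records (not real data): (epoch_seconds, src_host, dst_ip, bytes_out).
# Addresses are RFC 5737 documentation ranges. The three flows below are built to be
# a low-volume hourly beacon, ordinary irregular browsing, and a regular high-volume backup job.
_BASE = 1_700_000_000


def _timestamps(gaps):
    """Turn a list of inter-arrival gaps into absolute timestamps starting at _BASE."""
    t, out = _BASE, [_BASE]
    for g in gaps:
        t += g
        out.append(t)
    return out


CONN_LOG = []
for ts in _timestamps([3600, 3590, 3610, 3605, 3595, 3600, 3600]):   # hourly, slight jitter
    CONN_LOG.append((ts, "ws-17", "203.0.113.10", 312))
for ts in _timestamps([40, 860, 5, 3095, 100, 5900, 5]):              # bursty, irregular
    CONN_LOG.append((ts, "ws-17", "198.51.100.5", 48_000))
for ts in _timestamps([3600] * 7):                                     # regular but bulky
    CONN_LOG.append((ts, "ws-17", "192.0.2.50", 50_000_000))


def find_beacons(log, min_events=6, max_cv=0.1, max_mean_bytes=1024):
    """Flag (src, dst) pairs whose connections are both regular and small.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    inter-arrival gaps; a low value means the connections recur on a near-fixed
    period. The byte ceiling filters out scheduled bulk transfers that are regular
    for benign reasons. Thresholds are illustrative assumptions, not tuned values.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in sorted(log):
        by_pair[(src, dst)].append((ts, nbytes))
    flagged = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue
        times = [t for t, _ in events]
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg_gap = mean(gaps)
        if avg_gap <= 0:
            continue
        cv = pstdev(gaps) / avg_gap
        avg_bytes = mean(n for _, n in events)
        if cv <= max_cv and avg_bytes <= max_mean_bytes:
            flagged[pair] = {
                "events": len(events),
                "period_s": avg_gap,
                "cv": round(cv, 4),
                "mean_bytes": avg_bytes,
            }
    return flagged


if __name__ == "__main__":
    for pair, stats in find_beacons(CONN_LOG).items():
        print(pair, stats)
```

Only the hourly low-volume flow is reported; the backup job is just as regular but fails the byte ceiling, and the browsing flow fails the regularity test. The analysis needs the whole window in memory at once, which is why it belongs in the asynchronous batch tier rather than the per-event real-time path; a flagged destination can then be handed to the real-time component as a watch item.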

3. Qualify Insider Threats

The organization gains evidence of, or is warned about, users within its network who may be inclined to steal intellectual property, compromise enterprise systems or perform other actions detrimental to its operations.

Common Use Case Questions:

  • What data is being leaked or lost and by whom?
  • Who internally has the motivation and skills to compromise the cyber operations of the company?
  • Who is exhibiting abnormal usage behavior?

4. Predict Hacktivism

The organization is alerted to attacks from groups or entities that sympathize with causes contrary to the business interests of the enterprise.

Common Use Case Questions:

  • Which controversial issues may trigger negative sentiment about the organization and thereby increase the risk of attack?
  • How can the organization identify and monitor the intentions of entities antagonistic to its business practices?
  • How does publicity of the company in the media impact risk?

5. Counter Cyber Attacks

The organization is informed of an impending or ongoing attack by criminal enterprises or government-funded or government-sponsored groups.

Common Use Case Questions:

  • What is the origin of an attack?
  • Which hacking tools may be used and who is gaining access to them?
  • Are there symptoms of an attack underway or being planned that manifest themselves as support issues?

6. Mitigate Fraud

The organization is apprised of new or existing fraud methods that may compromise its compliance with regulations or cause significant losses to its financial operations.

Common Use Case Questions:

  • How can the organization identify a fraudulent activity?
  • Which users have compromised identities that may lead to fraudulent activity?
  • Do well-known fraud attempts have patterns that can be detected or even anticipated?
