The Evolution of Security Intelligence
With security breaches and insider fraud rampant, it is no surprise that security is among the most significant concerns of every industry vertical in the world. Not only are today’s threats more varied in sophistication than ever, but attacker intent has changed: organizations are no longer merely targets of opportunity but deliberately chosen targets.
With many organizations still in a state of denial, the reality is that there is nowhere to hide and breaches will occur. Some organizations have, in fact, already been compromised and do not know it yet.
In this article, I will discuss the common issues surrounding the current state of traditional Security Information and Event Management (SIEM) infrastructure and the move to the far more analytical “intelligent” systems that are now being built on Big Data.
The topics I will cover are:
- The Limitations of SIEM
- Security Intelligence (SI)
The Limitations of SIEM
SIEM tools have helped many organizations get a better handle on aggregating and analyzing logs across disparate security tools, and those organizations are now starting to encounter the limitations of SIEM. Many are finding that they should not make the mistake of confusing the use of a SIEM with the existence of a security analytics practice. The critical point is that SIEM is only a starting point for security analytics.
SIEM has become the mainstream tool of choice for teams seeking to sift through real-time event information in order to respond to security problems more quickly. What I and others have observed is that organizations struggle to gain more value out of their SIEM deployments, and the reputation of these platforms has started to come into question. Referencing the diagram above, Gartner’s 2014 Magic Quadrant ranks IBM QRadar, HP, Splunk, McAfee, and LogRhythm as the leaders in this space, and these vendors are now incorporating some level of SI. This is the direction the security industry is headed, with SI replacing the obsolete SIEM. With these SIEM tools, the difficulty has been the increase in security “noise” (false positives) and the complexity of the systems feeding into the SIEM. Infrastructure that grows ever more complex, with virtualization and mobile devices, makes for a perfect environment for attackers and a nightmare for security teams to analyze.
These tools were not originally designed to consume much more than Syslog or NetFlow information, with a few exceptions around configuration or vulnerability assessment data. Architecturally, security analytics is about far more than data volume; it also has to handle the diversity of data, and that is where SIEM hits its hardest limits. A good example is that a SIEM cannot account for data sources such as financial data that could help with fraud detection, human resources information, metadata about the business, or sentiment data from sources like social media. These sources, external to security, can prove crucial in pinpointing business risks that require contextual clues to spot. The most severe limitation, in my opinion, is that SIEM does not include big-picture thinking: the adaptive intelligence to pinpoint the meaning of events and the interactions between them.
Security Intelligence (SI) is a holistic, risk-based analytical approach to viewing and managing the security and risk posture of an organization. It is not only a system for analyzing an exploit after it has occurred, but also a proactive one that acts before an attack happens. It is not just a partial view of network activity but complete 360-degree visibility into structured and unstructured data, which is what we have called Security Intelligence with Big Data. Earlier SIEM systems were just a means of recording massive amounts of data; SI provides a means to gain critical insight from that data and take proactive measures based on it.
The diagram below is an architectural representation of how a predictive security model is designed. This represents the sharing of intelligence using Big Data with organizations worldwide.
We can take this concept even further by sharing this intelligence with other organizations in a concerted effort to prevent breaches and to respond rapidly should they occur. Security Intelligence goes beyond SIEM, and it impacts budgets profoundly. Intelligent security analytics systems require substantial compute and storage for the underlying Big Data infrastructure. Investment in this infrastructure, including data warehouses or NoSQL environments, is necessary before security analytics can be implemented, and the organization may already have such platforms that can be leveraged for information security purposes. Some organizations already have data analytics and business intelligence teams. These teams can be a CISO’s friend when building out a security analytics capability, by leveraging both their talent and their tools.
The benefits of SI are immense, and it is the only viable proactive approach whose output can be shared with other willing organizations. There is already a trend in the retail industry to share intelligence with other retail organizations and with the federal government.
Some of the critical benefits of SI are as follows:
- Regulatory Compliance — compliance with NIST, ISO 2700x, PCI DSS, HIPAA, NERC CIP, SOX and many other regimes is a significant driver of IT security initiatives. SI aids both regulatory and internal policy compliance by logging and proactively monitoring diverse information across the enterprise in real time, providing accountability, transparency and measurability. It also offers practical value through automated reporting and efficient searching of logs, events, and network flows.
- Rapid Detection and Remediation of Threats — multiple perimeters, and a workforce that works both behind and in front of those perimeters with mobile devices, make the whole environment porous. On top of that, the insider threat is ever present and growing, which is the motivation for the so-called zero-trust model, in which no user or device is trusted by default. The human is, of course, the weakest link in security. SI attempts to find the needle in the haystack by correlating massive data volumes in real time, which is a fundamental advantage over SIEM.
- Employee Fraud and Data Loss — the insider threat that is most common and most devastating is the exfiltration of vital data for financial gain. SI detects these occurrences by correlating flow-based network activity with content capture (via Deep Packet Inspection, or DPI). DPI provides drill-down capabilities, allowing an analyst to view the specific emails an employee sent to a third party through a personal email account. Like anything, it is not foolproof. For example, anyone with a personal smartphone on a third-party wireless carrier can bypass detection entirely by going outside the organization’s network, and DPI only sees the content of traffic that is not encrypted or that the organization is in a position to decrypt.
- Proactive Risk Reduction — where SI excels is in providing automated, policy-based monitoring of device configurations such as firewalls. It also prioritizes the vulnerabilities detected by the various vulnerability scanners and models the impact of proposed network changes before they are made. This is another key advantage over SIEM: centralized device configuration monitoring and auditing is an essential element in reducing the risk of security breaches.
- Simplified Operations — SI applies intelligent automation to simplify security operations and reduce the burden on security and network staff.
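The correlation that the “Rapid Detection” and “Employee Fraud and Data Loss” items describe, combined with the non-security context (HR data) that the earlier section says a SIEM cannot consume, is easiest to see in code. The following is an added example written for this article, not code from any product discussed here. It uses constructed NetFlow-style records, a constructed DHCP lease table, a constructed HR status table and constructed per-user baselines; the scoring weights are an assumption chosen for illustration. It first shows what a plain volume threshold (the kind of rule a SIEM runs) flags, then what a context-aware correlation flags.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample flow records: (timestamp, src_ip, dst_ip, dst_port, bytes_out). Not real telemetry.
FLOWS = [
    ("2014-11-03T09:01:10", "10.1.2.33", "10.1.0.5",     445,  120_000),
    ("2014-11-03T09:05:42", "10.1.2.33", "203.0.113.10", 443,  850_000_000),
    ("2014-11-03T09:06:01", "10.1.2.33", "203.0.113.10", 443,  700_000_000),
    ("2014-11-03T09:07:15", "10.1.2.44", "198.51.100.7", 443,  2_000_000),
    ("2014-11-03T09:08:30", "10.1.2.55", "10.1.0.9",     22,   5_000),
    ("2014-11-03T09:09:00", "10.1.2.55", "198.51.100.9", 443,  900_000_000),
]
# Constructed identity context: DHCP lease -> user, and HR status (service accounts have no HR record).
DHCP_LEASES = {"10.1.2.33": "jdoe", "10.1.2.44": "asmith", "10.1.2.55": "backup-svc"}
HR_STATUS = {"jdoe": "resignation_notice", "asmith": "active"}
# Constructed per-principal daily outbound baseline in bytes (what a learning phase would have produced).
BASELINE_OUT = {"jdoe": 50_000_000, "asmith": 40_000_000, "backup-svc": 2_000_000_000}

RISKY_HR_STATUS = {"resignation_notice", "terminated", "under_investigation"}


def is_external(ip: str) -> bool:
    """True if the address is outside the organization's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def naive_volume_alerts(flows, threshold: int) -> set:
    """A plain SIEM-style rule: any source host whose external bytes exceed a fixed threshold."""
    out = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_external(dst):
            out[src] += nbytes
    return {src for src, total in out.items() if total > threshold}


def correlate(flows, leases, hr_status, baseline, alert_at: int = 50) -> list:
    """Correlate flow volume with identity, a learned baseline and HR context.

    Score weights (assumed for illustration): +50 if outbound exceeds 10x the principal's
    baseline, +20 if the principal has no baseline at all, +40 if HR marks the person as risky.
    """
    out_by_user = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        if is_external(dst):
            out_by_user[leases.get(src, f"unknown@{src}")] += nbytes

    alerts = []
    for user, total in out_by_user.items():
        score, reasons = 0, []
        base = baseline.get(user)
        if base is None:
            score += 20
            reasons.append("no learned baseline for principal")
        elif total > 10 * base:
            score += 50
            reasons.append(f"outbound volume {total / base:.0f}x baseline")
        status = hr_status.get(user, "unknown")
        if status in RISKY_HR_STATUS:
            score += 40
            reasons.append(f"HR status: {status}")
        if score >= alert_at:
            alerts.append({"user": user, "bytes_out": total, "score": score,
                           "severity": "high" if score >= 80 else "medium", "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


if __name__ == "__main__":
    print("volume-only rule flags:", naive_volume_alerts(FLOWS, 500_000_000))
    for alert in correlate(FLOWS, DHCP_LEASES, HR_STATUS, BASELINE_OUT):
        print(alert)
```

On this data the volume-only rule flags both 10.1.2.33 and 10.1.2.55, and the analyst has to triage two hosts. The correlated view flags only jdoe, because 900 MB from the backup service account is under half its normal daily volume, while jdoe's 1.55 GB is 31 times normal and the HR record shows a resignation notice. The same correlation is also what turns the DPI drill-down into something actionable: the alert already names the person and the reason to look at their captured content.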
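The “Proactive Risk Reduction” item bundles three things: policy checks on pulled device configurations, prioritizing scanner findings, and evaluating a change before it is made. The following added example, written for this article and not taken from any product, does all three against a constructed firewall ruleset and constructed scanner findings (no real CVE identifiers). It assumes the device evaluates rules top-down with first match winning and an implicit deny at the end, and it assumes the policy set P1 to P3 and the exposure multiplier, both chosen for illustration.

```python
import ipaddress

ADMIN_NET = ipaddress.ip_network("10.9.0.0/24")
RISKY_SERVICES = {21, 23, 445, 3389}
INTERNET_SRC = "198.51.100.1"   # representative external address (documentation range)

# Constructed ruleset pulled from a perimeter firewall; first match wins, rule 99 is the explicit deny.
FIREWALL_RULES = [
    {"id": 10, "src": "any",         "dst": "203.0.113.20", "port": 443,   "action": "allow"},  # public web
    {"id": 20, "src": "any",         "dst": "203.0.113.21", "port": 3389,  "action": "allow"},  # RDP from anywhere
    {"id": 30, "src": "10.9.0.0/24", "dst": "203.0.113.20", "port": 22,    "action": "allow"},  # SSH from admin net
    {"id": 40, "src": "any",         "dst": "any",          "port": "any", "action": "allow"},  # "temporary" troubleshooting rule
    {"id": 99, "src": "any",         "dst": "any",          "port": "any", "action": "deny"},
]

# Constructed scanner output: host, listening port the finding concerns, description, CVSS base score.
SCAN_FINDINGS = [
    {"host": "203.0.113.21", "port": 3389, "title": "Unpatched RDP service, remote code execution", "cvss": 9.8},
    {"host": "203.0.113.20", "port": 443,  "title": "Weak TLS cipher suites enabled",               "cvss": 5.9},
    {"host": "10.1.0.9",     "port": 445,  "title": "SMB signing not required",                     "cvss": 5.3},
    {"host": "10.1.0.5",     "port": 22,   "title": "Outdated SSH daemon",                          "cvss": 7.5},
]


def _src_matches(rule_src: str, ip: ipaddress.IPv4Address) -> bool:
    return rule_src == "any" or ip in ipaddress.ip_network(rule_src)


def audit_firewall(rules) -> list:
    """Policy checks run on every pulled configuration. Returns (rule id, policy id, description)."""
    violations = []
    for r in rules:
        if r["action"] != "allow":
            continue
        if r["src"] == "any" and r["dst"] == "any" and r["port"] == "any":
            violations.append((r["id"], "P1", "permit-all rule"))
            continue  # everything else about this rule is moot
        if r["src"] == "any" and r["port"] in RISKY_SERVICES:
            violations.append((r["id"], "P2", f"port {r['port']} allowed from any source"))
        if r["port"] == 22 and (r["src"] == "any" or not ipaddress.ip_network(r["src"]).subnet_of(ADMIN_NET)):
            violations.append((r["id"], "P3", "SSH not restricted to the admin network"))
    return violations


def reachable(rules, src_ip: str, dst_host: str, port: int) -> bool:
    """First-match evaluation of the ruleset for one (source, destination, port) tuple."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if _src_matches(r["src"], src) and r["dst"] in ("any", dst_host) and r["port"] in ("any", port):
            return r["action"] == "allow"
    return False  # implicit deny


def prioritize(findings, rules) -> list:
    """Rank scanner findings by CVSS, doubled when the vulnerable port is reachable from the internet."""
    ranked = []
    for f in findings:
        exposed = reachable(rules, INTERNET_SRC, f["host"], f["port"])
        ranked.append({**f, "exposed": exposed, "priority": round(f["cvss"] * (2.0 if exposed else 1.0), 1)})
    return sorted(ranked, key=lambda f: -f["priority"])


def simulate_removal(rules, rule_id: int) -> list:
    """Evaluate a proposed change (dropping one rule) without touching the device."""
    return [r for r in rules if r["id"] != rule_id]


if __name__ == "__main__":
    print("policy violations:", audit_firewall(FIREWALL_RULES))
    for f in prioritize(SCAN_FINDINGS, FIREWALL_RULES):
        print("current ruleset:", f["priority"], f["host"], f["title"], "exposed" if f["exposed"] else "internal")
    for f in prioritize(SCAN_FINDINGS, simulate_removal(FIREWALL_RULES, 40)):
        print("after removing rule 40:", f["priority"], f["host"], "exposed" if f["exposed"] else "internal")
```

With rule 40 in place every host is reachable from the internet, so even the internal SMB and SSH findings are ranked as exposed; simulating the removal of rule 40 shows that only the two public hosts remain reachable and that the RDP finding on 203.0.113.21 stays at the top of the list because rule 20 still permits 3389 from any source. That is the difference between a SIEM reporting a scanner result and an SI system telling you which finding matters and which configuration change would fix it.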
Security Intelligence is the direction the industry is taking us: previous generations of SIEM are obsolete and are now evolving into SI in new systems. I have discussed the typical weaknesses of SIEM and the significant improvements SI has provided to date. In a nutshell, a real-time, proactive, risk-based system that provides actionable analytics drawn from Big Data is the outcome of a vision to combat the cybercriminal, whose sophistication continuously challenges detection within organizations.
Originally published at blog.moraetes.com.