Reaching for Security Intelligence
Security Intelligence is the process of collecting information, applying the knowledge, creativity, and skill of the security team to it, and deriving business value from the result. Most organizations now have to be concerned about two types of threat. ‘Known threats’ are the ones reported to us by signature- and rule-based systems such as anti-virus, IDS/IPS, firewalls, and security information and event management (SIEM) systems. The other kind is called the ‘unknown threat.’
Monitoring Unknown Threats
Unknown threats comprise abnormal patterns in ‘normal’ IT data. Normal IT data is generated by the use of the enabling services that people rely on every day. This data is the reflection of human-to-machine and machine-to-machine interactions and activities. Our normal activities include badging into the building, surfing the web, getting an IP address from a DHCP server, using DNS, using a VPN, using email, and accessing enterprise applications and company information. It is within these normal activities that attackers want to hide their own.
Patterns of human activity seen in this data follow business patterns and happen within parameters of time and location. TBG BASIC can be set to monitor for thresholds and outliers in this data that can reveal stealthy malware activities. TBG BASIC’s analytics language supports threat-scenario-based thinking that allows the security professional to ask any question of the data — ultimately searching for ‘unknown threats.’ Employing this strategy to monitor the enterprise’s most critical data assets is a risk-based approach aligned with business goals and objectives.
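The time-and-location and threshold checks described above, as an added illustration in plain Python rather than TBG BASIC’s own analytics language: the badge, VPN and DNS-count records are constructed sample data, and the business-hours window, home country and outlier threshold are assumed values a team would tune to its own patterns.

```python
"""Threshold and outlier checks over 'normal' IT data (constructed sample events)."""
from datetime import datetime, timedelta
from statistics import median

# Constructed sample events, not real logs.
BADGE_EVENTS = [  # (user, timestamp, site badged into)
    ("alice", "2024-03-04T08:55:00", "HQ"),
    ("bob",   "2024-03-04T09:02:00", "HQ"),
]
VPN_EVENTS = [  # (user, timestamp, source country of the VPN login)
    ("alice", "2024-03-04T09:30:00", "RO"),  # abroad 35 minutes after badging into HQ
    ("bob",   "2024-03-04T18:15:00", "US"),  # ordinary evening login
    ("carol", "2024-03-04T02:40:00", "US"),  # outside business hours
]
DNS_QUERIES_PER_HOST = {  # host -> DNS queries in the last hour
    "ws-01": 120, "ws-02": 135, "ws-03": 110, "ws-04": 128, "ws-05": 3900,
}
BUSINESS_HOURS = (7, 20)  # assumed local hours in which VPN logins are expected
HOME_COUNTRY = "US"       # assumed country the workforce normally connects from


def _ts(s):
    return datetime.fromisoformat(s)


def vpn_time_location_findings(badge=BADGE_EVENTS, vpn=VPN_EVENTS, window=timedelta(hours=2)):
    """Flag VPN logins outside business hours, or from abroad while the same
    user badged into a building within `window` (time and location parameters)."""
    findings = []
    for user, when, country in vpn:
        t = _ts(when)
        if not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
            findings.append((user, "vpn_outside_business_hours"))
        for b_user, b_when, site in badge:
            if b_user == user and country != HOME_COUNTRY and abs(t - _ts(b_when)) <= window:
                findings.append((user, f"vpn_from_{country}_while_badged_at_{site}"))
    return findings


def dns_volume_outliers(counts=DNS_QUERIES_PER_HOST, threshold=3.5):
    """Hosts whose hourly DNS query count is a robust outlier versus peers.
    Median and MAD are used instead of mean/stdev so that one very noisy host
    cannot inflate the baseline and hide itself; 3.5 is the usual cut-off for
    the modified z-score."""
    values = list(counts.values())
    med = median(values)
    mad = median(abs(v - med) for v in values)
    if mad == 0:  # all hosts identical: nothing to compare against
        return []
    return [h for h, c in counts.items() if 0.6745 * (c - med) / mad > threshold]
```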
Supporting the Security Intelligence Analyst
Security Intelligence solutions move beyond the traditional SIEM use cases of providing canned reports, dashboards, and monitoring for known threats; they support a Security Intelligence analyst’s need to explore data and find abnormal activity patterns in massive amounts of normal data. TBG BASIC supports the newest role in security: the Security Intelligence Analyst.
This approach supports the newest versions of regulatory requirements and frameworks, such as FFIEC, HIPAA, and FISMA, that emphasize data protection and privacy. The SEC’s recent guidance that public companies discuss their cyber security risks in their 10-K statements specifically names “Risks related to cyber incidents that may remain undetected for an extended period” as a risk to be discussed. Adopting a Security Intelligence approach to looking for unknown threats in ‘normal’ IT data is a mitigation strategy that can be cited in the 10-K.