Security intelligence - definition & overview

Security intelligence refers to the practice of collecting, standardizing and analyzing data that is generated by networks, applications, and other IT infrastructure in real-time, and the use of that information to assess and improve an organization's security posture. The discipline of security intelligence includes the deployment of software assets and personnel with the objective of discovering actionable and useful insights that drive threat mitigation and risk reduction for the organization.

Security analysts today use industry-leading technologies such as machine learning and big data analysis to help automate the detection and analysis of security events and extract security intelligence from event logs generated throughout the network.

Security intelligence takes place in real-time

Real-time monitoring is a crucial aspect of security intelligence gathering for today's technologically advanced IT organizations. In the past, viewing historical log data manually was the painstaking work of security analysts who would engage their expertise to correlate event logs from throughout the network to better understand potential security risks. Today, IT organizations use technological tools such as SIEM software to gather security intelligence in real-time.

Security intelligence requires data collection, standardization and analysis

Simply aggregating data from the IT infrastructure in the form of network, event and application logs are insufficient for developing security intelligence. IT organizations today use complex machine learning, pattern recognition and big data analysis to sift through millions of logs from across applications, translate the aggregated data into a standardized format that is human readable, and analyze the data to detect attacks or vulnerabilities that a human analyst could easily miss.

Security intelligence must be actionable

Genuine security intelligence must be actionable for the organization. The goal of security intelligence is not simply to collect and store additional data and information but to generate actionable data that drives the informed and targeted implementation of security controls and countermeasures.

Security intelligence must be useful

Can security intelligence be actionable without being useful? As you will learn in the next section, IT organizations are capable of collecting security intelligence that does not correspond to a known vulnerability. For a piece of security intelligence to be useful, it should correspond meaningfully to a vulnerability that can be secured through the introduction of new security policies or controls.

The discipline of security intelligence is full of complex jargon, including acronyms that can prove confusing to the uninitiated. Reviewing these common terms will enhance your understanding of key issues surrounding security intelligence.

CIA - The CIA triad is a model used to guide the development of policies for information security within an IT organization. In this context, CIA stands for Confidentiality, Integrity and Availability. IT organizations must maintain a system of IT security that ensures data privacy, prevents unauthorized changes to data, and permits only authorized users to access protected or sensitive information.

CIO - The acronym CIO represents the three requirements for a security threat to exist: Intent, Capability and Opportunity. A cyber threat exists when there is a malicious actor who wants to harm your organization (intent), who has access to the tools necessary to do so (capability) and when there is a potential vulnerability that can be exploited (opportunity).

APT - An Advanced Persistent Threat is a cyber attack initiated by an organization aiming to secure long-term access to an IT organization's internal networks and data. APT attacks are highly targeted towards a specific organization and typically aim to compromise the target and maintain access to it for an extended period. This enables the attack to infect the entire network while covering its tracks and ultimately to steal well-protected and valuable data.

IoC - Indicators of Compromise is a piece of forensic data whose characteristics indicate or identify malicious activity or an attack on the network. SIEM software tools can be configured to alert security analysts when an IoC is detected, supporting timely responses to cyber threats.

TTP - The acronym TTP is short for techniques, tactics and procedures. While an IoC refers to the data signature of a cyber attack, TTP is a direct reference to the methodology that cyber attacks use to execute the attack against the network. Security analysts must understand the techniques, tactics and procedures hackers use to implement adequate security controls that prevent data breaches.

Security intelligence has significant benefits for IT organizations that face strict regulatory compliance requirements for the sensitive data they collect through web applications. The gathering of security intelligence feeds into other downstream SecOps processes that help secure the IT infrastructure against cyber attacks.

IT organizations adopt security information and event management (SIEM) tools to bolster security intelligence-gathering efforts. Here are three ways that IT organizations can benefit from gathering security intelligence more quickly and efficiently.

Improved regulatory and standards compliance

Regulatory compliance is a key driver of IT security initiatives for organizations covered by HIPAA, PCI DDS or who seek compliance with the ISO 27001 standard. Tools that collect, standardize and analyze log data can help IT organizations demonstrate compliance with a specified security standard.

Enhanced threat detection and remediation

Detecting security threats is a core function of SIEM tools. Today's best tools use machine learning and big data to correlate events buried in millions of log files across the network. That translates into faster threat detection and better response times when detecting IoCs.

Simplified security operations

Today, IT organizations can automate many types of security intelligence-gathering tasks through cutting-edge SIEM tools, simplifying their operations and reducing the cost of gathering actionable and useful security intelligence.

Sumo Logic uses the latest technology in machine learning and big data analytics to support your security intelligence gathering efforts. IT security analysts can use LogReduce® pattern analysis to quickly and accurately detect unusual behavior on the network, supporting rapid incident response and forensic investigation of network security events.