What is Security Intelligence?
The term Security Intelligence describes the practice of collecting, standardizing and analyzing data that is generated by networks, applications, and other IT infrastructure in real-time, and the use of that information to assess and improve an organization's security posture. The discipline of Security Intelligence includes the deployment of software assets and personnel with the objective of discovering actionable and useful insights that drive threat mitigation and risk reduction for the organization.
Gathering security intelligence is not a singular activity that organizations undertake; rather, it is a series of connected activities, technologies and tools that work together to deliver the intended result. Security intelligence has significant benefits for IT organizations that face strict regulatory compliance requirements for the sensitive data that they collect through web applications. The process for gathering security intelligence feeds into other downstream SecOps processes that help to secure the IT infrastructure against cyber attacks.
Security analysts today use industry-leading technologies such as machine learning and big data analysis to help automate the detection and analysis of security events and extract security intelligence from event logs generated throughout the network.
Key Elements of Security Intelligence
The concept of security intelligence can be further clarified with a developed understanding of the key elements of the discipline. Organizations collect many kinds of information throughout their IT security and operational tasks, but how is it known whether a piece of information counts as "security intelligence"? What characteristics are shared by security intelligence processes in IT organizations across industry verticals? By reviewing the key elements of security intelligence, we can address both of these questions.
Security Intelligence Takes Place in Real Time
Real-time monitoring is a crucial aspect of security intelligence gathering for today's technologically advanced IT organizations. In the past, viewing historical log data manually was the painstaking work of security analysts who would engage their expertise to correlate event logs from throughout the network to better understand potential security risks. Today, IT organizations use technological tools such as SIEM software to gather security intelligence in real time.
Security Intelligence Requires Data Collection, Standardization and Analysis
Simply aggregating data from the IT infrastructure in the form of network, event and application logs is insufficient for developing security intelligence. IT organizations today use complex machine learning, pattern recognition and big data analysis to sift through millions of logs from across applications, translate the aggregated data into a standardized format that is human readable, and analyze the data to detect attacks or vulnerabilities that a human analyst could easily miss.
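The collect, standardize and analyze steps described above can be shown on a small scale. The following is an added example, not code from this page or from any SIEM product: it translates two log formats into one schema and flags a source address whose login failures only reach the threshold when both sources are combined. The log lines are constructed, and the function names, field names, year/UTC assumption, threshold and window are illustrative choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (documentation IP ranges), tagged with their log source.
LINES = [
    ("sshd", "Mar 10 13:45:01 bastion sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2"),
    ("sshd", "Mar 10 13:45:09 bastion sshd[811]: Failed password for admin from 203.0.113.7 port 40031 ssh2"),
    ("web", '203.0.113.7 - - [10/Mar/2024:13:45:30 +0000] "POST /login HTTP/1.1" 401 512'),
    ("web", '203.0.113.7 - - [10/Mar/2024:13:46:02 +0000] "POST /login HTTP/1.1" 401 512'),
    ("web", '198.51.100.4 - - [10/Mar/2024:13:51:00 +0000] "POST /login HTTP/1.1" 200 1024'),
    ("web", "corrupted line that matches no known format"),
]
SSHD_RE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ sshd\[\d+\]: (Failed|Accepted) password for .+ from (\S+) port")
WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /login [^"]*" (\d{3})')

def parse_sshd(line, year=2024):  # syslog omits year and zone: 2024/UTC assumed
    if not (m := SSHD_RE.match(line)):
        return None
    ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": "sshd", "src_ip": m[3],
            "outcome": "failure" if m[2] == "Failed" else "success"}

def parse_web(line):  # only POST /login requests are treated as auth events
    if not (m := WEB_RE.match(line)):
        return None
    ts = datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S %z")
    return {"ts": ts, "source": "web", "src_ip": m[1],
            "outcome": "failure" if m[3] in ("401", "403") else "success"}

def normalize(tagged_lines):
    """Translate every line to one schema; return (events, unparsed_count)."""
    parsed = [(parse_sshd if src == "sshd" else parse_web)(line) for src, line in tagged_lines]
    return [e for e in parsed if e], parsed.count(None)

def cross_source_failures(events, threshold=4, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold login failures inside one window, seen by >1 source."""
    by_ip = defaultdict(list)
    for e in (e for e in events if e["outcome"] == "failure"):
        by_ip[e["src_ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for first in evs:
            burst = [e for e in evs if timedelta(0) <= e["ts"] - first["ts"] <= window]
            sources = sorted({e["source"] for e in burst})
            if len(burst) >= threshold and len(sources) > 1:
                flagged[ip] = sources
                break
    return flagged
```

Each source on its own shows only two failures for 203.0.113.7, so a per-source threshold of four would stay silent; the unparsed count is returned so that lines dropped during standardization are visible rather than lost.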
Security Intelligence Must Be Actionable
Genuine security intelligence must be actionable for the organization. The goal of security intelligence is not simply to collect and store additional data and information, but to generate actionable data that drives the informed and targeted implementation of security controls and countermeasures.
Security Intelligence Must Be Useful
Can security intelligence be actionable without being useful? As you will learn in the next section, IT organizations are capable of collecting security intelligence that does not correspond to a known vulnerability. For a piece of security intelligence to be useful, it should correspond meaningfully to a vulnerability that can be secured through the introduction of new security policies or controls.
Security Intelligence Acronyms: CIA, CIO, APT, IoC & TTP
The discipline of security intelligence is full of complex jargon, including acronyms that can prove confusing to the uninitiated. Reviewing these common terms will enhance your understanding of key issues surrounding security intelligence.
CIA - The CIA triad is a model used to guide the development of policies for information security within an IT organization. In this context, CIA stands for Confidentiality, Integrity and Availability. IT organizations must maintain a system of IT security that ensures data privacy, prevents unauthorized changes to data, and permits only authorized users to access protected or sensitive information.
CIO - The acronym CIO represents the three requirements for a security threat to exist: Intent, Capability and Opportunity. A cyber threat exists when there is a malicious actor who wants to harm your organization (intent), who has access to the tools necessary to do so (capability) and when there is a potential vulnerability that can be exploited (opportunity).
APT - An Advanced Persistent Threat is a cyber attack initiated by an organization whose goal is to secure long-term access to an IT organization's internal networks and data. APT attacks are highly targeted towards a specific organization and typically have a goal of compromising the target and maintaining access to it for an extended period. This enables the attack to infect the entire network while covering its tracks and ultimately to steal well-protected and valuable data.
IoC - The term IoC stands for Indicators of Compromise. An IoC is a piece of forensic data whose characteristics indicate or identify malicious activity or an attack on the network. SIEM software tools can be configured to send alerts to security analysts when an IoC is detected, supporting timely responses to cyber threats.
TTP - The acronym TTP is short for "techniques, tactics and procedures". While an IoC refers to the data signature of a cyber attack, TTP is a direct reference to the methodology that cyber attackers used to execute the attack against the network. Security analysts must understand the techniques, tactics and procedures used by hackers in order to implement adequate security controls that prevent data breaches.
What are the Benefits of Security Intelligence?
IT organizations adopt security information and event management (SIEM) tools to bolster their security intelligence gathering efforts. Here are just three ways that IT organizations can benefit from gathering security intelligence more quickly and efficiently.
Improved Regulatory and Standards Compliance
Regulatory compliance is a key driver of IT security initiatives for organizations that are covered by HIPAA or PCI DSS, or that seek compliance with the ISO 27001 standard. Tools that collect, standardize and analyze log data can help IT organizations demonstrate their compliance with a specified security standard.
Enhanced Threat Detection and Remediation
Detecting security threats is a core function of SIEM tools. Today's best tools use machine learning and big data to correlate events that are buried in millions of log files from across the network. That translates into faster threat detection and better response times when IoCs are detected.
Simplified Security Operations
IT organizations today can automate many different types of security intelligence gathering tasks through cutting-edge SIEM tools, simplifying their operations and reducing the cost of gathering actionable and useful security intelligence.
Sumo Logic Supports Your Security Intelligence Gathering Efforts
Sumo Logic uses the latest technology in machine learning and big data analytics to support your security intelligence gathering efforts. IT security analysts can use LogReduce pattern analysis to quickly and accurately detect unusual behavior on the network, supporting rapid incident response and forensic investigation of network security events.