Reaching for Security Intelligence
Security Intelligence is the process of collecting information, applying the knowledge, creativity, and skill of the security team to it, and deriving business value from the result. Most organizations now have to be concerned about two types of threats. 'Known threats' are the ones reported to us by signature- and rule-based systems such as anti-virus, IDS/IPS, firewalls, and security information and event management (SIEM) systems. The other kind is the 'unknown threat.'
Monitoring Unknown Threats
Unknown threats comprise abnormal patterns in 'normal' IT data. Normal IT data is generated by the use of the enabling services that people rely on every day. This data is the reflection of human-to-machine and machine-to-machine interactions and activities. Our normal activities include badging into the building, surfing the web, getting an IP address from a DHCP server, using DNS, using a VPN, using email, and accessing enterprise applications and company information. It is among these normal activities that attackers want to hide their own.
Patterns of human activity seen in this data follow business patterns and happen within parameters of time and location. Splunk can be set to monitor for thresholds and outliers in this data that can reveal stealthy malware activity. Splunk's analytics language supports threat-scenario-based thinking that allows the security professional to ask any question of the data -- ultimately searching for 'unknown threats.' Employing this strategy to monitor the enterprise's most critical data assets is a risk-based approach aligned with business goals and objectives.
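The baseline-and-outlier approach described above, worked through on one of the 'normal' data sources the section names (VPN logins). This is an added example, not Splunk code or Splunk's search language: it builds a per-user profile of routine behaviour (hours of day, source country, daily login volume) from a baseline window and flags later events that fall outside that profile, either as an outlier (time or location) or by crossing a volume threshold. The record format, users, countries and timestamps are all constructed for illustration.

```python
"""Baseline-and-outlier detection over 'normal' IT data (VPN logins).

Added example, not Splunk's own code. Profiles each user's routine from a
baseline window and flags later events that break the pattern. The record
format (timestamp, user, source_country) and all values are constructed.
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed baseline week: routine logins for two users.
BASELINE = [
    ("2012-03-05T08:55:00", "alice", "US"),
    ("2012-03-05T09:10:00", "bob", "US"),
    ("2012-03-06T08:40:00", "alice", "US"),
    ("2012-03-06T13:05:00", "alice", "US"),
    ("2012-03-06T09:05:00", "bob", "US"),
    ("2012-03-07T09:02:00", "alice", "US"),
    ("2012-03-07T08:58:00", "bob", "US"),
    ("2012-03-07T17:30:00", "bob", "US"),
    ("2012-03-08T08:47:00", "alice", "US"),
    ("2012-03-08T14:10:00", "alice", "US"),
    ("2012-03-08T09:20:00", "bob", "US"),
    ("2012-03-09T08:50:00", "alice", "US"),
    ("2012-03-09T09:00:00", "bob", "US"),
]

# Constructed events from the following week: mostly routine, with three
# departures from a user's own pattern and one user with no history at all.
NEW_EVENTS = [
    ("2012-03-12T08:52:00", "alice", "US"),
    ("2012-03-12T03:14:00", "bob", "US"),    # 3 a.m.: outside bob's hours
    ("2012-03-12T09:01:00", "alice", "RO"),  # country never seen for alice
    ("2012-03-12T09:03:00", "bob", "US"),
    ("2012-03-13T09:00:00", "bob", "US"),    # four logins in one day:
    ("2012-03-13T09:15:00", "bob", "US"),    # above bob's volume threshold
    ("2012-03-13T09:30:00", "bob", "US"),
    ("2012-03-13T09:45:00", "bob", "US"),
    ("2012-03-13T10:00:00", "carol", "US"),  # no baseline for this user
]


def parse(record):
    ts, user, country = record
    return datetime.fromisoformat(ts), user, country


def build_baseline(records):
    """Per-user profile: observed hour range, countries seen, daily login statistics."""
    hours = defaultdict(list)
    countries = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, country in map(parse, records):
        hours[user].append(ts.hour)
        countries[user].add(country)
        daily[user][ts.date()] += 1
    profile = {}
    for user, seen_hours in hours.items():
        counts = list(daily[user].values())
        profile[user] = {
            "hour_min": min(seen_hours),
            "hour_max": max(seen_hours),
            "countries": countries[user],
            "daily_mean": statistics.mean(counts),
            "daily_stdev": statistics.pstdev(counts),
        }
    return profile


def find_outliers(profile, records, hour_slack=1, count_sigma=3.0):
    """Return (user, when, code, detail) for events that break the user's pattern."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for ts, user, country in map(parse, records):
        p = profile.get(user)
        if p is None:
            findings.append((user, ts.isoformat(), "no_baseline", "user not seen in baseline"))
            continue
        # Time outlier: login hour outside the user's observed range (plus slack).
        if not (p["hour_min"] - hour_slack <= ts.hour <= p["hour_max"] + hour_slack):
            findings.append((user, ts.isoformat(), "off_hours",
                             f"hour {ts.hour} outside {p['hour_min']}-{p['hour_max']}"))
        # Location outlier: source country never seen for this user.
        if country not in p["countries"]:
            findings.append((user, ts.isoformat(), "new_country", f"source country {country}"))
        daily[user][ts.date()] += 1
    # Threshold: daily login volume far above the user's own baseline mean.
    for user, days in daily.items():
        p = profile[user]
        limit = p["daily_mean"] + count_sigma * p["daily_stdev"]
        for day, n in days.items():
            if n > limit:
                findings.append((user, day.isoformat(), "volume",
                                 f"{n} logins, threshold {limit:.1f}"))
    return findings


if __name__ == "__main__":
    for finding in find_outliers(build_baseline(BASELINE), NEW_EVENTS):
        print(*finding)
```

On the constructed data this reports bob's 3 a.m. login, alice's login from a new country, carol's lack of any baseline, and bob's four logins on 2012-03-13. The caveat to keep in mind is that a profile is only as trustworthy as the window it was learned from: activity that was already present during the baseline period becomes 'normal' and will not be flagged, so baselines should be built from a period the team has reason to believe was clean and re-checked when the business pattern changes.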
Supporting the Security Intelligence Analyst
Security Intelligence solutions move beyond traditional SIEM use cases of providing canned reports, dashboards, and monitoring for known threats to support a Security Intelligence analyst's need for data exploration: finding abnormal activity patterns in massive amounts of normal data. Splunk supports the newest role in security -- the Security Intelligence Analyst.
This approach supports the newest versions of regulatory requirements and frameworks such as FFIEC, HIPAA, and FISMA that emphasize data protection and privacy. The SEC's recent guidance that public companies discuss their cybersecurity risks in their 10-K statements specifically mentions "Risks related to cyber incidents that may remain undetected for an extended period" as a risk to be discussed. Adopting a Security Intelligence approach when looking for unknown threats in 'normal' IT data is a mitigation strategy that can be mentioned in the 10-K.
- Investigate security incidents in record time by searching and analyzing all your security-relevant data from one place.
- Improve your security posture by quickly filtering out false positives and visualizing security information for situational awareness.
- Splunk reports keep management informed of your organization's security status, incident investigations, and more.
- Enable security analysts to investigate incidents in minutes instead of hours or days by searching and analyzing all security-relevant data from one place - catching attackers and malicious insiders who had previously gone undetected.
- Reduce integration and maintenance cost with the flexibility to index and search all the data without custom parsers or connectors.
- Provide your security team with a solution that integrates with your existing infrastructure - complementing SIEM installations - and expand your security monitoring coverage to include complex, organization-specific threats such as online fraud and insider threat.
- Dramatically reduce risk by having the ability to monitor for any and all risk patterns, and investigate and remediate all incidents faster.
- Achieve better security by providing your security team with a solution that makes them more productive and better at identifying and responding to attacks.
- Avoid loss of intellectual property and costly public disclosures by detecting and resolving security threats before they become costly and embarrassing situations.
- Ensure business continuity by identifying specific attacks and responding before attackers succeed in creating system outages, such as those caused by denial-of-service attacks.
- Maintain security with a limited budget by enabling security teams to be more cost-effective in monitoring and responding to attacks and in conducting thorough investigations.