Things to know about Security Intelligence
by CIRT Team
Security intelligence is the real-time collection and evaluation of, and response to, data generated on an organization's network as it faces potential security threats. The discipline grew out of log management, SIEMs, NBADs, and network forensics. As cybersecurity threats and attacks continue to grow and evolve, advanced security solutions are more important than ever, with security intelligence leading the way. [1]
Key Principles
- Real-time analysis
- Pre-exploit analysis
- Collection, normalization and analysis
- Actionable insight
- Scalable
- Adjustable size and cost
- Data security and risk
Threat intelligence
Threat intelligence, or cyber threat intelligence, is the information an organization uses to understand the threats that have targeted, are currently targeting, or will target it. This information is used to prepare for, prevent, and identify cyber threats that seek to take advantage of valuable resources.
Things about security intelligence
In the context of cyber risk, threat intelligence has great potential to help organizations make better security decisions and reduce cyber risk. Intelligence and security teams are meant to complement each other, yet intelligence outputs often lack relevance to the audiences they serve. The result is a slow response to intelligence, when it arrives at all. This is where elite security intelligence comes in.
Security intelligence is the application of intelligence across the security function within the organization and beyond. It enhances an organization's capacity to realize operational improvements and reduce cyber risk by embedding intelligence into the security workflows people already use.
Empowering the decision-makers
People in operational and leadership positions mostly make decisions based on their own expertise and experience. They have limited access to insights that would improve the outcomes of their decisions. Security intelligence puts insights that have historically been out of reach directly into their hands.
A modern, powerful security intelligence solution collects data from a broad range of sources and uses powerful analytics to turn previously unusable information into genuine insights that influence business decisions. Such a solution uses natural language processing to ingest information in any language and provide insights in the user's native language.
Dozens of potential sources can be found on the dark web, and they may hold very useful insights, but it would be unwise, and a potential threat, for people to go digging around there in search of intelligence. For an analyst, a security intelligence solution breaks down the barriers to accessing these insights, making it safe and easy to draw the benefit from them.
Turning security into a business driver
In "The Risk Business", the author Levi Gundert discusses how to demonstrate return on investment for an effective program that calculates and tracks cyber risk. Security intelligence plays the most integral role in forecasting the financial impact of a cyber incident, and that makes it essential for a risk-based cybersecurity program.
Most organizations have considered cybersecurity a cost center: a function that consumes a lot of resources without contributing to the bottom line. Security intelligence enables cybersecurity teams to demonstrate business value in the form of ROI.
Security intelligence is more valuable when it identifies relevant issues and produces more insights about the organization's business. Such insights, or intelligence, in turn support fast, informed, and efficient decision making throughout the organization.
Making jobs easier
Integration with existing technology is a critical step for security intelligence solution providers. Any solution that integrates with existing technologies and delivers insights to the operational staff already using them can be considered efficient. Such efficiency reduces extra effort and procedural burden when making a decision. Gavin Reid (CHIEF SECURITY OFFICER, RECORDED FUTURE) says, "Good detection tools get made great with useful, time-sensitive, and low false-positive indicators. A constant stream of fresh insights will help you make the best use of Netflow, DNS, IDS, and all other detection sources."
Alerts from detection tools help analysts identify an attack, ideally at an early stage. The challenge comes when prioritizing the alerts. A security intelligence solution integrated with existing technology enriches every alert with contextual information, which makes it easier to identify high-risk alerts and prioritize them.
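The enrichment and prioritization described above, as an added illustration that is not code from the original article or from any vendor named in it. It assumes a small constructed indicator feed with risk, confidence and last-seen dates, constructed alerts from IDS, DNS and NetFlow sources, and a constructed asset-criticality table; the scoring weights and the 90-day staleness cutoff are assumptions chosen for the example.

```python
"""Added example: enrich detection alerts with threat-intelligence context and
prioritize them by risk. Every indicator, alert and score below is constructed
sample data for illustration, not a real indicator of compromise."""
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible (assumption for the example).
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed indicator feed: value -> context. A real feed would come from a
# security intelligence platform; these entries are invented.
INDICATORS = {
    "198.51.100.23": {"type": "ip", "risk": 90, "confidence": 0.9,
                      "last_seen": NOW - timedelta(days=1),
                      "context": "C2 infrastructure (constructed)"},
    "203.0.113.77": {"type": "ip", "risk": 40, "confidence": 0.5,
                     "last_seen": NOW - timedelta(days=120),
                     "context": "internet scanner (constructed, stale)"},
    "bad.example.net": {"type": "domain", "risk": 75, "confidence": 0.8,
                        "last_seen": NOW - timedelta(days=3),
                        "context": "phishing landing page (constructed)"},
}

# Constructed alerts from different detection sources; severity is the
# detector's own 1-5 rating, before any intelligence is applied.
ALERTS = [
    {"id": 1, "source": "ids", "severity": 3, "indicator": "203.0.113.77", "asset": "web-01"},
    {"id": 2, "source": "dns", "severity": 2, "indicator": "bad.example.net", "asset": "laptop-17"},
    {"id": 3, "source": "netflow", "severity": 2, "indicator": "198.51.100.23", "asset": "db-02"},
    {"id": 4, "source": "ids", "severity": 4, "indicator": "192.0.2.5", "asset": "web-01"},
]

# Constructed asset criticality (1 low .. 3 high); a CMDB would supply this.
ASSET_CRITICALITY = {"web-01": 2, "db-02": 3, "laptop-17": 1}

# Indicators not seen for this long no longer drive priority (assumption).
STALE_AFTER = timedelta(days=90)


def enrich(alert, indicators=INDICATORS, now=NOW):
    """Attach intelligence context to one alert. Unknown indicators get no
    context; stale indicators are kept for the analyst but flagged."""
    intel = indicators.get(alert["indicator"])
    enriched = dict(alert, intel=None, stale=False)
    if intel is not None:
        enriched["intel"] = intel
        enriched["stale"] = (now - intel["last_seen"]) > STALE_AFTER
    return enriched


def risk_score(enriched):
    """Combine detector severity, asset criticality and intelligence risk into
    a single 0-100 score. The 40/60 weighting is an assumption."""
    base = enriched["severity"] * 10 * ASSET_CRITICALITY.get(enriched["asset"], 1)
    intel = enriched["intel"]
    if intel is None or enriched["stale"]:
        intel_part = 0  # no fresh intelligence: severity and asset decide
    else:
        intel_part = intel["risk"] * intel["confidence"]
    return min(100, round(base * 0.4 + intel_part * 0.6))


def prioritize(alerts=ALERTS, indicators=INDICATORS, now=NOW):
    """Return the alerts enriched and sorted highest risk first."""
    enriched = [enrich(a, indicators, now) for a in alerts]
    for e in enriched:
        e["score"] = risk_score(e)
    return sorted(enriched, key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in prioritize():
        context = e["intel"]["context"] if e["intel"] else "no intelligence match"
        flag = " [stale]" if e["stale"] else ""
        print(f"alert {e['id']:>2}  score {e['score']:>3}  {e['source']:<7} "
              f"{e['asset']:<9} {context}{flag}")
```

With the constructed data, the low-severity NetFlow hit against the database server rises to the top because fresh, high-confidence intelligence ties it to command-and-control infrastructure, while the higher-severity IDS alert on a scanner address last seen four months ago drops to the bottom. That is the effect the quoted remark about low false-positive, time-sensitive indicators is describing: the detector's own severity is only one input, and stale context must not inflate an alert.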
Making risk relatable for everyone
It is essential to communicate cybersecurity issues in a language the business understands. Effective security intelligence makes cyber risk relatable for any audience, and it improves understanding of what a threat or insight means for the business. Maggie McDaniel (VP RESEARCH, INSIKT GROUP) says: "Someone who needs to make a business decision doesn't need technical details. They need to know the 'so what?' of the threat so they can make an effective decision."
Effective security intelligence is prepared specifically for its target audience. For security analysts this includes technical details and indicators. For an executive, it means a simple definition of the threat and its impact on the organization and the business. For a mature cybersecurity function, it must communicate in a language that is understandable in business terms; in that sense we can also call this "the language of risk".
In a business-focused cybersecurity function, security intelligence is a powerful tool. It translates technical security issues into clear, concise, risk-based insights, so that anybody can use that knowledge to improve their decision making. As Wendy Swank (SENIOR SOLUTIONS ARCHITECT, RECORDED FUTURE) puts it: "Not all insights are useful to everyone. It's important to have a flexible security intelligence solution that can produce insights in a format and level of detail that's appropriate to each audience."
In Closing
Serving different audiences with security intelligence requires careful planning. An operational team may want a constant stream of insights delivered inside its existing workflow, whereas leaders and executives may prefer monthly summaries.
To build effective security intelligence, a few questions put to the audience can help, such as "what data do you need?" and "where do you want the data to live?". The answers determine the format and frequency of the intelligence, and intelligence shaped this way provides insights that lead to more effective decisions.
Adding threat intelligence to a security solution helps organizations prioritize their security activities. Security intelligence has to be adaptable enough to merge with existing and new technologies; that is what makes it effective in decision making.
Rubayet Bin Modasser
Digital Forensic Analyst
BGD e-GOV CIRT (Bangladesh National CERT), Bangladesh Computer Council
References:
- https://www.exabeam.com/glossary/security-intelligence-definition/
- https://securityintelligence.com/defintion-security-intelligence/
- https://www.recordedfuture.com/security-intelligence-secrets/?utm_content=140682332&utm_medium=social&utm_source=linkedin&hss_channel=lcp-678036
- https://www.forcepoint.com/cyber-edu/threat-intelligence
- https://www.getfilecloud.com/blog/2018/11/a-brief-overview-of-threat-intelligence/#.X41RTtAzbIV