The importance of security intelligence
While military intelligence is often used as a prime example of an oxymoron, there’s nothing moronic about security intelligence; without it your organisation would be much more vulnerable. So, what exactly is security intelligence then?
Understanding what security intelligence actually is, rather than what you assume it to be, is key to understanding why it’s so important to the security of your networks and your data. My favourite quick and dirty definition says it is “information relevant to protecting an organization from external and inside threats as well as the processes, policies and tools designed to gather and analyse that information.”
To which I would add that the information has to be both evaluated and actionable, in the sense that it must be factual and therefore able to be acted upon to a profitable end. There is plenty of information out there by way of rumour and hearsay, but that is not ‘intelligence’ as it cannot be put into practice (actioned) as something which will strengthen your security posture. This one simple thing is what differentiates information from intelligence, and once you get that you are on the way to a more secure organisation.
Simple probably isn’t the right word, upon reflection, and maybe I should have used ‘considered’ instead just then. After all, there is nothing simple about filtering the actionable chaff from the fields of informational wheat out there.
The key to scything through that field has context written all over it. To paraphrase the old website success mantra: context, not content, is king. There is plenty of security-based content, and more of it is being produced all the time, from network scans and logs through to in-house consultancy reports, media news stories and analysis pieces.
Taking any one piece of information out of all that and determining whether it is useful intelligence is all but impossible without putting it into context, as on its own it could seem to be of little inherent value but actually be priceless when seen as part of the bigger picture.
There are numerous services and products out there (generally lumped together under the heading of security information and event management (SIEM) solutions) that promise to take data and help turn it into meaningful security intelligence, and then take action by absorbing that intelligence into your security posture. How so? Well, your security intelligence can be used to reduce the number of false positives reported by your intrusion detection systems, to spot trends in attack activity and facilitate speedier detection and response times, and to ultimately validate your policies and strategic planning.
Robert M. Lee is a co-founder of Dragos Security and also an active-duty US Air Force Cyberspace Operations Officer who knows a thing or three about security intelligence. I particularly like his explanation of the intelligence life cycle that appears as a guest posting over at the Tripwire ‘State of Security’ blog and talks in terms of it being a circular and repeated process. The steps of this life cycle that Robert identifies are as follows:
1. Planning and direction
“To appropriately create any amount of intelligence out of information you should have a defined goal and intentions. This could be something as simple as wanting to know the command and control servers of a piece of malware, so that you can block it on your network, to wanting to know the type of information systems your target uses so that you can infiltrate them.”
“Where and how you acquire the data and information to process. This can be honeypots, Firewall logs, Intrusion Detection System logs, scans of the Internet, etc.”
“The conversion of your collected information into something you can use; being able to access and parse through the data you collected.”
“All produced reports should meet a defined intelligence need or goal from your planning and direction phase.”
“If your users cannot access your product or cannot use it then it is useless and does not meet a goal.”
“To ensure that your planning and direction phase lined up correctly with what was produced.”
This, as Robert himself admits, is all rather dependent upon the analysts employed, and how they interpret the data before them. The quality of the data is key to successful interpretation, and SIEM tools are an essential part of providing specific context around flagged areas of concern within data logs. You can think of SIEM tools as being part of the analyst team, in fact, as without them the process would get bogged down in conjecture pretty damn quickly. A good SIEM tool can execute sophisticated analytics capable of accurately detecting anomalies and placing them within a contextual framework.
In my own guest posting at MAX IQ entitled ‘Event log management: stop security threats by turning your data to detective’ I talk of the predictive power of patterns that bring the ability to spot anomalous items within a huge flow of daily event information.
Outlier detection (spotting an observation that deviates from the other observations) is the key, and it’s a lot simpler than it sounds. Simply put, it’s the ability to understand what is normal, overlaid with the ability to spot what isn’t.
Want an example of outlier detection, and thus security intelligence, in action? OK, you’ve probably experienced that occasion when your bank or credit card provider declines a purchase for security reasons and phones to check it’s you making the purchase, right? That’s security intelligence spotting an anomaly outside of the context of your ‘normal’ spending patterns. It could be down to the amount being spent, the item being purchased or the location of the transaction; security intelligence in the form of event log management or a SIEM tool does the same thing, alerting you to potential attacks on network infrastructure through the detection of abnormal traffic patterns. Understand that it’s the pattern outside of the norm that is the anomaly, and not just an anomalous action in isolation, and you are halfway to understanding what security intelligence is really all about.
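The outlier detection just described, as an added example that is not from the article: it builds a baseline of each source address's own hourly failed-login counts from constructed log lines and flags a source only when its current hour deviates strongly from that history and clears a minimum count, so a single odd event is not an alert. The log format, addresses and thresholds are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed syslog-style line format: "2024-01-08T09:05:00 srv1 login_failed src=10.0.0.5"
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d):\d\d:\d\d \S+ login_failed src=(\S+)$")

def hourly_counts(lines):
    """Map (hour, source) -> number of failed logins seen in that hour."""
    counts = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts

def find_outliers(lines, window_hour, k=5.0, min_events=10):
    """Return {source: robust z-score} for sources whose count in window_hour
    is far above their own history. median/MAD keeps a noisy baseline from
    masking a real deviation; min_events ignores a lone odd event, because it
    is the pattern outside the norm that matters, not one action in isolation."""
    counts = hourly_counts(lines)
    history = sorted({h for h, _ in counts if h < window_hour})
    flagged = {}
    for src in {s for _, s in counts}:
        hist = [counts.get((h, src), 0) for h in history]
        now = counts.get((window_hour, src), 0)
        if len(hist) < 3 or now < min_events:
            continue
        med = statistics.median(hist)
        mad = statistics.median([abs(x - med) for x in hist]) or 1.0
        score = (now - med) / mad
        if score > k:
            flagged[src] = round(score, 1)
    return flagged

def constructed_log():
    """Constructed sample (not real data): three internal sources trickle a few
    failed logins every hour for a day, one lone event arrives from a new
    address, and one address bursts 40 failures in the final hour."""
    hours = [f"2024-01-08T{h:02d}" for h in range(24)]
    lines = []
    for i, hour in enumerate(hours):
        for src, rate in (("10.0.0.5", 2), ("10.0.0.6", 1 + i % 3), ("10.0.0.7", 1)):
            lines += [f"{hour}:{j:02d}:00 srv1 login_failed src={src}" for j in range(rate)]
    last = hours[-1]
    lines.append(f"{last}:30:00 srv1 login_failed src=203.0.113.4")  # isolated, not flagged
    lines += [f"{last}:{m:02d}:00 srv1 login_failed src=198.51.100.9" for m in range(40)]
    return lines, last
```

Running `find_outliers(*constructed_log())` flags only the bursting address; the steady sources and the single stray event stay below the bar.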
Which is when I throw a sideways spanner in the works by introducing the notion of intelligence sharing. For the longest time, and against popular perception for much of it, security vendors have always shared intelligence. I have visited the HQs and labs of vendors big and small over the decades, since the idea of anti-virus as a commercial product was first born, and the common theme amongst all of them (other than the need to have a giant screen with, James Bond fashion, a graphical mapping of live attacks and infections happening across time zones) is that they all shared intelligence on those threats.
If a new virus was discovered, then data regarding the identification of it would be distributed between those vendors who had agreed to share such data. Despite commercial competitiveness being strong, the desire to defeat the bad guys has always been stronger, in my experience at any rate.
The same cannot, sadly, be said about the government. According to recent research from unified security management and security intelligence specialists AlienVault, some 81 per cent of security professionals think the government could be doing a better job of sharing threat intelligence with the private sector.
When asked the question ‘how do you view government from the perspective of protecting business from hostile nations and major threats’ nearly a quarter (23.5 per cent) reckoned it was a consumer of threat intelligence rather than a sharer.
Ironically, much the same number (26 per cent) thought that government information in this regard was reliable, and 58 per cent thought their own detection systems were more reliable.
The problem, as AlienVault security advocate Javvad Malik states, is a two way street. “It’s worrying that so few security practitioners view government information as reliable” he says “but it’s a case of chicken and egg – unless the private sector shares intelligence with government sources, its information is bound to be out of date. Without a consistent process for intelligence sharing, the situation will continue.”
And there lies the rub, as only 20 per cent of security professionals share discovered threat intelligence with the government, compared to 40 per cent doing so with their trusted peers.
Neither number is something the security community should be proud of, as sharing intelligence is frankly the only way that we stand any chance of keeping the bad guys at least in sight, if not alongside them (that race was lost long ago; get used to it).
Javvad Malik points out “as nation-state attacks become more frequent, and reportedly become more involved in launching attacks against businesses, the role of the government becomes crucial. These types of attack are often politically motivated, and companies would benefit from access to improved intelligence about them. If no one shares, you won’t get good threat intelligence.”
There is some light at the end of the tunnel though, with Europol’s European Cybercrime Centre (EC3) and security vendor FireEye agreeing a Memorandum of Understanding (MoU) just recently that allows for the exchange of knowledge and expertise on cybercrime. Richard Turner, President EMEA at FireEye, says that “working with Europol means that, as well as granting early access to FireEye’s threat intelligence, FireEye will be able to respond to requests for assistance around threats or technical indicators of compromise in order to assist Europol combating the ever increasing threat from cyber criminals.”