Once upon a time, information security meant firewalls and antivirus. Then came IDS and all the other wonderful technologies, each promising to solve most, if not all of our security problems.
Like in that famous Dire Straits song, then came the lawyers and the rules and, before we realised it, complexity was the biggest enemy of security.
Complexity and data overload are very real problems today for the security practitioner. In a typical organisation, there are more than ten security and integrity tools installed and used every day to protect users and data.
From log aggregators to network behaviour analysers; from file integrity checkers to anti-spam and content control solutions; from botnet detectors to data leakage and insider threat protection systems; they are both necessary and in need of constant attention and tuning.
To do them justice, analyst time and effort needs to be spent.
Installing more tools and dedicating more analysts to the task of sifting through all this data, while maintaining the ability to react quickly to adverse security events, is a losing proposition, as scale and cost soon become an issue.
Outsourcing security operations is a possibility, but even for MSSPs, dealing with big data, ICT estate complexity and understanding their client’s business processes in enough detail to be really effective has become a challenge.
I suggest a new approach may be needed, one based on selectivity rather than volume and raw data crunching and event processing power.
Today’s information security analyst needs to become more of a threat intelligence analyst and less of a pure data and ICT technologist. Understanding one’s estate remains very important, however applying intelligence techniques to information security and technology risk mitigation could give tomorrow’s practitioner the winning edge.
Organisations should not only employ technologists in their security functions, but professionals with other backgrounds, for example intelligence operations, risk reduction, strategy analysis.
They should make use of services to identify and understand the external threats, both generic and sector specific, that could affect them.
Internally, more emphasis should be placed on understanding anomalous behaviour – be it from compute facilities, from staff or from suppliers and partners – rather than on processing everything and producing ever detailed reports for senior management.
By carefully selecting which pieces of information to analyse, by understanding deviations from ‘normal’ operations or behaviour and by having a constant stream of pertinent external and internal intelligence, security teams have a better chance of staying ahead of the threats and of protecting their information assets.
Ionut Ionescu is director at Serinomics and member of the European advisory board to (ISC)2
Read more about intelligence-led security
- Security Think Tank: Security intelligence needs a plan
- Security Think Tank: Intelligence-led security is more efficient and effective
- Security Think Tank: Intelligence-led security is about risk management
- Security Think Tank: RASP – a must-have security technology
- Security Think Tank: Using big data for intelligence-led security
- Security Think Tank: Proof of intelligence-led security is in the metrics
This was first published in June 2012