The major benefits of moving towards intelligence-led security are efficiency, accuracy and compliance. These are realised through defining proper aims at the outset and then selecting solutions that will achieve those aims.
No matter how good the average security engineer is, about 1,000 events per day is the practical maximum one person can review by hand. To put this into perspective, large organisations can expect to see more than one million events across their logs per day, and even SMEs can see 100,000 events per day. An engineer equipped with a security information and event management (Siem) tool can handle 100,000+ events per day, according to the Sans Institute.
Using a Siem tool realises efficiency in two ways: for the business, by automating log oversight and so reducing the headcount needed to watch it; and for the analyst, by enabling more effective analysis of security logs that are dispersed across many sources, such as IDS and IPS alerts, operating system event logs, database and application logs, and device management logs.
In terms of accuracy, beyond that unified oversight, intelligence-led security also detects threats that manual review of individual logs cannot hope to find.
Consider, for example, a “low and slow” attack in which the attacker makes only a few login attempts per hour, staying below the thresholds that would trigger an IDS alert or an operating system account lockout. Without intelligence behind the logs, no single source ever shows more than a handful of failures, so the attacker can continue indefinitely until the account password is guessed. With a Siem, the failures are correlated over time and across sources and can be presented as an automated alert.
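To make the low-and-slow case concrete, here is an added example (not code from the original article or from any Siem product) that runs two checks over the same constructed auth log: a per-hour lockout rule of the kind a host enforces, and a long-window correlation of the kind a Siem performs. The log format, host name, account names, IP addresses and the thresholds (5 failures per rolling hour for lockout, 20 failures per rolling 24 hours for the correlation alert) are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed sshd-style line format with an ISO timestamp (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def make_sample_log():
    """Build a constructed auth log (not real data).

    - 'admin' is hit by a low-and-slow guesser: 3 failures an hour for 24 hours
      from one source, 72 failures in total, never more than 3 in any hour.
    - 'alice' mistypes her password twice in one minute and then logs in (benign).
    """
    lines = []
    start = datetime(2012, 6, 12, 0, 0, 0)
    for hour in range(24):
        for n in range(3):
            ts = start + timedelta(hours=hour, minutes=7 + 17 * n)
            lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} web01 sshd[4021]: Failed password "
                         f"for admin from 203.0.113.7 port 51234 ssh2")
    for minute in (0, 1):
        ts = start + timedelta(hours=9, minutes=minute)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} web01 sshd[4099]: Failed password "
                     f"for alice from 198.51.100.5 port 40022 ssh2")
    ts = start + timedelta(hours=9, minutes=2)
    lines.append(f"{ts:%Y-%m-%dT%H:%M:%S} web01 sshd[4099]: Accepted password "
                 f"for alice from 198.51.100.5 port 40022 ssh2")
    return sorted(lines)  # ISO timestamps sort chronologically as text


def parse_failures(lines):
    """Return failed-login events as (timestamp, user, source) tuples, oldest first."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    events.sort()
    return events


def host_lockout(events, max_failures=5, window=timedelta(hours=1)):
    """Emulate a per-host lockout policy: N failures within a rolling hour locks the account.

    Returns the set of accounts that would have been locked. The attacker in the
    sample log never exceeds 3 failures in any hour, so this never fires for 'admin'.
    """
    recent = defaultdict(deque)
    locked = set()
    for ts, user, _ in events:
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_failures:
            locked.add(user)
    return locked


def correlate_low_and_slow(events, window=timedelta(hours=24), min_failures=20):
    """Siem-style correlation: count failures per account over a long rolling window.

    Returns {user: {"failures", "sources", "first", "last"}} for every account whose
    failure count inside the window reached min_failures; the record kept is the
    window with the highest count seen for that account.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, user, src in events:
        q = recent[user]
        q.append((ts, src))
        while q and ts - q[0][0] >= window:
            q.popleft()
        if len(q) >= min_failures:
            prev = alerts.get(user)
            if prev is None or len(q) > prev["failures"]:
                alerts[user] = {
                    "failures": len(q),
                    "sources": {s for _, s in q},
                    "first": q[0][0],
                    "last": ts,
                }
    return alerts


if __name__ == "__main__":
    events = parse_failures(make_sample_log())
    print("host lockout would fire for:", host_lockout(events) or "nobody")
    for user, a in correlate_low_and_slow(events).items():
        print(f"ALERT {user}: {a['failures']} failures from {sorted(a['sources'])} "
              f"between {a['first']} and {a['last']}")
```

The host rule is the one the attacker tuned for, so it stays silent; the correlation rule sees the same 72 failures because it keys on the account and keeps a day-long window rather than an hour-long one. In practice the window and threshold should be set per account class (service accounts rarely fail at all), and the alert should carry the distinct sources so an analyst can tell a single guesser from a distributed one.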
Demonstrating compliance is another major benefit. Auditing is a major aspect of compliance regulations, and compliance with key regulations can be improved if product due diligence is done effectively.
Part of this due diligence process for product selection should be analysis of how flexible the reporting options are – they should be customisable and adaptable to corporate security policies. Guidelines in the International Standard ISO/IEC 27002 regarding best practice for information security management are also helpful in this process.
For SMEs, intelligence-led security can provide outsourced expertise where currently none exists in-house. Any outsourced provider should offer security and performance service level agreements (SLAs) as a minimum, and checking those should be part of the due diligence process.
Phil Stewart is director of communications at ISSA UK.
This was first published in June 2012