Anyone considering intelligence-led security in their organisation will need to answer a number of questions, the first and most important being: why? What benefits does the organisation hope to gain from taking this direction?
Here are some of the most obvious reasons: improved risk reduction; improved compliance; reduction of insider fraud and theft; improved data leakage detection and response; quicker detection and remediation of threats; better co-ordinated and simplified response operations; and reduction in effort required.
Once we get beyond the "why" question, the next consideration is an understanding of what intelligence is and which intelligence will actually lead to better security outcomes. That in turn raises the question of what exactly security intelligence comprises.
What security intelligence means for an organisation will vary from industry to industry as well as business to business, because it will need to be based on an effective risk management strategy. However, it will consist of elements of the following:
- an appropriate baseline of security controls in place;
- an appropriate baseline of sensors monitoring endpoints;
- an appropriate baseline of sensors monitoring the network;
- an appropriate baseline of sensors monitoring server activity;
- an appropriate baseline of vulnerability sensors (scanning and assessment);
- relevant vulnerability research;
- knowing your own network better than any attacker will ever come to know it;
- knowing your response capabilities.
Once controls are in place and the sensors are supplying data, that data is still only raw information; it has to be converted into intelligence before it can support decision making.
For information to become intelligence it must be relevant, timely, accessible, comparable across sources, appropriate to the decision at hand, kept up to date and analysable on demand. Only when those conditions are met can a security professional who wants to make an intelligence-led decision actually do so.
There is also little point in deploying all that sensor infrastructure without the ability to react appropriately and effectively, and to recognise when the actions taken (including any follow-up moves) have brought an incident to a close, at least until the next one.
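As an added illustration of the information-to-intelligence step described above (this is not code from the article or from its author), the following Python script takes constructed sample data of the kinds the list calls for, network-sensor alerts, an asset inventory ("know your network") and open vulnerability-scan findings, and turns them into a prioritised, comparable list. Alerts older than a cut-off are dropped (timeliness), alerts against hosts missing from the inventory are reported as gaps rather than scored (you cannot judge relevance for a host you do not know), and the remaining alerts get a 0 to 100 score from the target's criticality plus whether the alert hits a known weakness on it (relevance and comparability). All host names, addresses, ports, severities and the scoring weights are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample asset inventory (not from the article): address -> name and
# business criticality on a 1..5 scale.
ASSETS = {
    "10.0.1.10": {"name": "payroll-db-01", "criticality": 5},
    "10.0.1.20": {"name": "intranet-web-01", "criticality": 3},
    "10.0.2.5": {"name": "kiosk-07", "criticality": 1},
}

# Constructed open findings from the vulnerability sensor: address -> list of
# (listening port, severity 1..5). Severities and ports are made up for the example.
VULNS = {
    "10.0.1.10": [(1433, 4)],
    "10.0.1.20": [(443, 2)],
}


def score(asset, host_vulns, dport):
    """Comparable 0..100 score for one alert against one known asset.

    Assumed weights: criticality contributes 10..50; an alert that targets a port
    with an open vulnerability finding adds 30 plus 4 per severity point.
    """
    s = asset["criticality"] * 10
    for port, severity in host_vulns:
        if port == dport:
            s += 30 + severity * 4
            break
    return min(s, 100)


def to_intelligence(events, assets, vulns, now, max_age=timedelta(hours=1)):
    """Convert raw sensor alerts into prioritised intelligence.

    Returns a dict with the scored alerts (highest first), the destination
    addresses that were not in the inventory, and how many stale alerts were dropped.
    """
    intel, unknown, stale = [], [], 0
    for ev in events:
        if now - ev["ts"] > max_age:          # timeliness: too old to act on
            stale += 1
            continue
        asset = assets.get(ev["dst"])
        if asset is None:                     # relevance unknowable: inventory gap
            if ev["dst"] not in unknown:
                unknown.append(ev["dst"])
            continue
        intel.append({
            "host": asset["name"],
            "dst": ev["dst"],
            "signature": ev["sig"],
            "score": score(asset, vulns.get(ev["dst"], []), ev["dport"]),
        })
    intel.sort(key=lambda item: item["score"], reverse=True)
    return {"intelligence": intel, "unknown_assets": unknown, "stale_dropped": stale}


# Fixed clock and constructed network-sensor alerts, so the run is reproducible.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(minutes=5), "src": "203.0.113.7", "dst": "10.0.1.10",
     "dport": 1433, "sig": "repeated failed logins"},
    {"ts": NOW - timedelta(minutes=10), "src": "203.0.113.9", "dst": "10.0.1.20",
     "dport": 22, "sig": "port probe"},
    {"ts": NOW - timedelta(hours=2), "src": "203.0.113.7", "dst": "10.0.1.10",
     "dport": 1433, "sig": "repeated failed logins"},   # stale, will be dropped
    {"ts": NOW - timedelta(minutes=1), "src": "203.0.113.4", "dst": "10.0.3.99",
     "dport": 80, "sig": "port probe"},                  # host not in inventory
]


def run_sample():
    """Run the conversion over the constructed alerts."""
    return to_intelligence(SAMPLE_EVENTS, ASSETS, VULNS, NOW)


if __name__ == "__main__":
    result = run_sample()
    for item in result["intelligence"]:
        print(f'{item["score"]:3d}  {item["host"]:16s} {item["signature"]}')
    print("unknown assets:", result["unknown_assets"])
    print("stale alerts dropped:", result["stale_dropped"])
```

The point of the example is the shape of the pipeline rather than the particular weights: the same alert signature lands at the top of the list when it hits a critical host on a port with a known open finding and near the bottom when it does not, the inventory gap is surfaced as its own output because an unknown host is itself something the security team needs to know, and the age cut-off stops stale data being mistaken for current intelligence.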
How do you know whether you are merely doing what everyone else is doing or actually practising intelligence-led security? If you really are practising it, you will be able to show it through your metrics, through the maturity of your practices and through the outcomes that maturity delivers.
Sarb Sembhi is the chair of the ISACA GRA sub-committee
This was first published in June 2012