
Security Think Tank: Security intelligence is useful only if isolated from the noise

What is best practice for collecting and using threat indicators from security incidents to improve defences against future cyber attacks?

The steady parade of attacks disclosed throughout 2015 has made it abundantly clear that current security efforts and checkbox compliance are not sufficient for protecting against increasingly sophisticated cyber attacks. 

Many companies already generate the alerts and insights that could prevent a severe data breach or service disruption, but these are useful only if the warning signals can be isolated from the noise. Unfortunately, most companies are not using the intelligence and tools available to them to their full potential, are not assembling indicators of attack into a coherent picture, and are not doing so in a timely fashion.

While organisational structures will differ, security information and event management (Siem) is a good benchmark for all organisations to start from. A Siem is a security intelligence programme designed to analyse event, flow and log data in real time for internal and external threat management; it also collects, stores, analyses and reports on log data for regulatory compliance and forensics, which is vital for constructing future proactive measures.

The original driver for adopting Siem technology was log archival for compliance: the emphasis was on passing audits, not on mining the data at speed. Modern Siem systems, in contrast, integrate threat intelligence, correlation, analytics, active response and adaptive technologies that are specifically geared to incident response.

To make use of threat indicators from previous incidents, it is key to combine data and capabilities from the following areas:

  • Behaviour-based (rule-less) correlation, which can trigger priority alerts and automated responses based on risk scores tied to specific services and combinations of events;
  • Baseline-driven anomaly detection: once normal is defined, abnormal events can be given heightened visibility;
  • Inclusion of external threat feeds, which enrich the internally sourced behavioural and baseline detection methods;
  • Threat prioritisation, which lets the system score and initiate responses based on suspicious activity and on the relevance of a threat to specific assets, taking into account asset value, vulnerabilities, patching levels and the countermeasures in place.
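The following is an added, constructed example, not code from the article or from any Siem product. It runs the four techniques above, together with the IoC matching discussed later in the piece, over a handful of constructed log events: a per-host baseline flags an abnormal failed-login rate, an external feed of (hypothetical, TEST-NET) indicators enriches the events, a behavioural correlation recognises the sequence "many failures, then a success, then an outbound connection to the same address", and the result is prioritised with the article's risk = threat x vulnerability x impact using a constructed asset inventory. Host names, addresses, baselines and signal weights are all assumptions made for the example.

```python
"""Toy Siem-style correlation over constructed events (added example).

Demonstrates baseline anomaly detection, threat-feed enrichment,
behaviour-based (score-accumulating) correlation and asset-aware
prioritisation. All hosts, addresses, baselines and weights are
constructed for the example; the feed entry is not a real IoC.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed external threat feed (TEST-NET address, hypothetical indicator).
THREAT_FEED = {"203.0.113.77": "suspected C2 / credential-guessing source"}

# Constructed asset inventory: business value 1-5 and whether a known
# vulnerability is still unpatched on the host.
ASSETS = {
    "db01": {"value": 5, "unpatched": True},
    "web01": {"value": 3, "unpatched": False},
    "kiosk": {"value": 1, "unpatched": False},
}

# Constructed baseline: failed logins per hour on each host over past days.
BASELINE = {
    "db01": [1, 0, 2, 1, 1, 0, 1],
    "web01": [10, 12, 9, 11, 10, 13, 11],
    "kiosk": [0, 0, 1, 0, 0, 0, 0],
}

# Constructed events for the current hour, in order: (host, type, peer_ip).
# peer_ip is the source for logins and the destination for outbound_conn.
EVENTS = (
    [("db01", "auth_fail", "203.0.113.77")] * 6
    + [("db01", "auth_success", "203.0.113.77"),
       ("db01", "outbound_conn", "203.0.113.77")]
    + [("web01", "auth_fail", f"198.51.100.{i}") for i in range(11)]
    + [("kiosk", "auth_fail", "192.0.2.5")]
)

# Weight per behavioural signal (assumed). No single signal reaches the
# response threshold on its own; several together on a valuable host do.
WEIGHTS = {"anomalous_fail_rate": 3, "feed_hit": 4,
           "guess_then_success": 5, "outbound_to_feed_ip": 5}


def is_anomalous(host, observed):
    """Baseline-driven: true if the count exceeds mean + 2 sigma of history."""
    hist = BASELINE[host]
    return observed > mean(hist) + 2 * pstdev(hist)


def correlate(events):
    """Walk events in order and return {host: set of signal names}."""
    signals = defaultdict(set)
    fails_by_peer = defaultdict(int)   # (host, peer) -> failed logins so far
    fails_by_host = defaultdict(int)   # host -> failed logins this hour
    for host, etype, peer in events:
        if peer in THREAT_FEED:                      # feed enrichment
            signals[host].add("feed_hit")
        if etype == "auth_fail":
            fails_by_peer[(host, peer)] += 1
            fails_by_host[host] += 1
        elif etype == "auth_success" and fails_by_peer[(host, peer)] >= 3:
            signals[host].add("guess_then_success")  # sequence, not one rule
        elif etype == "outbound_conn" and peer in THREAT_FEED:
            signals[host].add("outbound_to_feed_ip")
    for host, n in fails_by_host.items():
        if is_anomalous(host, n):
            signals[host].add("anomalous_fail_rate")
    return signals


def risk_score(host, host_signals):
    """Article's risk = threat x vulnerability x impact, on constructed scales."""
    threat = sum(WEIGHTS[s] for s in host_signals)
    vulnerability = 2 if ASSETS[host]["unpatched"] else 1
    impact = ASSETS[host]["value"]
    return threat * vulnerability * impact


def prioritise(events):
    """Score every asset; return (host, score, signals, action), highest first."""
    signals = correlate(events)
    ranked = []
    for host in ASSETS:
        score = risk_score(host, signals[host])
        if score >= 50:
            action = "isolate host, open incident"
        elif score >= 10:
            action = "analyst triage"
        else:
            action = "log only"
        ranked.append((host, score, sorted(signals[host]), action))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for host, score, sig, action in prioritise(EVENTS):
        print(f"{host:6} risk={score:4} signals={sig} -> {action}")
```

Running it ranks db01 first (four signals on an unpatched, high-value host) and leaves web01 at zero even though it saw 11 failed logins, because that is within its normal range; the kiosk is anomalous relative to its own near-zero baseline but scores too low to merit more than logging, which is the asset-aware prioritisation the list describes.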

An effective defence against advanced threats hinges not only on being able to detect pernicious intruders, but doing so in time to prevent significant damage to business operations and assets.

According to a recent McAfee (Intel Security) report, this negative impact is the key variable in the risk equation: Risk = threat x vulnerability x impact.

By the time forensic analysts have combed through mountains of security data looking for indicators of compromise (IoCs), the organisation may already have incurred losses. A real-time Siem is a significant enabler: continuous monitoring and advanced analytics allow security managers to identify IoCs quickly and accurately, and integration with other controls can even trigger immediate action to contain and remediate the attack. In practice, however, technology is not always the limiting factor; the information most helpful to success can be recognised and acted on today, given adequate people and process.

The call to action, and the best practice for risk and threat managers, is to focus on time: improving the ability to detect, respond to and learn from events as they unfold, thinking and acting on a timeline measured in seconds and minutes rather than, as historically, days and weeks.

Ramsés Gallego is international vice-president of ISACA and security strategist & evangelist with Dell Software
