The major benefits of moving towards intelligence-led security are efficiency, accuracy and compliance. These are realised through defining proper aims at the outset and then selecting solutions that will achieve those aims.
No matter how good the average security engineer is, 1,000 events per day is the practical maximum to deal with. To put this into perspective, large organisations can expect to see over one million events across their logs per day, and even SMEs can see 100,000 events per day. An engineer equipped with a security incident and event monitoring (SIEM) tool can handle 100,000+ events per day, according to the Sans Institute.
Using a SIEM tool then can realise efficiency in two ways: to the business as a means of reducing headcount by automating log oversight, and by the more effective analysis of security logs which are dispersed across many sources such as IDS, IPS, operating system event logs, database and application logs and device management logs.
In terms of accuracy as well as the unified oversight, intelligence-led security also allows for better threat detection than manual oversight can hope to discover. Consider for example a “low and slow” attack where the hacker attempts only a few login attempts per hour in order to avoid an IDS detection and operating system lockout situation. Without intelligence behind this attack, the hacker can continue indefinitely until the account password is detected – whereas with SIEM the events are correlated and can be presented as an automated alert.
Demonstrating compliance is another major benefit. A major aspect of compliance regulations is auditing, and compliance with key regulations can be improved if product due diligence is done effectively. Part of this due diligence process for product selection should be analysis of how flexible the reporting options are: they should be customisable and adaptable to corporate security policies. Guidelines in the International Standard ISO/IEC 27002 regarding best practice for information security management are also helpful in this process.
For SMEs, intelligence-based security can provide outsourced expertise where currently none in-house exists. Any outsourced provider should provide security and performance SLAs as a minimum basis in the due diligence process.
Phil Stewart is the director of communications at ISSA UK
Read more about intelligence-led security
- Security Think Tank: Security intelligence needs a plan
- Security Think Tank: Intelligence-led security is more efficient and effective
- Security Think Tank: Intelligence-led security is about risk management
- Security Think Tank: RASP – a must-have security technology
- Security Think Tank: Using big data for intelligence-led security
- Security Think Tank: Proof of intelligence-led security is in the metrics
- Security Think Tank: Intelligence-led security could give IT pros the edge