Security Think Tank: Intelligence-led security demands planning

What should organisations be doing to benefit from the move to intelligence-led security?

The major benefits of moving towards intelligence-led security are efficiency, accuracy and compliance. These are realised through defining proper aims at the outset and then selecting solutions that will achieve those aims.

No matter how good the average security engineer is, 1,000 events per day is the practical maximum one person can deal with. To put this into perspective, large organisations can expect to see over one million events across their logs per day, and even SMEs can see 100,000 events per day. An engineer equipped with a security information and event management (SIEM) tool can handle 100,000+ events per day, according to the SANS Institute.

A SIEM tool can therefore realise efficiency in two ways: for the business, by reducing headcount through automated log oversight; and for the security team, by enabling more effective analysis of security logs that are dispersed across many sources, such as IDS, IPS, operating system event logs, database and application logs, and device management logs.

In terms of accuracy, beyond the unified oversight, intelligence-led security also allows for better threat detection than manual oversight can hope to achieve. Consider for example a "low and slow" attack, where the hacker makes only a few login attempts per hour in order to stay below IDS detection thresholds and operating system lockout limits. Without intelligence applied to these events, the hacker can continue indefinitely until the account password is guessed, whereas with a SIEM the events are correlated across hours or days and can be presented as an automated alert.
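The correlation described above, as an added example that is not part of the original column: a small Python detector that first applies a per-hour lockout rule (which the low-and-slow attempts stay under) and then a SIEM-style sliding window per account and source address, which adds the failures up across hours. The `auth:` line format, the sample log lines, the thresholds and the function names are all constructed for this illustration and do not come from any particular product.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Hypothetical normalised line format, chosen for this example. A real SIEM
# would parse many vendor formats into comparable fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<outcome>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


class Event(NamedTuple):
    ts: datetime
    outcome: str
    user: str
    src: str


class Alert(NamedTuple):
    user: str
    src: str
    failures: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> Event:
    """Parse one normalised auth line into an Event; reject anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return Event(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["src"])


def build_sample_log() -> list[str]:
    """Constructed sample: three failed logins per hour against 'alice' for
    eight hours (24 failures, never five in one hour), plus a legitimate user
    who mistypes twice and then logs in."""
    base = datetime(2024, 3, 1, 0, 0, 0)
    lines = []
    for hour in range(8):
        for minute in (5, 25, 45):
            ts = base + timedelta(hours=hour, minutes=minute)
            lines.append(f"{ts.isoformat()} auth: FAILED user=alice src=198.51.100.7")
    for minute, outcome in ((10, "FAILED"), (11, "FAILED"), (12, "OK")):
        ts = base + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} auth: {outcome} user=bob src=192.0.2.10")
    return lines


def load_sample_events() -> list[Event]:
    return [parse_line(line) for line in build_sample_log()]


def hourly_lockouts(events: list[Event], threshold: int = 5) -> set[str]:
    """Mimic a host-local lockout policy: N failures for one account within a
    single clock hour. This is the rule a low-and-slow attacker stays under."""
    counts: dict[tuple[str, datetime], int] = defaultdict(int)
    for e in events:
        if e.outcome == "FAILED":
            hour = e.ts.replace(minute=0, second=0, microsecond=0)
            counts[(e.user, hour)] += 1
    return {user for (user, _), n in counts.items() if n >= threshold}


def correlate_low_and_slow(
    events: list[Event], window: timedelta = timedelta(hours=24), threshold: int = 10
) -> list[Alert]:
    """SIEM-style correlation: a sliding window per (user, source) over the whole
    event stream, so failures spread thinly across hours still accumulate.
    One alert is raised per (user, source) pair the first time it crosses."""
    recent: dict[tuple[str, str], deque[datetime]] = defaultdict(deque)
    alerted: set[tuple[str, str]] = set()
    alerts: list[Alert] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.outcome != "FAILED":
            continue
        key = (e.user, e.src)
        q = recent[key]
        q.append(e.ts)
        while q and e.ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(e.user, e.src, len(q), q[0], e.ts))
    return alerts


def run_demo() -> tuple[set[str], list[Alert]]:
    events = load_sample_events()
    return hourly_lockouts(events), correlate_low_and_slow(events)


if __name__ == "__main__":
    locked, alerts = run_demo()
    print("locked out by hourly rule:", locked or "none")
    for a in alerts:
        print(f"ALERT {a.user} from {a.src}: {a.failures} failures "
              f"between {a.first_seen} and {a.last_seen}")
```

On the constructed sample the hourly rule never fires, while the 24-hour window raises one alert for `alice` from `198.51.100.7` at the tenth failure, three hours into the run. Keying the window on both account and source keeps a legitimate user's occasional mistakes from being merged with an attacker's attempts; a production rule would also feed the alert's first- and last-seen timestamps into the incident record so the full span of the activity is preserved.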

Demonstrating compliance is another major benefit. A major aspect of compliance regulations is auditing, and compliance with key regulations can be improved if product due diligence is done effectively. Part of this due diligence process for product selection should be analysis of how flexible the reporting options are: they should be customisable and adaptable to corporate security policies. Guidelines in the International Standard ISO/IEC 27002 regarding best practice for information security management are also helpful in this process.

For SMEs, intelligence-based security can provide outsourced expertise where none currently exists in-house. Any outsourced provider should offer security and performance SLAs as a minimum basis in the due diligence process.

Phil Stewart is the director of communications at ISSA UK
