Security Think Tank: Intelligence-led security is about risk management

What should organisations be doing to benefit from the move to intelligence-led security?

A recent trend in information security is the move towards intelligence-led security, but should you try an internet search you will come up with some fascinating links, mostly associated with policing.

The most useful link I found was a Wikipedia one on intelligence-led policing which stated that it was “built around risk assessment and risk management” – and this is what I believe intelligence-led information security is about.

Of course, risk is associated with an understanding of threat, vulnerability and value. Understanding an organisation's business, and the threats to that business, is a starting point that auditors (including IT auditors) have practised for a very long time, and is long overdue in the information security area.

A corollary to understanding the risks is a solid understanding of what informational assets (and asset value) an organisation has, and where those assets are located. Looking at these areas forms a good practical starting point for an organisation in getting to grips with good information security.

There is another, rather more technical view of intelligence-led security, and that is the mass collection of system and audit logs and the analysis of those logs, both in real time and in regular batch mode.

Real-time analysis using appropriate correlation and filter parameters can generate alerts for staff to action, and analysis of captured data over a period of time can identify other issues, such as someone taking a copy of a client database in small chunks so as not to raise suspicion.
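The difference between the two modes, as an added example that is not part of the original article: a per-query real-time rule misses a user who copies a table in small daily chunks, while a sliding-window batch sum over the same events catches it. The log format, user names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log sample: timestamp, user, table, rows returned.
SAMPLE_LOG = """\
2024-03-04T09:12:00 alice clients 40
2024-03-04T17:40:00 bob clients 450
2024-03-05T17:42:00 bob clients 450
2024-03-06T11:05:00 carol clients 1200
2024-03-06T17:39:00 bob clients 450
2024-03-07T17:41:00 bob clients 450
2024-03-08T17:40:00 bob clients 450
2024-03-09T17:43:00 bob clients 450
2024-03-10T17:38:00 bob clients 450
truncated line
"""
PER_QUERY_LIMIT = 1000      # assumed real-time rule: rows in a single query
WINDOW = timedelta(days=7)  # assumed batch rule: look-back period
WINDOW_LIMIT = 2500         # assumed batch rule: cumulative rows per user and table

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip lines without four fields or a numeric row count
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])))
    return sorted(events)

def realtime_alerts(events):
    return [e for e in events if e[3] > PER_QUERY_LIMIT]  # one event at a time

def batch_alerts(events):
    """Sliding-window sum per (user, table); returns peak rows for flagged keys."""
    history = defaultdict(list)
    for ts, user, table, rows in events:
        history[(user, table)].append((ts, rows))
    flagged = {}
    for key, items in history.items():
        start = total = peak = 0
        for ts, rows in items:
            total += rows
            while ts - items[start][0] > WINDOW:  # drop events older than the window
                total -= items[start][1]
                start += 1
            peak = max(peak, total)
        if peak > WINDOW_LIMIT:
            flagged[key] = peak
    return flagged
```

On the sample, the real-time rule flags only the single 1,200-row query, while the batch rule flags the user whose 450-row queries add up to 3,150 rows within a week.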

While this move to capturing and analysing all the available system and audit logs is to be welcomed because of the security insights it can bring, the volume of data captured can be overwhelming even from smallish systems and networks, and the products to capture, correlate and analyse, and the associated professional services to configure these products, are not cheap. 

So for the moment this sort of technology is only for the “big boys”, but in time costs should come down much as they did when Microsoft entered the customer relationship management (CRM) market.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
