Information security intelligence demands network traffic visibility

This tip is part of SearchSecurity.com's Data Protection Security School lesson, Security Visibility. For more learning resources, visit SearchSecurity.com's Security School Course Catalog.

In an economic environment of reduced budgets, increased focus on how information technology is supporting the business, and increasing complexity of security challenges, information security professionals often ask about the right level of information security investment.

How much should an enterprise spend on information security? The only consistent answer is: “It depends.” The best counter-question, in fact, is: “How much visibility do we have into our network infrastructure to determine where data is flowing?” In looking at enterprise security spending during the last several years, it’s become apparent most U.S. enterprises haven’t made appropriate investments to gain network traffic visibility and information security intelligence.

The new objective for most information security teams should be to reduce the scope of their responsibilities to a subset of data – in other words, identify the data that really matters from a security standpoint – and then invest in gaining as much intelligence as possible about who is using that data, what they’re doing with it and where it’s going. The objective for enterprise IT security teams should be to establish a true data security intelligence capability using network and host data, and then use that intelligence to create business-focused action plans to protect data.

Strategy: Boosting information security intelligence
While the effort to gain network traffic visibility for the purpose of augmenting security intelligence is a largely tactical effort, it's important to begin by taking a more strategic look at how the process should unfold. With that in mind, here are some key tips about how to get an information security intelligence capability established:

• Assure that the mission of the security team aligns with the business’ needs and expectations. By understanding what goals and processes the business values, the security team can know where to begin when evaluating organisational data security priorities.
• Analyse data created, used and stored by a particular business group on a pilot basis. If all goes well, add business groups until the data analysis effort elucidates how data is used across the company. But to start, stick to as few users and as little data as possible.
• Identify up-to-date data sources such as email activity logs that can be fed into an intelligence function. Being able to identify anomalies quickly, such as odd data or unusual traffic flows, will be critical, but doing so requires a baseline of normal activity. Also remember most enterprises add new data sources all the time, so plan on adding new data sources periodically.
• Design reports that outline how the intelligence impacts the business. These should be developed by human analysts based upon findings culled from up-to-date data sources.
• Take feedback to improve the intelligence process, assuring that intelligence is never created solely for the sake of intelligence. Ultimately the process must support the business, so be prepared to accept input from business stakeholders.

Before imagining this as an insurmountable process fraught with risk and difficulty, take a step back and think of it on the simplest of terms.  For example, imagine that you’re working with a small research division of 20 people tasked with updating a profitable product.  It is likely that email will play an important role in how the users work.  Getting access to email logs will be an important first step in building an information security intelligence capability to protect this small R&D group. 

Information security intelligence: What data matters?
Most organisations developing a security intelligence program discover that there's no shortage of data from which to compile. Including all data is impossible; it's simply overwhelming and, quite frankly, a considerable amount won't be relevant. Hence zeroing in on relevant data is essential. Using the email example above, what follows are some key suggestions for determining precisely what data an organisation would want to evaluate:

• Basic email inbox statistics for all users of the group.  Go as far back as possible (through backups, etc.) to determine inbox growth rate, send/receive ratio, attachment/email ratio, etc. As a starting point, if your organisation uses Exchange 2007 or 2010, your team will want to familiarise itself with the Exchange Management Shell. 
• Real-time email statistics for all users of the group.  Identify which logging point will give you the best data.  For example, in smaller email server deployments, the email server could provide most of the logging data.  In larger environments with many email servers, the network edge logs may be the most efficient place to gather the information.
• Email client inventory.  Which devices are connecting to get access to the mailbox, how often do those devices connect and if/when anyone suspicious has connected to the inbox in the past. 

Of course, the raw data should not be the objective of your efforts.  Consolidating the data and making sense of it will be the most important thing to focus on.  In this sample case of 20 people, using an Excel spreadsheet to consolidate and track the metrics over time will probably be the most efficient means.  For larger situations, it will be necessary to look to automated data-gathering and reporting tools such as a security information and event management (SIEM) to make sense of hundreds of individuals’ email data. 

Take the example above and use it to brainstorm how to reduce the scope of your data intelligence efforts to a manageable group on a manageable platform.  By starting small, the efforts can be measured and progress made without feeling overwhelmed. 

Information security intelligence: Next steps
There really aren’t any products that can help create an intelligence program from start to finish.  There are many different technologies that create data feeds (such as logs, etc.), but that raw data is useless without creating a matrix that can rapidly and repeatedly process that data to make sense of it in a way that helps the business understand the relative risks of different communication channels (such as email).  It takes the dedicated time of intelligent humans to design a program that can discern relevant data, consume the massive amounts of data that will need to be analysed and develop a repeatable processes to consistently make sense of that data.  It may be cliché, but it truly comes down to people and processes to get security right. 

To be clear, with some dedication to making sense of data, you can gain visibility into critical teams’ communications and how the individuals on those teams may be targeted by adversaries who wish to steal your organisation’s information (or worse, turn your organisation into a hideout from which to attack  your business partners to get their information).

What you don’t know can hurt you, so work toward the goal of establishing an intelligence program that gives you visibility into what’s really happening within your network infrastructure. Otherwise an enterprise will find itself simply responding to breaches over and over again.

About the author: Aaron Turner is the co-founder of N4Struct, an information security consultancy focused on helping organisations identify how to solve some of the toughest industrial espionage cases.  He has worked with organisations of all sizes around the world and has extensive knowledge of how to help business leaders analyse how new technologies can introduce risks into their businesses.