Published on August 22, 2013
It seems like everybody’s talking about security intelligence these days. Of course, what people mean when they use the term can vary widely depending upon what they’re selling, but the primary purpose remains the same. Some kind of machine intelligence that can detect successful cyber attacks, information theft, fraud and breaches as they happen.
At its most basic conceptual level, security intelligence consists of two parts. First, the collection and integration of a comprehensive set of network, system, server, application, user, access, activity and transaction data in a robust security data repository, and second, the continuous analysis and monitoring of that data to detect suspicious or malicious actions. At a minimum, there should be out-of-the-box connectors for all the most common data sources, from syslog to IAM tools, AD/LDAP and common HR databases to DLP and SIEM platforms that are collecting large amounts of event data. The analytics should intelligently correlate every account with a specific user identity and should establish comprehensive behavioral profiles for each account, user and peer group. But there's much more to security intelligence than just behavioral profiling. A robust security intelligence platform must resolve and monitor access entitlements in order to align access to resources with roles and requirements to reduce insider risk, it should be able to monitor data access at the file and database level to protect IP, it should be able to monitor transactions at the application level to detect fraud, and it should provide a clear, functional visualization of the security status of the entire enterprise network, all while minimizing false positives. Beyond that, a modern security intelligence platform will provide strong support for incident response and investigation, including the ability to drill down into suspicious events to see them in operational detail.
So you hear this again and again, and you keep wondering, well, great, but what’s it GOOD for? What does it actually do that a) isn’t getting done now and b) solves a real-world information security problem without causing a whole host of second-order problems such as network performance and false positives? Let’s think about a few ways the Securonix security intelligence platform can be deployed to provide real solutions to vexing problems today.
High Privileged Account Monitoring
Here at Securonix, this is one of the most common initial use cases we see customers implement. As a subset of insider threat monitoring, it gives an organization very specific insight into the access permissions, activities and behaviors of its highest risk personnel. By first identifying ALL accounts with very high level access entitlements, including IT administrators, service accounts and vendor access/support accounts, and then correlating every one of them to a specific user identity, the IT administration team can clean up rogue and zombie accounts and more finely tune access privileges to align them with actual job requirements. Once that is done, the platform enables a continuous view of the routine day-to-day activities of these users and their peers, and will quickly alert on any activity or behavior that falls outside the baseline range.
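The three steps described above (enumerate every high-privilege account, correlate each one to a person, then clean up the ones that do not correlate or belong to someone who has left) can be checked with a short script over a directory extract and an HR feed. The following is an added example, not Securonix code: the account records, HR identities, group names, employee ids and the 90-day staleness window are all constructed assumptions.

```python
"""Correlate high-privilege accounts with HR identities and flag rogue, zombie and stale
accounts before their entitlements are tuned. Added example; all data is constructed."""
from datetime import date, timedelta

# Constructed sample directory extract (hypothetical): one record per account
ACCOUNTS = [
    {"account": "jsmith",     "groups": ["Domain Admins"],     "owner": "E1001", "last_logon": "2013-08-20"},
    {"account": "svc_backup", "groups": ["Backup Operators"],  "owner": "E1001", "last_logon": "2013-08-21"},
    {"account": "adm_old",    "groups": ["Domain Admins"],     "owner": "E0420", "last_logon": "2013-02-01"},
    {"account": "vendor_tmp", "groups": ["Enterprise Admins"], "owner": None,    "last_logon": "2013-08-19"},
    {"account": "mlee",       "groups": ["Domain Users"],      "owner": "E1002", "last_logon": "2013-08-22"},
]
# Constructed sample HR feed (hypothetical): employee id -> identity record
HR_IDENTITIES = {
    "E1001": {"name": "J. Smith", "status": "active",     "title": "Systems Administrator"},
    "E1002": {"name": "M. Lee",   "status": "active",     "title": "Analyst"},
    "E0420": {"name": "R. Gone",  "status": "terminated", "title": "Systems Administrator"},
}
# Groups that confer high-level access; maintained by the IT administration team (assumed)
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}


def privileged_accounts(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Step 1: enumerate every account holding at least one high-privilege group."""
    return [a for a in accounts if privileged_groups & set(a["groups"])]


def correlate(account, identities):
    """Step 2: resolve the account to a person in the HR feed (None if it cannot be resolved)."""
    return identities.get(account["owner"]) if account["owner"] else None


def findings(account, identities, today, stale_days=90):
    """Step 3: list what is wrong with one privileged account."""
    out = []
    owner = correlate(account, identities)
    if owner is None:
        out.append("rogue: no correlated identity")           # nobody owns this access
    elif owner["status"] != "active":
        out.append("zombie: owner %s is %s in HR" % (owner["name"], owner["status"]))
    idle = today - date.fromisoformat(account["last_logon"])
    if idle > timedelta(days=stale_days):                      # unused privilege is pure risk
        out.append("stale: no logon for %d days" % idle.days)
    return out


def review(accounts, identities, today="2013-08-22", stale_days=90):
    """Return {account: [findings]} for the privileged accounts that need cleanup."""
    as_of = date.fromisoformat(today)
    report = {}
    for acct in privileged_accounts(accounts):
        problems = findings(acct, identities, as_of, stale_days)
        if problems:
            report[acct["account"]] = problems
    return report


if __name__ == "__main__":
    for name, problems in review(ACCOUNTS, HR_IDENTITIES).items():
        print(name, "->", "; ".join(problems))
```

Note that an ordinary account like `mlee` is never evaluated: the review is scoped to the privileged population first, which is what keeps the resulting list short enough to act on.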
There are two primary vectors for Internet fraud. The highest risk vector is from an organization's call center or customer service operation. This is a large population of users with access to customer accounts, credit card numbers and options for handling returns, refunds and recompense for unhappy customers. It represents a major security risk because most network security monitoring systems such as SIEMs do not have visibility into the application to monitor transactions in real time, compare them with those of the entire peer group, and detect activities and events that are abnormal or suspicious. Customer fraud is a larger scale version of the same process - the online activities and transactions completed by customers in retail, gaming, VoIP, banking and other high-volume interactive services can be profiled and monitored in order to detect the unusual events that indicate fraudulent activities.
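The peer-group comparison the paragraph describes is simple to state in code: aggregate each agent's transactions, then measure how far each agent sits from the rest of their team. The following is an added example, not Securonix code; the refund log, the team membership, the leave-one-out z-score and the three-sigma threshold are all constructed assumptions. It handles the flat-peer-group edge case (every peer identical) that a naive z-score divides by zero on.

```python
"""Peer-group profiling of refund transactions: flag agents whose refund volume is far
outside their team's baseline. Added example; all data is constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample refund log (hypothetical): (agent, team, refund amount) per transaction
REFUNDS = [
    ("agent01", "returns", 120.0), ("agent01", "returns", 80.0),
    ("agent02", "returns", 220.0),
    ("agent03", "returns", 100.0), ("agent03", "returns", 80.0),
    ("agent04", "returns", 210.0),
    ("agent05", "returns", 450.0), ("agent05", "returns", 450.0),
    ("agent11", "billing", 100.0), ("agent12", "billing", 100.0),
    ("agent13", "billing", 100.0), ("agent14", "billing", 150.0),
]


def totals_by_team(refunds):
    """Aggregate refund amount per agent, grouped into peer groups (teams)."""
    teams = defaultdict(lambda: defaultdict(float))
    for agent, team, amount in refunds:
        teams[team][agent] += amount
    return teams


def peer_zscore(value, peers):
    """z-score of one agent's total against the *other* members of the group.

    Leaving the agent out stops a single heavy user from inflating the baseline they are
    measured against. A flat peer group (stdev 0) cannot be scaled, so anything above the
    peer mean is treated as an unbounded outlier rather than raising ZeroDivisionError."""
    mu = mean(peers)
    sigma = pstdev(peers)
    if sigma == 0:
        return float("inf") if value > mu else 0.0
    return (value - mu) / sigma


def peer_outliers(team_totals, threshold=3.0):
    """Return {agent: z} for agents exceeding the peer baseline by more than threshold sigmas."""
    flagged = {}
    for agent, total in team_totals.items():
        peers = [t for a, t in team_totals.items() if a != agent]
        if len(peers) < 2:
            continue  # not enough peers to build a baseline
        z = peer_zscore(total, peers)
        if z > threshold:
            flagged[agent] = z
    return flagged


def run(refunds=REFUNDS, threshold=3.0):
    """Outliers per team: {team: {agent: z}}."""
    return {team: peer_outliers(totals, threshold)
            for team, totals in totals_by_team(refunds).items()}


if __name__ == "__main__":
    for team, flagged in run().items():
        for agent, z in flagged.items():
            print("%s/%s refunds are %.1f sigma above peers" % (team, agent, z))
```

Only agents above their peers are flagged; an agent issuing unusually few refunds is not a fraud signal in this model, and the threshold is the knob the operations team would tune to trade false positives against coverage.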
Zero Day Exploits
The most dangerous attacks are those with the highest potential costs, and when the rewards accruing to the cyber-criminals are great enough, they are willing to make their own significant investment in technology. In the most serious cases, this can be the exploitation of a previously unknown vulnerability, which cannot be recognized by existing signature-based malware detection systems simply because it has never been fingerprinted. Securonix is the additional layer of defense - it doesn't detect the penetration either, but rather detects the activities of the hacker once inside the network defenses, even if he appears to be operating with valid authentication credentials. The detection can be the result of behavior-based monitoring, or it can be the detection of an unusual escalation in privileges, or even an unusual login profile, from a different IP range or at an unusual day or time. With Securonix, the security operations team has the option of managing the thresholds for alerts, tightening them under specific cases and whitelisting those that are known to be benign.
Insider Threat Monitoring
In the case of external cyber attacks, an organization has a very strong set of perimeter and endpoint security systems specifically intended to prevent unauthorized access. Of course, none of that matters when it comes to that organization's employees, contractors, customers and, in some cases, vendors. They are handed a set of access privileges and authentication credentials, and at that point they are constrained only by the existing set of rules, policies and access controls. While the overwhelming majority of insiders are reliable and trustworthy, this inherent level of access also makes them the primary risk vector, and it only takes one rogue insider to wreak extensive havoc on an organization - just ask the management at Booz Allen about that. The powerful identity correlation, access monitoring, behavioral profiling and peer group analysis functions in the Securonix platform allow essentially the entire process of insider security monitoring to be handled automatically and in real time, with a limited number of risk-ranked, actionable security alerts that can be investigated and addressed before they become front page news.
In a sense, detecting attacks that use advanced malware to successfully compromise an account to gain access to the network is, from a detection standpoint, similar to detecting insider threats. What you have is someone gaining authenticated access by using perfectly valid credentials. There is no way to ‘prevent’ this penetration - it has all the appearances of a routine user login event - so detection becomes the only path to harm reduction. As soon as the attacker using the compromised account deviates from routine tasks to actually exploit the breach, the Securonix security intelligence platform will recognize that access or activity as an outlier and trigger an alert. Once again, it wasn’t the attack that was detected, but the actions taken by the attacker.
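Both the zero-day discussion earlier and the paragraph above come down to the same mechanism: a login with valid credentials cannot be blocked on its face, so the detection has to come from the login profile (source IP range, hour, day) and the user's subsequent behavior deviating from baseline, with thresholds and a whitelist that the operations team can adjust. The following is an added example, not Securonix code; the authentication history, the /24 grouping of source addresses, the risk weights, the whitelist range and the alert threshold are all constructed assumptions.

```python
"""Per-user login baseline: learn the source networks, hours and weekday pattern a user
normally logs in with, then score new logins against it. Added example; data is constructed."""
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample authentication history (hypothetical): (user, ISO timestamp, source IP)
HISTORY = [
    ("alice", "2013-08-05T08:52:00", "10.1.20.15"),
    ("alice", "2013-08-06T09:10:00", "10.1.20.15"),
    ("alice", "2013-08-07T08:47:00", "10.1.20.16"),
    ("alice", "2013-08-08T09:30:00", "10.1.20.15"),
    ("alice", "2013-08-09T08:58:00", "10.1.20.15"),
    ("alice", "2013-08-12T10:05:00", "10.1.20.16"),
    ("bob",   "2013-08-12T13:00:00", "10.1.40.8"),
]
# Constructed new logins to score (hypothetical)
LOGINS = [
    ("alice", "2013-08-20T09:15:00", "10.1.20.99"),    # routine: known network, known hour
    ("alice", "2013-08-20T09:15:00", "10.1.30.7"),     # new network, but inside the corporate range
    ("alice", "2013-08-24T02:40:00", "203.0.113.45"),  # external address, 02:40 on a Saturday
    ("bob",   "2013-08-20T13:00:00", "198.51.100.9"),  # bob has too little history to judge
]
# Source ranges the operations team has declared benign (assumed: the corporate LAN)
WHITELIST = [ip_network("10.1.0.0/16")]
# Operator-tunable weights: how much each deviation adds to a login's risk score (assumed)
WEIGHTS = {"new_network": 3, "new_network_whitelisted": 1, "unusual_hour": 2, "weekend": 1}


class LoginProfiler:
    """Builds a per-user baseline of source networks, login hours and weekend use."""

    def __init__(self, prefix_len=24, min_events=5):
        self.prefix_len = prefix_len      # addresses are baselined at this prefix length
        self.min_events = min_events      # below this, the user is still in learning mode
        self.networks = defaultdict(Counter)
        self.hours = defaultdict(Counter)
        self.weekend_logins = Counter()
        self.count = Counter()

    def _net(self, ip):
        return ip_network("%s/%d" % (ip, self.prefix_len), strict=False)

    def learn(self, events):
        for user, ts, ip in events:
            when = datetime.fromisoformat(ts)
            self.networks[user][self._net(ip)] += 1
            self.hours[user][when.hour] += 1
            if when.weekday() >= 5:
                self.weekend_logins[user] += 1
            self.count[user] += 1

    def score(self, user, ts, ip, whitelist=WHITELIST, weights=WEIGHTS):
        """Return (risk, reasons) for one login against the user's baseline."""
        if self.count[user] < self.min_events:
            return 0, ["no baseline yet (%d events)" % self.count[user]]
        when = datetime.fromisoformat(ts)
        net = self._net(ip)
        risk, reasons = 0, []
        if net not in self.networks[user]:
            if any(ip_address(ip) in w for w in whitelist):
                risk += weights["new_network_whitelisted"]
                reasons.append("new source network %s (whitelisted)" % net)
            else:
                risk += weights["new_network"]
                reasons.append("new source network %s" % net)
        if when.hour not in self.hours[user]:
            risk += weights["unusual_hour"]
            reasons.append("unusual hour %02d:00" % when.hour)
        if when.weekday() >= 5 and self.weekend_logins[user] == 0:
            risk += weights["weekend"]
            reasons.append("first weekend login")
        return risk, reasons


def alerts(profiler, logins, threshold=3):
    """Logins whose risk meets the operator-set threshold, with the reasons for analysts."""
    out = []
    for user, ts, ip in logins:
        risk, reasons = profiler.score(user, ts, ip)
        if risk >= threshold:
            out.append((user, ts, ip, risk, reasons))
    return out


if __name__ == "__main__":
    p = LoginProfiler()
    p.learn(HISTORY)
    for user, ts, ip, risk, reasons in alerts(p, LOGINS):
        print("%s %s from %s risk=%d: %s" % (user, ts, ip, risk, "; ".join(reasons)))
```

The whitelist does not silence a new-network finding outright; it only lowers its weight, so an analyst can still see that the source changed while the threshold keeps it out of the alert queue. A user with too little history is reported as such rather than scored, which avoids the false positives that would come from treating an empty baseline as "everything is unusual".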
The best thing about an intelligent analytics engine is its flexibility. Once you have the data, you can configure the analytics to monitor any combination of factors you can capture data on, and you can set up any kind of alerts, reports and dashboards that will help the GRC professional do his or her job. The bottom line is simple - the tools we are using to manage the information security of the enterprise have become so large and complex that they cannot be monitored usefully merely by a staff of security professionals. Like all large-scale high-velocity data environments, it takes a robust and effective set of intelligent analytics to examine that massive flow of data in real time and provide the human monitors with a filtered set of actionable results. That’s what security intelligence does, and Securonix does it better than anyone.