Security Intelligence – Think Outside the Logs

We often consider our security posture and architecture with an eye to the threat environment. We look outside, and try to determine what we are defending against. Even in the case of insider threats, we are often trying to develop the defenses in terms of the attack vectors, vulnerabilities and exploits. And this is an entirely worthwhile project – you can’t develop an effective defense without a clear understanding of what you are defending, and what you are defending against.

But sometimes that’s nothing more than a great way to examine the trees without ever seeing the forest. It’s an example of layered ‘prevention first’ information security architecture, and while it’s a necessary part of the security stack, it is in no way sufficient to secure valuable data and resources. In thinking about information and network security from a Security Intelligence standpoint, it can be valuable to take two steps back and turn around. To look at defense from a systemic rather than a mechanistic point of view. What do you need to know to see what you need to see? Think about network security from a data analysis standpoint.

You want your network system and server logs, your directory services identity data, your application logs, your IDS and DLP logs and violations, certainly. But you also want to integrate user information – HR database information like annual reviews, promotions, warnings and disciplinary actions. You want data from any partner or vendor who is connected to your network – who they are, what their access includes and how it is being used and controlled. You want comprehensive network maps that include non-computer devices such as access control systems, building management systems and IP cameras.

It is very much a worthwhile undertaking to put together a ‘wish list’ of network, user, application and access data and start thinking about how to collect it, how to integrate it, and how to analyze it for accurate and specific insights into network activity and transactions.

This is actually a much more practical exercise than you might think at first glance. Much of the success of the Securonix security intelligence platform is the result of its broad capability to connect to and ingest virtually any data source available – and the more data available to the analytics engine, the better, faster and more accurate the results. Whether you have classic application platforms like SAP or EPIC, home grown legacy apps or even other aggregate sources like SIEM or Splunk, there is either an out-of-the-box connector or a simple wizard to help you create one.

And the best part is that this is data you are already collecting and archiving. Securonix doesn’t require the installation of any software agents or monitoring appliances, and places no additional load on your network performance. It’s a straightforward ETL process that pulls all the disparate data sources into a sort of “security warehouse”, normalizes the data and provides it to the analysis engine. And once you have the data collectors in place, Securonix is a very low-maintenance application suite. The analytics are built in – it doesn’t require you to write queries and policies or sort through long lists of flags, violations and errors.

At the end of the day, it’s important to understand the threats and vulnerabilities you’re defending against, but it’s not enough. You need to understand all the resources you might already have available and develop a strategy to bring them to bear on the information and cyber security problem. And right now, as of today, Securonix is by far the best way to do that.