My grandmother – security intelligence pioneer
Wes Simonds 120000EFD6 firstname.lastname@example.org | | Tags:  software log ibm service-management management labs simonds michael siem security information intelligence applebaum event capabilities wes q1 rsa
0 Comments | 9,998 Visits
Quite a few of today's organizations could learn a little something about security from my grandmother -- a thoughtful, yet paranoid creature who maintained a watchful vigilance over her home. I recall once she was going to Europe for two weeks. So, anticipating hordes of burglars, she developed an advanced domestic security architecture:
I believe quite a few IT security concepts can be extrapolated from this ad hoc architecture. Let's go down that list and rephrase things a bit...
Not too shabby, I think, for a woman in her late seventies with no training.
And in the area of security intelligence, one finds many of the same concepts explored. In fact, security intelligence – powered by next-generation Security Information and Event Management (SIEM) and log management – emphasizes all the points above. Taken together, these assertions about data, analytics and centralized analysis can lead to a greatly enhanced security posture.
This may remind you of business intelligence, which uses advanced analytics to aggregate business data and sift through it looking for hidden patterns or insights. Security intelligence does much the same with security data. And just as with business intelligence, security intelligence works better when solutions are smarter: capable of drawing more data, from more sources, analyzing it more quickly, drawing more accurate conclusions and thus turning a spotlight on what really matters (while avoiding, what doesn't).
That, in a nutshell, is why in 2011 IBM acquired Q1 Labs, a leading provider of SIEM and security intelligence solutions that reduce security and compliance risks and better detect suspicious events that may be taking place in the IT environment.
Last-generation solutions can't cope with next-generation threats
Recently I had a chance to talk to Michael Applebaum, Director of Product Marketing for Q1 Labs, about security intelligence and how it relates SIEM.
‘Security Intelligence is actually a superset of SIEM,’ said Applebaum. ‘It involves collecting and analyzing many types of security and compliance-relevant data for real-time decision making. And to do that, it goes far beyond first-generation SIEM tools -- not just performing log data analysis, but also correlating related data like network flows and asset profiles, to provide deeper visibility into what's really happening.’
The problem with earlier SIEM solutions, it appears, is threefold: They aren't smart enough to make sense of all the data, they aren't adequately integrated with other security solutions and they aren't flexible enough to cope with organizations’ changing needs.
So IT teams tend to get bombarded with false positives that, though seemingly suspicious, don't actually involve a security incident. This is roughly like the difference between ‘breaches’ (which are security-relevant) and ‘breeches’ (which are short pants).
‘Too often, solutions dump so much data on the security professional that the solutions become useless,’ said Applebaum. ‘Managing more data than ever before requires sharper tools to find what matters. SIEM and security intelligence, then, are about culling through the masses of data to find the signal in the noise.’
Indeed. And bumping up that signal-to-noise ratio, via smart analysis, is particularly critical at a time when hackers and malware are both getting more sophisticated and capable -- often, in ways that simply defeat last-generation security solutions.
Want an example? Consider the Conficker worm -- an incredibly resilient form of malware with multiple variations that can attack organizations using multiple, completely different attack vectors. This is not the sort of thing organizations are going to be able to recognize and eradicate using traditional, signature-based tactics, which is probably why Conficker is still around, and still creating problems, despite the fact that it was originally detected in 2008.
Organizations are, from a security standpoint, simply living in a different world than they were even five years ago, and they need solutions that are just as smart as the threats they face -- or, ideally, smarter. And that's exactly where security intelligence can play a valuable role.
What IBM's new security intelligence solutions bring to the game is scalable, fast correlation of exceptionally large data volumes, originating from a wide range of IT systems and devices, to deliver a complete view of the total security posture at any point in time. So, going beyond log analysis, that also means key capabilities like configuration monitoring, network anomaly detection and advanced persistent threat detection.
In this way, threats like Conficker become significantly more detectable and resolvable, even though they appear in multiple variations and take advantage of different security weaknesses. Instead of trying to recognize them using a specific exploit-based signature, or any other limited identifier, organizations can instead recognize that type of behavior as suspicious and worthy of investigation.
Perhaps, for instance, a sequence of failed log-in attempts to a high-value database is followed by a successful log-in attempt and a data selection, which is then followed by an email transmission of a large amount of data to an IP address in an eastern European country where this organization has never done business.
This type of comprehensive analysis and insight detects questionable behavior almost in the way a trained and experienced human security expert would. It's significantly smarter and more flexible than the siloed kind of analysis most organizations are limited to today.
Get a 360-degree, real-time view of your complete security posture
However, making all of that happen does, in turn, mean security intelligence solutions have to bridge security, network and infrastructure silos, to put the whole picture -- prioritized by business value / risk and rendered via intuitive dashboards -- at the fingertips of security pros and executives.
Fortunately, that's just what IBM's new offerings can do. And it's a compelling strength, especially for organizations who may not have realized such a thing is even possible.
‘The real 'a-ha' moment is when clients see how easily they can view and drill down into security-relevant activity across the enterprise -- logs, network flows, vulnerabilities, identities, asset profiles, threat intelligence -- all with a single user interface,’ said Applebaum. ‘Clients are so used to dealing with silos of data they are blown away by a security dashboard that provides seamless visibility.’
Still more value stems from the extensive range of report templates and correlation rules (like the kind I described above, involving a database compromise) that come with the solutions right out of the box. Through them, clients who deploy IBM's security intelligence solutions immediately inherit much of the deep expertise developed by Q1 Labs through years of real-world client experience.
That's not just better security, but better security achieved faster. And over time, as those templates and rules are expanded to include new insight from IBM's X-Force team, that argument will just get stronger and stronger.
Finally, all of these new security capabilities also pertain to a closely related issue: regulatory compliance. Through smarter, more comprehensive monitoring and reporting, organizations will find it easier not just to achieve compliance, but also to demonstrate it easily in the event of an audit.
‘Clients often start by focusing on compliance initiatives because of the potential penalties for failure,’ said Applebaum. ‘And while compliance is just a part of a security program, it’s an important step. Next-generation SIEM and log management provide central logging, reporting and monitoring, which provide peace of mind while reducing a great deal of manual effort.’
Discover how to build security intelligence into your processes
Check out Q1 Labs, an IBM company
Attend a webcast with Q1 Labs and Gartner about security in a post-perimeter world
Learn more about security intelligence at RSA Conference 2012
Connect with the IBM Security communities
Get the IBM X-Force 2011 Trend & Risk Report:
Read more at the official Q1 Labs blog
About the author
Guest blogger Wes Simonds worked in IT for seven years before becoming a technology writer on topics including virtualization, cloud computing and service management. He lives in sunny Austin, Texas and believes Mexican food should always be served with queso.