Security Intelligence for the Enterprise - Part 1

Monday, June 17, 2013

Rafal Los


Security Intelligence. This topic seems to come up over and over in discussions with enterprise security leaders, security professionals, writers, and pundits. There are many different facets to the topic, but ultimately what are we talking about?


Princeton’s WordNet defines it more broadly (not specific to the cyber world) as such:

“Intelligence on the identity and capability and intentions of hostile individuals or organizations that may be engaged in espionage or sabotage or subversion or terrorism”


John Burnham of Q1 Labs brings a little flare by adding in the notion of “actionable,” as such:


Security Intelligence is the real-time collection, normalization, and analysis of the data generated by users, applications and infrastructure that impacts the IT security and risk posture of an enterprise. The goal of Security Intelligence is to provide actionable and comprehensive insight that reduces risk and operational effort for any size organization.


So what you have, really, is actionable and comprehensive insight on the identity, capability and intentions of parties that are hostile to your organization.


Today’s enterprise is under constant attack, there’s simply no denying that. And there has never been a more important time to have timely and actionable insight into what’s going on. There is, however, a caveat here which we’ll discuss in a bit.


Know thine enemy, before thou striketh

Let’s talk about why identity, capability and intentions are important. Take an article like this one hot off the presses, “U.S. urged to permit self-defense retaliation on hackers” from ZDNet. Let’s pretend for a minute that we live in a world where “retaliation on hackers” is a capability your enterprises possesses. (This would put you in the top .05 percent of all organizations out there, from my humble experiences, but let’s ignore that for a moment and just pretend.) The decision to strike back is difficult — there are no two ways to go about it. An organization does not simply make a decision to “strike back” at any random attacker. There is a difficult decision to be made. The insight that security intelligence provides you on the identity, capability and intentions is critical to your decision-making process.


Attribution is perhaps one of the most critical components of such a decision, and having a clear identity (whether it be a group, a nation-state, or an individual) is paramount to your decision-making process. You wouldn’t go wasting resources striking back at someone port-scanning your web servers, would you? That simply wouldn’t make sense, partially because this happens every few seconds on the Internet. Identifying an attacker is a difficult process, and while the art and science of profiling and target attribution is developing … it’s still largely something best left to the specialists.


While you’re putting together the identity of your attacker it’s important to know the capabilities of that entity. You don’t want to end up in a situation where a lone attacker, being part of a larger group, probes your organization and you strike back at them, stirring the ire of the entire group and thereby incurring a greater attack than you’ve aimed to stop. Capability is important because you need to know whether your attacker has more resources and knowledge than your anti-hacker-hackers™ which you employ.


You don’t want to end up bringing a knife to a gun fight.


Last — but certainly not least — is intent. As part of your decision-making process you’re going to want to bring in the intentions (or at least perceived intentions) of the attacker you’re thinking of striking back against. Ask yourself: Is this a targeted attack by a determined individual?  Or is this your grandparents’ computer being compromised and used as a point of origin for an attack against your company to simply cause a distraction or take your attention away from something more important?


Identity, capability and intention are all critical in the way that an enterprise defends itself. Back to the real world — where your enterprise security organization is trying to do intelligent defense — having this information is absolutely critical to how you position your defenses, build your strategy, and operationalize your defensive capabilities.


So what exactly does actionable mean?


There is a lot of talk about having the right data, and being able to turn it into knowledge in a timely manner to make decisions or take meaningful action. At the center of that discussion is the idea of “actionable intelligence,” and what it really means. In my opinion, and after watching several organizations attempt to operationalize intelligence reports/feeds, in order for anything to be actionable it must be able to quickly be converted by your organization from bits to meaningful action. Actionable intelligence can be as broad as a memorandum that alerts the banking industry that there has been chatter by “cyber terrorists” of creating a large botnet in order to DDoS banking websites. Even if this doesn’t provide immediate detail, it can provide a sense of direction and urgency from which your organization can then derive action.


On the other end of that spectrum is an automated feed that takes data generated from human interaction and is packaged for consumption by an automated mechanism. More concretely, a feed from a security research organization that produces IP reputation data that is then fed into your firewalls and IPs to make more intelligent — alerting and blocking decisions is a great example.


Putting it together


Now that we have a relatively more clear definition, and have discussed what security intelligence is and should provide for your enterprise, let’s talk about putting it all together. You see, having the information and being able to do something with it are entirely different. Having knowledge that it will rain tomorrow does not necessarily mean I won’t get wet during the day — it simply means I’ll likely be more prepared if I heed the information.


This is where things get difficult. Where the rubber meets the road. In the next post, I’ll discuss why even if you’ve got good, actionable intelligence you’re probably not going to do much with it.


Cross Posted from Following the Wh1t3 Rabbit

Possibly Related Articles:
Enterprise Security
Threats security intelligence
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.