This was originally published in December 2011 on q1labs.com (which has since been integrated into ibm.com and securityintelligence.com).
This is the 6th and final entry in a series of posts that answer “Six Things You Always Wanted to Know About Security Intelligence but Were Afraid to Ask.”
To understand how people are getting started with Security Intelligence, let’s go straight to an industry expert: IBM Security’s own Chris Poulin. Chris is not only the former Q1 Labs Chief Security Officer but also the head of our worldwide Professional Services practice, and drives our Customer Council. Chris has seen more Security Intelligence use cases and customer deployments than most security pros will ever dream (or have nightmares!) about.
I recently sat down with Chris to get the straight talk about how organizations begin their Security Intelligence (SI) journey. Much of what Chris shared with me has also been published in this SecurityWeek article. Here are my takeaways from our conversation:
1. Organizations know they need Security Intelligence, but often don’t know where to start.
We often speak with customers whose SI business cases start with regulatory compliance – PCI DSS, HIPAA, NERC CIP, FISMA, NIST 800-53, GPG 13, etc. – and that’s certainly important. But they know log management and reporting are just the tip of the iceberg in how SI can benefit them. As Chris noted, using Security Intelligence for compliance alone is like stamping a checkbox with a sledgehammer.
2. There are several use cases that apply to nearly all customers.
Although SIEM and other Security Intelligence solutions provide great value through company- and vertical industry-specific use cases, they also address many generic use cases. These include botnet detection, traffic from darknets, excessive authentication failures, and IPS alerts indicating that an attack is targeting an asset the VA scanner reports is vulnerable to that exploit, for example. SI vendors usually provide out-of-the-box rules (with alerts), reports, dashboard widgets, and saved searches that cover these scenarios.
3. Start with a set of core data sources.
Before you can monitor anything, you need to decide which data sources to start with. To avoid getting overwhelmed, Chris recommends beginning with a core set of log sources:
- Authentication events (from Active Directory and other identity management services)
- Windows, Linux/UNIX, and other OS administration logs
- Perimeter firewalls and VPN concentrators
- Anti-malware logs
- File and directory auditing on high-value servers (those that contain PII, ePHI, financial information, and sensitive company information or intellectual property)
In addition, bring in network activity flows (ideally Layer 7 flows) as soon as practical. If incorporated from day one, they can save you a ton of time by automatically discovering and profiling assets (is this server behind the firewall?) and auto-tuning your solution. On an ongoing basis, flows then provide an entirely new dimension of information that leads to better identification of threats, elimination of false positives and faster forensic investigations – across a range of use cases.
4. Define targeted use cases by examining your key business problems.
Once you’re addressing the common use cases, step back and look at your business. What are you and your executives most concerned about detecting or preventing? If you’re an investment brokerage, it might be trader fraud. If you’re a retailer, you might want to protect customers’ PII, including credit card numbers.
If you’re a utility or energy company, you might need to strengthen security around your SCADA systems. Re-examine the business case for your project, or take a close look at your CEO’s and CIO’s top priorities, to define your next use cases.
5. Spend time understanding your network and your SI solution’s capabilities.
Congratulations, your solution is in production and delivering new real-time security intelligence! Take some time to digest what you’re seeing in its dashboards, reports and offenses (incidents). Move beyond the well-trodden road and push it to give you more. You can learn a lot more than just which users can’t enter their passwords correctly the first three times. Think about new insights you could gain from correlating previously disparate data sets, and new reports you can deliver now that all this data is in a single repository.
6. Phase in IDS/IPS data and other application/user/network telemetry.
IDS/IPS data is also important, but those systems are often improperly tuned, leading to a significant volume of alerts. Therefore Chris recommends waiting until you’ve brought the number of offenses in your SIEM or SI solution down to about 25 per day before adding IDS/IPS telemetry.
Once you’re in business with IDS/IPS data and have tuned your solution sufficiently, think about layering in additional data sources – such as database (and database security) logs, application logs, physical security system logs, etc. – to improve the accuracy of your risk and threat management efforts. A Security Intelligence solution in many ways is already a Big Data Security Intelligence solution!
7. Don’t overlook the value of training and community.
Lastly, remember there are others out there who can help you. Look into the training options for your products. Explore vendor and industry conferences that give you the opportunity to meet with peers face to face. Participate in online vendor communities and industry organizations. Everyone using Security Intelligence (SI) or SIEM today – and there are tens of thousands of us worldwide – was once a beginner, and went through the same learning curve. Many will be happy to help, so don’t be shy.
In summary, I hope this blog series has clarified the concept and practice of Security Intelligence. SI is a powerful new enabler of security and compliance that delivers actionable information through real-time insight and deep forensics. It provides significant benefits by addressing customers’ needs for intelligence, integration and automation – areas that have historically been the Achilles heel of security solutions. And most importantly, SI solutions are reasonable to implement and manage for both small and large organizations, and deliver value quickly.
For the final word, I look to Jerry Walters of Ohio Health for the customer perspective:
We’ve seen tremendous value using the QRadar product. In the past we were very reactive. My team would get a call to do an investigation, and things had already occurred and we had to piece together what happened. With QRadar we’re able to see things before they even occur and prevent them upfront before they become a real problem. [QRadar] helps us get in front of the things we need to be in front of as a security organization.
Best wishes on your Security Intelligence journey!