Security Intelligence

  1. Introduction to Security Intelligence:

    • IBM introduced the term "security intelligence" to stress that security data, like business data (e.g., marketing data), yields value only when it is analyzed rather than merely stored.

    • The goal is to provide actionable insights that reduce risk and operational effort for any organization.

  2. Data Collected for Security Intelligence:

    • Security intelligence solutions gather data including:

      • Logs

      • Events

      • Network flows

      • User identities and activities

      • Asset profiles and locations

      • Vulnerabilities

      • Asset configurations

      • External threat data

  3. Characteristics of Security Intelligence:

    • Advanced Analytics:

      • Security intelligence collects, normalizes, and correlates large volumes of data so that the small number of issues needing immediate attention stands out from the noise.

    • Iterative Process:

      • The process continuously tunes analytics and rules, eliminating false positives and refining incident detection.

  4. Core Security Intelligence Solutions:

    • Risk Manager, Vulnerability Manager, and Incident Forensics:

      • These tools improve accuracy and context throughout the security event timeline, from detection to remediation.

    • Security Information and Event Management (SIEM) Engine:

      • Central to improving security visibility and response.

  5. Three Pillars of Effective Threat Detection:

    • Visibility:

      • Centralizing data from all environments (on-premises, cloud, operational) to gain a comprehensive view of the security state.

    • Automation:

      • Automating insights with analytics to prioritize critical threats.

    • Proactivity:

      • Shifting from reactive to proactive threat hunting, enabling faster response and continuous improvement.
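
    The pipeline sketched in sections 2, 3 and 5 (collect heterogeneous data, normalize it to one schema, correlate it with a rule, enrich with asset context, prioritize, then tune out false positives) is shown below as a miniature SIEM in Python. This is an added illustration, not code from the page or from IBM's products; the log lines, hostnames, addresses, the 4624/4625-style key=value format, the asset profiles and the allowlisted scanner address are all constructed for the example.

```python
"""Miniature SIEM: normalize -> correlate -> enrich/prioritize -> tune (constructed example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: sshd syslog lines and Windows-style key=value logon events.
# Hosts (web01, dc01) and addresses (203.0.113.7, 198.51.100.9) are hypothetical.
RAW_LOGS = [
    "2024-03-01T10:00:01Z web01 sshd[811]: Failed password for root from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:03Z web01 sshd[811]: Failed password for root from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:04Z web01 sshd[811]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "EventID=4625 TimeCreated=2024-03-01T10:00:05Z Computer=dc01 TargetUserName=admin IpAddress=203.0.113.7",
    "EventID=4625 TimeCreated=2024-03-01T10:00:06Z Computer=dc01 TargetUserName=admin IpAddress=203.0.113.7",
    "EventID=4624 TimeCreated=2024-03-01T10:00:09Z Computer=dc01 TargetUserName=admin IpAddress=203.0.113.7",
    "2024-03-01T10:01:00Z web01 sshd[813]: Failed password for svc from 198.51.100.9 port 40000 ssh2",
    "2024-03-01T10:01:02Z web01 sshd[813]: Failed password for svc from 198.51.100.9 port 40001 ssh2",
    "2024-03-01T10:01:04Z web01 sshd[813]: Failed password for svc from 198.51.100.9 port 40002 ssh2",
]

# Constructed asset profiles (section 2: asset profiles, configurations, vulnerabilities).
ASSETS = {
    "web01": {"criticality": 3, "vulns": ["weak-ssh-ciphers"]},
    "dc01": {"criticality": 5, "vulns": []},
}

SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)
WIN_OUTCOME = {"4625": "failure", "4624": "success"}


def _parse_ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def normalize(line):
    """Map one raw line onto the common event schema; None if no parser matches."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": _parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "src_ip": m["src_ip"], "source": "sshd",
                "outcome": "failure" if m["outcome"] == "Failed" else "success"}
    if line.startswith("EventID="):
        kv = dict(field.split("=", 1) for field in line.split())
        outcome = WIN_OUTCOME.get(kv["EventID"])
        if outcome is None:
            return None  # logon event types this example does not model
        return {"ts": _parse_ts(kv["TimeCreated"]), "host": kv["Computer"],
                "user": kv["TargetUserName"], "src_ip": kv["IpAddress"],
                "source": "windows-security", "outcome": outcome}
    return None


def brute_force_offenses(events, threshold=3, window=timedelta(minutes=5), allowlist=frozenset()):
    """Correlation rule: >= threshold failed logons from one source IP inside `window`.
    A later success from the same IP escalates the offense from 'attempt' to 'compromise'.
    Priority = base severity x criticality of the most critical host touched.
    Source IPs in `allowlist` (e.g. an authorized scanner) are tuned out as false positives."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["src_ip"]].append(ev)
    offenses = []
    for ip, evs in by_ip.items():
        if ip in allowlist:
            continue
        failures = [e for e in evs if e["outcome"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            burst = failures[i:i + threshold]
            if burst[-1]["ts"] - burst[0]["ts"] > window:
                continue
            successes = [e for e in evs if e["outcome"] == "success" and e["ts"] > burst[-1]["ts"]]
            hosts = sorted({e["host"] for e in burst} | {e["host"] for e in successes})
            crit = max(ASSETS.get(h, {"criticality": 1})["criticality"] for h in hosts)
            offenses.append({
                "src_ip": ip,
                "kind": "compromise" if successes else "attempt",
                "hosts": hosts,
                "priority": (8 if successes else 4) * crit,
                "context": {h: ASSETS.get(h, {}).get("vulns", []) for h in hosts},
            })
            break  # one offense per source IP; a real SIEM would update it with later hits
    return offenses


def run(allowlist=frozenset()):
    """Normalize the constructed logs and return the prioritized offenses, highest first."""
    events = [e for e in (normalize(line) for line in RAW_LOGS) if e is not None]
    return sorted(brute_force_offenses(events, allowlist=allowlist),
                  key=lambda o: o["priority"], reverse=True)


if __name__ == "__main__":
    for label, al in (("untuned", frozenset()), ("tuned", frozenset({"198.51.100.9"}))):
        print(label)
        for off in run(al):
            print(f"  {off['src_ip']:14} {off['kind']:10} prio={off['priority']:3} hosts={off['hosts']}")
```

    Untuned, the rule raises two offenses: the attacker address that failed on web01, then succeeded against the higher-criticality dc01 (priority 40, kind "compromise"), and the hypothetical scanner (priority 12, kind "attempt"). Adding the scanner to the allowlist is the iterative tuning step from section 3: the second offense disappears while the real one keeps its priority.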

  6. Security Effectiveness Report 2020:

    • Reveals that many companies mistakenly believe their security investments are effective, while undetected breaches remain common.

    • Highlights the importance of combining security effectiveness with financial impact insights.

  7. Key Takeaways from SANS Report:

    • Visibility: A major concern, especially regarding privileged user and credential abuse.

    • Incident Sources: Endpoint alerts and network access devices are top sources of incident information.

    • Hybrid Environments: Organizations often operate a mix of on-premises and cloud environments, necessitating security intelligence solutions that cover both.

  8. Conclusion:

    • Security intelligence is essential for gaining insights across the security event timeline, enabling organizations to detect threats, respond faster, and continuously improve their defenses.
