04/09/2013 04:07 pm ET Updated Jun 09, 2013

Do You Have a Cyber Intelligence Plan?

Do you have a Cyber intelligence plan? That's the question IT Security Managers should be asking themselves these days. The threat landscape has changed from noisy, messy worm attacks to stealthy, sophisticated, state-funded attacks, with major organizations such as Google, Microsoft, Apple, The New York Times, and our government as victims.

Our enemies know people are vulnerable, so they send virus-laden file attachments and links to infected websites for people to click. The result is an infestation of malicious software that gives command and control of an employee's computer to an attacker sitting in China or another country where no laws apply. Depending on who was compromised at your company and their level of access, the world becomes the attacker's oyster, and given enough time, if the attacker is not stopped, this can significantly impact the confidentiality, integrity and availability of your company's most precious assets.

What can we do to reduce our greatest area of risk -- people?

As part of your intelligence program to improve security, capturing and understanding your employees' computer and Internet behaviors or habits will play a valuable role in reducing risk long term. Of course, it shouldn't be the only area you focus your intelligence gathering on; it should be one component of your Cyber intelligence plan. It should produce valuable intelligence that will aid in delivering accurate security awareness and education to your user community.

A good intelligence program consistently improves your company's Cyber security plan through reliable, accurate and timely information. That information must then be parsed and pulled together in some format to formulate a consistent security metrics program that reflects the value of your security investments. It should show how your defense model is actually protecting your company, your people, your customers and your partners.

What are some of the best ways to build a Cyber intelligence program?

Build a strong, centralized, scalable foundation for collecting security intelligence.

The Merriam-Webster Dictionary defines intelligence as "the ability to learn or understand or to deal with new or trying situations." The best way to learn and understand what new or trying situations (threats, risks and vulnerabilities) impact the confidentiality, integrity and availability of your company's information and information systems is to identify and procure a robust security incident and event management (SIEM) solution. This solution can be outsourced, or purchased and managed internally by your IT Security Team. The solution you choose must be scalable, with enough horsepower and smarts to correlate all your security log data and produce reliable and timely incident information. The more systems you can collect security-relevant information from (again, those that have value), the more robust your intelligence program and your user awareness and education program will be. There's a cost to collecting data, and that's where we need to be careful. Don't throw everything and the kitchen sink at your SIEM solution just for the heck of it. Ask yourself, "Will these logs provide value?" If they won't, toss them out. Don't rush your data collection strategy. Communicate the value of your Cyber defense strategy across IT for the life of your Cyber intelligence program. Make everyone part of your strategy to protect your business. The more the merrier.

Should You Outsource It?

If you have a large enough team with the experience, knowledge and capabilities to do this internally, go for it, but let me remind you it is a full-time job. Depending on the size of your organization, you may need to dip into the budget and spend money on full-time employees (FTEs) who can manage and maintain a SIEM solution and who have the skill set to perform raw log analysis -- protocol/traffic and system log analysis. You'll have to weigh those costs carefully.

Outsourcing is a cost-effective alternative to doing it in-house. There are a number of companies like Symantec and Dell SecureWorks that offer these services at about 50 percent less than it would cost you to do internally. Their services are broad and cover everything from device management, monitoring, and incident and event management and response to forensics services, guidance and risk assessment services. They can also act as an extension of your security team, collaborating with you and your team on new ideas and answering questions.

Making Information Actionable

Once your foundation is in place, you can begin collecting security log data. Here are five types of systems you'll want to think about collecting security log (event) information from:

  1. All your firewalls
  2. All your intrusion prevention/detection systems
  3. All your Domain Controllers
  4. All your business critical systems that reside in the DMZ
  5. All your business critical systems that reside internally

Responding to Incidents

Once you have all your systems sending log data to your "Cyber Intelligence Platform," you'll want to begin generating reports from the events and incidents it produces. Start trending activity and share it with your team and your C-level executives. There are two other programs I will talk about in upcoming blogs: "Developing a Security Metrics Program," and "Developing a Security Awareness and Education Program."