Security Intelligence is the process of collecting security-relevant data and applying the knowledge, creativity, and skill of the security team to derive business value from it. Most organizations now have to be concerned with two types of threats. ‘Known threats’ are the ones reported by signature- and rule-based systems such as anti-virus, IDS/IPS, firewalls, and security information and event management (SIEM) systems. The other kind is the ‘unknown threat.’
Monitoring Unknown Threats
Unknown threats show up as abnormal patterns in ‘normal’ IT data. Normal IT data is generated by the use of the enabling services that people rely on every day; it reflects human-to-machine and machine-to-machine interactions and activities. Our normal activities include badging into the building, browsing the web, obtaining an IP address from a DHCP server, resolving names with DNS, connecting over VPN, sending email, and accessing enterprise applications and company information. It is inside this normal activity that attackers try to hide their own.
Patterns of human activity seen in this data follow business patterns and fall within expected parameters of time and location. Splunk can be set to monitor for thresholds and outliers in this data that can reveal stealthy malware activity, for example a host that suddenly makes far more DNS queries than its own history predicts, or a badge-in at an hour that employee never works. Splunk’s search language supports threat-scenario-based thinking that lets the security professional ask any question of the data, ultimately hunting for ‘unknown threats.’ Applying this strategy to monitoring the enterprise’s most critical data assets is a risk-based approach aligned with business goals and objectives.
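The threshold-and-outlier idea above, as an added example in Python rather than Splunk's own code or anything from the original post. The DNS log lines, the host names ws-01 and ws-02 and the domain names are constructed for the example. It counts queries per host per hour, then scores each hour against that host's own baseline two ways: the classic mean + 3·stdev, and the robust median + 3·MAD. The comparison is the point: a single large burst inflates its own standard deviation enough to slip under the mean-based threshold, while the median-based one catches it.

```python
"""Baseline-and-outlier detection over per-host DNS query volume.

Added example (not Splunk's code). Builds a constructed DNS log, counts
queries per host per hour, and flags hours that exceed the host's own
baseline, comparing mean + z*stdev with the robust median + z*MAD.
"""
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_logs():
    """Constructed log lines, format: '<ISO timestamp> <host> <query name>'.

    Two workstations make a steady 18-22 queries/hour from 08:00 to 16:00.
    In the 09:00 hour ws-02 additionally issues 400 queries to unique
    subdomains of one domain, the shape a DNS-tunnelling client leaves.
    """
    lines = []
    start = datetime(2024, 3, 4, 8, 0, 0)
    for hour in range(9):
        bucket = start + timedelta(hours=hour)
        for host in ("ws-01", "ws-02"):
            n = 18 + (hour + int(host[-1])) % 5      # mild hour-to-hour variation
            for i in range(n):
                ts = bucket + timedelta(minutes=(i * 60) // n)
                lines.append(f"{ts.isoformat()} {host} www.example.com")
    burst = start + timedelta(hours=1)               # the 09:00 hour
    for i in range(400):
        ts = burst + timedelta(seconds=i * 9)
        lines.append(f"{ts.isoformat()} ws-02 {i:04x}.cdn-update.example.net")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, host, query name)."""
    ts, host, qname = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, qname


def hourly_counts(lines):
    """Return {host: {'YYYY-MM-DDTHH': query count}}, i.e. one count per host per hour."""
    counts = defaultdict(Counter)
    for line in lines:
        ts, host, _ = parse_line(line)
        counts[host][ts.strftime("%Y-%m-%dT%H")] += 1
    return counts


def threshold_mean(values, z):
    """Classic baseline: mean + z * population stdev (stdev floored at 1 so a flat baseline is not hair-trigger)."""
    return statistics.mean(values) + z * max(statistics.pstdev(values), 1.0)


def threshold_robust(values, z):
    """Robust baseline: median + z * 1.4826 * MAD (1.4826 scales MAD to stdev for normal data)."""
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    return med + z * 1.4826 * max(mad, 1.0)


def find_outliers(counts, threshold_fn, z=3.0, min_buckets=4):
    """Flag (host, hour, count) where count exceeds the host's own baseline.

    Each host is compared only against its own history: a server and a
    workstation have different normals. Hosts with fewer than min_buckets
    hours of history are skipped rather than scored on a meaningless baseline.
    """
    flagged = []
    for host, buckets in sorted(counts.items()):
        values = list(buckets.values())
        if len(values) < min_buckets:
            continue
        limit = threshold_fn(values, z)
        for hour, count in sorted(buckets.items()):
            if count > limit:
                flagged.append((host, hour, count))
    return flagged


if __name__ == "__main__":
    counts = hourly_counts(build_sample_logs())
    print("mean + 3*sd  :", find_outliers(counts, threshold_mean))    # [] : the burst inflates its own baseline
    print("median + 3*MAD:", find_outliers(counts, threshold_robust))  # [('ws-02', '2024-03-04T09', 421)]
```

The same shape in SPL is `... | bin _time span=1h | stats count by host, _time | eventstats median(count) as med by host | where count > 3*med` (or `avg`/`stdev` in place of `median`); whichever statistic is used, the baseline window should be long enough, and ideally computed over history that excludes the hour being scored, so that the event under test cannot hide inside its own baseline.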
Supporting the Security Intelligence Analyst
Security Intelligence solutions move beyond the traditional SIEM use cases of canned reports, dashboards, and monitoring for known threats, and support the Security Intelligence analyst’s need to explore data and find abnormal activity patterns in massive amounts of normal data. Splunk supports the newest role in security: the Security Intelligence Analyst.