The Transformation from Analytics to Security Intelligence

Firosh Ummer
By Firosh Ummer

July 2, 2015


the concept of  thinking.background with brain.the file is saved in AI10 EPS version. This illustration contains a transparency. Threat Intelligence


With the rapid rise of technology and integration of the internet into almost every facet of conducting business, change is something every CISO has to embrace. There is far too much data that an organization has to sort through and filter to successfully prevent online attacks. Even if a company has the ability to analyze large volumes of data, true threat detection and prevention requires analyzing data over long time periods to detect low and slow attacks. When looking for outliers, signature-based reporting is inadequate. Beyond that, it’s essential to understand that the day and age of simple security analytics is gone, paving the way for security intelligence. Think of your whole modus operandi changing from reactive resistance to proactive threat detection & elimination.

Evolving Threat Landscape

What we are now seeing are sophisticated attacks that are driven by geo-political issues, hacktivists, and financial motivation. The scale, funding, and technical complexity of these attacks are high, which is why even large conglomerates and governmental entities are seeing their systems being compromised. The surprising aspect is that such companies and government institutions use the latest and greatest security technologies to thwart online threats, yet they are compromised.

What Is Security Intelligence?

But before I jump into how this transformation has come about, let’s take a quick primer on what security intelligence is. In my opinion, security intelligence is not just gathering, but also closely evaluating large volumes of logs/events created by servers, applications, and network & security devices to detect unusual patterns. These “unusual patterns” are further investigated to detect potential breaches in your IT environment.

Making Sense of Large Data Volume

As loads and loads of data is gathered through these logs and events, human actions and decisions taken on a specific log or event can be recorded and learned by the machine or intelligence engine. This allows it to weed out false positives from the large volume of data. Consequently, threat detection can be carried out without the presence of a human being and at the same time, is much more effective in eliminating malicious activity.

From Caterpillar to Butterfly

The truth of the matter is that your system(s) may already have been breached. Nine out of ten times the evidence is in plain sight, but companies are unable to find a solution because they don’t have the ability to perceptively correlate and assess information. This is why I think that gathering data from all relevant devices and systems in your network is the first step. You then have to normalize it so you can compare apples to apples. Once this is done, you can apply whatever analytics you have in your possession to convert this whole process into security intelligence. No longer are you using stale information that was applicable days, weeks, months or even years ago. You now have real-time information which helps you enhance security and improve threat discovery.

Exponential Growth in Security Systems

You may ask why I titled this blog “The Transformation from Analytics to Security Intelligence” and yet, I just stated above that you apply existing analytics to get to intelligence security. You see, simple analytics and reporting was helpful at one point in time, when the volume of logs collected was at a relatively manageable level. With the exponential growth of security systems being used at enterprises and the increasing requirements of business applications for monitoring purposes, the sheer amount of data that has to be analyzed has gone up the roof.

Protecting Your Assets

Truthfully, it’s far beyond what a lot of small to medium businesses can handle. In today’s corporate environment, you have to be poised to secure your intellectual property, data, and IT assets from internal and external threats. At the same time you must maintain efficient and reliable business operations. Therefore, security intelligence is an integral aspect of protecting your company, its reputation & longevity, and your brand. This can only be done by gathering and examining comprehensive data that is generated across the organization.

Method of Attack Has Changed, so Should You

Today’s attacks are highly sophisticated and happen at a relatively slow pace. Due to this slower speed of attack, a log is never generated because the system doesn’t evaluate and report it as a critical event to analysts at the security operations center. To prevent this from happening, the managed security services team has to go through large volumes of data and analyze it by using statistical and mathematical models to root out potential security breaches.

Comprehensive and Actionable Insight

While a good way to start is by gathering and analyzing all relevant data contained within your network, keep in mind that data in the form of query results, events, or logs on its own is worthless. Companies receive overload alerts on a regular basis because of such data. Security intelligence allows you to interpret the data and use it to swiftly identify and remediate specific incidents.

What Should You Be Doing

So, one thing we can definitely learn from all this is that it isn’t about having a specific technology implemented, rather, it’s about better surveillance and monitoring, coupled with security intelligence and efficient technology controls. As long as these aspects are used in unison, you have a better chance of surviving online threats, whether they come from within the company or from outside.


About the Author

Firosh Ummer, co-founder and Director, heads Paladion's Consulting practice. Firosh is the co-author of "Application Security in the ISO 27001 Environment" published by IT Governance of UK. Firosh has been invited to speak at multiple conferences, most recently the "Securing eGovernance" conference in the Middle East. He was also an instructor for SANS courses in India.

Tags: Uncategorized


Firosh Ummer