From ongoing threat research, to crowdsourced information, to Big Data analytics, and the list goes on, some security solutions provide mountains of data that are getting higher all the time. And while all of this “intelligence” is important (and potentially overwhelming), enterprises need to take a step back and ask a significant question before they find themselves breached, not after: is the intelligence supplied by our security solution truly actionable?
At first glance, this question may seem redundant. After all, isn’t it a given that security solutions deliver actionable intelligence? The answer is yes and no. Yes, virtually all security solutions deliver actionable intelligence. But no, they do not all provide it to the same extent, level, quality, and degree. And the absolute worst time for an enterprise to discover a gap between what it expected and what it needs is during a cyber attack. That is like learning that the building’s sprinkler system is ineffective — or even worse, broken — during a fire.
With that being said, it is both fair and necessary to highlight that the definition of “actionable intelligence” can differ from vendor to vendor, and this difference can be surprisingly, even shockingly, large. As such, it is up to enterprises to do some digging — proactively, not reactively — and ensure that the intelligence supplied by their current or prospective security solution is truly actionable, and not just an attractive marketing claim.
To that end, here are five questions that enterprises should ask about actionable intelligence now, not later:
1. Can we identify compromised assets within the corporate network, as well as beyond it (i.e. remote employees, third-party vendors, distributed sites, etc.)?
2. Are we able to use indicators of compromise for further analysis?
3. Can we easily retrieve analysis results to get additional insight into network activity?
4. Can we correlate indicators from compromised devices with other security-related events?
5. Can we integrate all of our actionable threat intelligence into our legacy security solutions so that we get the protection we need?
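To make questions 1, 2 and 4 concrete, here is an added illustration (not code from the column, its author, or Seculert) of what "using indicators for further analysis" and "correlating them with other security events" looks like in practice: a handful of indicators of compromise are matched against events from a web proxy, a DNS resolver and an endpoint agent, and every hit is grouped by the asset involved and tagged as inside or outside the corporate network. All indicators, subnets, hostnames and log lines below are constructed placeholders; the field names and log layout are assumptions for the example.

```python
"""Added example: correlate a small IoC set with multi-source security logs.

Everything here is constructed for illustration; the indicator values are
documentation/test-range addresses and dummy hashes, not real IoCs.
"""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict

# Constructed indicators of compromise, keyed by indicator type.
IOCS = {
    "ip": {"203.0.113.45"},              # placeholder C2 address (TEST-NET-3)
    "domain": {"update-check.example"},  # placeholder C2 domain
    "sha256": {"a" * 64},                # placeholder malicious file hash
}

# Constructed view of "inside the corporate network" (question 1): anything
# outside these ranges is treated as a remote employee, vendor or branch host.
CORPORATE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log lines from three sources: proxy, DNS and an endpoint agent (edr).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.1.2.3 dst=203.0.113.45 host=update-check.example",
    "2024-05-01T10:00:05Z dns client=10.1.2.3 query=update-check.example",
    "2024-05-01T10:02:10Z edr hostname=laptop-remote-07 src=198.51.100.22 sha256=" + "a" * 64,
    "2024-05-01T10:03:00Z proxy src=10.1.9.9 dst=93.184.216.34 host=example.com",
    "2024-05-01T10:04:00Z edr hostname=vendor-vpn-01 src=172.16.5.5 sha256=" + "b" * 64,
]

# Which event fields carry which kind of indicator (assumed log schema).
FIELD_TO_IOC_TYPE = (
    ("dst", "ip"),
    ("host", "domain"),
    ("query", "domain"),
    ("sha256", "sha256"),
)

KEY_VALUE = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict[str, str]:
    """Split '<ts> <source> k=v k=v ...' into a flat dict."""
    timestamp, source, rest = line.split(" ", 2)
    event = {"ts": timestamp, "source": source}
    event.update(KEY_VALUE.findall(rest))
    return event


def asset_location(ip: str) -> str:
    """Classify an asset address as 'corporate' or 'remote' (question 1)."""
    addr = ipaddress.ip_address(ip)
    return "corporate" if any(addr in net for net in CORPORATE_NETS) else "remote"


def match_iocs(event: dict[str, str]) -> list[tuple[str, str]]:
    """Return every (indicator_type, value) from IOCS that this event contains (question 2)."""
    hits = []
    for field, ioc_type in FIELD_TO_IOC_TYPE:
        value = event.get(field)
        if value and value in IOCS[ioc_type]:
            hits.append((ioc_type, value))
    return hits


def correlate(lines: list[str]) -> dict[str, dict]:
    """Group indicator hits from all log sources by the asset they involve (question 4).

    Returns {asset_ip: {"location": "corporate"|"remote",
                        "hits": [(log_source, indicator_type, value), ...]}}.
    """
    findings: dict[str, dict] = defaultdict(lambda: {"location": None, "hits": []})
    for line in lines:
        event = parse_event(line)
        asset = event.get("src") or event.get("client")  # proxy/edr use src, dns uses client
        if not asset:
            continue
        for ioc_type, value in match_iocs(event):
            finding = findings[asset]
            finding["location"] = asset_location(asset)
            finding["hits"].append((event["source"], ioc_type, value))
    return dict(findings)


if __name__ == "__main__":
    for asset, finding in correlate(SAMPLE_LOGS).items():
        sources = sorted({source for source, _, _ in finding["hits"]})
        print(f"{asset} ({finding['location']}): {len(finding['hits'])} hits across {sources}")
```

Run as-is, the internal host 10.1.2.3 is flagged by both the proxy and DNS logs for the same indicator, which is the cross-source corroboration question 4 asks for, while the remote laptop at 198.51.100.22 is flagged only by the endpoint agent, which is the kind of beyond-the-perimeter asset question 1 is about. A real deployment would pull the indicator set and the logs from the vendor's feed and the organisation's log pipeline rather than from inline constants.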
Simply put, enterprises should be able to answer an unqualified “yes” to each question, and not settle for anything less. Otherwise, what sounds good in theory will not translate into practice, and enterprises will find themselves scrambling to recover in the aftermath of an attack instead of implementing a swift, accurate, and effective response based on truly actionable intelligence. The former is a risky proposition that threatens to severely, and possibly permanently, damage profits and reputations. The latter, however, is arguably the only way for enterprises to stay safe and keep the bad guys from getting the upper hand.
Aviv Raff is Co-Founder and Chief Technology Officer at Seculert. He is responsible for the fundamental research and design of Seculert’s core technology and brings with him over 10 years of experience in leading software development and security research teams. Prior to Seculert, Aviv established and managed RSA’s FraudAction Research Lab, as well as working as a senior security researcher at Finjan’s Malicious Code Research Center. Before joining Finjan, Aviv led software development teams at Amdocs. He holds a B.A. in Computer Science and Business Management from the Open University (Israel).