The Role of 'Intelligent Security'Using a Combination of Technologies to Detect Threats
Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Many security technologies are very good at detecting known threats so that security professionals can react. But an evolving concept, known as "intelligent security," involves using a combination of technologies to detect both known and unknown threats, helping security professionals become more proactive.
Intelligent security harnesses the power of big data; analytics; security information event management, or SIEM; and other tools to more quickly identify anomalies that could be early signs of bad behavior or immediate threats.
In healthcare and other business sectors, a few pioneering organizations, including OhioHealth and Lake Health, are using intelligent security tools to more quickly sort through mountains of data generated by multiple systems and logs. The technology is helping the organizations to identify the sources and causes of suspicious activity so that problems, ranging from malware to malfunctioning devices, can be addressed before trouble escalates.
Intelligent security aims to close a gap by improving real-time visibility into security threats.
"We're trying to understand attackers better and be able to thwart them by using all the potential security methods out there at our disposal rather than rely on one solution," says Charles Kolodgy, a vice president at the research firm IDC.
Jens Laundrup, principal consultant for the IT security consultancy Emagined Security, notes: "We've become good at catching spam, viruses and worms, and there's been an explosion of technology used in firewalls. Intrusion detection is also good at catching attacks on a network and virtual network. However, all those things put together only get us 95 percent there. The bad guys are getting in [by taking advantage of] the other 5 percent."
Understanding how these threats work and identifying their patterns is important to mitigating them. That requires the use of technologies that, for example, help detect malware and hacking based less on signature and more on anomalies and behavior, Kolodgy says.
"We're all trying to be smarter," Kolodgy says. "There is more layering of security and more layers for discovery."
But more layers of technology don't always mean better security. "We can layer different security, but the problem is that each layer doesn't talk to the next," Laundrup says. "That's where big data analytics help."
While many organizations use a broad spectrum of security technologies, including firewalls, virtual private networks and intrusion detection systems, these systems often are not integrated so they can accurately identify an individual or system that was responsible for malicious behavior.
Intelligent security involves integrating or layering a variety of technologies to look for anomalies in data from multiple sources that help connect the dots to identify security threats.
Healthcare providers are among the organizations implementing intelligent security tools to bolster their ability to proactively address critical security issues.
For example, OhioHealth is using intelligent security technology to more efficiently identify and respond to threats, says Jerry Walters, director of information security at the nine-hospital system in the Columbus region.
OhioHealth is using the QRadar Security Intelligence platform, from Q1 Labs, a unit of IBM. The platform, which includes SIEM tools, helps OhioHealth analyze data from multiple systems, databases and logs, including the organization's servers and firewall as well as Microsoft Active Directory, for signs of events that warrant action, Walters says.
For instance, QRadar has helped OhioHealth flag activity on multiple systems that indicated suspicious communication involving systems outside the U.S.
"We're a regional hospital; we wouldn't communicate outside the borders of the U.S.," Walters says. Based on information from a number of logs, including location of servers, the time of activity and volumes of data flowing, the intelligent security technology helped OhioHealth narrow down and correlate the anomalies to identify, isolate and respond to inappropriate communications with a computer in a foreign country, Walters says.
"It's like finding a virtual needle in a haystack of needles," says Walters of using the technology to sift through mountains of data from multiple systems to identify threats and potential threats that warrant response.
In addition to detecting cyberthreats from outside the U.S., other difficult-to-detect threats that intelligent security technology can help identify include hacktivists, like Anonymous; cybercriminals, including those who steal credit card information; and insider threats, says Joe Goldberg, senior manager of security and compliance at Splunk, a vendor of intelligent security products.
Besides identifying threats, intelligent security technologies also can be used to aid regulatory compliance. That includes adherence to HIPAA in healthcare, says Chris Poulin, a security strategist at IBM.
At Lake Health, which operates two hospitals and several other facilities in the Cleveland area, intelligent security technology is helping the organization improve regulatory compliance while more proactively addressing threats such as intrusions and malware, says Keith Duemling, Lake Health's information security officer.
Lake Health is using Hewlett Packard's HP ArcSight Express to better consolidate and correlate events that are monitored by multiple systems and audit logs. ArcSight Express combines SIEM with log management and user activity monitoring.
The intelligent security technology is helping Lake Health meet patient records access auditing regulatory requirements by providing improved correlated reporting.
If records were accessed by an unauthorized person, leading to a breach of information, Duemling says he's confident that his organization could present investigators with proof of the organization's diligent auditing of systems access.
Lake Health's ArcSight Express implementation provides a centralized monitoring of events that gives a correlated view of audit logs from infrastructure technology, firewall, Window servers, intrusion detection, antiviral and other systems, Duemling says.
The tools provide Duemling and his team with more consolidated "situational awareness" that would've otherwise required several staffers to audit multiple logs and systems, he says.
In fact, Lake Health would likely have had to eventually double the number of staff involved with monitoring data security logs and systems because so much more information is being generated as the healthcare organization rolls out electronic health records and other systems, Duemling says.
ArcSight Express enables Lake Health to create custom reports from multiple systems within minutes, compared to the several hours that it used to take to build a custom report from multiple logs.
One example of the kind of chore that ArcSight Express has enabled Lake Health to perform more efficiently involved identifying why a user had difficulty logging into a system every Monday. By monitoring system activity over a 48-hour period and running a custom report, Lake Health was able to identify the problem as a misconfigured wireless card. But a malware issue could have easily been identified as the cause with help from ArcSight Express, he says.
The intelligent security technology enables Lake Health to be more proactive in catching problems sooner, such as being able to identify the cause of trouble when the first user calls into the help desk with a complaint before a problem escalates.
In the coming months, Lake Health also will integrate additional devices and systems to ArcSight, including medical devices, such as wireless insulin pumps. "Most medical devices have Windows and are really a computer in a custom shell," he says. "This makes them vulnerable to worms and malware."
The intelligent security technology will help Lake Health identify medical device anomalies that are caused by malware or more mundane problems, including malfunctioning components, Duemling says.
Splunk's Goldberg says big data analysis can also help identify anomalies by looking at employees' typical work patterns. That could include analysis of data generated by employee badges.
"If an employee is in San Francisco at 9 a.m., and then at 10 a.m. they're accessing data from a server in Sydney, that could be signs of a stolen credential," he says.
But even if intelligent security tools can provide insight into anomalies that could indicate possible threats, those findings still need to be followed up by security professionals.
"I can throw money at security technologies all day long, but you need to make sure you take care of the people," Laundrup says. Organizations must provide staff with the training and resources needed to take advantage of these tools to follow up on alerts indicating that something is suspicious, he says.