Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Many security technologies are very good at detecting known threats so that security professionals can react. But an evolving concept, known as "intelligent security," involves using a combination of technologies to detect both known and unknown threats, helping security professionals become more proactive.
Intelligent security harnesses the power of big data; analytics; security information event management, or SIEM; and other tools to more quickly identify anomalies that could be early signs of bad behavior or immediate threats.
In healthcare and other business sectors, a few pioneering organizations, including OhioHealth and Lake Health, are using intelligent security tools to more quickly sort through mountains of data generated by multiple systems and logs. The technology is helping the organizations to identify the sources and causes of suspicious activity so that problems, ranging from malware to malfunctioning devices, can be addressed before trouble escalates.
Intelligent security aims to close a gap by improving real-time visibility into security threats.
"We're trying to understand attackers better and be able to thwart them by using all the potential security methods out there at our disposal rather than rely on one solution," says Charles Kolodgy, a vice president at the research firm IDC.
Jens Laundrup, principal consultant for the IT security consultancy Emagined Security, notes: "We've become good at catching spam, viruses and worms, and there's been an explosion of technology used in firewalls. Intrusion detection is also good at catching attacks on a network and virtual network. However, all those things put together only get us 95 percent there. The bad guys are getting in [by taking advantage of] the other 5 percent."
Understanding how these threats work and identifying their patterns is important to mitigating them. That requires the use of technologies that, for example, help detect malware and hacking based less on signature and more on anomalies and behavior, Kolodgy says.
"We're all trying to be smarter," Kolodgy says. "There is more layering of security and more layers for discovery."
But more layers of technology don't always mean better security. "We can layer different security, but the problem is that each layer doesn't talk to the next," Laundrup says. "That's where big data analytics help."
While many organizations use a broad spectrum of security technologies, including firewalls, virtual private networks and intrusion detection systems, these systems often are not integrated in a way that lets them accurately identify the individual or system responsible for malicious behavior.
Intelligent security involves integrating or layering a variety of technologies to look for anomalies across data from multiple sources, connecting the dots to identify security threats.
Healthcare providers are among the organizations implementing intelligent security tools to bolster their ability to proactively address critical security issues.
For example, OhioHealth is using intelligent security technology to more efficiently identify and respond to threats, says Jerry Walters, director of information security at the nine-hospital system in the Columbus region.
OhioHealth is using the QRadar Security Intelligence platform, from Q1 Labs, a unit of IBM. The platform, which includes SIEM tools, helps OhioHealth analyze data from multiple systems, databases and logs, including the organization's servers and firewall as well as Microsoft Active Directory, for signs of events that warrant action, Walters says.
For instance, QRadar has helped OhioHealth flag activity on multiple systems that indicated suspicious communication involving systems outside the U.S.
"We're a regional hospital; we wouldn't communicate outside the borders of the U.S.," Walters says. Based on information from a number of logs, including the location of servers, the time of activity and the volume of data flowing, the intelligent security technology helped OhioHealth narrow down and correlate the anomalies to identify, isolate and respond to inappropriate communications with a computer in a foreign country, Walters says.
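The kind of correlation Walters describes, as an added example that is not OhioHealth's or QRadar's own logic: a small Python script scores constructed outbound flow records on destination country, time of day and bytes transferred, then reports source/destination pairs whose flows together trip more than one signal. The record format, the country lookup table and the thresholds are all constructed for illustration.

```python
# Added example: correlate flow records on destination country, time of day
# and bytes transferred to surface outbound anomalies (constructed data).
from collections import defaultdict
from datetime import datetime

# Constructed flow records: (timestamp, src_host, dst_ip, bytes_out).
FLOWS = [
    ("2013-02-11T10:15:00", "ehr-app01", "198.51.100.7", 20_000),
    ("2013-02-11T02:40:00", "ehr-app01", "203.0.113.9", 850_000_000),
    ("2013-02-11T02:45:00", "ehr-app01", "203.0.113.9", 900_000_000),
    ("2013-02-11T03:05:00", "lab-db02", "203.0.113.9", 400_000_000),
    ("2013-02-11T14:00:00", "hr-web03", "192.0.2.15", 1_200_000),
]

# Constructed stand-in for a GeoIP lookup (TEST-NET addresses, not real geodata).
GEO = {"198.51.100.7": "US", "203.0.113.9": "XX", "192.0.2.15": "US"}

HOME_COUNTRY = "US"           # a regional hospital expects no foreign traffic
BUSINESS_HOURS = range(7, 19)  # 07:00 - 18:59 local
LARGE_TRANSFER = 100_000_000   # bytes in a single flow

def score_flow(ts, dst_ip, nbytes):
    """Return the independent signals that this one flow trips."""
    signals = []
    if GEO.get(dst_ip, "??") != HOME_COUNTRY:
        signals.append("foreign_destination")
    if datetime.fromisoformat(ts).hour not in BUSINESS_HOURS:
        signals.append("off_hours")
    if nbytes >= LARGE_TRANSFER:
        signals.append("large_transfer")
    return signals

def correlate(flows, min_signals=2):
    """Group flows by (src, dst); keep pairs whose flows together trip at
    least min_signals distinct signals, with byte and flow totals for context."""
    findings = {}
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in flows:
        by_pair[(src, dst)].append((ts, nbytes))
    for (src, dst), recs in by_pair.items():
        hits = {s for ts, nb in recs for s in score_flow(ts, dst, nb)}
        if len(hits) >= min_signals:
            findings[(src, dst)] = {"signals": sorted(hits),
                                    "total_bytes": sum(nb for _, nb in recs),
                                    "flows": len(recs)}
    return findings

if __name__ == "__main__":
    for pair, info in correlate(FLOWS).items():
        print(pair, info)
```

A single signal on its own (one large backup job, one late-night patch window) is not reported; only the pairs that combine geography, timing and volume surface, which is the narrowing-down the article attributes to the tooling.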