Actionable Security Intelligence: Using Integrated Data to Turn the Tide of Cyber War

Turn the Tide of Cyber War

Today’s threat landscape can overwhelm even the most mature IT security organizations. The traditional network perimeter has dissolved; companies now face the task of securing highly virtualized IT environments, and conventional security defenses were not designed to deal with threats associated with cloud, mobile and social computing.

Cyber war—which was not even part of our lexicon a few years ago—has become a reality. The Pentagon has designated cyber space as the fifth domain of warfare (after land, sea, air and space), and enterprises are under attack. Systematic cyber espionage and data theft is being perpetrated against organizations around the world. Apple, Facebook, the New York Times, the Wall Street Journal and Twitter are among those that have recently come forward to report security breaches. Highlighting the extent of the problem, Dmitri Alperovitch, McAfee’s former vice president for threat research, said, “I divide the entire set of Fortune Global 2000 firms into two categories: those that know they’ve been compromised, and those that don’t yet know.”

Many attacks come in the form of advanced persistent threats (APTs) that can remain undetected for months, or even years. And when they are detected, it can be difficult to effectively contain them and determine how the breach occurred, and what information may have been compromised.

During an interview with Smithsonian magazine, Richard Clarke—White House counter-terrorism and security advisor to U.S. Presidents George H.W. Bush, Bill Clinton and George W. Bush—said, “My biggest fear is that rather than having a cyber-Pearl Harbor event, we will instead have this death of a thousand cuts, where we lose our competitiveness by having all of our research and development stolen by the Chinese. And we never really see the single event that makes us do something about it. That it’s always just below our pain threshold. That company after company in the United States spends millions, hundreds of millions, in some cases billions of dollars on R&D and that information goes free to China….after a while, you can’t compete.”

Despite the escalating sophistication of cyber attacks, many companies are still trying to protect themselves with out-of-date approaches. In a recent study conducted by ISACA, an international security association, 63 percent of the 1,500 security professionals surveyed reported believing that it is only a matter of time before they fall victim to an APT, and one in five already had. However, more than 90 percent also reported that they are relying on antivirus and/or traditional network perimeter technologies to thwart the attacks. This is somewhat astonishing when you consider that Symantec—the world’s largest antivirus-software manufacturer—has publicly stated “antivirus software alone is not enough.”

The majority of successful cyber attacks are effectively zero-day, exploiting unknown software vulnerabilities. They can easily evade “set it and forget it” prevention-based tool sets that block potential threats based on signatures and known patterns of behavior.

The traditional strategy of waiting for an attack is no longer enough. Protecting data in today’s complex threat environment requires an active approach to enterprise security that may be best summed up by a simple 16th-century axiom—knowledge is power.

As Art Coviello, executive chairman of EMC's RSA security division, said during his keynote speech at the 2013 RSA Security Conference:

"Many organizations have not been able to access the critical information they need to combat potential threats."

Too Much Information, Not Enough Intelligence

The issue that many enterprises face is not so much a lack of data to act upon, but having information without knowing how to process it in a way that is useful from a security perspective. Comprehensive insight into log files and output from applications and various security, network, server, and storage devices is difficult to achieve. Much of the data that is collected exists in separate repositories that are not integrated. And a lot of it may be considered "garbage data" from a security standpoint.

Currently available security information and event management (SIEM) tools allow companies to aggregate huge amounts of data from multiple security devices and bring it all into one system. However, they are only as effective as the environments they are installed in and the people that maintain them. Staff may not have the necessary skills or processes in place for analyzing and correlating data in a way that allows for the identification of precursor hacking activity or active intrusions.

Additionally, most IT security organizations focus on internal, security-only events. They are not looking at all of the events generated that could provide relevant insight. Gaining the context needed to effectively identify risks and stop potential breaches requires the analysis of security-related information from both internal IT environments and external sources such as Internet and social media activities.

“It’s past time for us to disenthrall ourselves from the reactive and perimeter-based security dogmas of the past and speed adoption of intelligence-driven security,” said Coviello. “Organizations must be able to gain full visibility into all data—structured and unstructured, internal and external.”

Making Sense of the Senseless

Enterprises are flooded with data of all types, accumulating terabytes—or even petabytes—of information. It's one thing to collect it; it's another thing entirely to make sense of it. Security systems can generate a virtual tsunami of information. An average firewall, for example, can produce more than 500,000 messages per day. Without a comprehensive view, this can overwhelm IT staff and lead to mistakes in interpretation. Multi-vendor, multi-device security and IT environments can add to the information overload.

Many organizations—even those that have carefully developed their security programs—are finding themselves in the frustrating and dangerous position of having so much information that they cannot effectively interpret what it is telling them.

To make matters worse, many sources of security-related information are not being used in security operations because they are considered to be too big or too variable (e.g., big data). Nevertheless, organizations must find a way to effectively gather the data they need and convert it into comprehensive reports that can verify the security of their networks in order to meet the burden of compliance with regulations such as the Sarbanes-Oxley Act (SOX), Payment Card Industry Data Security Standards (PCI DSS), and the Health Insurance Portability and Accountability Act (HIPAA). Failure to do so can result in hundreds of thousands of dollars in fines, and the dedication of significant resources to bring the network into compliance.

So how can companies sort through massive amounts of data and gain the insight they need to maintain compliance and protect their clients, their business partners and themselves?

Transform Your Data

The security industry is responding to cyber attacks with rapid innovation. Emerging big data security analytics solutions (see “What is Big Data Security?”) feature new storage and processing technologies designed specifically for large data volumes. The goal of these systems is to combine network monitoring, traditional log-centric SIEM, forensics, compliance, and big data management and analytics to enable intelligence-driven threat detection and faster security investigations. By taking advantage of a huge volume and wide scope of data, much of which is already available in the enterprise, they can help provide the context and visibility to enable real-time insight—a persistent stare—into events that spring not only from traditional IT environments, but also from mobile, social media, cloud and Internet activities.

What is Big Data Security? Big data security is an emerging field that focuses on discovering threats by collecting and analyzing big data—data sets that are too large, too unrefined, or too fast-changing for analysis using relational or multidimensional database techniques—that has typically not been used for security analysis in the past. Several security companies are now offering products in this space in order to provide a more complete view of security events, and to facilitate intelligence-driven security strategies.

The idea behind these platforms is similar to the creation of U.S. Army Task Force ODIN (short for observe, detect, identify and neutralize) in the fight against improvised explosive devices (IEDs) in Iraq and Afghanistan.

In 2006, the war in Iraq was evolving into a conflict with the roadside bomb. Insurgents had discovered an effective way around U.S. defenses, and were attacking U.S.-led coalition forces with IEDs. Thousands of tons of munitions left in former Iraqi Republican Guard garrisons and other sites after the 2003 invasion offered the attackers a virtually endless supply of explosives. "The entire country was one big ammo dump," former Defense Secretary Robert M. Gates observed. "It's a huge, huge problem."

In just three months in Iraq, American-led coalition forces faced more IEDs than British troops encountered during 30-plus years of conflict in Northern Ireland. By 2006, they had been the cause of nearly two-thirds of the combat deaths in Iraq, and an even higher proportion of battle wounds. Many present-day security professionals can surely sympathize with the sentiment expressed by the Army's operations chief at the time: 

"The problem is getting out of control. We've got to stop the bleeding." — Lt. Gen. Richard A. Cody, U.S. Army (Retired)

For years, the counter-IED effort was defensive, reactive and inadequate. Billions of dollars were poured into various bomb-busting techniques and countermeasures, but the casualties continued to mount.

Task Force ODIN—a specialized anti-insurgency aviation battalion that combats IEDs with intelligence—was a dramatic step in the right direction. Still operating in Afghanistan today, it was initially deployed to Camp Speicher in Northern Iraq in August of 2006 to conduct reconnaissance, surveillance and target acquisition (RSTA) operations to fight back against the operators of IEDs.

Observe, Detect, Identify and Neutralize

ODIN coordinates fixed-wing assets—including unmanned General Atomics Warrior drones and specially modified airplanes—with attack helicopters such as the Boeing AH-64 Apache into a “persistent stare,” allowing combat commanders to stealthily observe insurgents as they scout locations for IEDs.

The ODIN methodology can be applied to IT security with big data analytics tools:

Observe

Task Force ODIN: Using wide-angle video cameras and radar, piloted planes conduct high reconnaissance—flying unobserved at high altitudes for extended periods of time—looking for anything unusual taking place on or near the roads. This enables the task force to establish a baseline for normal activity.

Security Analytics Tools: They capture large amounts of diverse data types from various applications and devices—which can then be normalized for use by analytics engines—while continuously monitoring and recording all network activity. This enables analysts to establish a baseline for normal behavior, so that anomalous behavior can be detected.

Detect

Task Force ODIN: When suspicious activity—such as the appearance of people digging in an area where no new infrastructure is being placed—is detected, an unmanned drone is sent in for a closer look.

Security Analytics Tools: They send and receive information from third parties and external threat intelligence feeds combined with analysis of internally collected security data. Using anomaly-based algorithms, they detect changes in how individual or groups of hosts interact with one another on a network. They automatically alert to suspicious behavior, enabling analysts to take a closer look and detect potential threats that can elude traditional tools.

Identify

Task Force ODIN: Mission data is continuously pushed to signals, imagery and intelligence analysts. Analysts and task force commanders evaluate the data, and determine whether or not IED activity is taking place.

Security Analytics Tools: Analysts can easily pivot through terabytes of metadata, log data and recreated network sessions. Metadata parsing and management facilitates the blending of data to help evaluate potential threats. A mix of cloud monitoring, content analytics and big data processing enables assessments to be made based on behavior and risk models, rather than on static threat signatures. This allows analysts to identify sophisticated threats that they could not previously see or fully understand.

Neutralize

Task Force ODIN: Analysts send intelligence in near real time to supported units to take action. If an IED is in play, an attack helicopter is sent to “dynamically address” (kill) the emplacers, which enables coalition forces to stay “left of boom,” stopping the bomb before it goes off. Lt. Colonel Jim Cutting, who commanded Task Force ODIN in Iraq in 2007 and 2008, pointed out, "Sometimes you're to the right of one boom, but you use what you've learned from that to get to the left of the next one." If a bomb does go off in an area ODIN has been watching, the task force is able to essentially “rewind” the video, and watch where the attackers came from. They may also choose to do this in real time with a drone, immediately after an insurgent has placed a bomb. In this way, they can go after not only the bomb emplacers, but the insurgent force that is behind the attacks.

Security Analytics Tools: Security analytics—including monitoring, detection, investigation, reporting and administration—is brought together in a single system that is optimized for near real-time analysis. This puts enterprise-level visibility directly into the hands of analysts, thereby accelerating the investigation process and allowing them to determine the most critical risks in the shortest amount of time. While we may not be able to “dynamically address” cyber attackers who are trying to steal our proprietary information and intellectual property, these tools help us fuse threat intelligence from the global security community with our own enterprise data, so that we know what to look for. They facilitate the actionable intelligence we need to make mitigative (if not retaliatory) counter-strikes, and will eventually coordinate with other security controls on the endpoint and perimeter to automatically block or quarantine threats.
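The "observe" and "detect" steps above, as an added example that is not part of the article or any product it mentions: two constructed vendor log formats (hypothetical syntax) are normalized into one record shape, a baseline of which hosts each source normally talks to is learned, and hosts whose peer set changes beyond a tolerance are flagged by behavior rather than by signature.

```python
import re
from collections import defaultdict

# Two constructed, hypothetical vendor line formats (not any real product's syntax).
RE_A = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<act>\w+)")
RE_B = re.compile(r"(?P<act>ACCEPT|DROP) (?P<src>\S+)->(?P<dst>\S+)")

def normalize(line):
    """Map either vendor's line to a common (src, dst, allowed) record."""
    m = RE_A.search(line) or RE_B.search(line)
    if not m:
        return None  # "garbage data": unparsable lines are skipped, not fatal
    d = m.groupdict()
    return d["src"], d["dst"], d["act"].lower() in ("allow", "accept")

def peer_sets(lines):
    """Per source host, the set of destinations it was allowed to reach."""
    peers = defaultdict(set)
    for line in lines:
        rec = normalize(line)
        if rec and rec[2]:
            peers[rec[0]].add(rec[1])
    return peers

def detect(baseline_lines, window_lines, max_new_peers=3):
    """Flag hosts whose current window shows more never-seen peers than the
    baseline tolerates: a change in how hosts interact, not a known pattern."""
    base = peer_sets(baseline_lines)
    now = peer_sets(window_lines)
    alerts = {}
    for host, dsts in now.items():
        new = dsts - base.get(host, set())
        if len(new) > max_new_peers:
            alerts[host] = sorted(new)
    return alerts

# Constructed sample data: a learning period, then a window to evaluate.
BASELINE = [
    "fw1 src=10.0.0.5 dst=10.0.1.9 action=allow",
    "fw1 src=10.0.0.5 dst=10.0.1.10 action=allow",
    "ACCEPT 10.0.0.7->10.0.1.9",
    "ACCEPT 10.0.0.7->10.0.2.2",
    "DROP 10.0.0.7->10.0.3.3",              # blocked: not part of the baseline
    "fw1 src=10.0.0.5 dst=10.0.1.9 action=deny",
    "unparsed line from a device nobody onboarded",
]
WINDOW = [
    "fw1 src=10.0.0.5 dst=10.0.1.9 action=allow",
    "fw1 src=10.0.0.7 dst=10.0.1.9 action=allow",
] + [f"ACCEPT 10.0.0.7->10.0.5.{i}" for i in range(1, 8)]  # 7 never-seen peers

if __name__ == "__main__":
    for host, peers in detect(BASELINE, WINDOW).items():
        print(f"ALERT {host}: {len(peers)} new peers, e.g. {peers[:3]}")
```

The threshold and the baseline window are the tuning knobs an analyst owns; the same normalize/baseline/compare shape extends to other event sources once they are mapped to a common record.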


Gaining Information Superiority

ODIN’s impact on the fight against IED attacks has been dramatic. In August 2010, General David Petraeus reported that during the previous 90 days alone, information provided by ODIN had resulted in the killing or capture of 365 militant leaders, detained 1,335 insurgent foot soldiers, and killed another 1,031 Taliban.

As former ODIN pilot and Illinois Military Aviation Hall-of-Famer Gerry Ventrella put it:

“It’s all about intelligence. Getting the information we need and sharing it with the right people, so we can take out the bad guys and prevent the next attack.” — Gerry Ventrella, former Task Force ODIN pilot

Like the creation of Task Force ODIN, the deployment of security intelligence and analytics tools can make a difference. The Ponemon Institute’s 2012 Cost of Cybercrime Study concluded that companies that used security intelligence systems enjoyed an average cost savings of $1.6 million when compared to companies not deploying those technologies, because they were more efficient at spotting breaches. Big data analytics tools are offering the opportunity to take advantage of big data streams, and facilitate the analysis of all types of security data with the context that can elevate it into actionable intelligence—necessary information that is immediately available in order to deal with the situation at hand. This is critical to providing a clear picture of existing or emerging risks to an organization’s assets, and can make it possible to more rapidly identify and respond to threats.

Collaborative defense is crucial in the fight against sophisticated cyber attacks. In a recently published report, IT research firm Gartner noted that “defenses against APTs and professional cyber criminals have failed to reach their full potential due to, among other reasons, lack of industrywide information sharing.”* The vast majority of critical infrastructure in the U.S.—around 85 percent—is dependent upon networks that are in private hands. Collaboration not only between trusted business partners, but between the government and private sectors can greatly enhance cyber security efforts. While still in their infancy, security analytics tools and techniques are offering both government and business organizations the opportunity to collect, analyze, and share information across all sources.

Turning Knowledge into Action

Intelligence is at the nexus of our security challenges. Just as it was (and still is) with the struggle against IEDs, immediate access to actionable intelligence is critical to establishing a proactive security stance, and effectively combating our attackers. Security analytics are ushering in an era of predictive insight, offering us the opportunity not only to collect large amounts of previously untapped data, but to understand it and take advantage of its value. Integrated intelligence gained through the evaluation of all types of data—internal and external, security and non-security—can help us harness the most relevant information, and find hidden correlations in the attacks being perpetrated against us. With broad-based initiative across the private sector, we can share the right information with the right people at the right time, turning knowledge into action, and bringing the fight to our cyber adversaries.


*Gartner, Inc., "Information Sharing as an Industry Imperative to Improve Security," Anton Chuvakin, Dan Blum, June 17, 2013. 
