Protect Your Assets

The new era of security intelligence

Cindy_Blake ‎05-01-2013 10:13 AM - edited ‎09-16-2015 08:46 AM

When you think of security intelligence or threat intelligence, do visions come to mind of FBI or CIA analysts sitting in a room full of compute power and cool technology gadgets?  The world of information security intelligence, the kind commercial enterprises use to protect themselves, is becoming strangely similar to those visions.  Given that hackers, hacktivists and others are pulling corporations into this cyber warfare, it should not be surprising that security programs rely more and more on intelligence to thwart their attackers.


An analogy might be useful to better envision how such a scenario might work.  Let’s say I am an avid shopper at a big national retailer.  I shop there for everything from clothes, to food, to housewares, gifts and cards.  I often imagine that this retail buddy of mine knows more about me and what I like than my own mother.  The data resulting from a point of sale (POS) system includes my shopping habits: what time of day I shop (before/after work vs weekends), frequency of my trips, average purchase amount etc.  You might expect a retailer to have this level of information. 


With a little bit of analysis, meaning can be applied to the items I purchase to determine my rough age and sex, that of my children, type of pets, music and book tastes, favorite colors, and more.  How could they know this? They glean this level of knowledge by applying algorithms to my purchases that assess meaning and apply context to individual data points.  And by assessing this data over time, they can look for trends or patterns.  Am I (female, middle-aged, with teen children) beginning to substitute one product for another, or otherwise changing my purchases?  The granularity of insight becomes explosive!


Sharpening the focus with additional data


Now, if this retailer were to combine POS data with data from online shopping, they can also determine my shipping and billing addresses (more socio-economic demographics, also helpful in aggregate).  If I “Like” them on Facebook, or pin something on Pinterest, they may even begin to understand, and potentially tap into my social network.  Essentially, if I “Like” something from this retailer, I become an advertising agent – and although my reach is limited in breadth, it is much more credible and targeted to people (buyers) like myself.


How do information security professionals use these same tools?


Let’s look at how we would apply those same techniques to information security.  Hackers have specialized in obtaining this type of information to craft “spear phishing” attacks: highly targeted attacks that lure you into clicking a link or providing information through clever disguises or tricks.  Luckily, the good guys can use techniques similar to the retailers’ to identify potential attacks, even before they happen. 


The multitude of devices, users, and generated traffic all combine to create a proliferation of data that is being created with incredible volume, velocity and variety. As a result, organizations need a way to protect, utilize and gain real-time insight from events that spring from traditional IT environments, but also from mobile, social media, cloud and Internet activities.  Harvesting insight from these ‘big data’ sources is key.  And often, they already have many of the tools needed; it’s just a matter of integrating them so they work together and properly applying use cases to solve problems that may be different from those for which they were deployed.  Two such tools are HP ArcSight and HP Autonomy. 


HP ArcSight is a traditional security tool, with its powerful CORR engine for correlating seemingly disparate security events.  It has some terrific capabilities that make it a leader among SIEM products. The recent whitepaper, “Big Security for Big Data,” points out that it can detect more incidents, correlate more data (capacity), and more efficiently focus resources on exceptions than competitors.  HP ArcSight connectors collect, normalize and categorize log data, making it more readily understood. Normalized logs are indexed and categorized so that a correlation engine can process them and identify patterns based on heuristics and security rules. It is here that the art of combining logs from multiple sources and correlating events comes together to help create real-time alerts. 


HP ArcSight Enterprise Security Manager (ESM) uses a heuristic analytics model to keep a baseline of activity from events received and monitors any increases in attack, target, protocol, or user activity using a percentage threshold.

It is the powerful correlation that is the foundation of this intelligence.



Now add to that correlation capability the meaning and context drawn from the vastness of ‘big data’: mobile, social media, cloud and Internet activities.


HP Autonomy’s IDOL can supercharge ArcSight’s correlation by providing even more who, what and where context to correlate with more traditional security logs and events.  Social media is a common place for hackers to communicate and for people to express themselves, including their frustrations, their plans and their accomplishments (both good and bad).  It is also vastly unstructured.  That’s why HP Autonomy IDOL is such a good fit for making sense of this ‘big data’.  It can extract meaning, assess the sentiment of a communiqué and identify patterns.  When combined with HP ArcSight’s CORR engine, these seemingly minute data points can provide context, greater insight, and further identify and vet potential threats. 
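To make the pipeline concrete, here is an added example (it is not ArcSight, ESM or IDOL code, nor from the whitepaper) that does in a few dozen lines what the two preceding sections describe: normalize events from two constructed log formats into one schema, flag a category whose count rises past a percentage threshold over a baseline (the ESM behaviour described above), fire a correlation rule (many failed logins then a success from one source), and enrich the hit with an unstructured note about the same user, scored by a tiny keyword lexicon that merely stands in for real sentiment analysis. All log lines, baseline figures, category names, notes and the threshold are assumptions made up for the example.

```python
"""Toy SIEM pipeline: normalize -> baseline/threshold -> correlate -> enrich.

Added example, not vendor code. Every input below is constructed.
"""
import re
from collections import Counter

# --- Constructed raw events in two vendor formats (syslog-style sshd, CSV firewall) ---
RAW_EVENTS = [
    "Jan 10 09:00:01 bastion sshd[101]: Failed password for alice from 203.0.113.7 port 5000 ssh2",
    "Jan 10 09:00:03 bastion sshd[101]: Failed password for alice from 203.0.113.7 port 5001 ssh2",
    "Jan 10 09:00:05 bastion sshd[101]: Failed password for bob from 203.0.113.7 port 5002 ssh2",
    "Jan 10 09:00:07 bastion sshd[101]: Failed password for alice from 203.0.113.7 port 5003 ssh2",
    "Jan 10 09:00:09 bastion sshd[101]: Failed password for alice from 203.0.113.7 port 5004 ssh2",
    "Jan 10 09:00:11 bastion sshd[101]: Failed password for alice from 203.0.113.7 port 5005 ssh2",
    "Jan 10 09:00:12 bastion sshd[102]: Accepted password for alice from 203.0.113.7 port 5006 ssh2",
    "fw,2013-01-10T09:00:02,DENY,198.51.100.9,10.0.0.5,443",
    "fw,2013-01-10T09:00:04,DENY,198.51.100.9,10.0.0.5,22",
    "fw,2013-01-10T09:00:06,ALLOW,192.0.2.10,10.0.0.5,443",
]

# Constructed baseline: events per category seen in an equivalent earlier window.
BASELINE = {
    "/Authentication/Failure": 2,
    "/Authentication/Success": 3,
    "/Firewall/Deny": 5,
    "/Firewall/Allow": 1,
}
THRESHOLD_PERCENT = 100  # alert when a category at least doubles over its baseline (assumed value)

# Constructed unstructured posts standing in for a social-media feed; the lexicon is a
# deliberately tiny stand-in for real sentiment analysis.
NOTES = [
    {"author": "alice", "text": "Fed up with this company. Going to make them regret it."},
    {"author": "carol", "text": "Great sprint, shipped the release early!"},
]
NEGATIVE_WORDS = {"fed up", "regret", "hate", "angry"}

SSHD_RE = re.compile(r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)")


def normalize(raw):
    """Map one vendor-specific line onto a common schema; None if the line is not understood."""
    m = SSHD_RE.search(raw)
    if m:
        category = "/Authentication/Failure" if m["outcome"] == "Failed" else "/Authentication/Success"
        return {"category": category, "user": m["user"], "src": m["src"], "target": raw.split()[3]}
    if raw.startswith("fw,"):
        _vendor, _ts, action, src, dst, _port = raw.split(",")
        return {"category": f"/Firewall/{action.title()}", "user": None, "src": src, "target": dst}
    return None


def threshold_alerts(events, baseline, threshold_percent):
    """Flag every category whose current count rose by >= threshold_percent over its baseline."""
    counts = Counter(e["category"] for e in events)
    alerts = []
    for category, base in baseline.items():
        current = counts.get(category, 0)
        if base == 0:  # guard: a category never seen before is an infinite increase if it appears at all
            increase = float("inf") if current else 0.0
        else:
            increase = (current - base) / base * 100
        if increase >= threshold_percent:
            alerts.append({"category": category, "baseline": base, "current": current, "increase_pct": increase})
    return alerts


def correlate_bruteforce_success(events, min_failures=5):
    """Correlation rule: >= min_failures failed logins from one source followed by a success from it."""
    failures = Counter()
    hits = []
    for e in events:  # events are processed in arrival order
        if e["category"] == "/Authentication/Failure":
            failures[e["src"]] += 1
        elif e["category"] == "/Authentication/Success" and failures[e["src"]] >= min_failures:
            hits.append({"src": e["src"], "user": e["user"], "target": e["target"], "failures": failures[e["src"]]})
    return hits


def enrich(hit, notes):
    """Attach unstructured text by the same user, with a crude negative-word score as 'sentiment'."""
    context = []
    for n in notes:
        if n["author"] == hit["user"]:
            text = n["text"].lower()
            context.append({"text": n["text"], "sentiment": -sum(1 for w in NEGATIVE_WORDS if w in text)})
    return {**hit, "context": context}


def run(raw_events=RAW_EVENTS, baseline=BASELINE, notes=NOTES):
    """Run the whole pipeline and return a summary dict."""
    events = [e for e in map(normalize, raw_events) if e]
    alerts = threshold_alerts(events, baseline, THRESHOLD_PERCENT)
    hits = [enrich(h, notes) for h in correlate_bruteforce_success(events)]
    return {"events": len(events), "threshold_alerts": alerts, "correlated": hits}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Note what each stage adds: the threshold stage alone only says "authentication failures tripled"; the correlation rule turns that into a specific source, user and target; the enrichment step is what the post means by context from unstructured data, and in practice it should raise the priority of a hit rather than create one on its own, since a keyword match on a post is weak evidence by itself.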


Check out the “Big Security for Big Data” white paper to find out more about how ArcSight provides a foundation to help you with Big Data.

Alan Kessler
on ‎05-25-2013 07:20 AM

This is an excellent piece and points to the value of big data security analytics.  I look forward to the next post in the series that focuses on sources of data.  I believe more focus must be placed on security intelligence focused on the data.  Data is the new currency.  Implementing a policy-based approach to data protection and event logging of data activity, properly correlated, can significantly reduce the attack surface.
