Unifying Your Security Intelligence Setup in a Perfect World

It’s budget time!

Your CFO points in your direction and smiles. He gives you carte blanche as far as spending goes because ‘we simply must not be put in the public eye the way that Target was in 2013’. This has to be the happiest day of your career–to have full power and control over your company’s security destiny.

Just for a brief review, 99% of security attacks are directed at the user. With that in mind, there are a variety of (potentially unpopular) security controls I would implement.

Every host, not user, not server… every host would be its own /30 network with a network/application firewall as its default gateway. Every host would be it’s own trusted intrusion detection system (IDS) variable, as far as network is concerned, and it would be connected to an incredibly well thought-out OS security and control model centrally managed by a team of people I could only describe as something Hollywood would portray as a group of people working 24×7 to solve some unsolvable mystery.

Other controls would include cloud-based web filtering, full disk encryption, and multiple layers of public facing asset protections.

Pondering cognitive security

Just think about that idea for a moment: cognitive security. Not the product Cisco acquired, but the true idea of information working to your advantage with minimal administrative interaction.

I’ve been doing it the hard way for customers as a security vendor for the past 5 years of my career. Multiple products in place; ISA/TMG, Qualys, mod-security, TrendMicro, <insert firewall vendor name here>, Barracuda, Sourcefire, port-security, etc. That’s a lot of administration effort in a very disconnected format that requires significant attention for purposeful functioning. I’m not going to bash any one product, they all control what they were meant to control; however, many organizations don’t have the manpower or time to give these products the proper attention they require to be as completely up-to-date as possible.

Enter Splunk>

That’s why we moved to Splunk–it puts everything in one place. Don’t stop there. You still need to do something with it that can effectively manage these products and their capabilities globally. For the good of each product and the better of your response and support teams.

That’s where we put Splunk to work. You can tell Splunk to do things with your log data/security alerts based upon the information provided by your network and security infrastructure, the systems and infrastructure you already have in place. Just by sending Splunk your log data.

Let’s look at some examples

A simple example would be automatically opening up a help-desk ticket because Splunk was able to tell from your IDS alert data that a host at your Chicago office has tripped. A less simple example would be that the same help-desk ticket was opened only if the alert triggered a certain amount of times within a specific time frame. An even more complex example would be the same alert threshold would correlate with your Websense and firewall data to verify that the traffic passed successfully to properly prioritize the ticket it opens with your help-desk team, to help communicate how quickly action needs to be taken.

A simple example of an outside security threat would be parsing the IDS alert data against internal Qualys scan results to determine if that threat requires a help-desk/security ticket internally because it’s running the affected software, on top of running a script that will kill the connection at the network or host based firewall. It can even go as far as to detect a DDoS or Reflection attack from your firewall logs and execute a script that automatically drops the traffic for a certain time period without any human interaction at all.

Proactive security intelligence

Honestly, that’s as perfect as you can get in today’s security world. We call it HDSI, because we’re Hurricane Defense and it’s our Security Intelligence. I call it being as proactive as you possibly can with the information and infrastructure you have in place.

Sure, nothing is perfect and things change, but if you put in the effort to be as proactive as you can with what you have, you can sit back and say you are doing everything in your power to be as proactive as possible.