Actionable intelligence lets businesses be proactive about security to minimise the effects of any incidents and ensure they’re identified and dealt with before chaos ensues.
With each new breach making headlines, it is becoming clearer and clearer that yesterday’s defences are no match for today’s attacks. The growing popularity of cloud services, mobile devices and the Internet of Things (IoT) is widening the attack surface, and attackers are using targeted and non-targeted attacks interchangeably. Traditional security solutions are incapable of meeting all of these threats on their own, leaving many organisations with blind spots and gaps in their protection.
Add to this the fact that security analysts are in short supply and existing security teams are under constant pressure to deliver more with less, and it becomes obvious that companies need something more to keep themselves safe, says Ignus de Villiers, Divisional Manager for Cybersecurity at Nexio. He explains that today’s threat landscape requires more than prevention; it necessitates better detection, an improved understanding of threats to enable proactive and pre-emptive actions, and most importantly, effective and accurate diagnostic information in the event of an incident.
“There’s much more to modern security than simply being able to block a known threat using an updated endpoint security device,” De Villiers says.
“Prevention, as they say, is better than cure. But while it is an essential element in the security ecosystem, spending most of your security resources on building a stronger defence will only keep you safe from the obvious threats.
“If an attacker manages to get past that defence, and the statistics say that they will, the company doesn’t have the insight it needs to protect against an attack moving laterally across the network, nor is it able to respond immediately and effectively to the breach. What is needed is actionable intelligence, allowing the business to take a proactive and pre-emptive approach to security, ensuring that the effects of any incidents are mitigated and minimised, and that they can be identified and dealt with before they cause chaos.”
According to De Villiers, actionable intelligence goes beyond signatures or details tied to a specific threat. “Providing information and context about attack methodologies, how an attack hides inside network traffic or evades detection, the sorts of data being stolen or malware being planted, and how an attack communicates back to its controller; such actionable intelligence enables the company to defend against common threats as well as to disrupt and respond to attacks.”
Actionable intelligence, he says, covers the entire security footprint. This includes information from the edge to the core, helping to interpret security events and providing the right resources and counter-measures to keep the business safe.
“Organisations have access to a variety of intelligence sources, but very few have the capabilities to evaluate these and turn them into the instruments that convert data into actionable intelligence. By overlaying context and applying sophisticated analytics to that data, actionable intelligence allows companies to understand what is meaningful and the best course of action to take.”
De Villiers adds that context is essential. “Without context, threat intelligence is merely a flood of alerts that either mean nothing or that are being ignored because of the volume of false positives. Providing proper context by quickly analysing new alerts, filtering out false positives, and generating real-time data about actual threats is what transforms data into actionable intelligence.”
By looking for attack patterns identified via threat intelligence, companies can shorten the window between compromise and when they detect that compromise. More importantly, actionable intelligence goes beyond the detection of threats and supports the incident response and diagnostic process, enabling faster and more effective reactions.
“Real-time intelligence allows for faster and more accurate decisions, and enables the security team to focus on the serious threats,” says De Villiers. “By providing the status of affected systems and their users, and up-to-date threat intelligence, actionable intelligence allows the security team to detect and stop the spread of attacks as they occur, rather than trying to catch up long after the event.
“Actionable intelligence allows rogue users to be intercepted, information flows to be halted and personal data or IP to be secured before it is compromised, extracted or lost. Without actionable intelligence, any security strategy will be flawed. It is every bit as important as the firewall that has been deployed at the network edge or the endpoint security solution protecting user devices,” De Villiers says.
Nexio, together with Cisco, will be hosting a webinar on 24 October 2019 at which attendees can ask questions about threat mitigation, gain insights into how actionable intelligence enables real-time response, and find out how to make it easier to focus on critical incidents, not noise.