
How best to monitor today's murky threat environment

Today's threat environment can be murky. Learn the latest means for rooting out the fast-moving malicious actors that populate it.

Today's threat environment is complex and requires careful monitoring. But security professionals around the world struggle daily under the deluge of information that security systems generate. Security information and event management (SIEM) systems seek to wrangle this flood of data into some semblance of control, but they are only one element in a robust information security program. Let's take a look at how you can improve the strength of your security monitoring program with real-time threat intelligence and automated monitoring practices that clear up murky threat environments.

Intelligence for today's threat environment

InfoSec professionals today work in a threat environment where they face adversaries with unprecedented sophistication, persistence and technology. The new cyberthreat is both technically advanced and fast moving, rendering many older security technologies ineffective. Real-time threat intelligence feeds help security professionals stay ahead of these adversaries.

Each customer of a threat intelligence service contributes anonymized information about cyberattacks back to the service. The service then applies both automated and manual analysis techniques to rapidly learn as much as possible about the latest developments in the threat environment. These services can correlate information from many different sources to paint a picture of a new malicious actor far faster than could be done when only drawing upon one company's network for evidence. The threat intelligence service then shares this information with all of their customers, allowing them to defend themselves against new threats. This response occurs, in most cases, before the attacker even reaches most customer networks.

The product of most threat intelligence services is a risk score, keyed by IP address, that feeds directly into firewalls, intrusion prevention systems and other network security devices. Those devices consume the feed and use that information, in conjunction with site-specific security policies, to block malicious threats as soon as they strike any member of the intelligence-sharing service. You might think of real-time threat intelligence as the Internet's answer to NATO: everyone becomes stronger through intelligence sharing.
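The following is an added example, not code from the article or from any threat intelligence vendor, of how a security device might consume such a feed and combine it with site-specific policy. The feed format (JSON rows with an indicator, a 0-100 risk score and a category), the block threshold, and the allowlist are constructed assumptions; the point is that the feed supplies the score, while the local policy decides what to do with it.

```python
"""Consume a threat intelligence feed and apply it with a site policy.

Added example: the feed format, the score threshold and the policy
rules are assumptions constructed for illustration; they do not
describe any particular vendor's service.
"""
import ipaddress
import json

# Constructed sample feed: one entry per indicator, with a risk score 0-100.
SAMPLE_FEED = json.dumps([
    {"indicator": "198.51.100.7", "score": 95, "category": "c2"},
    {"indicator": "203.0.113.0/24", "score": 80, "category": "scanner"},
    {"indicator": "192.0.2.10", "score": 20, "category": "suspicious"},
])

# Constructed site-specific policy: never block these ranges (for example a
# partner network), and block only at or above this score.
ALLOWLIST = [ipaddress.ip_network("203.0.113.128/25")]
BLOCK_THRESHOLD = 75


def parse_feed(feed_json):
    """Parse the feed into (network, score, category) tuples, skipping bad rows."""
    entries = []
    for row in json.loads(feed_json):
        try:
            net = ipaddress.ip_network(row["indicator"], strict=False)
            score = int(row["score"])
        except (KeyError, ValueError):
            continue  # a malformed feed row must not break enforcement
        entries.append((net, score, row.get("category", "unknown")))
    return entries


def evaluate(ip, entries, allowlist=ALLOWLIST, threshold=BLOCK_THRESHOLD):
    """Return ("allow" | "alert" | "block", score, category) for one source IP.

    Site policy wins over the feed: an allowlisted address is never blocked,
    but a feed hit on it is still surfaced as an alert for analyst review.
    """
    addr = ipaddress.ip_address(ip)
    # Take the highest-scoring indicator that covers this address.
    score, cat = max(
        ((s, c) for net, s, c in entries if addr in net),
        default=(0, "none"),
    )
    if score == 0:
        return ("allow", 0, "none")
    if any(addr in net for net in allowlist):
        return ("alert", score, cat)
    if score >= threshold:
        return ("block", score, cat)
    return ("alert", score, cat)


if __name__ == "__main__":
    feed = parse_feed(SAMPLE_FEED)
    for src in ["198.51.100.7", "203.0.113.5", "203.0.113.200", "192.0.2.10", "10.0.0.1"]:
        print(src, evaluate(src, feed))
```

A real device would refresh the feed on a schedule and log the feed entry that drove each block, so that a false positive from the sharing service can be traced and overridden by the local allowlist rather than by editing firewall rules by hand.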

Automated monitoring practices

There's no doubt that information is critical to the success of any cybersecurity program. Security logs contain important details that can trace the source of attacks, identify potential threats and determine the extent of a successful compromise. Every information security professional who has analyzed logs, however, knows that manually parsing logs is akin to hunting for the proverbial needle in a haystack. Log monitoring is frustrating, tedious and time-consuming work and finding the single record that contains critical information often seems an insurmountable task.

Fortunately, SIEM systems automate the vast majority of log monitoring work. SIEMs collect log information from a wide variety of network devices, servers, applications and other data sources and perform detailed analysis on that information, searching for potential security issues. The SIEM also provides analysts with the ability to quickly search across all log sources when conducting a security investigation. For example, if an organization suspects that an account was compromised in a phishing attack, security analysts can quickly pull all login events related to that account, combining information from desktop logins, VPN connections, application authentication and server access in a single set of search results. That type of automation facilitates rapid response.

In some cases, SIEM systems can go a step further and take automated response actions designed to contain and mitigate threats immediately. For example, if the SIEM detects a potentially compromised account, it might disable that account and then notify administrators. The time this type of decisive rapid response saves may mean the difference between a minor account compromise and a major data compromise.
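The two preceding paragraphs describe what a SIEM automates: normalizing logins from desktops, VPNs, applications and servers into one searchable set, and then acting on a detection. The following is an added example, not code from the article or from any SIEM product, that does both on a few constructed log lines. The line format, field names, the "failed logins followed by a success" rule, and the `disable_account` and `notify` callbacks are all assumptions made for illustration.

```python
"""Normalize multi-source login logs, search them by account, and decide
on an automated response.

Added example: the log formats, field names and the detection rule are
constructed for illustration and are not any SIEM product's syntax.
"""
import re
from datetime import datetime, timedelta

# Constructed sample logs from four sources, all about the same accounts.
SAMPLE_LOGS = """\
desktop 2015-12-01T08:02:10 user=jdoe host=WS-114 result=success
vpn 2015-12-01T08:30:44 user=jdoe src=203.0.113.9 result=success
app 2015-12-01T08:31:02 user=jdoe app=payroll result=success
server 2015-12-01T08:45:51 user=jdoe host=db01 result=failure
server 2015-12-01T08:45:55 user=jdoe host=db01 result=failure
server 2015-12-01T08:46:01 user=jdoe host=db01 result=failure
server 2015-12-01T08:46:08 user=jdoe host=db01 result=success
vpn 2015-12-01T09:00:00 user=asmith src=198.51.100.3 result=success
"""

LINE_RE = re.compile(r"^(?P<source>\w+) (?P<ts>\S+) (?P<kv>.*)$")


def normalize(raw):
    """Parse heterogeneous lines into one common event schema, ordered by time."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole batch
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        events.append({
            "source": m.group("source"),
            "ts": datetime.fromisoformat(m.group("ts")),
            "user": fields.get("user"),
            "result": fields.get("result"),
            "detail": {k: v for k, v in fields.items() if k not in ("user", "result")},
        })
    return sorted(events, key=lambda e: e["ts"])


def logins_for(events, user):
    """Pull every login event for one account across all sources."""
    return [e for e in events if e["user"] == user]


def brute_force_then_success(events, user, failures=3, window=timedelta(minutes=5)):
    """Detection rule: at least `failures` failed logins inside `window`,
    followed by a success, for the same account."""
    recent_failures = []
    for e in logins_for(events, user):
        if e["result"] == "failure":
            recent_failures.append(e["ts"])
            recent_failures = [t for t in recent_failures if e["ts"] - t <= window]
        elif e["result"] == "success" and len(recent_failures) >= failures:
            return True
        elif e["result"] == "success":
            recent_failures = []  # a clean success resets the counter
    return False


def respond(events, user, disable_account, notify):
    """Automated response: disable the account first, then notify administrators."""
    if brute_force_then_success(events, user):
        disable_account(user)
        notify(f"account {user} disabled: failed logins followed by a success")
        return "disabled"
    return "no_action"


if __name__ == "__main__":
    evs = normalize(SAMPLE_LOGS)
    for e in logins_for(evs, "jdoe"):
        print(e["ts"], e["source"], e["result"], e["detail"])
    print(respond(evs, "jdoe", disable_account=print, notify=print))
```

Keeping the detection rule and the response as separate functions is deliberate: the rule can be tuned and replayed against historical events without any side effects, and the response callbacks are the only place that touches the identity system, which keeps the blast radius of a bad rule small.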

Threat intelligence and automation provide security analysts with tremendous advantages in today's threat environment. Cybersecurity today is a cat-and-mouse game. By leveraging real-time attack information from a threat intelligence network and combining it with the automated correlation and response capabilities of a SIEM, information security teams can stay one step ahead of their adversaries.


This was last published in December 2015
