These days, lots of companies are looking for ways to use big data and analytics to improve their security, but Intel is one of the first to actually pull it off.
The company's initiative, called Security Business Intelligence (SBI), earned the company top honors in the CSO40 awards, which recognize security projects that have delivered outstanding business value.
Intel IT began building its SBI platform in 2010. "SBI is one of the pillars of our Protect to Enable enterprise security strategy," says Malcolm Harkins, Intel's chief security and privacy officer. "The ability to filter and distill the billions of events per day brings tremendous security value to the enterprise."
The Protect to Enable strategy focuses on applying reasonable levels of protection, which allows information to flow through the organization and gives users a better experience while at the same time reducing risk.
In 2012, Intel made significant progress in implementing this architecture, which is based on four pillars. The first pillar is identity and access management, which allows users' access privileges to be dynamically adjusted as the level of risk changes. Intel has tested this system in its production environment and continues to refine these tools for a range of devices, locations and infrastructure technologies.
The second pillar is data protection. Intel is implementing technologies to safeguard its information when it's created, stored and in transit. The company has expanded deployment of enterprise-rights-management software and implemented new data-loss-prevention technologies to better track sensitive data.
The third pillar is infrastructure. For example, Intel has implemented secure trust zones within its enterprise private cloud that enables it to virtualize internally and externally facing applications with higher security requirements.
The final pillar is SBI. "As we allow access to enterprise systems from more devices, we need improved detection and analytical capabilities," says Alan Ross, senior principal engineer. "We deployed a flexible dashboard to view malware infection data down to the machine level and added a predictive engine that enables proactive protection and simulations to improve our ability to respond to threats."
The primary goals of the SBI platform are to use big data and advanced analytics to improve Intel's ability to predict, prevent, detect and respond to cyberthreats; develop the tools and reporting capabilities to distill large amounts of data into meaningful analysis; and use the resulting analysis to cut overall costs by reducing or eliminating other security controls that may be less effective. Intel IT is also looking at ways to use trusted sensor and event information from its platforms to improve the quality and reliability of the SBI system.
Emphasis on Privacy privacy controls before and during the deployment of the platform to ensure that data administrators, analysts, security investigators and forensics teams "understand, respect and abide by Intel's privacy compliance requirements," Ross says.
One goal of SBI was to develop
While working on SBI, Intel also wanted to clearly define who has access to certain types of data, how the data will be stored and segmented, and when certain types of data will be deleted. Of particular importance to the team was the development of policies and processes that ensure that personal information is stored and accessed according to the company's guidelines.
By incorporating privacy early on when developing products, services and programs, Intel can fulfill its objectives. To make sure it covers all its bases, the company uses a privacy impact assessment (PIA).
A PIA is similar to an audit -- it's an evaluation performed to verify that a new or existing organizational process or system adheres to appropriate privacy laws, regulations and policies. It also assesses the risk to privacy associated with the business process that's being evaluated, and it examines potential methods of risk mitigation.
One objective of a PIA is to cause an organization to think about its process choices and their impact on privacy. The assessment allows a company to analyze and document not only the project's anticipated data lifecycle, but also its reasons behind the treatment of data at each stage.
The SBI platform performs real-time correlation of big data to detect security threats faster, boosting Intel's ability to intervene quickly while reducing its risk exposure, Ross says. "Using this platform, we can monitor traffic from Intel's servers to detect data exfiltration abnormalities and send alerts to security responders," he says. "This platform allows us to detect security threats faster, not only to boost our ability to intervene quickly, but also to reduce our risk exposure."
The SBI architecture is built around three layers: common logging service, correlation layer and predictive analytics. It collects some six billion events per day to deliver near real-time reporting. Analysis of these events provides early detection of anomalous behaviors both among client devices and in the server environment.
For example, SBI can detect and respond to anomalous situations such as when a user appears to log in from two geographic locations at the same time. This can be indicative of a compromised credential and may cause the system to dynamically adjust the device trust level and the access that is granted to that account.
In the case of bring-your-own-device initiatives, Intel can use SBI tools to monitor the transactions with its application gateways and one-time password generator. These logs, combined with the company's new trust-level-based architecture, mean "we can create detailed, real-time correlation rules and can dynamically adjust the trust level of a device and the applications a user can access," Ross says.
Among the results Intel has seen with its SBI platform is a 99 percent increase in efficiency, reducing data collection analysis throughput time from two weeks to 20 minutes. In addition, the platform can process 200 billion server event logs and provide results in less than 30 minutes. With these and other controls in place, the company is currently seeing a malware infection rate of less than one percent.
Several key factors helped Intel's SBI project succeed. One was starting small and choosing a value asset or a few core infrastructure services before expanding. Another was to focus on the areas where a breach would be most harmful.
Yet another winning strategy was to build the program's value based on its goals. "We built solutions for our investigators before expanding to cover additional use cases from our customers," Ross says.
Finally, Intel put together a strong team to create and implement SBI. "We gathered experienced security professionals, including architects, investigators and engineers," Ross says. "These people worked closely with our privacy experts to design and document the tools, policies, processes and privacy guidelines."
Intel is developing a My Security Alerts tool, which it will deploy sometime in 2013, that lets employees view activity associated with their accounts and report suspicious behavior.
"Advanced malware attacks can infiltrate employee accounts and gain access to our internal network and do harm without appearing to be an intrusion. Our SBI platform is incredibly powerful, but it does not have the contextual information that an individual employee knows about their own use of company resources. The My Security Alerts tool will allow our employees to help us identify suspicious activity," says Ross.
Every day, the SBI platforms collect and process billions of events. Ross says. "We filter those events down, process the data with a new set of analytics that can flag potentially suspicious activity, and then present a summarized view of that to each individual employee. We then ask for their help to review these events and let us know if they want us to investigate it further."
Intel is continuing to scale its SBI platform to increase its ability to find advanced threats, react quickly and develop preventive and corrective controls for the future.