Security analytics needed in Singapore

It's clear that, with a limited number of security experts and only partial success from outsourcing, strong security analytics is becoming a 'must have' in the face of an ever-evolving threat landscape. Nowhere is this better illustrated than in Singapore.

Security analytics (SA) is one of those terms that can have multiple definitions, and which one applies usually depends on who you are, your background, what you do, whom you work for, etc. When I'm talking about SA I'm referring to the ability of machine-based analysis to augment human intuition. I'm a big believer that when it comes to security nothing beats the power of a skilled human analyst, but at the same time, those analysts need to leverage tools to increase their efficiency and effectiveness.

SA is often tied to correlation. The advanced correlation rules found in many security products can evaluate multiple variables together and derive a result from them, whether that is an alert (log entry, SNMP trap, email or SMS) or a response (block traffic at layer 2 or 3, reroute traffic, or engage more robust monitoring). SA capabilities are not limited to correlation, though; they may also provide:

  • Anomaly detection -- what doesn't fit the established baseline
  • Pattern discovery -- what's normal, and therefore what isn't
  • Data enrichment through threat intelligence -- known malicious or suspicious sources
  • Visualizations -- graphical patterns that reduce the time a security analyst needs to identify, understand and remediate an incident

Consider this scenario. I may see some packets sourced from a known malicious domain, targeting an asset that is known to be vulnerable, carrying an exploit that is known to take advantage of that vulnerability. Further, I may also know that this is a critical system housing sensitive customer financial data, and I may detect an abnormally large amount of data being downloaded from it. None of these events may be enough on its own to warrant an alert, but taken collectively, SA gives the security analyst an alert or possibly even an automated response to mitigate the threat.
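To make the scenario above concrete, and to show how the correlation, anomaly detection and threat-intelligence enrichment listed earlier fit together, here is an added example that is not from the original article or any product it alludes to. It scores each internal asset against four weighted signals: the peer appears in a threat-intelligence feed, the IDS signature matches a vulnerability the asset is known to carry, the asset is tagged critical, and outbound volume is a statistical outlier against a per-host baseline. The feed entries, asset inventory, vulnerability label `VULN-PLACEHOLDER-1`, signature name, baselines, weights and thresholds are all constructed for illustration and are not real identifiers or real tuning values.

```python
from dataclasses import dataclass
from typing import Dict, List

# ---- Constructed reference data (not real intel, assets or vulnerabilities) ----
THREAT_INTEL = {                      # enrichment feed: peer address -> label
    "198.51.100.23": "known-malicious (constructed feed entry)",
}
ASSETS = {                            # inventory: host -> metadata (constructed)
    "10.0.5.12": {"name": "pay-db-01", "critical": True,
                  "vulnerable_to": {"VULN-PLACEHOLDER-1"}},   # hypothetical vuln id
    "10.0.7.4":  {"name": "web-test-02", "critical": False, "vulnerable_to": set()},
}
EXPLOIT_SIGS = {                      # IDS signature -> vulnerability it exploits (hypothetical)
    "exploit-sig-A": "VULN-PLACEHOLDER-1",
}
EGRESS_BASELINE_MB = {                # host -> (mean, stddev) of daily egress, constructed
    "10.0.5.12": (20.0, 5.0),
    "10.0.7.4": (15.0, 4.0),
}

# Weights are an assumption: no single signal reaches the alert threshold on its own,
# which is the whole point of correlating them.
WEIGHTS = {"threat_intel": 30, "exploit_matches_vuln": 25,
           "critical_asset": 15, "egress_anomaly": 30}
ALERT_THRESHOLD = 60      # notify the analyst
RESPOND_THRESHOLD = 85    # hand off to an automated response (e.g. isolate the host)
Z_ANOMALY = 3.0           # egress more than 3 standard deviations above baseline


@dataclass
class Verdict:
    asset: str
    score: int
    signals: List[str]
    action: str           # "none", "alert" or "respond"


def correlate(events: List[dict]) -> Dict[str, Verdict]:
    """Group events per internal asset, collect weighted signals, score once per asset."""
    signals: Dict[str, set] = {}
    for ev in events:
        host = ev["asset"]
        found = signals.setdefault(host, set())
        meta = ASSETS.get(host, {"critical": False, "vulnerable_to": set()})

        # Enrichment: is the remote peer on the threat-intelligence feed?
        if ev["peer"] in THREAT_INTEL:
            found.add("threat_intel")
        # Asset context: does the target house something we care about?
        if meta["critical"]:
            found.add("critical_asset")
        # Correlation: does the observed exploit match a vulnerability this host has?
        if ev["kind"] == "ids" and EXPLOIT_SIGS.get(ev["signature"]) in meta["vulnerable_to"]:
            found.add("exploit_matches_vuln")
        # Anomaly detection: is outbound volume far outside this host's baseline?
        if ev["kind"] == "flow" and host in EGRESS_BASELINE_MB:
            mean, sd = EGRESS_BASELINE_MB[host]
            if (ev["egress_mb"] - mean) / sd > Z_ANOMALY:
                found.add("egress_anomaly")

    verdicts: Dict[str, Verdict] = {}
    for host, found in signals.items():
        score = sum(WEIGHTS[s] for s in found)
        if score >= RESPOND_THRESHOLD:
            action = "respond"
        elif score >= ALERT_THRESHOLD:
            action = "alert"
        else:
            action = "none"
        verdicts[host] = Verdict(host, score, sorted(found), action)
    return verdicts


# Constructed sample telemetry: one IDS hit and one flow record per host.
SAMPLE_EVENTS = [
    {"kind": "ids",  "asset": "10.0.5.12", "peer": "198.51.100.23", "signature": "exploit-sig-A"},
    {"kind": "flow", "asset": "10.0.5.12", "peer": "198.51.100.23", "egress_mb": 480.0},
    {"kind": "ids",  "asset": "10.0.7.4",  "peer": "198.51.100.23", "signature": "exploit-sig-A"},
    {"kind": "flow", "asset": "10.0.7.4",  "peer": "203.0.113.9",   "egress_mb": 18.0},
]

if __name__ == "__main__":
    for v in correlate(SAMPLE_EVENTS).values():
        print(f"{v.asset:<10} score={v.score:<3} action={v.action:<7} signals={v.signals}")
```

Run stand-alone, the critical database host collects all four signals and crosses the response threshold, while the test web host, which was probed by the same malicious peer with the same exploit signature, scores only the threat-intelligence hit and stays below the alert line: the same IDS event is noise on one host and part of an incident on another. In practice the weights and the z-score cut-off would be tuned against your own baselines, and the "respond" branch would call out to whatever blocking or isolation capability the environment provides.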

So why is SA such a big deal for Singapore? Singapore is a major financial hub. It has an extremely successful and growing economy with a vast number of large businesses and government organizations. As such, Singapore is a target, and not just for threats from within South East Asia, but from around the world.

Singapore, like every other country, has a limited supply of skilled security analysts. This is not to say that Singapore doesn't have a pool of these individuals. In fact, for a country of only about 5.5 million it seems to have a disproportionately high number of security ninjas. But that's still not enough to go around. Given Singapore's current success and projected growth, organizations are looking for mechanisms to increase security operational efficiency while reducing risk.

Some organizations have outsourced part of their security operations. Rarely did I see much more than traditional security IT management being outsourced, such as firewall administration and IPS signature updates, as opposed to actual security analysis. I spoke to a few organizations that stated they had attempted to outsource part of their security analysis, only to discover that it made more business and security sense to bring it back in-house.

What Singaporean organizations really need are solutions -- not products. There needs to be a higher level of integration between endpoint, network and data security, across traditional network assets as well as BYOD, virtualized environments and cloud. These solutions need to work collectively so that SA can operate across the whole environment, and so that as new solutions are added to the mix they don't sit in a silo but actually increase the overall capability of the SA. Done this way, SA will help prevent attacks and decrease the time it takes to detect and respond to an incident: minimizing the threat window.

Singapore is an interesting case study for the world. Because of Singapore's reliance on information systems, tremendous growth and high-value targets, coupled with resource limitations based on population, scalability is a huge concern. We can extrapolate this to virtually any business unit, organization or country facing more threats than it can process. Everyone has limited resources, and security analysts need SA to be successful.

Many organizations in the private sector, as well as government agencies within Singapore, seem to get this. They understand that simply throwing products and people at the problem isn't the right solution. They are integrating their products, leveraging SA solutions to analyze them both in real time and forensically, and educating their security analysts to take advantage of those solutions. In doing so, they are tipping the security scales in their favour.