Big Data Protects Intel's Info

These days, lots of companies are looking for ways to use big data and analytics to improve their security, but Intel is one of the first to actually pull it off.

The company's initiative, called Security Business Intelligence (SBI), earned the company top honors in the CSO40 awards, which recognize security projects that have delivered outstanding business value.


Intel IT began building its SBI platform in 2010. "SBI is one of the pillars of our Protect to Enable enterprise security strategy," says Malcolm Harkins, Intel's chief security and privacy officer. "The ability to filter and distill the billions of events per day brings tremendous security value to the enterprise."

The Protect to Enable strategy focuses on applying reasonable levels of protection, which allows information to flow through the organization and gives users a better experience while at the same time reducing risk.

In 2012, Intel made significant progress in implementing this architecture, which is based on four pillars. The first pillar is identity and access management, which allows users' access privileges to be dynamically adjusted as the level of risk changes. Intel has tested this system in its production environment and continues to refine these tools for a range of devices, locations and infrastructure technologies.

The second pillar is data protection. Intel is implementing technologies to safeguard its information when it's created, stored and in transit. The company has expanded deployment of enterprise-rights-management software and implemented new data-loss-prevention technologies to better track sensitive data.

The third pillar is infrastructure. For example, Intel has implemented secure trust zones within its enterprise private cloud that enable it to virtualize internally and externally facing applications with higher security requirements.

The final pillar is SBI. "As we allow access to enterprise systems from more devices, we need improved detection and analytical capabilities," says Alan Ross, senior principal engineer. "We deployed a flexible dashboard to view malware infection data down to the machine level and added a predictive engine that enables proactive protection and simulations to improve our ability to respond to threats."

The primary goals of the SBI platform are to use big data and advanced analytics to improve Intel's ability to predict, prevent, detect and respond to cyberthreats; develop the tools and reporting capabilities to distill large amounts of data into meaningful analysis; and use the resulting analysis to cut overall costs by reducing or eliminating other security controls that may be less effective. Intel IT is also looking at ways to use trusted sensor and event information from its platforms to improve the quality and reliability of the SBI system.

Emphasis on Privacy

One goal of SBI was to develop privacy controls before and during the deployment of the platform to ensure that data administrators, analysts, security investigators and forensics teams "understand, respect and abide by Intel's privacy compliance requirements," Ross says.

While working on SBI, Intel also wanted to clearly define who has access to certain types of data, how the data will be stored and segmented, and when certain types of data will be deleted. Of particular importance to the team was the development of policies and processes that ensure that personal information is stored and accessed according to the company's guidelines.

By incorporating privacy early on when developing products, services and programs, Intel can fulfill its objectives. To make sure it covers all its bases, the company uses a privacy impact assessment (PIA).

A PIA is similar to an audit -- it's an evaluation performed to verify that a new or existing organizational process or system adheres to appropriate privacy laws, regulations and policies. It also assesses the risk to privacy associated with the business process that's being evaluated, and it examines potential methods of risk mitigation.

One objective of a PIA is to cause an organization to think about its process choices and their impact on privacy. The assessment allows a company to analyze and document not only the project's anticipated data lifecycle, but also its reasons behind the treatment of data at each stage.

The SBI platform performs real-time correlation of big data to detect security threats faster, boosting Intel's ability to intervene quickly while reducing its risk exposure, Ross says. "Using this platform, we can monitor traffic from Intel's servers to detect data exfiltration abnormalities and send alerts to security responders," he says. "This platform allows us to detect security threats faster, not only to boost our ability to intervene quickly, but also to reduce our risk exposure."

The SBI architecture is built around three layers: common logging service, correlation layer and predictive analytics. It collects some six billion events per day to deliver near real-time reporting. Analysis of these events provides early detection of anomalous behaviors both among client devices and in the server environment.

For example, SBI can detect and respond to anomalous situations such as when a user appears to log in from two geographic locations at the same time. This can be indicative of a compromised credential and may cause the system to dynamically adjust the device trust level and the access that is granted to that account.

In the case of bring-your-own-device initiatives, Intel can use SBI tools to monitor the transactions with its application gateways and one-time password generator. These logs, combined with the company's new trust-level-based architecture, mean "we can create detailed, real-time correlation rules and can dynamically adjust the trust level of a device and the applications a user can access," Ross says.
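The two preceding paragraphs describe a correlation rule (one account logging in from two geographic locations at the same time) feeding a dynamic trust-level decision. The following is an added example of that pattern, written for this page; it is not Intel's SBI code, and the log format, the 30-minute concurrency window, the trust levels and the application-to-trust-level mapping are all assumptions made for illustration. The sample gateway log lines are constructed.

```python
"""Correlation rule: concurrent logins from two locations -> lower trust level.

Added illustration, not Intel SBI code. Log format, window and trust mapping
are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample application-gateway log lines (not real Intel data).
# Assumed format: "<ISO-8601 UTC time> <user> <login city> <source IP>".
SAMPLE_LOG = """\
2013-03-04T09:00:12Z alice Hillsboro 10.1.1.23
2013-03-04T09:03:40Z alice Hillsboro 10.1.1.23
2013-03-04T09:05:02Z alice Bangalore 203.0.113.77
2013-03-04T09:10:00Z bob Santa_Clara 10.2.2.9
2013-03-04T11:30:00Z bob Hillsboro 10.1.1.40
2013-03-04T09:11:11Z carol Haifa 198.51.100.5
"""

# Two logins from different cities closer together than this are treated as
# "at the same time" (assumed threshold; a production rule would use travel time).
CONCURRENCY_WINDOW = timedelta(minutes=30)

# Assumed mapping from trust level to the applications a user may reach.
TRUST_LEVELS = {
    "high": {"email", "intranet", "source-control", "hr-portal"},
    "medium": {"email", "intranet"},
    "low": set(),  # nothing until the account is re-verified (step-up auth)
}


def parse_log(text):
    """Turn raw log lines into records with a parsed timestamp; blank lines skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, city, ip = line.split()
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "city": city,
            "ip": ip,
        })
    return events


def find_concurrent_geo_logins(events, window=CONCURRENCY_WINDOW):
    """Flag any user whose consecutive logins come from two cities within `window`.

    Returns one alert per offending pair of events.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for earlier, later in zip(evs, evs[1:]):
            gap = later["time"] - earlier["time"]
            if earlier["city"] != later["city"] and gap <= window:
                alerts.append({
                    "user": user,
                    "cities": (earlier["city"], later["city"]),
                    "ips": (earlier["ip"], later["ip"]),
                    "gap_minutes": gap.total_seconds() / 60,
                    "reason": "concurrent logins from two locations; "
                              "possible compromised credential",
                })
    return alerts


def trust_level_for(user, alerts, baseline="high"):
    """Dynamically drop the trust level of any account with an open alert."""
    return "low" if any(a["user"] == user for a in alerts) else baseline


def allowed_apps(user, alerts):
    """Applications the user may reach at the current (possibly lowered) trust level."""
    return TRUST_LEVELS[trust_level_for(user, alerts)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    found = find_concurrent_geo_logins(events)
    for a in found:
        print(f"ALERT {a['user']}: {a['cities']} {a['gap_minutes']:.1f} min apart "
              f"from {a['ips']}: {a['reason']}")
    for u in ("alice", "bob", "carol"):
        print(u, trust_level_for(u, found), sorted(allowed_apps(u, found)))
```

Run as a script, the rule fires only for alice (Hillsboro and Bangalore 82 seconds apart) and her access set collapses to nothing until the account is re-verified; bob's two cities are more than two hours apart and stay under the threshold. In a real deployment the window would be replaced by a travel-time check between the two geolocations, and the alert would be written to the responders' queue rather than printed.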

Tangible Results

Among the results Intel has seen with its SBI platform is a 99 percent increase in efficiency, reducing data collection and analysis throughput time from two weeks to 20 minutes. In addition, the platform can process 200 billion server event logs and provide results in less than 30 minutes. With these and other controls in place, the company is currently seeing a malware infection rate of less than one percent.

Several key factors helped Intel's SBI project succeed. One was starting small and choosing a high-value asset or a few core infrastructure services before expanding. Another was to focus on the areas where a breach would be most harmful.

Yet another winning strategy was to build the program's value based on its goals. "We built solutions for our investigators before expanding to cover additional use cases from our customers," Ross says.

Finally, Intel put together a strong team to create and implement SBI. "We gathered experienced security professionals, including architects, investigators and engineers," Ross says. "These people worked closely with our privacy experts to design and document the tools, policies, processes and privacy guidelines."

Intel is developing a My Security Alerts tool, which it will deploy sometime in 2013, that lets employees view activity associated with their accounts and report suspicious behavior.

"Advanced malware attacks can infiltrate employee accounts and gain access to our internal network and do harm without appearing to be an intrusion. Our SBI platform is incredibly powerful, but it does not have the contextual information that an individual employee knows about their own use of company resources. The My Security Alerts tool will allow our employees to help us identify suspicious activity," says Ross.

Every day, the SBI platform collects and processes billions of events, Ross says. "We filter those events down, process the data with a new set of analytics that can flag potentially suspicious activity, and then present a summarized view of that to each individual employee. We then ask for their help to review these events and let us know if they want us to investigate it further."

Intel is continuing to scale its SBI platform to increase its ability to find advanced threats, react quickly and develop preventive and corrective controls for the future.


Stories by Bob Violino