A Security Intelligence reference model to assess your security posture

While Business Intelligence helps you identify business opportunities, SI helps you do much the same thing with threat information

On April 1, the president of the United States issued an executive order to sanction malicious cyber actors who profit from stealing sensitive information from U.S. businesses, government agencies and individuals. President Obama said cyber threats "pose one of the most serious economic and national security challenges to the United States" and the executive order declared a national emergency pertaining to online threats.

This announcement comes on the eve of the annual RSA Conference, where tens of thousands of IT security practitioners will gather to peruse the latest and greatest security solutions designed to help protect digital assets.

At no time in history has there ever been such a concentrated focus on the importance of cyber security, and for good reason. The 2015 Global State of Information Security Survey says the compound annual growth rate of detected security incidents has increased 66% year-over-year since 2009. That's just what has been detected. According to the 2014 Trustwave Global Security Report, as many as 71% of compromises go undetected. Thus it's no surprise that the World Economic Forum declares the theft of information and the intentional disruption of online or digital processes to be among the leading business risks that organizations face today.

CISOs know that not every attack can be stopped at the network perimeter—or what's left of it. They've got to operate under the assumption that "if we are not compromised already, we could be at any time." This makes rapid detection and mitigation of threats an important aspect of any cyber security defense program. The sooner a threat inside an environment can be detected and mitigated, the less damage it is likely to do.

LogRhythm CTO Chris Petersen says there are two key metrics for measuring the effectiveness of an organization's security capabilities. One is Mean-Time-to-Detect (MTTD), which is the average amount of time it takes an organization to identify threats that present an actual risk and which require further analysis and response efforts. The second metric is Mean-Time-to-Respond (MTTR), or the average amount of time it takes an organization to fully analyze the threat and mitigate any risk presented.

"Many organizations operate in a mode where MTTD and MTTR would be measured in weeks or months," Petersen says. Enterprises that have already been compromised are at high risk during this time. If they want to reduce the risk, they need to move the needle on these key metrics—from weeks or months down to hours and days, and ideally to hours and minutes.

Research from Trustwave backs up this assertion. Analyzing 691 data breach investigations from around the world, Trustwave learned that 71% of the compromised victims didn't even detect the breach themselves. Often law enforcement agencies and other third parties informed the breached organizations of the incident. In this particular study, the MTTD was 87 days, and the MTTR was a week. According to Trustwave, self-detection of a threat can shorten the timeframe from detection to containment from 14 days down to one.
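The two metrics above are only useful if they are computed consistently from incident records. The following is an added example (not code from LogRhythm, Trustwave or the article's author) that computes MTTD and MTTR from a small set of constructed incident timestamps and, as in the Trustwave study, breaks them out by whether the organization detected the breach itself or was told by a third party. The `Incident` fields, the sample data and the day-based units are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass(frozen=True)
class Incident:
    """One confirmed security incident (hypothetical record layout)."""
    incident_id: str
    first_activity: datetime   # earliest evidence of attacker activity found in the investigation
    detected: datetime         # when the organization qualified the threat as a real risk
    contained: datetime        # when analysis and mitigation were complete
    detected_by: str           # "self" (internal detection) or "third_party" (e.g. law enforcement)


def _days_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 86400


def mttd_days(incidents) -> float:
    """Mean-Time-to-Detect: average of (detected - first_activity), in days."""
    return mean(_days_between(i.first_activity, i.detected) for i in incidents)


def mttr_days(incidents) -> float:
    """Mean-Time-to-Respond: average of (contained - detected), in days."""
    return mean(_days_between(i.detected, i.contained) for i in incidents)


def self_detection_rate(incidents) -> float:
    """Fraction of incidents the organization found on its own."""
    return sum(1 for i in incidents if i.detected_by == "self") / len(incidents)


def metrics_by_detection_source(incidents) -> dict:
    """MTTD/MTTR split by who detected the incident, so the gap is visible."""
    report = {}
    for source in sorted({i.detected_by for i in incidents}):
        group = [i for i in incidents if i.detected_by == source]
        report[source] = {
            "count": len(group),
            "mttd_days": mttd_days(group),
            "mttr_days": mttr_days(group),
        }
    return report


# Constructed sample incidents; dates and durations are invented for the example.
SAMPLE_INCIDENTS = [
    Incident("INC-001", datetime(2015, 1, 1, 9), datetime(2015, 1, 3, 9), datetime(2015, 1, 4, 9), "self"),
    Incident("INC-002", datetime(2015, 2, 1, 9), datetime(2015, 2, 5, 9), datetime(2015, 2, 6, 9), "self"),
    Incident("INC-003", datetime(2014, 10, 1, 9), datetime(2015, 1, 9, 9), datetime(2015, 1, 23, 9), "third_party"),
    Incident("INC-004", datetime(2014, 11, 1, 9), datetime(2015, 1, 10, 9), datetime(2015, 1, 20, 9), "third_party"),
]

if __name__ == "__main__":
    print(f"Overall MTTD: {mttd_days(SAMPLE_INCIDENTS):.1f} days")
    print(f"Overall MTTR: {mttr_days(SAMPLE_INCIDENTS):.1f} days")
    print(f"Self-detection rate: {self_detection_rate(SAMPLE_INCIDENTS):.0%}")
    for source, m in metrics_by_detection_source(SAMPLE_INCIDENTS).items():
        print(f"{source}: n={m['count']} MTTD={m['mttd_days']:.1f}d MTTR={m['mttr_days']:.1f}d")
```

The split matters because a single overall average hides the pattern the article describes: incidents the organization finds itself are both detected and contained far faster than those reported from outside, so the self-detection rate is a useful companion figure when tracking progress on MTTD and MTTR.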

An organization's key to lowering its MTTD and MTTR is through Security Intelligence, Petersen says. "Just as Business Intelligence has helped numerous organizations clear the fog of too many points of seemingly extraneous business data to find previously unknown business opportunities, Security Intelligence does much the same thing with threat information. It enables companies to clearly see the threats that matter. The main objective of Security Intelligence is to deliver the right information, at the right time, with the appropriate context, to significantly decrease the amount of time it takes to detect and respond to damaging cyber threats."

Petersen describes the importance of Security Intelligence, as well as the two metrics and how to lower them, in a new white paper where he details a Security Intelligence Maturity Model (SIMM). This model is similar to the Department of Defense Cyber Security Maturity Model.

LogRhythm's SIMM describes various stages of Security Intelligence capabilities and organizational and risk characteristics that together determine how well prepared (or not) an organization is to reduce the likelihood of a harmful breach. As an organization advances in its maturity level, it increases its capabilities for detecting and mitigating threats and thus reducing its MTTD and MTTR and its overall risk posture.

The Security Intelligence Maturity Model is illustrated in an extensive table in the white paper, but here's a sample of the maturity levels and what they mean:

* Level 0: Blind – MTTD measured in months, MTTR measured in weeks or months. The organization has basic firewalls and anti-virus but nobody is really watching for indicators of threat and there's no formal incident response process. If the company has intellectual property (IP) of interest to nation-states or cyber criminals, it has likely already been stolen.

* Level 1: Minimally Compliant – MTTD measured in weeks or months, MTTR measured in weeks. The organization does what it must to comply with regulatory mandates. Areas of high risk might receive more security scrutiny, but the company is still generally blind to most insider and external threats. IP of interest has likely been stolen.

* Level 2: Securely Compliant – MTTD and MTTR measured in hours or days. The organization has deployed sufficient Security Intelligence capabilities to move beyond "check box" compliance and toward improved security assurance. Resilient to some threats but still highly vulnerable to advanced threats.

* Level 3: Vigilant – MTTD and MTTR measured in hours. The organization has significant capabilities to detect and respond to threats. It actively hunts for risks via fully monitored dashboards. Resilient to most threats, even those leveraging APT type capabilities.

* Level 4: Resilient – MTTD and MTTR measured in minutes. The organization has holistic Security Intelligence capabilities and a functional 24 x 7 SOC. Though the organization is a high value target, it can withstand and defend against the most extreme types of adversaries.

Each organization needs to assess for itself the appropriate level of maturity based on its own risk tolerances. Not every company needs to reach Level 4. For example, organizations with limited budget and higher risk tolerance can achieve significant improvement in their risk posture by moving towards a Level 2 posture.

With cyber threats now being labeled a matter of national security, the important thing for companies is to keep growing their security maturity and reducing their overall risk posture.

Stories by Linda Musthaler