As Jason Wright points out in part five of the Agile Security Manifesto, gathering information is the first step in any well-designed decision-making process. Many pages of documentation and hours of classroom time have been dedicated to this subject. The challenge? Seldom is this sort of information-gathering and decision-making reapplied, let alone in the rapid and infinitely repeating fashion that today's threat landscape demands. The sixth element of the Sourcefire Agile Security Manifesto is “Intelligence Accelerates Security Effectiveness. Static Intelligence is of Little Value in Today's Dynamic IT and Threat Environments.” This may seem like a mouthful, but in fact it's a pretty simple concept, albeit one that is often overlooked.
It doesn’t matter if you designed and implemented the world’s greatest birdfeeder. If you are not constantly monitoring for the presence of squirrels and keeping a constant eye on the level of feed available, are you really doing your job? As a commenter on the introductory post from Martin Roesch points out, “Security is about the integrity and availability of assets, systems and processes; security is not just about stopping bad guys.” The problem here is, in the time it has taken you to read my complete and inexcusable overuse of Jason Brvenik’s birdfeeder analogy, your infrastructure has changed in some way.
What you are defending changes all the time. How you defend it must change, just as fast.
Understanding exactly what makes up your environment and knowing exactly when and what changes is intelligence; intelligence is the single largest ingredient in accelerating your security effectiveness. In fact, I would argue that “static intelligence” is an oxymoron, referring to a rapidly decaying situational snapshot. It’s of little use to anyone taking security seriously.
Serious practitioners need to be able to apply security intelligence to the seemingly insurmountable amount of data being collected, using it as a filter in the distillation and retrieval of what is contextually relevant to that environment. Armed with this clear and concise picture, we can adapt our defenses and act on the data appropriately.
Security isn't easy, and “set it and forget it” simply doesn't apply. Commitment and vigilance are essential for continued success. The problem is, there is no finish line, just another chance to see what's out there, learn the threats, adapt our defenses and act. During this cyclical process we need to ensure we have all the information we need to be effective, and understand that what we know now will be different by the end of this sentence.
Chris: Excellent post, and I couldn't agree more. We believe intelligence is about capturing the most possible information, and continuously correlating and analyzing it for anomalies. No one can know what the next threats will be or what vulnerabilities they will attack, so a dynamic, real time approach is the only way to go if you're serious about protecting your assets.
I described our view of Security Intelligence in a recent Q1 Labs blog here: http://blog.q1labs.com/2011/08/15/what-is-security-intelligence-and-why-does-it-matter-today/ .
Michael Applebaum, Q1 Labs
http://twitter.com/ma08
Michael - Thanks for the comment, and the compliment. In reading your post it's clear that we have similar thoughts on dynamic security intelligence. Like many things in life, admitting that you have a problem is the first step. The "problem" in this case is that threats change too quickly for static defenses.
We are only about halfway into this series, so I hope you check back and offer more comment.
Thanks,
~chris