Intelligent Security Tools
- ali@fuzzywireless.com
- Mar 4, 2022
- 6 min read
Security intelligence is defined as the continuous, real-time collection, normalization and analysis of the varied data sources generated by users, infrastructure and applications (IBM Software, 2013). An intelligent security system integrates network activity monitoring, security event correlation and log management, instead of the segregated approach taken by traditional security information and event management (SIEM) systems (IBM Software, 2013). Besides logs and events, an intelligent security system takes into account network flows, user credentials and activity, asset profiles, configurations, vulnerabilities of systems and applications, and external threat intelligence, for a complete, holistic solution (IBM Software, 2013).
IBM Security QRadar & InfoSphere BigInsights
The IBM QRadar intelligent security platform is built on a big data architecture to provide actionable intelligence against potential security threats across the organization (IBM Software, 2013). Big data platforms like Hadoop help perform large-scale analysis using historical baselines, statistics and visualization to highlight fraud and security breaches. The key elements of the QRadar solution for mitigating advanced threats are:
1. Scalability and Interoperability
2. Pre and post-exploit insights
3. Anomaly detection capabilities
4. Real-time correlation and analysis
5. Reduced false positives
6. Forensic capabilities
7. Flexibility (2013)
Some examples where IBM's big data security analytics helped identify threats to organizations are:
1. Correlation of DNS requests, HTTP flow and deep packet inspection to identify malicious botnet traffic
2. Fraud detection by correlating real-time and historic user activity to highlight abnormal and suspicious transactions
3. Linguistic and predictive analysis of emails and social communications to identify suspicious activities (IBM Software, 2013)
IBM QRadar performs real-time correlation, analysis and reporting on traditional sources such as user activity, event logs, transaction data and anomaly detection, whereas IBM InfoSphere BigInsights performs complex analysis of massive non-traditional sources, such as text, audio, video, VoIP, email content and web traffic, for additional insights using the Hadoop and MapReduce frameworks (IBM Software, 2013). In summary, IBM's solution is a complete, end-to-end and fully scalable solution to thwart traditional, non-traditional and advanced threats to the organization using sophisticated big data analytical techniques. Although the solution is built on low-cost hardware and open-source big data applications, IBM's integrated software approach brings all of them under one roof as a complete intelligent security system (IBM Software, 2013). The only disadvantage of IBM's intelligent security system is its prohibitively high cost, which is bearable for large enterprises but not so much for small companies.
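The first item in the list above, correlating DNS requests with HTTP flow records, is the kind of cross-source correlation the text attributes to QRadar. The following is an added example written for this post, not IBM's or QRadar's code: it normalizes two constructed log formats into one event schema, joins them per host, and flags hosts that resolve a name and then contact the answered address at a fixed period, which is the beacon-like pattern a correlation rule would look for. Every host name, domain, address and log line is constructed for the example.

```python
"""Added example (not QRadar code): normalize DNS query logs and HTTP flow
records into one event schema and correlate them per host, flagging hosts
that resolve a name and then contact the answered address at a fixed period.
The log formats, host names, domains and addresses are all constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed DNS resolver log: timestamp, querying host, name, answered address.
DNS_LOG = """\
2022-03-04T10:00:01Z host=ws-17 query=updates.example-cdn.test answer=203.0.113.10
2022-03-04T10:00:05Z host=ws-17 query=unregistered-domain.invalid answer=198.51.100.7
2022-03-04T10:00:09Z host=ws-22 query=updates.example-cdn.test answer=203.0.113.10
"""

# Constructed HTTP flow records: ws-17 talks to 198.51.100.7 every 60 seconds,
# while ws-22 fetches from the CDN at irregular intervals (normal browsing).
FLOW_LOG = """\
2022-03-04T10:00:10Z src=ws-17 dst=198.51.100.7 proto=http bytes=412
2022-03-04T10:00:12Z src=ws-22 dst=203.0.113.10 proto=http bytes=90211
2022-03-04T10:00:40Z src=ws-22 dst=203.0.113.10 proto=http bytes=1533
2022-03-04T10:00:55Z src=ws-17 dst=203.0.113.10 proto=http bytes=77010
2022-03-04T10:01:10Z src=ws-17 dst=198.51.100.7 proto=http bytes=408
2022-03-04T10:02:10Z src=ws-17 dst=198.51.100.7 proto=http bytes=415
2022-03-04T10:03:10Z src=ws-17 dst=198.51.100.7 proto=http bytes=410
2022-03-04T10:04:10Z src=ws-17 dst=198.51.100.7 proto=http bytes=409
2022-03-04T10:07:03Z src=ws-22 dst=203.0.113.10 proto=http bytes=2201
2022-03-04T10:09:30Z src=ws-22 dst=203.0.113.10 proto=http bytes=3100
"""


def parse_log(text, source):
    """Normalize raw lines into a common schema: ts, source, host, fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, _, rest = line.partition(" ")
        ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        fields = dict(KV_RE.findall(rest))
        # DNS lines name the client as host=, flow lines as src=
        events.append({"ts": ts, "source": source,
                       "host": fields.get("host") or fields.get("src"),
                       "fields": fields})
    return events


def correlate(dns_text, flow_text, min_flows=4, max_cv=0.1):
    """Return hosts with at least min_flows flows to one destination whose
    inter-flow gaps have a coefficient of variation <= max_cv, joined with
    the DNS name that host resolved for that destination (None if no
    resolution was seen, i.e. the address was contacted without a lookup)."""
    events = parse_log(dns_text, "dns") + parse_log(flow_text, "flow")
    events.sort(key=lambda e: e["ts"])
    resolved = defaultdict(dict)   # host -> {answer_ip: queried name}
    flows = defaultdict(list)      # (host, dst) -> [timestamps]
    for e in events:
        f = e["fields"]
        if e["source"] == "dns":
            resolved[e["host"]][f["answer"]] = f["query"]
        else:
            flows[(e["host"], f["dst"])].append(e["ts"])
    findings = []
    for (host, dst), stamps in sorted(flows.items()):
        if len(stamps) < min_flows:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv > max_cv:
            continue
        findings.append({"host": host, "dst": dst,
                         "domain": resolved[host].get(dst),
                         "flows": len(stamps), "period_s": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for hit in correlate(DNS_LOG, FLOW_LOG):
        print(hit)
```

The normalization step is what makes the join possible: both sources end up with the same `host` key, so a finding carries the resolved name next to the flow statistics instead of forcing an analyst to search two consoles. The period and variance thresholds are tunable; in a real deployment they would be complemented by allow-lists for known update and CDN endpoints to keep false positives down.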
Microfocus’ Intelligent Security Platform – ArcSight
ArcSight is based on an open architecture that uses Apache Kafka to ingest data from varied sources at rates as high as millions of events per second (Microfocus Intelligent Security Operations, 2018). ArcSight offers real-time threat detection using fifty advanced analytical algorithms and correlates thousands of events to find threats (Microfocus Intelligent Security Operations, 2018). Advanced visualization offers intuitive investigation, faster search and analytical capabilities using powerful, centrally managed dashboards. Additionally, an application store ensures the publishing of trusted apps, add-ons and best practices (2018).
The ArcSight Data Platform (Microfocus ADP, 2018) ingests data from varied sources and formats while supporting enterprise-grade ingestion velocity. At the core of ArcSight is an Apache Kafka based message bus in an N:M architecture, which enables ingestion from all sources and brokering to multiple destinations. With this architecture, companies can connect their existing data lakes, tools and technologies to the ArcSight event broker for intelligent security operations. The architecture offers a flexible framework to store, search and analyze data while providing a future-proof, real-time and open platform for threat detection (Microfocus ADP, 2018).
ArcSight Enterprise Security Manager (Microfocus ESM, 2018) is a distributed framework for real-time correlation and event triage. The solution reduces response time from hours to minutes using efficient and simplified workflows (Microfocus ESM, 2018). ArcSight ESM sits on top of the ArcSight Data Platform to offer:
1. Powerful real-time correlation
2. Categorization and normalization
3. Powerful and modular content development
4. Integrated solution with event broker and visualization
5. Workflow automation
6. Automated response within console
7. Multi-tenancy (2018)
ArcSight User Behavior Analytics (Microfocus UBA, 2018) detects anomalies by comparing current activity against a baseline of user and entity behavior. Microfocus UBA (2018) enables real-time alerts based on suspicious user and entity activity. An intuitive workbench delivers quick insight to highlight security risk, and intelligent prioritization identifies the most suspicious and abnormal user activity. Suspicious activity performed with legitimate user credentials is flagged for timely intervention and mitigation (Microfocus UBA, 2018). The key features are:
1. Threat detection using user and entity behavior
2. Proactive adversary hunting to reduce breach impact
3. Quick and accurate investigation and decision making
4. Greater awareness for intelligent and effective resolution (2018)
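To make the baseline-comparison idea concrete, here is an added example written for this post, not ArcSight's or Microfocus' code. It builds a per-user baseline (usual login hours, usual source subnets, daily login volume) from a constructed history of authentication events, scores a new day's events against that baseline, and ranks users by how many distinct kinds of deviation they show, which is the prioritization step described above. The log format, user names, addresses and thresholds are constructed for the example.

```python
"""Added example (not ArcSight UBA code): build a per-user behavioral
baseline from historical authentication logs, then score a new day's
events against it and rank users by how many kinds of deviation they show.
Log format, user names and addresses are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+)$")

# Constructed baseline window: three normal working days.
BASELINE_LOG = """\
2022-03-01T08:05:00Z user=alice src=10.1.20.15 action=login
2022-03-01T13:10:00Z user=alice src=10.1.20.15 action=login
2022-03-01T09:00:00Z user=bob src=10.1.30.7 action=login
2022-03-02T08:15:00Z user=alice src=10.1.20.16 action=login
2022-03-02T09:05:00Z user=bob src=10.1.30.7 action=login
2022-03-03T08:00:00Z user=alice src=10.1.20.15 action=login
2022-03-03T12:40:00Z user=alice src=10.1.20.15 action=login
2022-03-03T09:10:00Z user=bob src=10.1.30.9 action=login
"""

# Constructed day under review: bob's credentials are used at 02:30 from an
# address outside his usual subnet, several times; carol has no history.
DAY_LOG = """\
2022-03-04T08:10:00Z user=alice src=10.1.20.15 action=login
2022-03-04T09:02:00Z user=bob src=10.1.30.7 action=login
2022-03-04T02:30:00Z user=bob src=198.51.100.23 action=login
2022-03-04T02:31:00Z user=bob src=198.51.100.23 action=login
2022-03-04T02:33:00Z user=bob src=198.51.100.23 action=login
2022-03-04T02:40:00Z user=bob src=198.51.100.23 action=login
2022-03-04T14:00:00Z user=carol src=10.1.40.2 action=login
"""


def parse(text):
    """Parse the constructed 'ts user= src= action=' format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than abort
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m.group(2), "src": m.group(3), "action": m.group(4)})
    return events


def subnet(ip):
    """Collapse an IPv4 address to its /24 prefix, e.g. 10.1.20.15 -> 10.1.20."""
    return ".".join(ip.split(".")[:3])


def build_baseline(events):
    """Per user: hours seen, source /24s seen, and daily login count stats."""
    seen = defaultdict(lambda: {"hours": set(), "subnets": set(), "daily": defaultdict(int)})
    for e in events:
        b = seen[e["user"]]
        b["hours"].add(e["ts"].hour)
        b["subnets"].add(subnet(e["src"]))
        b["daily"][e["ts"].date()] += 1
    baseline = {}
    for user, b in seen.items():
        counts = list(b["daily"].values())
        baseline[user] = {"hours": b["hours"], "subnets": b["subnets"],
                          "count_mean": mean(counts), "count_sd": pstdev(counts)}
    return baseline


def score_day(events, baseline, rare_floor=2):
    """Score one day's events; score = number of distinct deviation kinds.
    rare_floor stops a zero-variance baseline from flagging every extra login."""
    reasons = defaultdict(set)
    daily = defaultdict(int)
    for e in events:
        user, hour, net = e["user"], e["ts"].hour, subnet(e["src"])
        daily[user] += 1
        b = baseline.get(user)
        if b is None:
            reasons[user].add("no baseline for user")
            continue
        if not any(abs(hour - h) <= 1 for h in b["hours"]):
            reasons[user].add(f"login hour {hour:02d} outside baseline")
        if net not in b["subnets"]:
            reasons[user].add(f"new source subnet {net}.0/24")
    for user, n in daily.items():
        b = baseline.get(user)
        if b and n > b["count_mean"] + max(2 * b["count_sd"], rare_floor):
            reasons[user].add(f"{n} logins vs baseline mean {b['count_mean']:.1f}")
    ranked = [{"user": u, "score": len(r), "reasons": sorted(r)} for u, r in reasons.items()]
    return sorted(ranked, key=lambda x: (-x["score"], x["user"]))


if __name__ == "__main__":
    for row in score_day(parse(DAY_LOG), build_baseline(parse(BASELINE_LOG))):
        print(row)
```

The scoring deliberately counts kinds of deviation rather than raw event counts, so a user whose legitimate credentials suddenly appear at an unusual hour, from an unfamiliar network and at unusual volume rises to the top of the queue, while an account with no history at all is surfaced but ranked lower. A production system would use a longer baseline window and per-user statistical models, but the structure (learn, compare, rank) is the same.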
The overall ArcSight product suite covers modern-day threat detection for both internal and external users, applications and entities using an open architecture. However, the Microfocus offering is split into several products, such as ArcSight ADP, ESM and UBA, which becomes uneconomical for small organizations.
Microsoft Secure
Microsoft offers a strong portfolio of intelligent security products under the umbrella of Microsoft Secure (2018), which includes identity and access protection, threat protection, information protection, security management and intelligent mechanisms. Identity management is offered through multi-factor authentication such as PINs and biometric security protocols, simplified access to devices and applications using single sign-on, protecting the cloud from hash attacks, and so on.
Threat protection is offered using integrated and intelligent cyber security mechanisms (Microsoft Security Threat Protection, 2018). These mechanisms are native solutions that work across products, providing coordinated protection and remediation to improve security. Identities, applications, data, devices and workloads across the infrastructure are secured to stop harm. Sophisticated machine learning models uncover suspicious and abnormal behavior inside the organization's IT infrastructure as well as in the cloud. Faster response times help thwart attacks quickly to reduce harm (Microsoft Security Threat Protection, 2018).
Information protection is offered through custom policies that enforce a high level of protection on sensitive data (Microsoft Security Information Protection, 2018). Complete data regulation and compliance give an organization a secure and privacy-compliant posture. Strong encryption, access restriction and the ability to remotely wipe devices strengthen the security posture while preventing data leaks. It also offers visibility into how end users distribute data, so that security events can be mitigated effectively (Microsoft Security Information Protection, 2018).
Microsoft Intelligent Security Graph (2018) offers vast threat intelligence, advanced analytics and APIs for connected systems. The Microsoft offering consolidates and standardizes alerts for easier visualization, action and efficiency. Some of the key features are:
1. Unify and standardize alert management
2. Unlock security context to investigate
3. Highly efficient and automated security operation
Microsoft Intelligent Security Graph (2018) offers custom security dashboards, operational tools, threat protection solutions and added security for non-security applications such as human resources, financials and healthcare. APIs also let partners join the Intelligent Security Graph by contributing their own alerts, context and actions, resulting in a connected and extended ecosystem for better security (Microsoft Security Intelligence, 2018).
LogRhythm Security
The security analytics offering from LogRhythm is an intelligent security system based heavily on big data analytics (LogRhythm SA, 2018). The solution offers user-based threat detection, network threat identification, and custom malware and zero-day attack detection (LogRhythm SA, 2018). The LogRhythm Threat Lifecycle Management (TLM) platform is an efficient and scalable platform at a reasonable cost, built on:
1. Artificial intelligence and machine learning algorithms
2. Elasticsearch powered analytics
3. Scenario based analytics (LogRhythm SA, 2018)
The product is offered to large enterprises as well as small and medium-sized businesses as an efficient and affordable solution (LogRhythm SA, 2018). The platform offers end-to-end threat lifecycle management: forensic data collection, identification, qualification, investigation, neutralization and recovery (LogRhythm SA, 2018). The forensic data collection phase gathers all log and event data across the enterprise, as well as data from any purpose-built forensic sensors; intelligent machine learning algorithms then perform classification, contextualization and normalization for analytics and automation. In the discovery phase, the big data security analytics approach ensures that no threat goes unnoticed. In the qualification phase, risk assessment prioritizes threats by severity. The investigation phase is performed using real-time dashboards. Automated response procedures are then executed to neutralize the threat, followed by rapid recovery (LogRhythm SA, 2018).
LogRhythm's security automation and orchestration (LogRhythm SAO, 2018) architecture helps respond to threats in seconds instead of days by automating workflows and accelerating threat qualification, investigation and response. SAO empowers the security team with ease and high efficiency of operation. Some of the key use cases are:
1. Endpoint quarantine
2. User suspension
3. Machine data collection
4. Network access suspension
5. Process killing
The framework creates a case, investigates it, and then collaborates with multi-level security operations teams for mitigation and response (LogRhythm SAO, 2018). In essence, LogRhythm's offering is a complete intelligent security system comprising security information and event management (SIEM), security analytics, threat detection, user and entity behavior analytics, cloud security, security automation and orchestration, network traffic and behavior analytics, network forensics, log management and file integrity monitoring (LogRhythm SA, 2018).
References
LogRhythm SAO (2018). Security Automation and Orchestration. Retrieved from https://logrhythm.com/solutions/security/security-automation-and-orchestration/
LogRhythm SA (2018). Security analytics. Retrieved from https://logrhythm.com/solutions/security/security-analytics/
Microsoft Secure (2018). Cyber Security. Retrieved from https://www.microsoft.com/en-us/security/default.aspx
Microsoft Security Intelligence (2018). Security Intelligence. Retrieved from https://www.microsoft.com/en-us/security/intelligence
Microsoft Security Information Protection (2018). Security Information Protection. Retrieved from https://www.microsoft.com/en-us/security/information-protection
Microsoft Security Threat Protection (2018). Security Threat Protection. Retrieved from https://www.microsoft.com/en-us/security/threat-protection
Microsoft Security Identity Access Management (2018). Identity Access Management. Retrieved from https://www.microsoft.com/en-us/security/identity-access-management
Microfocus Intelligent Security Operations (2018). Intelligent Security Operations. Retrieved from https://software.microfocus.com/en-us/solutions/security-operations
Microfocus ESM (2018). ArcSight Enterprise Security Manager. Retrieved from https://www.microfocus.com/media/flyer/arcsight_enterprise_security_manager_ds.pdf
Microfocus UBA (2018). ArcSight User Behavior Analytics. Retrieved from https://www.microfocus.com/media/data-sheet/arcsight_user_behavior_analytics_ds.pdf
Microfocus ADP (2018). ArcSight Data Platform. Retrieved from https://www.microfocus.com/media/data-sheet/arcsight_data_platform_ds.pdf
IBM Software (2013). Extending security intelligence with big data solutions. Retrieved from http://www.ndm.net/siem/pdf/Extending%20security%20intelligence%20with%20big%20data%20solutions.PDF