This white paper provides guidance for how to adopt an Intelligence-Driven Security strategy that delivers three essential capabilities: visibility, analysis, and action.
ADOPTING INTELLIGENCE DRIVEN SECURITY
A Security Strategy to Help Build Trust in the Digital World
RSA Whitepaper
INTELLIGENCE DRIVEN SECURITY
Today’s changing business requirements, exciting IT innovations, and the dynamic
threat landscape underscore the need for a modern security strategy that updates
security processes to achieve a more effective approach to cyber-defense. This paper
provides guidance for how to adopt an Intelligence Driven Security strategy that delivers
three essential capabilities: visibility, analysis, and action. These capabilities can help
detect, investigate, and respond to advanced threats, confirm and manage identities,
and prevent online fraud and cybercrime. This strategy empowers organizations to
effectively address the challenges they have today and those still beyond the horizon.
INTRODUCTION
It’s a classic double-edged sword: the very same IT innovations that increased
enterprise efficiency over the past decade have created opportunities for
dangerous, nuanced cyber threats to damage the organization. As enterprise processes
grew in sophistication, so too did attacker tactics, evolving beyond rudimentary mass
malware into precisely targeted, devastatingly advanced attacks. As IT plays an
increasingly central role in fundamentally transforming business operations and
creating new opportunities and advantages, IT risk and security challenges have never
been more important to address.
RSA’s Intelligence Driven Security strategy helps organizations mitigate the risk of
operating in a digital world. Organizations can employ this strategy to deliver the
visibility, analysis, and action they need to detect, investigate, and respond to advanced
threats, confirm and manage identities, and prevent online fraud and cybercrime.
THE CHANGING BUSINESS
Not so long ago, IT’s reach was well-defined and well-controlled. Most applications
required a comparatively small amount of access, little or no information was shared
externally, and IT had near-complete control over the infrastructure for applications and
access. Then things changed. Organizations recognized they could lower costs and
increase productivity by granting third-party access to applications, and as a result,
introduced a greater number of digital identities corresponding to employees,
suppliers, and partners. To further complicate matters, the workforce brought a host of
new personal mobile devices (mobile phones, laptops, and tablets) that all required
access. Many business processes, including core functions such as IP development or
financial transaction processing transitioned partially or fully to the cloud. Today, many
former in-house tasks are conducted outside the organization’s traditional “four walls.”
Further, the explosion of digital data created by new applications and new digital
business processes dispersed over multiple silos resulted in a significantly expanded
attack surface. Potential points of vulnerability increased, and the newly hyper-
extended business struggled to adequately secure what it suddenly didn’t own,
manage, or control.
Simultaneously, hackers, politically motivated “hacktivists,” and fraudsters capitalized
on this evolution, developing more advanced attack tactics, such as moving “low and
slow” to mimic the behaviors of a normal user, while their motivations transformed
from largely notoriety-driven to objectives like stealing intellectual property. With more
points of vulnerability and a lethal combination of hacker motivation and know-how,
the possibility of a breach today is unprecedented. In fact, most authorities agree that
yesterday’s goal of preventing every intrusion is impossible, and today’s security
imperative is to detect and stop intruders before they can cause damage or loss to the
organization.
Against this backdrop of a changing business, IT, and threat landscape, there’s a
fundamental disconnect between most organizations’ in-place security processes and
an effective, contemporary approach to cyber-defense. Intelligence Driven Security is
that new strategy.
“In order to keep pace with the rapidly growing number of users, devices,
and internal and external threats, intelligence driven security has evolved
from a conceptual theory to a must-have strategy for today’s enterprise. This
proliferation of access requirements by people and devices has dramatically
increased security risk; ensuring that the right systems are accessed only by
those who are authorized is driving the need for intelligence around those
behaviors.”
Chris Christiansen, IDC
WHAT MAKES AN INTELLIGENCE DRIVEN SECURITY STRATEGY
INTELLIGENT?
An Intelligence Driven Security strategy delivers three essential capabilities designed to
prevent inevitable breaches from causing damage or loss: visibility, analysis, and action.
Visibility
Organizations gain visibility by collecting data about what matters. But what matters
today and what control points still exist in today’s hyper-extended enterprises?
First is risk: what are the risks to the organization? What are its vulnerabilities? How
well is it defending against those at any given point in time? Without visibility into risk,
organizations can’t design optimal defense strategies or appropriately prioritize
activities. Second is what’s happening on the network. Network visibility needs to go
beyond what most organizations have today, from logs and events down to the packet and
session level, to spot the faint signals that indicate advanced threats. Third is digital
identities. Organizations need to understand who and what are on their networks, what
they are doing, and whether that behavior is appropriate. And finally, transactions:
organizations need to know what’s happening inside the key applications that drive the
business.
Analysis
All the data gathered to gain visibility is useless without the ability to extrapolate
insight and meaning from it. Analysis involves understanding normal state behavior
and then looking for anomalies. By knowing what is “normal,” an organization can then
spot, investigate, and root out anomalies that result from malicious activity. Once
anomalies are discovered, additional, more detailed, contextual analysis may be
required to determine the appropriate response.
Action
Action is the response to confirmed malicious anomalies. Rapid action allows
organizations to mitigate potential threats by enforcing controls such as access
restrictions or additional authentication. Action also results in remediation processes
and activity. The key to success is keeping action consistent, so that each time an
analysis finds something potentially threatening, the organization can “operationalize”
the response rather than improvise it.
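The Analysis and Action sections above describe a loop: learn what is normal for each identity, flag deviations from it, and map each confirmed deviation to a consistent, repeatable response such as additional authentication or an access restriction. The following is an added example that is not part of the RSA paper: it builds a per-user baseline (login hours and source networks) from a constructed authentication log, scores new events against it, and maps the result to one of a fixed set of actions. The log format, the /24 aggregation, the failure threshold of three attempts and the action names are all assumptions chosen for illustration.

```python
"""Baseline-then-anomaly analysis over authentication events, mapped to actions.

Constructed example: the log format, thresholds and the action names are
assumptions for illustration, not taken from the RSA paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    result: str  # "ok" or "fail"


def parse(line: str) -> AuthEvent:
    # Assumed line layout: "<ISO-8601 timestamp> <user> <source IP> <ok|fail>"
    ts, user, ip, result = line.split()
    return AuthEvent(datetime.fromisoformat(ts), user, ip, result)


def net24(ip: str) -> str:
    # Collapse a source address to its /24 so a DHCP-assigned office address
    # does not look "new" every day.
    return str(ipaddress.ip_network(f"{ip}/24", strict=False))


class Baseline:
    """What 'normal' looks like per user: login hours and source networks seen."""

    def __init__(self, events):
        self.hours = defaultdict(set)
        self.nets = defaultdict(set)
        for e in events:
            if e.result == "ok":  # only successful logins define normal behaviour
                self.hours[e.user].add(e.ts.hour)
                self.nets[e.user].add(net24(e.src_ip))

    def known(self, user: str) -> bool:
        return user in self.hours


def analyze(baseline: Baseline, events, fail_threshold: int = 3):
    """Score each new event against the baseline and map it to an action.

    Returns a list of (event, reasons, action). Actions follow the paper's
    examples: 'allow', 'step-up-auth' (additional authentication) and
    'restrict' (access restriction plus investigation); 'record' marks a
    failed attempt that needs no immediate enforcement.
    """
    fails = defaultdict(int)  # failed attempts per user in this batch
    decisions = []
    for e in sorted(events, key=lambda ev: ev.ts):
        reasons = []
        if not baseline.known(e.user):
            reasons.append("no-baseline")
        else:
            if e.ts.hour not in baseline.hours[e.user]:
                reasons.append("off-hours")
            if net24(e.src_ip) not in baseline.nets[e.user]:
                reasons.append("new-network")
        if e.result == "fail":
            fails[e.user] += 1
            burst = fails[e.user] >= fail_threshold
            if burst:
                reasons.append("failure-burst")
            action = "restrict" if burst else "record"
        else:
            if fails[e.user] >= fail_threshold:
                reasons.append("success-after-burst")
            # One anomaly alone asks for more proof of identity; two or more,
            # or a success right after a failure burst, restricts access.
            if not reasons:
                action = "allow"
            elif len(reasons) == 1 and reasons[0] != "success-after-burst":
                action = "step-up-auth"
            else:
                action = "restrict"
        decisions.append((e, reasons, action))
    return decisions


# Constructed sample data: two days of normal activity, then one day to analyze.
BASELINE_LOG = [
    "2024-03-04T08:55:00 alice 10.1.4.22 ok",
    "2024-03-04T13:10:00 alice 10.1.4.22 ok",
    "2024-03-05T09:05:00 alice 10.1.4.31 ok",
    "2024-03-05T17:20:00 alice 10.1.4.31 ok",
    "2024-03-04T09:30:00 bob 10.1.7.14 ok",
    "2024-03-05T10:15:00 bob 10.1.7.14 ok",
    "2024-03-05T12:00:00 bob 10.1.7.14 fail",  # one typo; ignored by the baseline
]
NEW_LOG = [
    "2024-03-06T09:15:00 alice 10.1.4.30 ok",    # usual hour, usual office /24
    "2024-03-06T02:40:00 alice 10.1.4.22 ok",    # office network but 02:40
    "2024-03-06T03:01:00 bob 203.0.113.9 fail",  # three failures from outside...
    "2024-03-06T03:02:00 bob 203.0.113.9 fail",
    "2024-03-06T03:03:00 bob 203.0.113.9 fail",
    "2024-03-06T03:04:00 bob 203.0.113.9 ok",    # ...then a success
    "2024-03-06T10:00:00 carol 10.1.9.5 ok",     # no history for this identity
]


def run_example():
    baseline = Baseline(parse(line) for line in BASELINE_LOG)
    results = analyze(baseline, [parse(line) for line in NEW_LOG])
    return [(e.user, e.ts.strftime("%H:%M"), action) for e, _, action in results]


if __name__ == "__main__":
    baseline = Baseline(parse(line) for line in BASELINE_LOG)
    for e, reasons, action in analyze(baseline, [parse(line) for line in NEW_LOG]):
        print(f"{e.ts:%H:%M} {e.user:6} {e.result:4} {action:13} {reasons}")
```

Alice's office login at an unusual hour earns a step-up rather than a block, while Bob's success following three failures from an unseen network is restricted and handed to investigation; Carol, with no baseline at all, is asked for additional authentication. The point is that every path through the analysis ends in one of a small, predefined set of responses, which is what makes the action repeatable.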
WHAT WOULD AN INTELLIGENCE DRIVEN SECURITY STRATEGY
LOOK LIKE?
An Intelligence Driven Security strategy places emphasis on detection, analysis, and
action while deemphasizing static, signature-based, perimeter detection. This “even
split” reflects the modern threat landscape and allocates resources accordingly,
creating a better balance between monitoring, response, and prevention.
“Securing today’s global enterprise is a massive undertaking. With the
dissolution of the security perimeter, organizations need to take a more
intelligence-driven approach to security. Using data from systems and users to
drive decision-making can help improve the speed and efficiency of spotting
and responding to attacks and ultimately safeguard an organization’s most
important digital assets.”
William Boni, Corporate Information Security Officer (CISO) and Vice President,
Enterprise Information Security
The chart below compares the priorities of many of today’s security strategies with
those of an Intelligence Driven Security strategy.
WHAT ARE THE BENEFITS?
Aside from the critical capability to combat today’s increasingly dangerous threat
landscape, an Intelligence Driven Security strategy provides additional benefits:
Focus
Because Intelligence Driven Security drives action based on mitigating the most
pressing risks to the business, it ensures that organizations prioritize activity and
resources appropriately.
Allocation of security effort (Source: RSA)

                  Today’s priorities    Intelligence Driven Security
Prevention        80%                   33%
Monitoring        15%                   33%
Response           5%                   33%
Operational Benefits
Most organizations’ in-place security systems rely on a significant number of disparate
solutions: malware analysis, identity and access management, governance, risk and
compliance, and so on. Intelligence Driven Security reduces the number of point products
and fuses together otherwise disjointed data sets and tools, increasing both security and
operational efficiency.
Risk Avoidance
By identifying attacks sooner, Intelligence Driven Security reduces the bottom-line loss
that often results from a breach that goes undetected.
Staffing Benefits
It’s no secret that talent is scarce in the IT security industry. An Intelligence Driven
Security strategy can aid in attracting top performers, empower them with the right set
of technologies and tools, and make their efforts more extensible throughout the
organization. Automation and more sophisticated tooling free already overburdened
employees to focus on what matters to defend the organization, and can elevate average
performers into vital components of a winning IT security staff.
CONSEQUENCES OF NOT ADOPTING AN INTELLIGENCE DRIVEN
SECURITY STRATEGY
While the upside is clear, there is also a significant downside for organizations that fail
to adopt an Intelligence Driven Security strategy:
Level of Exposure Rises
Every organization has something of value, including its brand, intellectual property,
and the bottom line. The inability to effectively manage today’s digital risks significantly
increases the potential for damage to this value. One devastating breach can wipe out
years of establishing steady revenue, cutting-edge research, or a trusted brand.
Falling Behind
Even if a breach never occurs, an organization that does not adopt an Intelligence
Driven Security strategy is at serious risk of jeopardizing competitiveness. An
organization that is able to effectively manage its digital risks can confidently channel
resources into growing, expanding, and differentiating via new IT initiatives, leaving
competitors behind.
Getting Started
Regardless of your current technology implementations or organizational security
maturity, a roadmap towards an Intelligence Driven Security strategy can be developed.
Current investments can be used as building blocks to a more sophisticated model.
Nearly every organization has the potential to gain the required capabilities for
visibility, analysis, and action. What’s important is not precisely where you are today,
but what next steps you take to improve. The goal should be a roadmap across people,
process, and technology to comprehensively increase maturity. The key is committing to
adopting a more Intelligence Driven Security strategy.