We in IT often rely on gut instinct to make decisions. We pride ourselves on the ability to look at a problem and quickly find a solution. We see a vulnerability, know a nasty exploit exists, and react by telling everyone the vulnerability must be patched. Instict and intuition play a useful role in decision-making, but it's a lot more limited than many people would like to admit, particularly in the realm of security and risk management. It's foolish to think that the complex risks that a corporation faces can be met on intuition alone.
We owe it to the companies we work for to provide insightful, intelligent decisions. Threat and event intelligence gathering is key. That means we need tools that gather and analyze data, and provide information that we can then use to prioritize our goals and address risks. Security Event and Information Management (SEIM) tools are a good starting point. While you most likely have some sort of central logging server in place, be it syslog or a log collector like Splunk, chances are you aren't running a system that can analyze the content of the data, correlate events across multiple systems and networks, and provide threat and risk information. Adding a SEIM such as LogLogic, ArcSight or one of the other numerous offerings can save time and resources on tasks such as log reviews. It also helps you make informed decisions rather than reacting based on instinct.
Going a step further and gathering threat intelligence gets a bit more complicated. Knowing what is happening on the network is great for reacting to ongoing threats and attacks. Even better is to be proactive and take steps to address potential threats before they occur. Adding tools that overlay threat data, such as vulnerability scans, to your network and show current attack vectors as well as new threats that would exist if you made specific changes to the network or system provide great value to security and operations pros.
Products from vendors such as Skybox Security, RedSeal and Tufin provide methods to import firewall and switch configurations, vulnerability scan data, and understand how it all comes together in the real world to create opportunity for an attacker. This gives IT the ability to understand the consequences of daily activities, such as adjusting firewall rules or a switch configuration. Such information can be a great asset to busy security and network teams.
There are those that dismiss the need for threat intelligence and the value of these tools. If you are a doubter, bring in a vendor and its product to perform a proof of concept. If it shows nothing, congratulations to you: your network is better off than most. If it does show events and threats you previously didn't realize existed, which I am sure it will, you have an opportunity to move away from gut instinct and into the realm of informed and educated decision-making.
