SAN FRANCISCO - What, exactly, is security intelligence, and where does it come from? Asking this of people at the RSA security conference produced dozens of definitions. For example:
1. To the big vendors with multiple security tool offerings, intelligence is the data collected from their tools that can be unified into a nice interface and used for 'visibility' into their full environments. This visibility is something that organizations simply don't have today, despite using multiple tools to achieve it. Cisco, McAfee, Symantec, H-P, Oracle and many more vendors unveiled their versions of a security ecosystem connecting the dots between the many alarms and signals coming from their devices, and you wonder why they haven't been doing this all along.
2. To the stand-alone 'intelligence' vendors, intelligence comes from making middleware that connects the dots between devices from different brands of security and infrastructure vendors, doing essentially the same thing for heterogeneous environments.
3. To established forensics firms and a new breed of information sharing firms, intelligence goes far beyond what you can get from your own network devices, applications and traffic. It involves huge databases of known patterns to look for based on previous investigations, honeynet findings and subscriptions to groups like the ISACs (Information Sharing and Analysis Centers).
4. To the mixed group of C-level IT pros from John Deere, Hawaiian Airlines and analyst firms speaking on a panel briefing hosted by Trainer PR at Restaurant LuLus on Wednesday, the general consensus was that wherever the intelligence comes from, it has to be "actionable."
Translation: Let's not turn intelligence into yet another set of files to search along with all that information building up in our SIEMs. To be actionable, that intelligence must pertain to the target's environment, applications and users; and also quickly lead responders to the problem without false positives while providing compliance and remediation assistance.
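To make the panel's "actionable" test concrete, here is an added example (not from the article or from any vendor mentioned in it) that contrasts plain indicator matching with the extra step the panel asked for: correlating a hit against the organization's own asset inventory so that only indicators that apply to a host, and to software that host actually runs, become alerts, each carrying an owner and a remediation hint. The indicator feed, asset inventory and log lines are all constructed, and the field names (`affects`, `remediation`, `owner`) are assumptions.

```python
"""Actionable intelligence: indicator matching plus environment context.

Added example, not code from the article. All feed entries, assets and
log lines below are constructed (TEST-NET addresses, example domains).
"""
import re
from typing import Dict, List

# Constructed indicator feed. 'affects' names the software an indicator
# is relevant to (None = relevant to any host); field names are assumptions.
INDICATORS: Dict[str, dict] = {
    "203.0.113.7": {"threat": "C2 server", "affects": "Tomcat",
                    "remediation": "isolate host, rotate credentials"},
    "198.51.100.22": {"threat": "exploit kit landing page",
                      "affects": "Java browser plugin",
                      "remediation": "remove plugin, rescan host"},
    "evil.example": {"threat": "phishing domain", "affects": None,
                     "remediation": "block at proxy, notify user"},
}

# Constructed asset inventory: what each internal host runs and who owns it.
ASSETS: Dict[str, dict] = {
    "10.0.1.5": {"host": "web01", "software": ["Tomcat", "Linux"],
                 "owner": "web-team"},
    "10.0.2.9": {"host": "wk-finance-3", "software": ["Windows", "Office"],
                 "owner": "desktop-ops"},
}

# Constructed firewall/proxy log lines in a simple key=value layout.
LOGS: List[str] = [
    "2013-02-27T09:12:01Z src=10.0.1.5 dst=203.0.113.7 action=allow",
    "2013-02-27T09:13:44Z src=10.0.2.9 dst=198.51.100.22 action=allow",
    "2013-02-27T09:15:10Z src=10.0.2.9 dst=evil.example action=allow",
    "2013-02-27T09:16:30Z src=10.0.9.99 dst=203.0.113.7 action=allow",
    "2013-02-27T09:17:00Z src=10.0.1.5 dst=192.0.2.10 action=allow",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)$"
)


def raw_hits(logs: List[str], indicators: Dict[str, dict]) -> List[dict]:
    """Plain matching: every parsed line whose destination is on the feed.
    This is the 'yet another set of files to search' level of intelligence."""
    hits = []
    for line in logs:
        m = LINE_RE.match(line)
        if m and m["dst"] in indicators:
            hits.append(m.groupdict())
    return hits


def actionable_alerts(hits: List[dict], indicators: Dict[str, dict],
                      assets: Dict[str, dict]) -> List[dict]:
    """Keep only hits that pertain to a known asset and to software it runs,
    and attach owner and remediation so a responder can act immediately."""
    alerts = []
    for h in hits:
        asset = assets.get(h["src"])
        if asset is None:
            # Unknown source host: nobody to route it to; in practice this
            # would go to an inventory-gap queue rather than the alert stream.
            continue
        ind = indicators[h["dst"]]
        if ind["affects"] and ind["affects"] not in asset["software"]:
            # Indicator targets software this host does not run: suppress
            # rather than raise a false positive.
            continue
        alerts.append({
            "time": h["ts"], "host": asset["host"], "owner": asset["owner"],
            "indicator": h["dst"], "threat": ind["threat"],
            "remediation": ind["remediation"],
        })
    return alerts


if __name__ == "__main__":
    hits = raw_hits(LOGS, INDICATORS)
    print(f"raw indicator hits: {len(hits)}")
    for a in actionable_alerts(hits, INDICATORS, ASSETS):
        print(f"{a['time']} {a['host']} ({a['owner']}): {a['threat']} "
              f"via {a['indicator']} -> {a['remediation']}")
```

Run as a script, the constructed data produces four raw hits but only two alerts: the Tomcat host talking to the C2 address and the finance workstation reaching the phishing domain. The exploit-kit hit is suppressed because that workstation does not run the affected plugin, and the hit from an address missing from the inventory is held back because there is no owner to send it to. The inventory and feed would normally come from a CMDB and an ISAC or vendor subscription; the point of the example is the correlation step, not the data sources.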
What will probably end up happening is that one day, all of these definitions will be the basis for a more comprehensive, accurate and visual product that lets IT staffs find bad things going on in their environments and repair their systems so those bad things can't get to them anymore. This could be wishful thinking, but I'd like to think that this stuff will take the same maturity path we've seen with other security technologies.
From what I could see at RSA, we're a long way from that, but it's a start.