Operations

2/27/2015
12:00 PM
Jason Polancich
Commentary

Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

It’s no secret that committing to a common strategy for collecting, analyzing, reporting on, and liberally sharing valid cyber intelligence data between the operations side of your security domain and the business side of the organization is one of the thorniest problems organizations face today.

Contrary to conventional wisdom, evaluated cyber intelligence data is not the raw threat intelligence that flows into your Ops team on any given day. It’s not the results of a saved search run by a security team member via their SIEM tool of choice. It isn’t the last 35 new malware signatures loaded in the last few days into your endpoint protection database. It’s not even one of the 2471 alerts that fired today for any one of the 456 SNORT rules your folks added over the last 90 days. Neither is it the off-hand alert issued last night by the ISAC you’re a member of, nor is it the latest exploit described this morning in the news.

Evaluated cyber intelligence is the thing you know. The thing you have hard evidence of, or you know is definitely wrong -- even if you can’t yet pin it to a negative outcome.

It is the thing you can point to and say "That. Just. Happened." It’s the seemingly inert point-of-sale malware you found last month on your systems and removed. It’s the phishy emails your HR department notified you of yesterday that you confirmed were indeed phishing. It’s the Jetty vulnerability CVE that came out this morning that directly affects the primary SaaS portal your suppliers log into. It’s the botnet you discovered your WordPress blog site was participating in and the malvertising you successfully removed from your subsidiary’s eCommerce site. It’s even the permissions on your database you discovered were wrong and unthinkingly changed.

The trouble is, almost no one is very good at tracking and analyzing evaluated intelligence. It’s boring. Too often, these things get chalked up as "closed" or "mitigated" and are assumed to have little value once done. We tell ourselves that it’s got to be the unknown that’s the most important and we dive right back into those haystacks. This all couldn’t be further from the truth.

Leadership needs more insight
When you think about it, in every successful corporation, the business side of things runs on evaluated intelligence: recorded sales data by region or product, financial numbers for the current month versus last and versus what was predicted, marketing expenditures last quarter for mature products versus new ones, and on and on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected.

Good business managers run things on a foundation of the knowable, and it’s something they wouldn't think of running a business without. Unfortunately, collection and analysis of evaluated intelligence is a rarely prioritized requirement for leaders seeking to bridge the gap between business and the cybersecurity operations they manage.

Without it, the business side cannot apply the same planning and strategy they do elsewhere, thus they can’t help the entire organization become more cyber resilient. Over time, using evaluated cyber intelligence provides leaders with a way to get a grip on cyber planning and better support security operations long term.

The data is rarely collected in-depth, much less in standard, predictable and intuitive ways. Instead, management too often settles for data about the "possible" or "assumed" rather than the proven. Thus, business leadership is unable to efficiently baseline a domain it cannot make amenable to time-tested business strategies and formulas.

Time to free trapped data
Security teams must commit to opening up and freeing data trapped at the operational level. It’s simply not possible for businesses to be fully secure. Hits do and will continue to happen. It’s becoming increasingly clear that the best defenses are the ones that most quickly identify something as it is happening and are the most prepared in advance to deal with the likeliest hits and impacts they may have -- and on what. Learning from experience is very valuable to this posture.

Today, with all the emphasis on more data and more tools that produce more data, security teams are completely drowning. Sadly, the majority of it is useless or goes unobserved. Worse yet, almost no valuable "performance" data routinely escapes this environment and makes its way over to the business side where it’s most needed to bring the right resources to bear to help long-term.

In such an environment, evaluated intelligence is a highly efficient source that requires relatively few resources to exploit. If security teams simply committed to daily diligence in recording data on things they’ve evaluated in simple, easy-to-understand data formats, and shared all this regularly and routinely with leadership, each side would likely be surprised at the rise in mutual understanding over time.
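As an added illustration (not code from the article or its author) of the "simple, easy-to-understand data format" the author calls for: a minimal ledger that only accepts findings carrying evidence and a verdict, so raw alerts and assumptions never reach the leadership roll-up. Asset names, ticket ids and dates are constructed placeholders.

```python
"""Constructed example: a ledger of evaluated (confirmed) cyber intelligence."""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Evaluated:
    found: date             # when it was confirmed, not when an alert fired
    category: str           # malware, phishing, vulnerability, misconfiguration
    asset: str              # business-facing asset it touched
    evidence: str           # what was actually seen or verified
    verdict: str            # "confirmed" or "definitely-wrong"
    closed: Optional[date] = None


class Ledger:
    def __init__(self):
        self.records = []

    def add(self, rec):
        """Reject anything assumed: no evidence means it is not evaluated."""
        if not rec.evidence.strip():
            raise ValueError("no evidence: assumed, not known")
        if rec.verdict not in ("confirmed", "definitely-wrong"):
            raise ValueError("verdict must be confirmed or definitely-wrong")
        self.records.append(rec)

    def by_asset(self):
        """Roll-up a business leader can read: findings per asset."""
        return Counter(r.asset for r in self.records)

    def mean_days_to_close(self):
        """Average time from confirmation to closure; None if nothing closed."""
        days = [(r.closed - r.found).days for r in self.records if r.closed]
        return sum(days) / len(days) if days else None


def sample_ledger():
    """Constructed entries mirroring the kinds of items the article lists."""
    led = Ledger()
    led.add(Evaluated(date(2015, 1, 20), "malware", "point-of-sale",
                      "sample quarantined, ticket SEC-101 (placeholder)",
                      "confirmed", date(2015, 1, 22)))
    led.add(Evaluated(date(2015, 2, 26), "phishing", "HR mailboxes",
                      "HR-reported messages verified as phishing",
                      "confirmed", date(2015, 2, 26)))
    led.add(Evaluated(date(2015, 2, 27), "vulnerability", "supplier SaaS portal",
                      "vendor Jetty advisory matches deployed version", "confirmed"))
    led.add(Evaluated(date(2015, 2, 10), "misconfiguration", "customer database",
                      "grant review found world-writable role", "definitely-wrong",
                      date(2015, 2, 10)))
    return led
```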

Even better, because business analysts and leaders analyze data differently than security professionals, it truly brings both sides together around joint planning and strategy with more eyes on the problems at hand. Of course, what we don’t know can always hurt us. But what we do know (and choose not to pay attention to) is what usually hurts a lot more.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...
Comments

mwatson1920, 3/21/2018 | 4:05:03 PM
Re: Cyber Intelligence and knowing what you know!
Mike Anders... I just saw this comment of yours from 3 years ago. Amazing, still just as relevant and elusive today. I am a Cyber Intel instructor; may I use your "Cyber intel... more than the sum of all threat feeds" saying?

Thank you.

Michelle Watson, President, Cyber Intelligent Partners

Mike Anders, 3/2/2015 | 3:50:17 PM
Cyber Intelligence and knowing what you know!

There is a growing awareness that Cyber Intelligence is more than a sum of all threat feeds! Unfortunately, for many, adopting an "intelligence-based" Cyber security mindset seems difficult. In practice, however, it is far easier than one might expect. Granted, for some corporate cultures doing so might require some adjustment. But, as we have learned lately, doing so is no longer a "Nice to do!" It is more like a "We gotta do!" Not a lecture, just an observation!
