12:00 PM
Jason Polancich

Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

It’s no secret that committing to a common strategy around collecting, analyzing, reporting on, and liberally sharing valid cyber intelligence data between the operations side of your security domain and the business side of your operations is one of the thorniest problems organizations face today.

Contrary to conventional wisdom, evaluated cyber intelligence data is not the raw threat intelligence that flows into your Ops team on any given day. It’s not the results of a saved search run by a security team member via their SIEM tool of choice. It isn’t the last 35 new malware signatures loaded in the last few days into your endpoint protection database. It’s not even one of the 2471 alerts that fired today for any one of the 456 SNORT rules your folks added over the last 90 days. Neither is it the off-hand alert issued last night by the ISAC you’re a member of, nor is it the latest exploit described this morning in the news.

Evaluated cyber intelligence is the thing you know. The thing you have hard evidence of, or you know is definitely wrong -- even if you can’t yet pin it to a negative outcome.

It is the thing you can point to and say "That. Just. Happened." It’s the seemingly inert point-of-sale malware you found last month on your systems and removed. It’s the phishy emails your HR department notified you of yesterday that you confirmed were indeed phishing. It’s the Jetty vulnerability CVE that came out this morning that directly affects the primary SaaS portal your suppliers log into. It’s the botnet you discovered your WordPress blog site was participating in and the malvertising you successfully removed from your subsidiary’s eCommerce site. It’s even the permissions on your database you discovered were wrong and unthinkingly changed.

The trouble is, almost no one is very good at tracking and analyzing evaluated intelligence. It’s boring. Too often, these things get chalked up as "closed" or "mitigated" and are assumed to have little value once done. We tell ourselves that it’s got to be the unknown that’s the most important and we dive right back into those haystacks. This all couldn’t be further from the truth.

Leadership needs more insight
When you think about it, in every successful corporation, the business side of things runs on evaluated intelligence: recorded sales data by region or product, financial numbers for the current month versus last and versus what was predicted, marketing expenditures last quarter for mature products versus new ones, and on and on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected.

Good business managers run things on a foundation of the knowable and it’s something they wouldn't think of running a business without. Unfortunately, collection and analysis of evaluated intelligence is a rarely-prioritized requirement for leaders seeking to bridge the gap between business and the cybersecurity operations they manage.

Without it, the business side cannot apply the same planning and strategy they do elsewhere, thus they can’t help the entire organization become more cyber resilient. Over time, using evaluated cyber intelligence provides leaders with a way to get a grip on cyber planning and better support security operations long term.

The data is rarely collected in-depth, much less in standard, predictable and intuitive ways. Instead, management too often settles for data about the "possible" or "assumed" rather than the proven. Thus, business leadership is unable to efficiently baseline a domain it cannot make amenable to time-tested business strategies and formulas.

Time to free trapped data
Security teams must commit to opening up and freeing data trapped at the operational level. It’s simply not possible for businesses to be fully secure. Hits do and will continue to happen. It’s becoming increasingly clear that the best defenses are the ones that most quickly identify something as it is happening and are the most prepared in advance for the likeliest hits, the impact they may have, and what they may affect. Learning from experience is very valuable to this posture.

Today, with all the emphasis on more data and more tools that produce more data, security teams are completely drowning. Sadly, the majority of it is useless or goes unobserved. Worse yet, almost no valuable "performance" data routinely escapes this environment and makes its way over to the business side where it’s most needed to bring the right resources to bear to help long-term.

In such an environment, evaluated intelligence is a highly efficient means that requires relatively few resources to exploit. If security teams simply committed to daily diligence in recording data on things they’ve evaluated in simple, easy-to-understand data formats and shared all this regularly and routinely with leadership, each side would likely be surprised at the rise in mutual understanding over time.
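To make the "simple, easy-to-understand data format" concrete, here is an added example (not the author's or SurfWatch Labs' code) of what a daily log of evaluated findings could look like, using the kinds of findings the column lists earlier: point-of-sale malware, confirmed phishing, a vulnerability in a supplier portal, a botnet-infected blog, malvertising, and bad database permissions. Each record carries a date found, a date closed, a category, an asset, a one-line summary and a pointer to the evidence. The asset labels, ticket IDs and dates are constructed for illustration. The helper functions produce the rollups a business analyst would ask for: counts by category, counts by month found, what is still open, mean days to close, and a CSV export for sharing outside the security team.

```python
from collections import Counter
from dataclasses import dataclass, asdict, fields
from datetime import date
from typing import Dict, List, Optional
import csv
import io


@dataclass(frozen=True)
class EvaluatedRecord:
    """One thing we know: found, backed by evidence, and (usually) closed."""
    found: date              # date the finding was confirmed, not first suspected
    closed: Optional[date]   # date it was mitigated; None while still open
    category: str            # coarse bucket the business side can chart
    asset: str               # what it happened to (hypothetical labels below)
    summary: str             # one line a non-specialist can read
    evidence: str            # where the proof lives (ticket, log, sample)


# Constructed sample records modelled on the column's examples; not real incidents.
SAMPLE_RECORDS: List[EvaluatedRecord] = [
    EvaluatedRecord(date(2015, 1, 12), date(2015, 1, 14), "malware", "pos-terminal-07",
                    "Point-of-sale malware found and removed",
                    "AV quarantine log; sample hash in ticket SEC-101"),
    EvaluatedRecord(date(2015, 2, 10), date(2015, 2, 10), "phishing", "hr-mailboxes",
                    "Emails reported by HR confirmed as phishing",
                    "Header and URL analysis in ticket SEC-108"),
    EvaluatedRecord(date(2015, 2, 11), None, "vulnerability", "supplier-portal",
                    "Jetty CVE affects supplier SaaS portal; patch pending",
                    "Vendor advisory; version confirmed on host"),
    EvaluatedRecord(date(2015, 1, 28), date(2015, 2, 2), "botnet", "corp-blog",
                    "WordPress site found participating in botnet; cleaned",
                    "Outbound C2 traffic in proxy logs; ticket SEC-104"),
    EvaluatedRecord(date(2015, 2, 3), date(2015, 2, 4), "malvertising", "subsidiary-shop",
                    "Malvertising removed from subsidiary eCommerce site",
                    "Ad tag diff and screenshots in ticket SEC-106"),
    EvaluatedRecord(date(2015, 2, 9), date(2015, 2, 9), "misconfiguration", "customer-db",
                    "Database permissions found wrong and corrected",
                    "Before/after grant listing in ticket SEC-107"),
    EvaluatedRecord(date(2015, 2, 16), date(2015, 2, 17), "phishing", "finance-mailboxes",
                    "Invoice-themed phishing confirmed and blocked",
                    "Mail gateway log; ticket SEC-110"),
]


def count_by_category(records: List[EvaluatedRecord]) -> Dict[str, int]:
    """How many confirmed findings of each kind: the 'by product' view."""
    return dict(Counter(r.category for r in records))


def count_by_month(records: List[EvaluatedRecord]) -> Dict[str, int]:
    """Findings by month confirmed: the 'this month versus last' view."""
    return dict(Counter(r.found.strftime("%Y-%m") for r in records))


def open_records(records: List[EvaluatedRecord]) -> List[EvaluatedRecord]:
    """Known problems not yet mitigated; the ones leadership should be asked to fund."""
    return [r for r in records if r.closed is None]


def mean_days_to_close(records: List[EvaluatedRecord]) -> Optional[float]:
    """Average calendar days from confirmation to mitigation over closed records."""
    durations = [(r.closed - r.found).days for r in records if r.closed is not None]
    if not durations:
        return None
    return round(sum(durations) / len(durations), 2)


def to_csv(records: List[EvaluatedRecord]) -> str:
    """Flat CSV the business side can load into a spreadsheet; dates as ISO strings."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=[f.name for f in fields(EvaluatedRecord)],
                            lineterminator="\n")
    writer.writeheader()
    for r in records:
        row = asdict(r)
        row["found"] = r.found.isoformat()
        row["closed"] = r.closed.isoformat() if r.closed is not None else ""
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print("by category:", count_by_category(SAMPLE_RECORDS))
    print("by month:", count_by_month(SAMPLE_RECORDS))
    print("still open:", [r.asset for r in open_records(SAMPLE_RECORDS)])
    print("mean days to close:", mean_days_to_close(SAMPLE_RECORDS))
    print(to_csv(SAMPLE_RECORDS))
```

The point of the schema is the `evidence` field and the `found`/`closed` pair: a record without a pointer to proof is an assumption, not evaluated intelligence, and a record without both dates cannot feed the month-over-month comparisons the business side already runs everywhere else.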

Even better, because business analysts and leaders analyze data differently than security professionals, it truly brings both sides together around joint planning and strategy with more eyes on the problems at hand. Of course, what we don’t know can always hurt us. But what we do know (and choose not to pay attention to) is what usually hurts a lot more.

Jason Polancich is founder and chief architect of SurfWatch Labs http://www.surfwatchlabs.com, a cyber risk intelligence firm. He has more than 20 years of experience as an intelligence analyst, software engineer, systems architect, and corporate executive. Jason is also ...
User Rank: Apprentice
3/21/2018 | 4:05:03 PM
Re: Cyber Intelligence and knowing what you know!
Mike Anders... I just saw this comment of yours from 3 years ago. Amazing, still just as relevant and elusive today. I am a Cyber Intel instructor, may I use your "Cyber intel...more than the sum of all threat feeds" saying?

Thank you.

Michelle Watson, President, Cyber Intelligent Partners ([email protected])
Mike Anders,
User Rank: Apprentice
3/2/2015 | 3:50:17 PM
Cyber Intelligence and knowing what you know!

There is a growing awareness that Cyber Intelligence is more than a sum of all threat feeds! Unfortunately, for many, adopting an "intelligence-based" Cyber security mindset seems difficult. In practice, however, it is far easier than one might expect. Granted, for some corporate cultures doing so might require some adjustment. But, as we have learned lately, doing so is no longer a "Nice to do!" It is more like a "We gotta do!" Not a lecture, just an observation!
