
Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

It’s no secret that committing to a common strategy around collecting, analyzing, reporting on, and liberally sharing valid cyber intelligence data between the operations side of your security domain and the business side of your operations is one of the thorniest problems organizations face today.

Contrary to conventional wisdom, evaluated cyber intelligence data is not the raw threat intelligence that flows into your Ops team on any given day. It’s not the results of a saved search run by a security team member via their SIEM tool of choice. It isn’t the last 35 new malware signatures loaded in the last few days into your endpoint protection database. It’s not even one of the 2471 alerts that fired today for any one of the 456 SNORT rules your folks added over the last 90 days. Neither is it the off-hand alert issued last night by the ISAC you’re a member of, nor is it the latest exploit described this morning in the news.

Evaluated cyber intelligence is the thing you know. The thing you have hard evidence of, or you know is definitely wrong, even if you can’t yet pin it to a negative outcome.

It is the thing you can point to and say "That. Just. Happened." It’s the seemingly inert point-of-sale malware you found last month on your systems and removed. It’s the phishy emails your HR department notified you of yesterday and you confirmed were indeed phishing. It’s the Jetty vulnerability CVE that came out this morning that directly affects the primary SaaS portal your suppliers log into. It’s the botnet you discovered your WordPress blog site was participating in and the malvertising you successfully removed from your subsidiary’s eCommerce site. It’s even the permissions on your database you discovered were wrong and unthinkingly changed.

The trouble is, almost no one is very good at tracking and analyzing evaluated intelligence. It’s boring. Too often, these things get chalked up as "closed" or "mitigated" and are assumed to have little value once done. We tell ourselves that it’s got to be the unknown that’s the most important and we dive right back into those haystacks. This all couldn’t be further from the truth.

Leadership needs more insight
When you think about it, in every successful corporation, the business side of things runs on evaluated intelligence: recorded sales data by region or product, financial numbers for the current month versus last and versus what was predicted, marketing expenditures last quarter for mature products versus new ones, and on and on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected.

Good business managers run things on a foundation of the knowable and it’s something they wouldn't think of running a business without. Unfortunately, collection and analysis of evaluated intelligence is a rarely-prioritized requirement for leaders seeking to bridge the gap between business and the cybersecurity operations they manage.

Without it, the business side cannot apply the same planning and strategy they do elsewhere, thus they can’t help the entire organization become more cyber resilient. Over time, using evaluated cyber intelligence provides leaders with a way to get a grip on cyber planning and better support security operations long term.

The data is rarely collected in depth, much less in standard, predictable and intuitive ways. Instead, management too often settles for data about the "possible" or "assumed" rather than the proven. Thus, business leadership is unable to efficiently baseline a domain it cannot make amenable to time-tested business strategies and formulas.

Time to free trapped data
Security teams must commit to opening up and freeing data trapped at the operational level. It’s simply not possible for businesses to be fully secure. Hits do and will continue to happen. It’s becoming increasingly clear that the best defenses are the ones that most quickly identify something as it is happening and are the most prepared in advance to deal with the likeliest hits and impacts they may have -- and on what. Learning from experience is very valuable to this posture.

Today, with all the emphasis on more data and more tools that produce more data, security teams are completely drowning. Sadly, the majority of it is useless or goes unobserved. Worse yet, almost no valuable "performance" data routinely escapes this environment and makes its way over to the business side where it’s most needed to bring the right resources to bear to help long-term.

In such an environment, evaluated intelligence is a highly efficient means that requires relatively few resources to exploit. If security teams simply committed to daily diligence in recording data on things they’ve evaluated in simple, easy-to-understand data formats and shared all this regularly and routinely with leadership, each side would likely be surprised at the rise in mutual understanding over time.

Even better, because business analysts and leaders analyze data differently than security professionals, it truly brings both sides together around joint planning and strategy with more eyes on the problems at hand. Of course, what we don’t know can always hurt us. But what we do know (and choose not to pay attention to) is what usually hurts a lot more.
