Dark Reading is part of the Informa Tech Division of Informa PLC
Jason Polancich

Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

It’s no secret that committing to a common strategy around collecting, analyzing, reporting on, and liberally sharing valid cyber intelligence data between the operations side of your security domain and the business side of your operations is one of the thorniest problems organizations face today.

Contrary to conventional wisdom, evaluated cyber intelligence data is not the raw threat intelligence that flows into your Ops team on any given day. It’s not the results of a saved search run by a security team member via their SIEM tool of choice. It isn’t the last 35 new malware signatures loaded in the last few days into your endpoint protection database. It’s not even one of the 2471 alerts that fired today for any one of the 456 SNORT rules your folks added over the last 90 days. Neither is it the off-hand alert issued last night by the ISAC you’re a member of, nor is it the latest exploit described this morning in the news.

Evaluated cyber intelligence is the thing you know. The thing you have hard evidence of, or you know is definitely wrong -- even if you can’t yet pin it to a negative outcome.

It is the thing you can point to and say "That. Just. Happened." It’s the seemingly inert point-of-sale malware you found last month on your systems and removed. It’s the phishy emails your HR department notified you of yesterday and you confirmed were indeed phishing. It’s the Jetty vulnerability CVE that came out this morning that directly affects the primary SaaS portal your suppliers log into. It’s the botnet you discovered your WordPress blog site was participating in and the malvertising you successfully removed from your subsidiary’s eCommerce site. It’s even the permissions on your database you discovered were wrong and unthinkingly changed.

The trouble is, almost no one is very good at tracking and analyzing evaluated intelligence. It’s boring. Too often, these things get chalked up as "closed" or "mitigated" and are assumed to have little value once done. We tell ourselves that it’s got to be the unknown that’s the most important and we dive right back into those haystacks. This all couldn’t be further from the truth.

Leadership needs more insight
When you think about it, in every successful corporation, the business side of things runs on evaluated intelligence: recorded sales data by region or product, financial numbers for the current month versus last and versus what was predicted, marketing expenditures last quarter for mature products versus new ones, and on and on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected.

Good business managers run things on a foundation of the knowable and it’s something they wouldn't think of running a business without. Unfortunately, collection and analysis of evaluated intelligence is a rarely-prioritized requirement for leaders seeking to bridge the gap between business and the cybersecurity operations they manage.

Without it, the business side cannot apply the same planning and strategy they do elsewhere, thus they can’t help the entire organization become more cyber resilient. Over time, using evaluated cyber intelligence provides leaders with a way to get a grip on cyber planning and better support security operations long term.

The data is rarely collected in-depth, much less in standard, predictable and intuitive ways. Instead, management too often settles for data about the "possible" or "assumed" rather than the proven. Thus, business leadership is unable to efficiently baseline a domain it cannot make amenable to time-tested business strategies and formulas.

Time to free trapped data
Security teams must commit to opening up and freeing data trapped at the operational level. It’s simply not possible for businesses to be fully secure. Hits do and will continue to happen. It’s becoming increasingly clear that the best defenses are the ones that most quickly identify something as it is happening and are the most prepared in advance to deal with the likeliest hits and impacts they may have -- and on what. Learning from experience is very valuable to this posture.

Today, with all the emphasis on more data and more tools that produce more data, security teams are completely drowning. Sadly, the majority of it is useless or goes unobserved. Worse yet, almost no valuable "performance" data routinely escapes this environment and makes its way over to the business side where it’s most needed to bring the right resources to bear to help long-term.

In such an environment, evaluated intelligence is a highly efficient means that requires relatively few resources to exploit. If security teams simply committed to daily diligence in recording data on things they’ve evaluated in simple, easy-to-understand data formats and shared all this regularly and routinely with leadership, each side would likely be surprised at the rise in mutual understanding over time.
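As an added illustration (not code from the article), one minimal shape the daily record described above could take: a ledger in which a finding counts as "known" only when it carries evidence, plus the monthly roll-up per category that a business side could baseline. The records, asset names and dates are constructed.

```python
"""Evaluated-intelligence ledger: keep only what was confirmed, roll it up for leadership."""
from collections import Counter

# Constructed sample records modelled on the article's examples; asset names are hypothetical.
EVALUATED = [
    {"date": "2015-02-03", "category": "malware", "asset": "pos-terminal-07",
     "evidence": "binary matched EDR signature; removed from host", "status": "mitigated"},
    {"date": "2015-02-10", "category": "phishing", "asset": "hr-mailboxes",
     "evidence": "HR-reported email confirmed as credential phish", "status": "mitigated"},
    {"date": "2015-02-27", "category": "vulnerability", "asset": "supplier-saas-portal",
     "evidence": "Jetty CVE applies to the deployed version", "status": "open"},
    {"date": "2015-03-01", "category": "botnet", "asset": "corp-wordpress-blog",
     "evidence": "outbound command-and-control traffic captured at proxy", "status": "mitigated"},
    # Permissions were changed without anyone recording why: assumed, not known.
    {"date": "2015-03-02", "category": "misconfiguration", "asset": "customer-db",
     "evidence": "", "status": "mitigated"},
]

REQUIRED = ("date", "category", "asset", "evidence", "status")


def is_evaluated(rec):
    """A record is evaluated intelligence only if every field, including evidence, is filled in."""
    return all(rec.get(key) for key in REQUIRED)


def split_records(records):
    """Separate the provable ('known') records from the ones that are merely assumed."""
    known = [r for r in records if is_evaluated(r)]
    assumed = [r for r in records if not is_evaluated(r)]
    return known, assumed


def baseline(records):
    """Count known findings per (month, category): the business-style baseline to track over time."""
    known, _ = split_records(records)
    counts = Counter((r["date"][:7], r["category"]) for r in known)
    return dict(counts)


def open_items(records):
    """Known findings that still carry risk, listed by asset for the planning discussion."""
    known, _ = split_records(records)
    return [r["asset"] for r in known if r["status"] == "open"]


if __name__ == "__main__":
    known, assumed = split_records(EVALUATED)
    print(f"known: {len(known)}, assumed (excluded): {len(assumed)}")
    for key, n in sorted(baseline(EVALUATED).items()):
        print(key, n)
    print("open:", open_items(EVALUATED))
```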

Even better, because business analysts and leaders analyze data differently than security professionals, it truly brings both sides together around joint planning and strategy with more eyes on the problems at hand. Of course, what we don’t know can always hurt us. But what we do know (and choose not to pay attention to) is what usually hurts a lot more.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...

3/21/2018 | 4:05:03 PM
Re: Cyber Intelligence and knowing what you know!
Mike Anders... I just saw this comment of yours from 3 years ago. Amazing, still just as relevant and elusive today. I am a Cyber Intel instructor; may I use your "Cyber intel... more than the sum of all threat feeds" saying?

Thank you.

Michelle Watson, President, Cyber Intelligent Partners ([email protected])
Mike Anders
3/2/2015 | 3:50:17 PM
Cyber Intelligence and knowing what you know!

There is a growing awareness that Cyber Intelligence is more than a sum of all threat feeds! Unfortunately, for many, adopting an "intelligence-based" Cyber security mindset seems difficult. In practice, however, it is far easier than one might expect. Granted, for some corporate cultures doing so might require some adjustment. But, as we have learned lately, doing so is no longer a "Nice to do!" It is more like a "We gotta do!" Not a lecture, just an observation!
