Jason Polancich

Cyber Intelligence: Defining What You Know

Too often management settles for security data about things that are assumed rather than things you can prove or that you know are definitely wrong.

It’s no secret that one of the thorniest problems organizations face today is committing to a common strategy for collecting, analyzing, reporting on, and liberally sharing valid cyber intelligence data between the operations side of your security domain and the business side of your operations.

Contrary to conventional wisdom, evaluated cyber intelligence data is not the raw threat intelligence that flows into your Ops team on any given day. It’s not the results of a saved search run by a security team member via their SIEM tool of choice. It isn’t the last 35 new malware signatures loaded in the last few days into your endpoint protection database. It’s not even one of the 2471 alerts that fired today for any one of the 456 SNORT rules your folks added over the last 90 days. Neither is it the off-hand alert issued last night by the ISAC you’re a member of, nor is it the latest exploit described this morning in the news.

Evaluated cyber intelligence is the thing you know: the thing you have hard evidence of, or that you know is definitely wrong, even if you can’t yet pin it to a negative outcome.

It is the thing you can point to and say "That. Just. Happened." It’s the seemingly inert point-of-sale malware you found last month on your systems and removed. It’s the phishy emails your HR department notified you of yesterday that you confirmed were indeed phishing. It’s the Jetty vulnerability CVE that came out this morning that directly affects the primary SaaS portal your suppliers log into. It’s the botnet you discovered your WordPress blog site was participating in, and the malvertising you successfully removed from your subsidiary’s eCommerce site. It’s even the permissions on your database that you discovered were wrong and unthinkingly changed.

The trouble is, almost no one is very good at tracking and analyzing evaluated intelligence. It’s boring. Too often, these things get chalked up as "closed" or "mitigated" and are assumed to have little value once done. We tell ourselves that it’s got to be the unknown that’s the most important and we dive right back into those haystacks. This all couldn’t be further from the truth.

Leadership needs more insight
When you think about it, in every successful corporation, the business side of things runs on evaluated intelligence: recorded sales data by region or product, financial numbers for the current month versus last and versus what was predicted, marketing expenditures last quarter for mature products versus new ones, and on and on. All this information leads to insights and diligence that help businesses become resilient over time and survive (or avoid) the unexpected.

Good business managers run things on a foundation of the knowable, and it’s something they wouldn't think of running a business without. Unfortunately, collection and analysis of evaluated intelligence is a rarely prioritized requirement for leaders seeking to bridge the gap between the business and the cybersecurity operations they manage.

Without it, the business side cannot apply the same planning and strategy they do elsewhere, thus they can’t help the entire organization become more cyber resilient. Over time, using evaluated cyber intelligence provides leaders with a way to get a grip on cyber planning and better support security operations long term.

The data is rarely collected in depth, much less in standard, predictable, and intuitive ways. Instead, management too often settles for data about the "possible" or "assumed" rather than the proven. Thus, business leadership is unable to efficiently baseline a domain it cannot make amenable to time-tested business strategies and formulas.

Time to free trapped data
Security teams must commit to opening up and freeing data trapped at the operational level. It’s simply not possible for businesses to be fully secure. Hits happen and will continue to happen. It’s becoming increasingly clear that the best defenses are the ones that most quickly identify something as it is happening and are the most prepared in advance to deal with the likeliest hits and the impacts they may have -- and on what. Learning from experience is very valuable to this posture.

Today, with all the emphasis on more data and more tools that produce more data, security teams are completely drowning. Sadly, the majority of it is useless or goes unobserved. Worse yet, almost no valuable "performance" data routinely escapes this environment and makes its way over to the business side where it’s most needed to bring the right resources to bear to help long-term.

In such an environment, evaluated intelligence is a highly efficient means that requires relatively few resources to exploit. If security teams simply committed to daily diligence in recording data on the things they’ve evaluated, in simple, easy-to-understand data formats, and shared all of it regularly and routinely with leadership, each side would likely be surprised at the rise in mutual understanding over time.

Even better, because business analysts and leaders analyze data differently than security professionals, it truly brings both sides together around joint planning and strategy with more eyes on the problems at hand. Of course, what we don’t know can always hurt us. But what we do know (and choose not to pay attention to) is what usually hurts a lot more.

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...

3/21/2018 | 4:05:03 PM
Re: Cyber Intelligence and knowing what you know!
Mike Anders... I just saw this comment of yours from 3 years ago. Amazing, still just as relevant and elusive today. I am a Cyber Intel instructor; may I use your "Cyber intel... more than the sum of all threat feeds" saying?

Thank you.

Michelle Watson, President, Cyber Intelligent Partners ([email protected])
Mike Anders
3/2/2015 | 3:50:17 PM
Cyber Intelligence and knowing what you know!

There is a growing awareness that Cyber Intelligence is more than a sum of all threat feeds! Unfortunately, for many, adopting an "intelligence-based" Cyber security mindset seems difficult. In practice, however, it is far easier than one might expect. Granted, for some corporate cultures doing so might require some adjustment. But, as we have learned lately, doing so is no longer a "Nice to do!" It is more like a "We gotta do!" Not a lecture, just an observation!
