As a few insightful colleagues have pointed out this year, "threat intelligence" is a confusing concept that isn't yet well-defined. Ask around a bit about "What is threat intelligence?" and you'll get descriptions of solutions and services that range from malware databases to signature detection tools and IDS/IPS systems to on-site consulting services -- and everything in between.
Yet, at first blush, the two terms seen together seem to make immediate sense. It's "intelligence," as in gathering detailed info on something, and "threat" -- that's what you're gathering info about. Just query Google for "intelligence gathering," and it's clear:
- "In the broadest possible form, an intelligence gathering network is a system through which information about a particular entity is collected for the benefit of another through the use of more than one, inter-related source."
From a cyber perspective, the concept of gathering info on the bad things that could threaten your business, your networks, your software, your web servers, and everything in your connected world ought to be a no-brainer. So why is cyberthreat intelligence so hard to pin down? For starters, isn't almost every security tool or cyberdefense activity a threat intelligence mechanism? And, if so, how do businesses make sense of (much less act on) all that data coming in at so many different levels? The answers are "yes" and "not very easily." In fact, I believe that most enterprises gain very little real value from threat intelligence as it is performed (or not performed) today.
Most solutions in the cyber security space measure, track, log, or report on one thing or another. Any and all of these tools and processes produce data outputs that can be analyzed and, thus, could be called "threat intelligence." They pump out row after row of data, most of it at very low levels. In other words, the information produced about any entity is voluminous, super variegated, and rarely interrelated.
What's more, few organizations have implemented robust descriptive-predictive-prescriptive analysis efforts that clean all this up and support decision making at the highest business levels. There's little aggregation of threat intel data around standard models, or around models that tie cyber activities to assets or business operations. Thus, there aren't decision-making support systems within arm's reach that would support, say, data mining activities to answer even typical descriptive questions such as "What hurt us the most over the last six months?" or more mature queries such as "What technology investments have we made with the highest return on investment cost vs. what has hurt us and what may be a threat?"
Too much information
How does an organization cut through the data noise to get to real, effective action? By following a simple formula for what I call risk intelligence. Remember the Pythagorean Theorem from ninth grade: a² + b² = c²? It's the basis for geometry, and it makes possible, oh, little things like relative location for GPS. Or what about Maxwell's Equations? Navier-Stokes? The Second Law of Thermodynamics? Shannon's Information Theory? The Fourier Transform? Or the most famous of them all, Einstein's Theory of Relativity, E=mc²? These formulas help us make sense of too much information, too much data. These formulas, once discovered, observed, and applied, have led to our modern age of radar, TV, jumbo jets, email, the Internet, and tweeting a picture of your cat wearing a shirt.
Enter a simple formula for useful cyberrisk intelligence vs. just collecting threat data:
- Risk Intelligence = (High-Level Threat Intelligence + Context) * Continuous Data Collection/Intuitive KPIs
Admittedly, my formula isn't a "real" formula. But it does demonstrate the same powerful insight that leads to real, applied science. In other words, it shines a light on the nature of the problem and hints at clear paths to real answers: it helps cut through the data noise, makes sense of seemingly unrelated data, and -- most importantly -- leads to practical solutions.
In the formula above, one arrives at risk intelligence by collecting and translating low-level threat data from all these myriad sources into a higher-level language an analyst can understand. By storing this data and giving it business-specific context -- your industry, the technologies affected, and other data points that orient the threat to how it could (or did) affect you specifically -- the data is made amenable to analysis.
As the formula indicates, simple analysis is often all that's needed to yield results. Using traditional business intelligence constructs called key performance indicators (KPIs), businesses applying the formula can create simple but powerful analytics. For example, in the financial domain, typical KPIs are things like utilization rate, profit-to-earning ratio, cash flow, net multiplier, and backlog volume. This process, when diligently performed over time, will yield critical insights for business leaders.
These kinds of KPI concepts can also be developed for cyberdata. And, in the end, they can yield important insights about, for example, the ROI for a given security investment or whether an organization has adequate security staff to achieve a given security goal. Much as with many of the key observations of our age, applying a simple formula for risk intelligence versus raw threat intelligence can produce usable and valuable results.
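To make the formula concrete, here is an added example (not from the article or any vendor) of the pipeline the last three paragraphs describe: low-level detector output is translated into a small high-level vocabulary, enriched with business context from an asset inventory, kept in a time window (the "continuous collection" term), and then rolled up into two KPIs, one of which answers the article's sample question "What hurt us the most over the last six months?" in business terms. All events, hosts, services, criticality weights and the category mapping are constructed for illustration.

```python
"""Added example (not from the article): turning low-level threat data into
business-level KPIs along the lines of the article's formula,
(threat intelligence + context) * continuous collection / KPIs.
Every record below is constructed sample data; the alert schema, the asset
inventory and the category mapping are assumptions made for illustration."""
from collections import defaultdict
from datetime import datetime

# Constructed low-level events as a mixed detection stack might emit them:
# (ISO timestamp, host, detector, raw detector message, analyst hours spent)
RAW_EVENTS = [
    ("2023-10-01T14:00:00", "web02",  "ids",  "SQLi attempt on /search",     3.0),
    ("2024-01-12T03:14:00", "web01",  "ids",  "ET TROJAN outbound beacon",   2.0),
    ("2024-02-03T11:20:00", "db02",   "av",   "Trojan.Generic quarantined",  0.5),
    ("2024-02-21T09:05:00", "web01",  "ids",  "SQLi attempt on /login",      1.5),
    ("2024-03-15T22:45:00", "hr-pc7", "mail", "phish credential page link",  4.0),
    ("2024-04-02T08:00:00", "web02",  "ids",  "SQLi attempt on /search",     1.0),
    ("2024-05-19T17:30:00", "hr-pc7", "av",   "Trojan.Generic quarantined",  0.5),
    ("2024-06-10T02:10:00", "db02",   "ids",  "ET TROJAN outbound beacon",   6.0),
]

# Constructed business context: the service each host supports and the
# criticality weight the business assigns to that service (1 low .. 5 critical).
ASSETS = {
    "web01":  ("customer-portal", 4),
    "web02":  ("customer-portal", 4),
    "db02":   ("billing",         5),
    "hr-pc7": ("hr-workstations", 2),
}

# Translation layer: detector-specific wording collapsed into a small, stable
# vocabulary that KPIs can be built on. First matching rule wins, so the more
# specific "beacon" is tested before the generic "trojan". (Assumed mapping.)
CATEGORY_RULES = [
    ("beacon", "c2-communication"),
    ("sqli",   "web-injection"),
    ("phish",  "phishing"),
    ("trojan", "malware"),
]


def categorize(message):
    """Map a raw detector message to a high-level threat category."""
    text = message.lower()
    for needle, category in CATEGORY_RULES:
        if needle in text:
            return category
    return "uncategorized"


def enrich(events, assets):
    """Attach business context to each raw event; unknown hosts get weight 1."""
    enriched = []
    for ts, host, detector, message, hours in events:
        service, weight = assets.get(host, ("unknown", 1))
        enriched.append({
            "when": datetime.fromisoformat(ts),
            "host": host,
            "detector": detector,
            "service": service,
            "weight": weight,
            "category": categorize(message),
            "hours": hours,
        })
    return enriched


def in_window(enriched, since_iso):
    """Continuous collection means every KPI is computed over a time window."""
    since = datetime.fromisoformat(since_iso)
    return [e for e in enriched if e["when"] >= since]


def kpi_impact_by_service(enriched, since_iso):
    """KPI: weighted impact per business service = sum(criticality * hours).
    Answers "what hurt us the most?" in business terms, not detector terms."""
    impact = defaultdict(float)
    for e in in_window(enriched, since_iso):
        impact[e["service"]] += e["weight"] * e["hours"]
    return dict(impact)


def kpi_hours_by_category(enriched, since_iso):
    """KPI: analyst hours consumed per threat category, a cost-side indicator
    that a staffing or tooling decision can be argued from."""
    hours = defaultdict(float)
    for e in in_window(enriched, since_iso):
        hours[e["category"]] += e["hours"]
    return dict(hours)


def worst_service(enriched, since_iso):
    """The single service with the highest weighted impact in the window."""
    impact = kpi_impact_by_service(enriched, since_iso)
    return max(impact, key=impact.get) if impact else None


if __name__ == "__main__":
    events = enrich(RAW_EVENTS, ASSETS)
    print("impact by service:", kpi_impact_by_service(events, "2024-01-01"))
    print("hours by category:", kpi_hours_by_category(events, "2024-01-01"))
    print("hurt us most:", worst_service(events, "2024-01-01"))
```

The point of the example is where the value appears: none of the raw detector strings say anything about "billing", yet after enrichment the billing service comes out as the biggest source of weighted impact, because its two events land on the most critical asset and one of them consumed the most analyst time. The category KPI shows the same data from the cost side (command-and-control follow-up ate the most hours), which is the kind of number a staffing or tooling ROI argument can be built on.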