Dark Reading is part of the Informa Tech Division of Informa PLC

Perimeter

10/27/2014
12:35 PM
Jason Polancich
Commentary

A Simple Formula For Usable Risk Intelligence

How infosec can cut through the noise and gain real value from cyberdata.

As a few insightful colleagues have pointed out this year, "threat intelligence" is a confusing concept that isn't yet well-defined. Ask around a bit about "What is threat intelligence?" and you'll get descriptions of solutions and services that range from malware databases to signature detection tools and IDS/IPS systems to on-site consulting services -- and everything in between.

Yet, on first blush, the two terms seen together seem to immediately make sense. It's "intelligence," as in gathering detailed info on something, and "threat" -- that's what you're gathering info about. Just query Google for "intelligence gathering," and it's clear:

    "In the broadest possible form, an intelligence gathering network is a system through which information about a particular entity is collected for the benefit of another through the use of more than one, inter-related source."

From a cyber perspective, the concept of gathering info on the bad things that could threaten your business, your networks, your software, your web servers, and everything in your connected world ought to be a no-brainer. So why is cyberthreat intelligence so hard to pin down? For starters, isn't almost every security tool or cyberdefense activity a threat intelligence mechanism? And, if so, how do businesses make sense of (much less act on) all that data coming in at different levels? The answers are "yes" and "not very easily." In fact, I believe that most enterprises gain very little real value from threat intelligence as it is performed (or not performed) today.

Most solutions in the cyber security space measure, track, log, or report on one thing or another. Any and all of these tools and processes produce data outputs that can be analyzed and, thus, could be called "threat intelligence." They pump out row after row of data, most of it at very low levels. In other words, the information produced about any entity is voluminous, super variegated, and rarely interrelated.

What's more, few organizations have implemented robust descriptive-predictive-prescriptive analysis efforts that clean all this up and support decision making at the highest business levels. There's little aggregation of threat intel data around standard models, or around models that tie cyber activities to assets or business operations. Thus, there aren't decision-making support systems within arm's reach that would support, say, data mining activities to answer even typical descriptive questions such as "What hurt us the most over the last six months?" or more mature queries such as "What technology investments have we made with the highest return on investment cost vs. what has hurt us and what may be a threat?"

Too much information
How does an organization cut through the data noise to get to real, effective action? By following a simple formula for what I call risk intelligence. Remember the Pythagorean Theorem from ninth grade: a² + b² = c²? It's the basis for geometry, and it makes possible, oh, little things like relative location for GPS. Or what about Maxwell's Equations? Navier-Stokes? The Second Law of Thermodynamics? Shannon's Information Theory? The Fourier Transform? Or the most famous of them all, Einstein's Theory of Relativity, E=mc²? These formulas help us make sense of too much information, too much data. These formulas, once discovered, observed, and applied, have led to our modern age of radar, TV, jumbo jets, email, the Internet, and tweeting a picture of your cat wearing a shirt.

Enter a simple formula for useful cyberrisk intelligence vs. just collecting threat data:

    Risk Intelligence = (High-Level Threat Intelligence + Context) * Continuous Data Collection/Intuitive KPIs

Admittedly, my formula isn't a "real" formula. But it does demonstrate the same powerful insight that leads to real, applied science. In other words, it shines a light on the nature of the problem and hints at clear paths to real answers. Put plainly, it helps cut through the data noise, makes sense of seemingly unrelated data, and -- most importantly -- leads to practical solutions.

In the formula above, one arrives at risk intelligence by collecting and translating low-level threat data from all these myriad sources into a higher-level language an analyst can understand. By storing this data and giving it context specific to your business, your industry, the technologies affected, and other data points that orient the threat to how it could (or did) affect you specifically, the data is made amenable to analysis.

As the formula indicates, simple analysis is often all that's needed to yield results. Using traditional business intelligence constructs called key performance indicators (KPIs), businesses applying the formula can create simple but powerful analytics. For example, in the financial domain, typical KPIs are things like utilization rate, profit-to-earning ratio, cash flow, net multiplier, and backlog volume. This process, when diligently performed over time, will yield critical insights for business leaders.

These kinds of KPI concepts can also be developed for cyberdata. And, in the end, they can yield important insights about, for example, the ROI for a given security investment or whether an organization has adequate security staff to achieve a given security goal. Much as with many of the key observations of our age, applying a simple formula for risk intelligence versus raw threat intelligence can produce usable and valuable results.
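The pipeline the formula describes (translate low-level detector output into an analyst-level vocabulary, attach business context from an asset inventory, then compute simple KPIs over a continuous time window) can be sketched in a few dozen lines. The following is an added example, not code from the article or from any product the author mentions; the asset inventory, signature-to-threat-class table, events, and control spend figures are all constructed sample data, and the two KPIs (revenue lost per threat class, and spend per control against the loss observed in the class it covers) are hypothetical metrics chosen to answer the descriptive questions posed above. Unknown hosts and unrecognised signatures are kept rather than dropped, so gaps in context show up in the numbers instead of vanishing.

```python
"""Risk intelligence KPI sketch: (threat intel + context) over a rolling window.

All data below is constructed for illustration; nothing here is real telemetry.
"""
from collections import defaultdict
from datetime import date, timedelta

# Context: asset inventory mapping hosts to business units and revenue impact (constructed).
ASSETS = {
    "web-01": {"unit": "ecommerce", "revenue_per_hour": 4000},
    "db-02": {"unit": "ecommerce", "revenue_per_hour": 4000},
    "hr-01": {"unit": "hr", "revenue_per_hour": 0},
}

# Translation table: low-level detector signature prefixes -> analyst-level threat classes (constructed).
THREAT_CLASS = {
    "ET TROJAN": "malware",
    "ET WEB_SERVER": "web-app attack",
    "ET SCAN": "reconnaissance",
    "auth.failed_login_burst": "credential attack",
}

# Low-level events as a detector might emit them (constructed sample data).
EVENTS = [
    {"day": date(2014, 9, 3), "host": "web-01", "sig": "ET WEB_SERVER SQLi attempt", "outage_hours": 2},
    {"day": date(2014, 9, 17), "host": "db-02", "sig": "ET TROJAN Beacon", "outage_hours": 8},
    {"day": date(2014, 10, 2), "host": "hr-01", "sig": "auth.failed_login_burst", "outage_hours": 1},
    {"day": date(2014, 10, 20), "host": "web-01", "sig": "ET SCAN Nmap", "outage_hours": 0},
    {"day": date(2014, 3, 1), "host": "db-02", "sig": "ET TROJAN Old", "outage_hours": 40},   # outside window
    {"day": date(2014, 10, 21), "host": "lab-09", "sig": "ET SCAN Nmap", "outage_hours": 0},  # host not in inventory
]

# Hypothetical annual spend per control and the threat class each one addresses (constructed).
CONTROL_SPEND = {
    "web application firewall": ("web-app attack", 30000),
    "endpoint malware protection": ("malware", 50000),
    "MFA rollout": ("credential attack", 20000),
}

AS_OF = date(2014, 10, 27)  # reporting date used for the rolling window


def translate(signature):
    """Map a low-level detector signature to an analyst-level threat class."""
    for prefix, threat_class in THREAT_CLASS.items():
        if signature.startswith(prefix):
            return threat_class
    return "uncategorized"  # keep what we cannot name; it still counts


def contextualize(event, assets):
    """Attach business context; hosts missing from the inventory are kept with zero revenue impact."""
    asset = assets.get(event["host"], {"unit": "unknown", "revenue_per_hour": 0})
    return {
        **event,
        "threat_class": translate(event["sig"]),
        "unit": asset["unit"],
        "loss": event["outage_hours"] * asset["revenue_per_hour"],
    }


def loss_by_threat_class(events, assets, as_of, window_days=182):
    """KPI: revenue lost per threat class over the trailing window (default ~six months)."""
    start = as_of - timedelta(days=window_days)
    totals = defaultdict(int)
    for event in events:
        if start <= event["day"] <= as_of:
            ctx = contextualize(event, assets)
            totals[ctx["threat_class"]] += ctx["loss"]
    return dict(totals)


def what_hurt_us_most(events, assets, as_of):
    """Answer the descriptive question with the (threat class, loss) pair carrying the most loss."""
    losses = loss_by_threat_class(events, assets, as_of)
    if not losses:
        return None
    return max(losses.items(), key=lambda item: item[1])


def spend_vs_loss(control_spend, losses):
    """KPI: for each control, its spend beside the loss observed in the class it is meant to cover."""
    return {
        control: {"spend": spend, "observed_loss": losses.get(threat_class, 0)}
        for control, (threat_class, spend) in control_spend.items()
    }


if __name__ == "__main__":
    losses = loss_by_threat_class(EVENTS, ASSETS, AS_OF)
    print("loss by threat class:", losses)
    print("what hurt us most:", what_hurt_us_most(EVENTS, ASSETS, AS_OF))
    print("spend vs observed loss:", spend_vs_loss(CONTROL_SPEND, losses))
```

Run as-is it reports malware as the class that hurt most in the window (the March incident is excluded by the six-month cutoff), and shows the MFA spend sitting against zero observed loss, which is exactly the kind of comparison the article says leadership rarely sees. Swapping the constructed inventory and spend tables for real ones is the "context" term of the formula; re-running on a schedule is the "continuous collection" term.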

Jason Polancich is co-founder, app designer and digital marketing lead for Musubu.io. Polancich is also a linguist, software engineer, data scientist, and intelligence analyst. He originally founded HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 ...
Comments
JasonPolancich (User Rank: Author), 10/28/2014 | 6:35:52 PM
Re: Don't Forget To Supplement
Well, you are spot on.

I too have seen this time and time again. To me, I think the biggest problem is neither technical nor cyber-y. It's just most businesses still don't feel like cyber is "in their neighborhood" yet. If your house has never been broken into, you start to not worry about daily diligence and having quick reflexes. Times they are a changin', as far as that goes. I really believe cyber will become virtually a daily management task for businesses over the next decade from top-bottom, bottom-top and sideways. Developers, CEOs, security professionals, employees, marketing, CFO shops... all the above. Well, unless a comet hits and our marketplace and personal lives become less connected or stop technologically advancing.

As to "but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?"... If you're interested in some further detail, drop me a line at [email protected]. Several people have asked this week via email and social media since the article went online and I'd be happy to share.
JasonPolancich (User Rank: Author), 10/28/2014 | 6:26:12 PM
Re: ROI Ideal Justification
Good observation. ROI is one of those focal points for me of late.

The prevailing opinion in security/business has been that ROI is not possible with cybersecurity. I personally think this has been something of a contributing factor to businesses taking such a long time to begin to embrace tracking cyber the same way they do other things.

Not only do I think it's possible, but it's actually time now to start again or, well, get selected against as things go on naturally.

Much like physical therapy after a bad injury, businesses need to start over "learning to walk" all over again. Baby steps, nothing assumed and an emphasis on the kinds of metrics you mention. To do it, they'll need to be collecting new types of seemingly un-cyber data, at new levels, in new ways, and analyzing it in new ways. Just as you suggest.

As I point out in this piece, it's very rare to see businesses analyzing data in the context of their own operations and, as you mention, running continuous comparisons to help manage their own budgets and strategy. As an aside, what we need to fully support this is a cyber data service a la Standard and Poors.

Lastly and personally, I think the number one contributing factor to the lack of the kind of operations you suggest?

The chasm between business leadership and security/INFOSEC leadership. Nothing's going to really happen until both sides recognize that supporting this kind of true collab initiative around some risk intell "physical therapy" will bolster the longevity of both domains in the long run.
RetiredUser (User Rank: Ninja), 10/28/2014 | 4:13:47 PM
Re: Don't Forget To Supplement
I get that, Jason.  I think I have a knee-jerk reaction since I have seen massive budgets allocated to analysis, reporting and proposals _toward potential organization recommendations for cyber security_ and then watched the data stale, and the "potential recommendations" never turn into actual teams of techs dedicated to protecting data, preventing intrusion and performing forensics.  

If only the costs in both budget and time could be brought to a bare minimum through automation, interpretive templates and risk prevention recommendations against potential loss derived from the data analysis that could be used to quickly reach a decision on the part of companies who clearly need to fortify.  Let's spend less budget/time pondering and more budget/time doing.

Your formula makes sense, but how to implement it from a technical perspective so that people are not milling around as much and feel the reality of the risk they must address?
RyanSepe (User Rank: Ninja), 10/28/2014 | 12:32:59 PM
ROI Ideal Justification
I feel another variable in this equation for ROI in regards to Threat Intelligence needs to be postulated savings. By this I mean, comparative to other industries in your sector that were breached in that year, what relative safeguards/protocols did your organization take to ensure that you were not breached? What was the relative cost saved in terms of lawsuits, fines, reputation? I feel that this comparative analysis helps when providing the value of cyber security to the business side of the institution.
JasonPolancich (User Rank: Author), 10/28/2014 | 12:16:43 PM
Re: Don't Forget To Supplement
"Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up."

Amen.
GonzSTL (User Rank: Ninja), 10/28/2014 | 12:15:03 PM
Re: Don't Forget To Supplement
There are two points I wish to posit. 1) The board (or leadership) of an organization needs to be held accountable for lapses in security. This would serve to motivate organizations to pay closer attention to their security posture, and allocate resources accordingly. 2) The security leader should be able to communicate the security message effectively. It is a given that IT goals should align with the business goals of the organization. At the same time, security goals must align with IT goals, and therefore by extension, business goals as well.

Inevitably, there is always contention for budgets, with each unit clamoring for more. Decisions are often made to favor those units who can most effectively communicate and justify their requests. This has always been a disadvantage for the technical units, many of which are led by technicians who have advanced their careers to the point of executive leadership. Unfortunately, many of these leaders have not had the advantage of thinking in terms of business, but rather in terms of technology. This is especially true within security units. This lack of effective soft skills often hinders a unit from achieving their goal of an increased budget, so it isn't always that the organizational leadership is at fault. After all, how can they justify increasing a unit's budget when the unit itself cannot effectively justify the request for an increase?

Additionally, more emphasis should be placed on risk based security. Let's face it – business units do a very good job of business risk management, and security needs to do some catching up. Risk intelligence is sometimes seen as some esoteric concept, and justifiably so since its importance has not been so prominent in the past. When executive leadership cannot easily see the impact on the organization's bottom line, it is easy for them to turn a blind eye to budget requests. In light of the recent huge breaches, it should be clear to executive leadership that cyber security is a very loud message. It is incumbent on all security leaders to effectively communicate how their planned expenditures correlate with the mitigation of existing threats.
JasonPolancich (User Rank: Author), 10/27/2014 | 1:52:16 PM
Re: Don't Forget To Supplement
Interesting and good points all, Christian. Wouldn't disagree with anything you have written. The subtextual intent of the piece here hinges on not taking away resources, but instead adding resources - but in a different place. Right now everyone's clamoring for bigger cyber budgets and more spending, but that's just as likely to be more good money after bad.

Businesses do very solid jobs across the board (usually) with well established business intell for most key biz opps areas (e.g. sales, marketing, prod dev, etc.), but certainly don't yet fund or commit to establishing similar programs for cyber business intelligence.

From a risk reduction perspective, that's not only puzzling, but troubling.

Almost any enterprise would likely gladly pay to reduce any risk that's significant and a proven threat to their bottom lines, but most won't pay for something they don't fully understand (i.e. document with numbers over time). Cyber has been the exception to that. In the end, a solid business risk intell program is as much (if not more) about getting the right budget together (i.e. justifying it) to pay for those CTF courses than to stop any given threat. Put simply, most cyber budgets these days are guessing games. Everything you point out below could be proven over time with BI efforts focused on cyber risk intell just as with, say, sales and product dev.
RetiredUser (User Rank: Ninja), 10/27/2014 | 1:40:29 PM
Don't Forget To Supplement
So here's the thing. Intelligence and prediction, analysis and planning – all of this is great stuff and industries are built upon it. But as any "in the trenches" programmer and sysadmin knows, projects take valuable time away from actual work, and for the security-focused sysadmins, they all know that the data you spend a month analyzing and predicting against can change entirely by the time you implement. Take away the risk intelligence work? Not necessarily, but there are a couple of things that should be done. 1) Trim all fat from your RI gameplan and keep the whole process as trim and operations-based as possible (automate, automate, automate). And 2), supplement with talent who are part of the underground and who actually help to make cybercrime as difficult to predict and as evolved as it is. Yes, you need people who ignore all the data from your RI and who can a) illuminate all those dark corners you're missing in the RI and b) pull intelligence from the underground that you are never going to get on your own to help prepare you for the next attack that everyone else will fall prey to because they are not keeping up with current penetration techniques and exploits. And please, the next time you get budget for certifications, instead send your security people to CTF (capture the flag) camps and hands-on penetration testing workshops. All the RI you can muster will not matter when that one really bad exploit comes along, but with the right experience under their belt, your security team can potentially prevent the worst from happening instead of just analyzing the data from the hit after-the-fact.