July 28, 2015 • Carole Fennelly
Threat intelligence is the art of providing actionable threat data that enables organizations to focus on the most critical risks to their IT infrastructure.
Essentially, threat intelligence is a fusion of data and human analysis and interpretation. The data component is a combination of various software and service solutions that automate data gathering and correlate the results for human consumption. The “intelligence” part follows, and that’s not something that can be allocated to a computer program no matter how many algorithms you throw at it. Intelligence is a function of humans, and it’s the weakest link in threat intelligence services.
The disconnect between data and intelligence is not necessarily the fault of the threat intelligence vendors, many of which do a fine job of collecting and correlating data from both external and internal sources and applying their expertise to data analysis.
The disconnect stems from this: The Web has a massive amount of threat data — external data — from vulnerability databases, chat forums, honeypots, known malware sites, botnets, malicious URLs, phishing sites, and more. Internal data includes vulnerability scan output, system logs, in-depth penetration testing results, system and network configurations, third-party audits, and other security metrics. That’s a lot of data to parse and process, but computer systems are very good at processing large amounts of data in a pre-determined manner.
Many threat intelligence services combine external and internal data to provide a more comprehensive view of the threat landscape. Some threat intelligence services also include a custom review of public data that tracks any mention(s) of their clients, whether from external sources or from the client’s own internal network inadvertently exposing confidential data.
The trick to actionable, credible threat intelligence is to fine-tune the filtering so that the raw data is not overwhelming but that important data, potentially indicative of a threat, is brought to the forefront. Doing so requires some form of “intelligence,” a factor often neglected in threat intelligence programs.
While computer programs are great at processing data, they lack the required emotional intelligence of humans. Technical people generally exclude emotion from decision-making because it distracts from pure science. However, emotional intelligence is the aspect that provides the “gut instinct” that can guide a detective to events that solve a case. It is difficult – if not impossible – to quantify but it is an essential part of the human experience and must be a factor included in a threat intelligence program.
Computers may be able to “create” based on pre-determined programming, but they cannot be “creative.” Computer programs follow strict rules; humans often don’t. True innovation is a combination of breakthrough creativity combined with expertise in a particular subject. For example, a great chef can create a delicious, cohesive meal from a basket of “mystery” ingredients.
Computer software may be able to parse a database of “recipes” to determine possible options based on the available ingredients, but it would not be able to create the recipe on its own, or add the finishing touches that elevate a common recipe. Innovation and unpredictability are where humans excel.
So what do creativity and innovation have to do with threat intelligence? It comes down to expertise.
An expert in a particular subject can look at the data and make the leap to a conclusion that may not be apparent to a software analytics program, even one with extensive programming rules. Most cyber security programs lack the creative element; the interpretation of threat data is left to technical security analysts who see the data “in black and white,” or maybe some executive manager who has a security background but not the technical analytical expertise required of the task.
What’s missing? The rest of the organization.
Expertise in the business drivers, legal obligations, human resources factors, and third-party relationships of the organization is required for this task. Far too often, the technical people work in a vacuum where they are blind to the bigger picture. This leads them to implement technical solutions that don’t necessarily address business risk. Or worse – they spend money on solutions that can’t be properly implemented because business leaders don’t have the time to provide input on what data needs protection, even though that input should guide the implementation.
Billions of dollars have been spent on so-called “shelfware” products that collect dust. Oh, sure – you can say you spent budget on a Data Loss Prevention (DLP) solution, but is it actually configured correctly or even running? Humans have a tendency to look for the “easy button” and there simply isn’t one.
Threat data tends to be ranked based on the difficulty and effectiveness of techniques used to exploit the vulnerability, not on the importance of the asset. Ranking of vulnerabilities’ technical impact has been long established through frameworks such as the Common Vulnerability Scoring System (CVSS), which was designed to provide a consistent method to rate the severity of vulnerabilities.
However, this rating does not include metrics for the business importance of the asset, among many other factors. An attempt has been made to adopt a Common Weakness Scoring System (CWSS) that includes integration of stakeholder concerns, but this isn’t gaining traction.
Why? Because it requires humans to make decisions about what’s important, for every single issue.
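To make the gap concrete, here is an added example (not code from the article or from any scoring framework it names) that re-ranks a handful of constructed scanner findings two ways: by CVSS base score alone, and by CVSS scaled with an asset-criticality weight that only the business units can supply. The weighting scheme, the criticality tiers, the asset names, the finding descriptions and the scores are all assumptions constructed for the example. It also lists the assets nobody in the business has rated, which is exactly the per-issue decision the text says humans keep having to make.

```python
"""Re-ranking vulnerability findings by asset importance (illustrative example).

Assumed scheme: business_risk = CVSS base score x asset-criticality weight.
All findings, assets, scores and tiers below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass

# Criticality tiers as the business owners would assign them; weights are assumed.
CRITICALITY_WEIGHT = {
    "critical": 1.0,   # revenue-bearing or regulated data
    "high": 0.75,
    "medium": 0.5,
    "low": 0.25,       # lab or throwaway systems
}


@dataclass(frozen=True)
class Finding:
    asset: str
    description: str
    cvss: float  # CVSS base score, 0.0 to 10.0


# Constructed sample: what a scanner hands the analyst, ranked by CVSS alone.
FINDINGS = [
    Finding("lab-vm-07", "remote code execution in an unmaintained test service", 9.8),
    Finding("hr-db-01", "privilege escalation via misconfigured database role", 7.2),
    Finding("payments-api", "information disclosure in error responses", 6.5),
    Finding("marketing-site", "reflected cross-site scripting", 6.1),
    Finding("unknown-host", "outdated TLS configuration", 4.0),
]

# Constructed sample: asset criticality as rated by the business units.
# Note that "unknown-host" has no rating: nobody has claimed it yet.
ASSET_CRITICALITY = {
    "lab-vm-07": "low",
    "hr-db-01": "high",
    "payments-api": "critical",
    "marketing-site": "medium",
}


def business_risk(finding: Finding, criticality: dict) -> float:
    """CVSS score scaled by the asset's criticality weight (assumed scheme).

    An asset missing from the business inventory is treated as critical:
    an unrated asset is a gap in business input, not grounds to deprioritise
    the finding.
    """
    tier = criticality.get(finding.asset, "critical")
    return round(finding.cvss * CRITICALITY_WEIGHT[tier], 2)


def rank_by_cvss(findings: list) -> list:
    """Asset names ordered by raw CVSS score, highest first."""
    return [f.asset for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_business_risk(findings: list, criticality: dict) -> list:
    """Asset names ordered by business-weighted risk, highest first."""
    return [
        f.asset
        for f in sorted(findings, key=lambda f: business_risk(f, criticality), reverse=True)
    ]


def unrated_assets(findings: list, criticality: dict) -> list:
    """Assets with findings but no business criticality rating: the open decisions."""
    return sorted({f.asset for f in findings if f.asset not in criticality})


if __name__ == "__main__":
    print("By CVSS alone:     ", rank_by_cvss(FINDINGS))
    print("By business risk:  ", rank_by_business_risk(FINDINGS, ASSET_CRITICALITY))
    print("Awaiting a rating: ", unrated_assets(FINDINGS, ASSET_CRITICALITY))
```

Run as written, the CVSS-only list puts the lab VM first, while the business-weighted list puts the payments API first and pushes the lab VM to the bottom; the unrated host stays near the top of the weighted list until someone in the business decides what it is worth. The multiplicative weighting is deliberately simple; the point is that the asset column has to come from outside the security team.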
The CISO/CSO of an organization needs to have the support and input of all of the business units and, most importantly, the Board of Directors, which is often comprised of executives with a lot of business experience but little technical knowledge. From the Board’s perspective, security issues are a back office support problem that doesn’t benefit the bottom line. Articulating threat intelligence in business terms that the Board will understand goes a long way towards changing that perception.
An effective threat intelligence solution is one that automates data collection/aggregation and provides intelligence on both the external and internal threat landscape. It must also include input from the business units on their risk tolerance and acceptance.
It’s important to understand the strengths and weaknesses of each component of a threat intelligence program. Computer programs are great at data collection and filtering but not so good at intelligence. External analysts know the external threat landscape and attack vectors but don’t know your business. Internal technical staff understand the organization’s infrastructure and have some insight into business priorities, but are limited by what the business units share with them.
Bottom line: a threat intelligence program will have limited effectiveness without human intelligence from executive management. When it comes down to it, you can’t outsource your business risk management strategy.