Security Intelligence Handbook Chapter 1: Why Security Intelligence Matters
October 29, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter one, “What Is Security Intelligence?” To read the entire section, download your free copy of the handbook.
Today, anyone with a desire to do harm — from your run-of-the-mill bad guys to nation-state attackers — has the ability to put your organization’s most sensitive data at risk simply by accessing underground marketplaces and easily purchasing off-the-shelf tools.
These adversaries assume you’re at a disadvantage, hindered by legacy vulnerabilities, a lack of secure code development processes, explosive growth of connected devices, and a dispersed workforce that’s increasingly difficult to secure.
By the time you see threat indicators on your network, it’s often too late — and you’re probably at least two steps behind your attacker. You need a way to take back control by proactively uncovering attack methods and disrupting adversaries’ efforts before they strike.
Fusing internal and external threat, security, and business insights empowers teams with the advanced warning and actionable facts needed to confidently protect your organization. Elite security intelligence makes this possible by putting actionable context at the center of every workflow and security decision.
Today’s most successful security intelligence processes share four key characteristics:
- A collaborative process and framework
- 360-degree visibility
- Extensive automation and integration
- Alignment with key business priorities
Learn why security intelligence matters in the following excerpt from “The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk With Security Intelligence.” In this excerpt, which has been edited and condensed, we’ll paint a clear picture of what security intelligence is, explore the elements that make up a successful program, and explain the key benefits.
Visibility Into Threats Before They Strike
Cyber threats come in many forms. Certainly some of them are cybercriminals who attack your network at the firewall. However, they also include threat actors operating on the open and dark web who come at you through your employees and your business partners. Some devastate your brand through social media and external websites without ever touching your network. Malicious or merely careless insiders may also wreak havoc with your data and your reputation.
By the time you see indicators of these threats on your network, it is probably too late. To prevent damage, you need advance warning of threats, accompanied by actionable facts in order to:
- Eliminate your most serious vulnerabilities before they are exploited
- Detect probes and attacks at the earliest possible moment and respond effectively right away
- Understand the tactics, techniques, and procedures (TTPs) of likely attackers and put effective defenses in place
- Identify and correct your business partners’ security weaknesses — especially those that have access to your network
- Detect data leaks and impersonations of your corporate brand
- Make wise investments in security to maximize return and minimize risk
Many IT organizations have created intelligence programs to obtain the advance warning and actionable facts they need to protect their data and their brands.
Actionable Facts and Insights
When people speak of security intelligence, sometimes they are referring to certain types of facts and insights, and other times to the process that produces them. Let’s look at the first case.
More than data or information
Even security professionals sometimes use the words “data,” “information” and “intelligence” interchangeably, but the distinctions are important.
Of course, the details of the data, information, and intelligence differ across political, military, economic, business, and other types of intelligence programs. For security intelligence:
- Data is usually just indicators such as IP addresses, URLs, or hashes. Data doesn’t tell us much without analysis.
- Information answers questions like, “How many times has my organization been mentioned on social media this month?” Although this is a far more useful output than the raw data, it still doesn’t directly inform a specific action.
- Intelligence is factual insight based on analysis that correlates data and information from across different sources to uncover patterns and add insights. It enables people and systems to make informed decisions and take effective action to prevent breaches, remediate vulnerabilities, improve the organization’s security posture, and reduce risk.
Implicit in this definition of “intelligence” is the idea that every instance of security intelligence is actionable for a specific audience. That is, intelligence must do two things:
- Point toward specific decisions or actions
- Be tailored for easy use by a specific person, group, or system that will use it to make a decision or take an action
Data feeds that are never used and reports that are never read are not intelligence. Neither is information, no matter how accurate or insightful, if it is provided to someone who can’t interpret it correctly or isn’t in a position to act on it.
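As an added illustration of the data / information / intelligence distinction above (this is example code, not from the handbook or Recorded Future), the script below takes constructed firewall log lines (data), aggregates them into counts (information), and then correlates them with a constructed threat feed and asset inventory to emit only items that name a concrete action for a specific audience (intelligence). The log format, the feed fields, the confidence threshold and the asset roles are all assumptions made for the example.

```python
"""Data -> information -> intelligence, on constructed sample input.

Added example; the log format, feed schema and asset roles are assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed firewall log lines (data): raw indicators, no context.
FIREWALL_LOG = """\
2020-10-29T08:01:12Z ALLOW src=10.0.0.14 dst=203.0.113.7 dport=443
2020-10-29T08:01:15Z ALLOW src=10.0.0.22 dst=198.51.100.9 dport=443
2020-10-29T08:02:40Z ALLOW src=10.0.0.14 dst=203.0.113.7 dport=443
2020-10-29T08:03:02Z DENY src=192.0.2.33 dst=10.0.0.5 dport=22
2020-10-29T08:05:11Z ALLOW src=10.0.0.31 dst=203.0.113.7 dport=443
"""

# Constructed external threat feed keyed by indicator (also just data).
THREAT_FEED = {
    "203.0.113.7": {"label": "credential-phishing C2", "confidence": 0.9},
    "192.0.2.33": {"label": "mass SSH scanner", "confidence": 0.6},
}

# Constructed internal asset context: host -> (name, business unit).
ASSETS = {
    "10.0.0.14": ("finance-laptop", "finance"),
    "10.0.0.22": ("dev-workstation", "engineering"),
    "10.0.0.31": ("hr-laptop", "hr"),
    "10.0.0.5": ("bastion-host", "it"),
}


def parse_log(text):
    """Parse 'timestamp ACTION key=value ...' lines into dicts (data)."""
    events = []
    for line in text.splitlines():
        ts, action, *kvs = line.split()
        fields = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": ts, "action": action, **fields})
    return events


def summarize(events):
    """Information: how many allowed connections went to each destination.

    Useful, but it prescribes no action on its own.
    """
    return Counter(e["dst"] for e in events if e["action"] == "ALLOW")


@dataclass
class IntelItem:
    audience: str   # who is expected to act on this
    action: str     # the specific decision or action it points toward
    subject: str    # what the action applies to, in the audience's terms
    evidence: str   # correlated facts that justify the action


def produce_intelligence(events, feed, assets, min_confidence=0.8):
    """Intelligence: correlate log data with feed and asset context.

    Emits an item only when it points to a concrete action for a named
    audience. Low-confidence feed hits and already-blocked traffic are
    left out: they are information, not intelligence, for these readers.
    """
    outbound = defaultdict(set)
    for e in events:
        if e["action"] == "ALLOW" and e["dst"] in feed:
            outbound[e["dst"]].add(e["src"])

    items = []
    for ioc, hosts in outbound.items():
        ctx = feed[ioc]
        if ctx["confidence"] < min_confidence:
            continue  # assumed threshold: too uncertain to justify action
        names = sorted(assets.get(h, (h, "unknown"))[0] for h in hosts)
        units = sorted({assets.get(h, (h, "unknown"))[1] for h in hosts})
        evidence = f"allowed outbound to {ioc} ({ctx['label']}, confidence {ctx['confidence']})"
        # Tailored for the SOC: host-level, ready for containment work.
        items.append(IntelItem("SOC", "isolate and investigate", ", ".join(names), evidence))
        # Tailored for security leadership: business-unit level exposure.
        items.append(IntelItem("security leadership", "brief on exposure",
                               f"{len(units)} business units ({', '.join(units)})", evidence))
    return items


if __name__ == "__main__":
    evs = parse_log(FIREWALL_LOG)
    print("information:", dict(summarize(evs)))
    for item in produce_intelligence(evs, THREAT_FEED, ASSETS):
        print(f"[{item.audience}] {item.action}: {item.subject} <- {item.evidence}")
```

Note that the denied SSH probe from the low-confidence scanner indicator never becomes an item: it was already blocked and the feed's confidence is below the assumed threshold, so there is no decision for anyone to make. Raising `min_confidence` or removing the asset map changes what counts as actionable, which is the point of tailoring intelligence to the audience that will use it.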
Security Intelligence: The Process
Security intelligence also refers to the process by which data and information are collected, analyzed, and disseminated throughout the organization. The steps in such a process will be discussed in Chapter 3, where we describe the security intelligence lifecycle. However, it is important to note at the outset that successful security intelligence processes have four characteristics.
1. A collaborative process and framework
In many organizations, security intelligence efforts are siloed. For example, the security operations (SecOps), fraud prevention, and third-party risk teams may have their own analysts and tools for gathering and analyzing intelligence. This leads to waste, duplication, and an inability to share analysis and intelligence. Silos also make it impossible to assess risk across the organization and to direct security resources where they will have the greatest impact. Security intelligence programs need to share a common process and framework, enable broad access to insights and operational workflows, encourage a “big picture” view of risk, and account for the allocation of resources.
2. 360-degree visibility
Because cyber threats may come from anywhere, security intelligence programs need visibility everywhere, including:
- Security events on the corporate network
- Conventional threat data feeds
- Open web forums where attackers exchange information and tools for exploiting vulnerabilities
- Dark web communities where hackers and state-sponsored actors share techniques and plot attacks
- Online marketplaces where cybercriminals buy and sell confidential information
- Social media accounts where threat actors impersonate your employees and counterfeit your products
Today, many organizations focus on conventional threat data feeds, and are only now becoming aware of the need to scan a broader variety and greater quantity of sources on a regular basis.
3. Extensive automation and integration
Because there is so much data and information to capture, correlate, and process, a security intelligence program needs a high degree of automation to reduce manual efforts and produce meaningful results quickly. To add context to initial findings and effectively disseminate intelligence, successful security intelligence programs must also integrate with many types of security solutions, such as security dashboards, security information and event management solutions (SIEMs), vulnerability management systems, firewalls, and security orchestration, automation and response (SOAR) tools.
4. Alignment with the organization and security use cases
Organizations sometimes waste enormous resources capturing and analyzing information that isn’t relevant to them. A successful security intelligence program needs to determine and document its intelligence needs to ensure that collection and processing activities align with the organization’s actual priorities. Alignment also means tailoring the content and format of intelligence to make it easy for people and systems to use.
Who Benefits From Security Intelligence?
Security intelligence is sometimes perceived to be simply a research service for the security operations and incident response teams, or the domain of elite analysts. In reality, it adds value to every security function and to several other teams in the organization.
The middle section of this handbook examines the primary use cases:
- Security operations and incident response teams are routinely overwhelmed by alerts. Security intelligence accelerates their alert triage, minimizes false positives, provides context for better decision-making, and empowers them to respond faster.
- Vulnerability management teams often struggle to differentiate between relevant, critical vulnerabilities and those that are unimportant to their organization. Security intelligence delivers context and risk scoring that enables them to reduce downtime while patching the vulnerabilities that really matter first.
- Threat analysts need to understand the motives and TTPs of threat actors and track security trends for industries, technologies, and regions. Security intelligence provides them with deeper and more expansive knowledge to generate more valuable insights.
- Third-party risk programs need up-to-date information on the security postures of vendors, suppliers, and other third parties that access the organization’s systems. Security intelligence arms them with an ongoing flow of objective, detailed information about business partners that static vendor questionnaires and traditional procurement methods can’t offer.
- Brand protection teams need continuous visibility into unsanctioned web and social media mentions, data leaks, employee impersonations, counterfeit products, typosquatting websites, phishing attacks, and more. Security intelligence tools monitor for these across the internet at scale, and streamline takedown and remediation processes.
- Geopolitical risk and physical security teams rely on advanced warning of attacks, protests, and other threats to assets in locations around the globe. Security intelligence programs capture data and “chatter” from multiple sources and filter it to deliver precise intelligence about what’s happening in the cities, countries, and regions of interest.
- Security leaders use intelligence about likely threats and their potential business impact to assess security requirements, quantify risks (ideally in monetary terms), develop mitigation strategies, and justify cybersecurity investments to CEOs, CFOs, and board members.
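The vulnerability management use case above says intelligence supplies "context and risk scoring" so that the vulnerabilities that really matter get patched first. The following is an added example of what such scoring can look like (it is not the handbook's or Recorded Future's method): each finding's base severity is adjusted by external intelligence about exploitation and by internal asset exposure. The multipliers, the criticality scale and the `CVE-EXAMPLE-*` identifiers are constructed placeholders for illustration, not real CVEs or published weights.

```python
"""Context-aware vulnerability prioritization on constructed findings.

Added example; weights, scales and CVE-EXAMPLE-* ids are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                # placeholder identifier, not a real CVE
    cvss: float             # base severity, 0.0 to 10.0
    asset: str
    internet_facing: bool
    asset_criticality: int  # assumed scale: 1 (low) .. 3 (high)


# Constructed external intelligence about each vulnerability.
INTEL = {
    "CVE-EXAMPLE-0001": {"exploit_public": False, "exploited_in_wild": False},
    "CVE-EXAMPLE-0002": {"exploit_public": True, "exploited_in_wild": True},
    "CVE-EXAMPLE-0003": {"exploit_public": True, "exploited_in_wild": False},
}

# Constructed scanner output joined with the asset inventory.
FINDINGS = [
    # High CVSS, but internal, unexploited and on a low-value host.
    Finding("CVE-EXAMPLE-0001", 9.8, "test-vm-07", False, 1),
    # Lower CVSS, but exploited in the wild on an internet-facing critical host.
    Finding("CVE-EXAMPLE-0002", 7.5, "customer-portal", True, 3),
    # Medium CVSS with a public exploit on an ordinary internal server.
    Finding("CVE-EXAMPLE-0003", 6.5, "file-server-02", False, 2),
]

# Assumed adjustment factors; a real program would tune these to its risk appetite.
EXPLOITED_IN_WILD = 1.5
EXPLOIT_PUBLIC = 1.25
INTERNET_FACING = 1.3
CRITICALITY = {1: 0.8, 2: 1.0, 3: 1.2}


def risk_score(finding, intel):
    """Combine base severity with threat context and asset exposure."""
    ctx = intel.get(finding.cve, {})
    score = finding.cvss
    if ctx.get("exploited_in_wild"):
        score *= EXPLOITED_IN_WILD
    elif ctx.get("exploit_public"):
        score *= EXPLOIT_PUBLIC
    if finding.internet_facing:
        score *= INTERNET_FACING
    score *= CRITICALITY[finding.asset_criticality]
    return score


def prioritize(findings, intel):
    """Return findings ordered by contextual risk, highest first."""
    return sorted(findings, key=lambda f: risk_score(f, intel), reverse=True)


def patch_order(findings, intel):
    """Just the identifiers, in the order the patching team should work."""
    return [f.cve for f in prioritize(findings, intel)]


if __name__ == "__main__":
    for f in prioritize(FINDINGS, INTEL):
        print(f"{risk_score(f, INTEL):6.2f}  {f.cve}  {f.asset}  (CVSS {f.cvss})")
```

Sorting by CVSS alone would patch the 9.8 on the test VM first; with context applied, the actively exploited 7.5 on the internet-facing portal moves to the top and the test VM drops to last. That reordering is the practical effect the use case describes: less downtime spent on severe-looking but irrelevant findings, and faster attention to the ones attackers are actually using.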
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, vulnerability management, SecOps, third-party risk management, security leadership, and more.