Cyber Intelligence-as-a-Service: In-House vs. Outsource Dilemma

Over the last few years, I’ve had the opportunity to meet and consult with companies about how they stay ahead of cybercrime threats to their businesses.

As an avid fan of all things analysis, this has provided me with some very interesting data fodder on how businesses view and use intelligence to help detect, mitigate, predict, prepare for and respond to cyber threats.

Right now, most businesses feel they should be actively engaged in pursuing a wide variety of cyber intelligence activities that are tied to their tactical cyber defenses in a direct and reciprocal way. What’s more, I’m starting to see that many businesses are finally beginning to view the cyber threat not just as a technical problem, but as a real business problem with real business impacts.

These companies are seeking something more than just a bunch of threat intelligence feeds or an existing SIEM tool: a robust cyber intelligence function, similar to many corporate and competitive intelligence teams, that’s more than just technical.

Traditional, tactical and technical “depth of defense” approaches (and the myriad associated traditional threat feed firehoses that go with them) are certainly a huge part of an organization’s cyber defense, but they’re really only half of an overall solution - a solution that’s often too inwardly focused, inefficiently employed, disorganized, lacks accurate prioritization and triage, and is highly susceptible to hits coming out of the blue.

In other words, they lack… intelligence. It’s kind of like having an army of infantry troops positioned who have been cut off from their officer leadership to defend your headquarters with little to no information on who their enemy is, where they are located, how many of them there are and what kind of weapons they have.

An even more interesting thing is that, while most businesses feel they certainly should be pursuing these kinds of more robust cyber intelligence functions, most aren’t actually doing anything about it at all.

In many cases they’re quite often paralyzed by the following question:

Do we do this ourselves, in-house, or do we outsource to a “some kind of service” provider?

The question is a big one for many reasons as cyber intelligence:

• Can be very expensive

• Requires skilled human capital

• Must have clear lines of communication with standard ways of talking about and presenting data for analysis

• Needs specialized processes and tools to carry them out

• Much more...

Additionally, even after you have all this, it takes time to bear fruit and must be nurtured and evolved dynamically to meet new threats.

In short, there are lots of things to consider, and that turns a pause into paralysis. Let’s take a look at some pros and cons.

The In-House Problem

Pros

Access: No one knows you like you do, so starting a cyber intelligence gathering initiative has the benefit of perspective on every part of the business you’re trying to defend. On the other side of the access coin, any and all info from your intelligence efforts is right inside your walls and presumably easier to analyze and exploit expediently across the business.

Prioritization: It’s never helpful to try “boiling the ocean” in an intelligence approach and it usually helps to focus in on just your specific key areas of concern. Doing things in-house lends itself to better triage around what’s hot now and what’s just walking in the door, but in need of immediate attention.

Convenience: Gathering, evaluating and sharing information, as well as integrating collected data into existing SIEMs, decision support systems, Threat Intelligence Platforms (TIP) and the like should be more straightforward.

Cons

Cost: Even for companies with healthy cyber defense budgets, the in-house option to establish a robust intelligence program to address cyber threat planning is dauntingly expensive across the board as far as technology, human capital and organizational support go. In short, you need too many things like business support applications, analysis tools, lots of the right kinds of data and access, data repositories, analysts and more.

Time: Standing up an initiative to gather cyber threat data at varying levels, assess your own risk profile information across the enterprise, and source special data with big cyber and business impacts, such as Dark Web data, requires seeing things through for the long term.

Talent: The specialized expertise required to conduct effective intelligence gathering and analysis means bringing hard-to-find new and different roles into your organization or re-purposing existing resources. In both cases, achieving effectiveness is hard, if not almost impossible, in any short or intermediate term.

Data: Acquiring access to all the data sources you need to support a robust intelligence gathering and analysis effort for everything from viruses and malware to business threats like fraud or piracy is a herculean task.

The Outsourcing Problem

Pros

Talent: Service providers that specialize in intelligence services are typically highly specialized. They recruit, hire and train analysts and investigators steeped in intelligence methodologies.

Data: In most cases intelligence and analytics providers trade in access to sources, as well as a variety of aggregate data sets. What they don’t have, many are usually able to partner to obtain.

Time: Once the “learning curve” coordination period is over, service providers with SLAs and QoS promises usually begin to deliver results much more quickly than in-house efforts.

Cons

Cost: Even when outsourcing, cost is a concern. Most providers are very expensive, but can often be somewhat productive much faster by virtue of their specialization, focus and experience.

Access: Unlike having everything in-house, with a provider or collection of service providers you’re usually at their disposal. Service providers who are inconsistent, absentee and late with information can be extremely frustrating. Most times, you don’t have any self-service, 24/7 access to your data or analysis.

Convenience: The ability to take produced intelligence and share it across your enterprise is always going to be affected when you depend on someone else. Integrating external data with your processes and environments is always a challenge no matter in-house or out.

Prioritization: No one is going to care like you do. Whether that’s about standing concerns or threats or new ones that pop up, there’s always going to be an urgency and importance gap. The issue these days with our pandemic cyber threat is that time-to-response has never mattered more.

Much like what the cloud and Anything-as-a-Service have done for software and data delivery now, by the end of the next decade it will likely be de rigueur that companies run intelligence programs that overlap cyber, operational, competitive and physical security domains. However, right now, the build vs. buy dilemma plus the almost total immaturity of the intelligence function in the cybersecurity domain means there will be a lot of growing pains as we evolve to a better way.

Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.