
Human Intelligence is Pivotal in a Data-Driven World

It’s Important to Enrich External Threat Intelligence With Context to Understand the Who, What, Where, When, Why and How of an Attack


In cybersecurity, we tend to focus on technology to solve all our challenges and sometimes lose sight of the importance of people. For four years now I’ve talked about empowering the human element, a theme which was showcased at RSA Conference last month. As I walked the floor, listened to sessions and spoke to attendees, I was struck by the newfound appreciation for and recognition of the need to better enable the interplay between humans and technology as we strive to strengthen defenses. It’s a topic near and dear to my heart and reminded me of two stories.

The first is one I’ve written about before. It’s the story of Captain Chesley “Sully” Sullenberger, who famously made an emergency landing of US Airways Flight 1549 on the Hudson River, saving all 155 souls onboard. When technology was telling him to pull up and try to reach an airport, the results would have been disastrous had he simply listened. Instead, his intelligence, intuition and 29 years of experience as a commercial pilot kicked in. Informed by data, Sully was able to make the right series of decisions at the time to land the plane safely in the river.

The second story is from a post I saw on LinkedIn a few weeks ago that reinforced the essential role human intelligence plays in data analysis and decision making. Coincidentally also related to planes, the post described how when Allied planes returned from battle after encountering Nazi anti-aircraft fire in World War II, the initial plan was to reinforce the areas of the planes that received the most bullet holes. It was mathematician Abraham Wald who pointed out that those were the areas strong enough to survive multiple hits and allow the planes to return home safely. The focus should be on reinforcing the areas that had no bullet holes as those were the areas that when hit caused planes to go down.

Both stories show the importance of having the right data to enable better decision making and actions. And sometimes that right data needs to be analyzed by a human. For those of us in cybersecurity it’s a reminder to get back to basics and empower teams for data analysis and decision making. 

Getting back to basics starts with context. And how do you get context? A key source is threat intelligence. But this doesn’t necessarily mean you need more threat feeds. Most organizations typically have more threat feeds than they know what to do with from commercial sources, open source, government, industry and existing security vendors. In fact, much of this data is ignored because it’s difficult to discern what’s noise and what’s important. Some intelligence feed vendors provide “global” scores but, in fact, these can contribute to the noise since the score is not within the context of your company’s specific environment. To gain a deeper understanding of your adversaries, you need a platform to aggregate these millions of global threat data points and translate them into a uniform format for analysis and action. 

Next, you need to ensure relevance by combining the data with internal threat and event data. Sources like security information and event management (SIEM) systems, log management repositories and case management systems contain events and associated indicators from inside your environment. Unfortunately, these systems aren’t being fully utilized because they are usually “owned” by different security teams that exist in silos – the Security Operations Center, incident response, risk management, vulnerability management, malware, network and more – which makes them difficult to access. With a platform that aggregates this data as well, you can enrich external threat intelligence with context to understand the who, what, where, when, why and how of an attack. 

Up to this point, tools and technology are doing the time-consuming and tedious work of gathering and contextualizing the data. This frees up humans to take on the next important task: analyzing the data and determining which intelligence to focus on first and which can be kept as peripheral. With the ability to change risk scores and prioritize threat intelligence based on parameters you set around indicator source, type, attributes and context, as well as adversary attributes, you can filter out what’s noise for you.
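The three steps above (aggregate feeds into a uniform format, enrich with internal events, re-score with parameters you set) as an added sketch that is not from the original article or any vendor's product. The feed formats, weights, indicators and events are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two external feeds in different formats.
FEED_A = [{"ioc": "203.0.113.7", "kind": "ip", "global_score": 90},
          {"ioc": "bad.example", "kind": "domain", "global_score": 40}]
FEED_B = ["domain|BAD.EXAMPLE|50", "ip|198.51.100.9|80"]
# Constructed internal events, as if exported from a SIEM and a case system.
INTERNAL_EVENTS = [
    {"indicator": "bad.example", "team": "SOC", "asset": "mail-gw"},
    {"indicator": "bad.example", "team": "IR", "asset": "hr-laptop-12"},
]
# Hypothetical analyst-set parameters: trust per source, weight per type.
SOURCE_TRUST = {"feed_a": 0.6, "feed_b": 0.9}
TYPE_WEIGHT = {"ip": 0.5, "domain": 1.0}
SIGHTING_BONUS = 25  # points added per internal sighting

@dataclass
class Indicator:
    value: str
    type: str
    sources: dict  # source name -> that vendor's "global" score

def normalize():
    # Step 1: translate every feed into one uniform, de-duplicated record set.
    merged = {}
    def add(value, type_, source, score):
        key = value.strip().lower()
        ind = merged.setdefault(key, Indicator(key, type_, {}))
        ind.sources[source] = int(score)
    for row in FEED_A:
        add(row["ioc"], row["kind"], "feed_a", row["global_score"])
    for line in FEED_B:
        type_, value, score = line.split("|")
        add(value, type_, "feed_b", score)
    return merged

def local_score(ind, events):
    # Steps 2 and 3: weight by source and type, then add internal context.
    base = max(s * SOURCE_TRUST[src] for src, s in ind.sources.items())
    sightings = sum(1 for e in events if e["indicator"].lower() == ind.value)
    return min(100, round(base * TYPE_WEIGHT[ind.type] + SIGHTING_BONUS * sightings))

def prioritize(events=INTERNAL_EVENTS):
    inds = normalize().values()
    return sorted(((local_score(i, events), i.value) for i in inds), reverse=True)

def global_rank():
    # For contrast: ordering by the vendors' global scores alone.
    inds = normalize().values()
    return [i.value for i in sorted(inds, key=lambda i: max(i.sources.values()), reverse=True)]
```

The domain that two internal teams have already seen moves from last place under global scores to first place under the local score, which is the queue an analyst would then review.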


It’s up to humans, guided by instinct, intelligence and experience, to determine the right data, so they can focus on what matters to the organization, make better decisions and take the right actions. It’s how Sully and Wald were able to mitigate risk, and it’s essential for security professionals too.  


Written By

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies.
