Security Experts:

Obsession With "Actionable" Undermines Effective Threat Awareness

Actionable threat intelligence. Actionable information sharing. Actionable threat detection and incident response. Actioned-oriented, actionable actioning around actionable actions. Over the last several years, if it ain’t actionable, it ain’t, uh, well, it ain’t anything.

Sounds silly, you say? Well it is - in more ways than one.

In fact, between myself and many of my peers, the whole actionable zeitgeist has become something more than just being silly.

Often, in conversations where we’re discussing something real, say, behavioral analytics for insider threat detection based on threat intelligence, one of us will inevitably say, “yeah, but is it...actionable?” and the group will erupt in laughter. It’s become a joke. And that’s the problem.

Over the last few years, cybersecurity operations in businesses around the world have become obsessed with mindlessly testing every single cyber intelligence activity, solution or information capability with the litmus test “is it actionable?” to the point that it no longer has real meaning.

Actionable IntelligenceMore dangerously, the obsession is undermining the adoption of fundamentally sound threat awareness activities that make businesses safer immediately - and over the long term.

The actionable litmus test is itself masking bigger, more traditional and systemic (pandemic) problems inside almost every cybersecurity operations team.

When most ask “is it actionable?” what they are really asking, sensibly enough, is “what do I do now with this information?” 

The problem here is that most cyber organizations today not only don’t know what to do about a given piece of information, they don’t know how to do it effectively. They don’t know how to repeat it, make it consistent, document it, track it, report on it or share it. They don’t know how to effectively use it to prioritize or triage daily tactical defense activities. They don’t know how to use it to strategize, plan or acquire software, hardware or human cyber resources.

Yet, if business would only get back to basics and resolve the underlying issues, they wouldn't need the actionable test at all. It would, in fact, be a by-product of better processes based on simple, effective threat awareness. In the search for “actionable,” businesses are ignoring the sources of the whole problem in the first place.

Here are just a few of many. (What’s more, these build on one another. Starting at the top of the list has a cumulative positive effect as you work down!)

Imbalanced Threat Awareness Focus

Most cyber operations focus almost solely inward. In other words, packet data, netflow, logs, signatures, SIEM and low-level Threat Intelligence activities rule the day with teams spending most of their time combing through alerts and indicators based on this data.

The result is that they become blind to big-picture threats to their lines of business coming just around the corner.

Continuous high-level situational awareness of relevant threats and how they’re executed against your industry, your software and hardware baselines, your customer technologies, your partner and supply-chain systems can help organize everything else you do and yield higher impact results (actions) against the highest impact threats.

The Wrong Organizational Structures

Although many business are currently evaluating or adopting cyber intelligence activities, most simply add them to existing SOC, NOCs and other lower-level watch activities. The issue is that the same people, processes and technologies that are already blinded by too much of a low-level focus serve to blind the new activities too. Like black holes with immense gravity, the traditional inward-looking, low-level needle-finding activities bend all toward their center.

Setting up new threat awareness activities outside these activities with clear lines of communication and standard operating procedures and protocols up and down the organizational chain from management to security functions allows complete focus on high-level situational awareness that informs more tactical operations.

The result is balance - something almost completely missing today. It also serves to bring the business side of things closer to the security side of things around shared risks management.

No Triage or Prioritization

Having the wrong threat awareness focus and the wrong organizational structures virtually guarantees inconsistent and skewed triage and prioritization of threats. Your team of expensive tactical cyber analysts tuning your expensive cyber defenses too often “play it by ear” each day, simply reacting to the latest alerts and indicators or “grab-bagging” from huge lists of available, possible threats.

The bottom line is, it doesn't matter what you do about something or how you do it if you’re acting against the wrong threats. With the imbalances that exist today, it’s easy to see why so many businesses are perplexed when their seemingly well-positioned defenses are circumvented by an unexpected hit.

Your resources crave simple triage and prioritization. With it, they’re better and more efficient. Re-organizing to emphasize better focus and organizational setup will allow for the adoption of simpler tools and processes.

No Effective Reporting and Sharing

In my day job, I often consult with cyber organizations around the effective use of strategic threat intelligence. The complaints I hear most often from both cybersecurity management and the professionals that labor under them have to do with gathering information, reporting on it and sharing it across their enterprises to appropriate organizations and levels.

For example, managers complain they can’t get consistent data for analysis from their teams they can disseminate out and up. It’s nearly impossible to report on threat data for specific risk areas or even general relevant trends in a way that’s consistently available and consumable by technical and non-technical analysts and leaders alike. As well, they often express major pain points with information latency due to the high level of effort (and strained staffs) associated with reporting to meet heavy compliance, regulatory and audit requirements.

On the security professional side, I most often get what’s on the other side of that coin:

• We don’t have time to prepare the data-driven reports before the data is “overcome by events”

• Gathering data from so many sources each week to meet ad hoc or standing reporting requirements takes up all my time

• We have too few personnel to effectively collect and report on data we have on hand

Fixing the problems outlined in this article will establish the people, processes and technologies needed to support fundamental, efficient institutional reporting and sharing.

In today’s cyber defense world as in other business domains, actions should speak louder than words. Yet, too often, being “actionable” is just that - a word with no meaning. Re-focusing on solutions for underlying organizational issues around fundamental threat awareness and how to communicate that information makes is mean something for your cyber defenses.

view counter
Jason Polancich founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.