While attending the 2015 RSA Conference last week, I committed myself to simply being an active onlooker and listener.
Specifically, I spent the week loitering around the various solution provider booths, “shoulder surfing” and eavesdropping on who’s saying what to whom, and how each side – the solution seeker and the solution provider – perceives the other when it comes to cybersecurity’s current up-and-coming rising star, Threat Intelligence.
It’s that damn Threat Intelligence. So much disruptive promise (way more in my opinion than persisting with updates to sacrosanct and rusting solutions), yet so much confusion and noise.
My info-gathering tour at RSA was enlightening, but when I combined it with what I heard from Forrester’s Rick Holland this week in his brief “Threat Intelligence is Like Three Day Potty Training,” a couple of big insights emerged from the intersection of my data and Rick’s very thoughtful observations:
Many businesses right now think Open Source Intelligence (OSINT) is the totality of threat intelligence and many are willing to pay handsomely for this latest fashion trend without any real notion of how or why to put it to work.
In other words, as I listened to one after another vendor and solution seeker alike, each seemed to convey that gaining usable intelligence on potential cyber threats facing businesses was best accomplished by focusing on data that’s freely available on the uppermost parts of the internet each and every day. And they seemed very willing to pay for tools to exploit it in spades based almost solely on the shiny labels.
As Rick points out, and as I observed firsthand on the floor, many companies get stuck in the immature, “low-hanging-fruit-grab” period of their threat intelligence development. The attractive, available lure of OSINT is all too gratifying to pass up.
But more disturbing for me, from the exchanges I witnessed (and a bit of a twist on what Rick presented), many companies seemed as if they’d be just fine to stick with OSINT-only approaches for what sounded like much longer than an initial period of time.
In fact, as I heard one after another describe how they handled threat intelligence activities day-to-day, far too many described a process for daily tasking, triage and justification based solely on a web article or a post.
In one case, I even encountered a major infrastructure firm who told me if it couldn’t be found on the web, it didn’t exist for them as a threat worthy of investigation or as justification for any specific cyberdefense investment!
As such, many were on the hunt for ways to “up the ante” on this process and splurge on a “real live” OSINT-only solution to get even better at the process. And they seemed more than happy to blow the majority of their shiny new threat intelligence budgets on it, leaving room for little else.
In reality, the beauty of threat intelligence is much more than skin deep. Open source data is just a small part of the threat intelligence picture.
In particular, making use of threat intelligence in your cyber defenses to…
• Raise cross-organizational situational awareness
• Manage risks across your internal org and supply chain
• Speed response (and pre-response) to incidents
• Prioritize effective use of tactical cyber solutions
• Collaborate, budget and strategize around cyber defense
• Educate and inform your workforce
…involves a whole lot more than just OSINT.
The web and all its blogs, sites, social media posts, memes and cat videos is a treasure trove of information. Well, sometimes. Even so, the internet itself is arguably the single greatest human achievement in our history on this blue-green marble, but it isn’t actually reality.
In fact, it isn’t even really a shadow of reality. It’s more like many groups of collections of individual pixels in several disjointed areas of one much bigger, 3D image. Sure, one spot may be dark blue, but without information to fill in the white spaces, it’s a guessing game as to whether the big picture is indeed a fat, funky blue whale or something else.
Effective threat intelligence involves comprehensive, continuous collection and analysis of the right data sources, from both inside your organization and out, combined with a high degree of relevance to your specific business profile and characteristics. It’s an approach from many levels and angles. It’s the clichéd 360 degrees and three dimensions.
OSINT tools and sources alone only give you a limited view into what you need to know to accomplish a proactive, effective cyber risk management function that helps better protect your business, its financial interests, brand and reputation, partners and customers and information technology baselines.
Effective threat intelligence requires a data collection and analysis approach across all the below…just for starters:
• OSINT – Websites, blogs, forums, breach databases, exploit databases, malware and vulnerability databases, Dark Web sources and myriad others
• Your Own Evaluated Threat Data – Your own team’s low-level data that’s confirmed as “real” or relevant and diligently recorded and analyzed (e.g. Trojans found on your hosts or confirmed SNORT hits)
• Highly-Focused, Highly-Relevant Data Feeds – Commercial phishing feeds, patch management updates, spam analytics, AV/AM telemetry, government alerts and indicators
• Partner and Supply Chain Data – Extended reporting, sharing and data collection from your own “Private ISAC”
• SIEM Information – Evaluated events from SIEM analysis and exploration
• TIP Data – HUMINT analysis and other alerts, plus low-level data from “traditional” Threat Intelligence Platforms that can be confirmed as relevant threat events
What’s even more important, specific data about your own business, its products, technologies, employees, partners, customers, locations, third-party support providers, equipment, devices and more is a key ingredient needed to provide real data relevance you can act on. Yet many ignore this information as outside the realm of “threat intelligence.” To me, if you can’t map your vulnerabilities to what’s a threat, there is no risk management and there is no such thing as “actionable.”
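To make the “map your own business to the threat” point concrete, here is an added example (not code from the original post) of the kind of relevance scoring that turns a pile of indicators from the sources listed above into a prioritized list. The source weights, the asset inventory and every indicator record are constructed for illustration; the point it demonstrates is that an indicator touching nothing you run, no supplier you use and not your sector scores zero no matter how prominent the web article that carried it, while an internally confirmed hit on a technology you actually operate rises to the top.

```python
"""Relevance scoring for threat indicators from several source types.

Added example, not part of the original post. The source weights, the
business profile and the indicator records are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Rough confidence weight per source type. These values are assumptions
# chosen for the example, not a published scale.
SOURCE_WEIGHT = {
    "osint": 1,            # web article, blog, public feed: unverified
    "commercial_feed": 2,  # curated vendor feed
    "partner": 2,          # shared by a supply-chain partner / private ISAC
    "internal": 4,         # our own confirmed detection (e.g. a confirmed IDS hit)
}


@dataclass(frozen=True)
class Indicator:
    ioc: str                  # the observable (domain, IP, hash, ...)
    source: str               # key into SOURCE_WEIGHT
    affected: Set[str]        # products, technologies or vendors the report names
    sectors: Set[str] = field(default_factory=set)  # sectors the report names


@dataclass(frozen=True)
class BusinessProfile:
    technologies: Set[str]    # what we actually run
    suppliers: Set[str]       # third parties with access to us
    sector: str


def score_relevance(ind: Indicator, profile: BusinessProfile) -> int:
    """Score = source confidence x business relevance.

    Relevance is 0 when the indicator touches none of our technologies,
    none of our suppliers and not our sector, so the product is 0 whatever
    the source. Without the business profile every indicator would be
    ranked on source weight alone, i.e. on how loudly it was reported.
    """
    relevance = 0
    if ind.affected & profile.technologies:
        relevance += 3   # hits something we operate
    if ind.affected & profile.suppliers:
        relevance += 2   # hits a party with access to us
    if profile.sector in ind.sectors:
        relevance += 1   # campaign is aimed at our sector
    return SOURCE_WEIGHT[ind.source] * relevance


def prioritize(indicators: List[Indicator],
               profile: BusinessProfile) -> List[Tuple[int, str]]:
    """Return (score, ioc) pairs, highest first, dropping zero-relevance items."""
    scored = [(score_relevance(i, profile), i.ioc) for i in indicators]
    return sorted([s for s in scored if s[0] > 0], reverse=True)


# Constructed business profile: what this hypothetical company runs and relies on.
PROFILE = BusinessProfile(
    technologies={"WidgetCMS 2.x", "OpenSSH"},
    suppliers={"AcmeLogistics"},
    sector="energy",
)

# Constructed indicators, one per source type from the list above.
SAMPLE_INDICATORS = [
    # public write-up about a CMS we run, aimed at another sector
    Indicator("badcms-update.example", "osint", {"WidgetCMS 2.x"}, {"retail"}),
    # our own confirmed IDS hit against an SSH host (documentation IP range)
    Indicator("198.51.100.7", "internal", {"OpenSSH"}),
    # phishing domain shared by a supply-chain partner, aimed at our sector
    Indicator("fakeportal.example", "partner", {"AcmeLogistics"}, {"energy"}),
    # public exploit write-up for software we do not use, aimed elsewhere
    Indicator("erp-exploit-writeup.example", "osint", {"UnusedERP"}, {"finance"}),
]

if __name__ == "__main__":
    for score, ioc in prioritize(SAMPLE_INDICATORS, PROFILE):
        print(f"{score:3d}  {ioc}")
```

Run stand-alone, the block prints the internal OpenSSH hit first, the partner-shared phishing domain second and the OSINT CMS article last; the ERP write-up never appears because nothing in the profile makes it relevant. The same four records fed to a scorer that lacks the business profile would simply be ordered by how loud the source was.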
The bottom line? If it isn’t comprehensive, perspicacious and relevant, it’s mostly useless.
As well, more than just data of any specific flavor, effective threat intelligence hinges on the ability to free data from security operations activities and communicate it, share it effectively, integrate it with other non-cyber systems and use it to inform the non-technical business strategists, analysts, managers and leaders who steer the larger business. It must be timely, standardized, consistent, intuitive and sensible.
In other words, it has to be “human compliant” too across a variety of roles, both technical and non-technical, or, yep, you guessed it, it’s mostly useless.
So, don’t get hypnotized by a narrow focus. OSINT is just one part of putting threat intelligence to work. Despite a shiny, sexy appearance, it can cost you a whole lot more than the high price you pay for it.