While attending the 2015 RSA Conference last week, I committed myself to simply being an active onlooker and listener.
Specifically, I spent the week loitering around the various solution provider booths "shoulder surfing" and eavesdropping on who's saying what to whom and how each side – the solution seeker and the solution provider – perceives the other as it pertains to cybersecurity's current up-and-coming rising star, Threat Intelligence.
It's that damn Threat Intelligence. So much disruptive promise (way more in my opinion than persisting with updates to sacrosanct and rusting solutions), yet so much confusion and noise.
My info-gathering tour at RSA was enlightening, but when I combined it with what I heard from Forrester's Rick Holland this week in his brief "Threat Intelligence is Like Three Day Potty Training," a couple of big insights emerged from the intersection of my data and Rick's very thoughtful observations:
Many businesses right now think Open Source Intelligence (OSINT) is the totality of threat intelligence and many are willing to pay handsomely for this latest fashion trend without any real notion of how or why to put it to work.
In other words, as I listened to one after another vendor and solution seeker alike, each seemed to convey that gaining usable intelligence on potential cyber threats facing businesses was best accomplished by focusing on data that's freely available on the uppermost parts of the internet each and every day. And they seemed very willing to pay for tools to exploit it in spades based almost solely on the shiny labels.
As Rick points out, and as I observed first hand on the floor, many companies get stuck in the immature, "low-hanging-fruit-grab" period of their threat intelligence development. The attractive, available lure of OSINT is all too gratifying to pass up.
But more disturbing for me, from the exchanges I witnessed (and a bit of a twist on what Rick presented), many companies seemed as if they'd be just fine to stick with OSINT-only approaches for what sounded like much longer than an initial period of time.
In fact, as I heard one after another describe how they handled threat intelligence activities day-to-day, far too many described a process for daily tasking, triage and justification based solely on a web article or a post.
In one case, I even encountered a major infrastructure firm that told me if it couldn't be found on the web, it didn't exist for them as a threat worthy of investigation or as justification for any specific cyberdefense investment!
As such, many were on the hunt for ways to "up the ante" on this process and splurge on a "real live" OSINT-only solution to get even better at it. And they seemed more than happy to blow the majority of their shiny new threat intelligence budgets on it, leaving room for little else.
In reality, the beauty of threat intelligence is much more than skin deep. Open source data is just a small part of the threat intelligence picture.
In particular, making use of threat intelligence in your cyber defenses to…
• Raise cross-organizational situational awareness
• Manage risks across your internal org and supply chain
• Speed response (and pre-response) to incidents
• Prioritize effective use of tactical cyber solutions
• Collaborate, budget and strategize around cyber defense
• Educate and inform your workforce
…involves a whole lot more than just OSINT.
The web and all its blogs, sites, social media posts, memes and cat videos is a treasure trove of information. Well, sometimes. Even so, the internet itself is arguably the single greatest human achievement in our history on this blue-green marble, but it isn't actually reality.
In fact, it isn't even really a shadow of reality. It's more like many scattered clusters of individual pixels in several disjointed areas of one much bigger, 3D image. Sure, one spot may be dark blue, but without information to fill in the white spaces, it's a guessing game as to whether the big picture is indeed a fat, funky blue whale or something else.
Effective threat intelligence involves comprehensive, continuous collection and analysis of the right data sources, from both inside your organization and out, and combining that with a high degree of relevancy to your specific business profile and characteristics. It's an approach from many levels and angles. It's the clichéd 360 degrees and three dimensions.
OSINT tools and sources alone only give you a limited view into what you need to know to accomplish a proactive, effective cyber risk management function that helps better protect your business, its financial interests, brand and reputation, partners and customers and information technology baselines.
Effective threat intelligence requires a data collection and analysis approach across all the below…just for starters:
• OSINT – Websites, blogs, forums, breach databases, exploit databases, malware, vulnerability, Dark Web sources and myriad others
• Your Own Evaluated Threat Data – Your own team's low-level data that's confirmed as "real" or relevant and diligently recorded and analyzed (e.g. found Trojans or confirmed SNORT hits)
• Highly-Focused, Highly-Relevant Data Feeds – Commercial phishing feeds, patch management updates, spam analytics, AV/AM, government alerts and indicators
• Partner and Supply Chain Data – Extending reporting, sharing and data collection from your own "Private ISAC"
• SIEM Information – Evaluated events from SIEM analysis and exploration
• TIP Data – HUMINT analysis and other alerts, low-level data from "traditional" Threat Intelligence Platforms that can be confirmed as relevant threat events
What's even more important, specific data about your own business, its products, technologies, employees, partners, customers, locations, third-party support providers, equipment, devices and more is a key ingredient needed to provide real data relevance you can act on. Yet many ignore this information as outside the realm of "threat intelligence." To me, if you can't map your vulnerabilities to what's a threat, there is no risk management and there is no such thing as "actionable."
The bottom line? If it isn't comprehensive, perspicacious and relevant, it's mostly useless.
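To make the "map threats to your own vulnerabilities" point concrete, here is a small added example in Python; it is not code from the original post or from any product mentioned in it. It merges indicators from the source types listed above, weights each by how evaluated its source is, and scores it against a constructed asset inventory so that an indicator matching nothing you run scores zero. The source weights, asset names, software tags, criticality scale and indicator ids are all assumptions made for the example.

```python
"""Rank threat indicators by relevance to your own environment.

Added example (not from the original post). Indicators from several source
types are merged and scored against a constructed asset inventory, so an
item is only "actionable" if it maps onto something the business runs.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple

# How much evaluated trust each source type carries. These weights are
# assumptions for illustration, not a standard.
SOURCE_WEIGHT = {
    "internal_confirmed": 1.0,   # your own evaluated threat data (confirmed IDS hits etc.)
    "siem": 0.9,                 # evaluated SIEM events
    "partner": 0.8,              # private ISAC / supply-chain sharing
    "commercial_feed": 0.6,      # phishing feeds, vendor/government alerts
    "osint": 0.4,                # blogs, forums, public databases
}


@dataclass(frozen=True)
class Indicator:
    ident: str
    source: str                  # key into SOURCE_WEIGHT
    confidence: float            # 0.0 - 1.0 as reported by the source
    affects: FrozenSet[str]      # technology tags the indicator applies to


@dataclass
class Asset:
    name: str
    software: Set[str]           # technology tags from your own inventory
    criticality: int             # 1 (low) .. 5 (crown jewel)


def score_indicator(ind: Indicator, assets: List[Asset]) -> Tuple[float, List[str]]:
    """Return (relevance score, names of matched assets).

    Score = source weight * reported confidence * summed criticality of the
    assets the indicator touches. No matching asset means no exposure, so 0.
    """
    matched = [a for a in assets if a.software & ind.affects]
    if not matched:
        return 0.0, []
    exposure = sum(a.criticality for a in matched)
    score = SOURCE_WEIGHT[ind.source] * ind.confidence * exposure
    return round(score, 2), [a.name for a in matched]


def prioritize(indicators: List[Indicator], assets: List[Asset]) -> List[Tuple[str, float, List[str]]]:
    """Score every indicator and return them highest-relevance first."""
    ranked = [(ind.ident, *score_indicator(ind, assets)) for ind in indicators]
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


def actionable(ranked: List[Tuple[str, float, List[str]]], threshold: float = 1.0) -> List[str]:
    """Ids that clear the relevance threshold and so deserve analyst time."""
    return [ident for ident, score, _ in ranked if score >= threshold]


# Constructed sample inventory (hypothetical hosts and tags).
ASSETS = [
    Asset("web-01", {"nginx", "cms-x"}, 4),
    Asset("hr-db", {"postgres"}, 5),
    Asset("kiosk-07", {"legacy-os"}, 1),
]

# Constructed sample indicators (hypothetical ids and tags, not real IoCs).
INDICATORS = [
    Indicator("OSINT-1", "osint", 0.9, frozenset({"cms-x"})),
    Indicator("OSINT-2", "osint", 1.0, frozenset({"mainframe-z"})),   # nothing we run
    Indicator("SIEM-1", "siem", 0.7, frozenset({"postgres"})),
    Indicator("FEED-1", "commercial_feed", 0.8, frozenset({"legacy-os"})),
    Indicator("INT-1", "internal_confirmed", 1.0, frozenset({"nginx"})),
]

if __name__ == "__main__":
    for ident, score, hits in prioritize(INDICATORS, ASSETS):
        print(f"{ident:8} {score:5.2f}  {', '.join(hits) or '(no matching asset)'}")
```

The OSINT item with the highest reported confidence ends up at the bottom because it touches nothing in the inventory, while a lower-confidence event confirmed in your own SIEM ranks near the top: the inventory, not the feed, is what makes an indicator relevant.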
As well, more than just data of any specific flavors, effective threat intelligence hinges on the ability to free data from security operations activities and communicate it, share it effectively, integrate it with other non-cyber systems and use it to inform non-technical business strategists, analysts, managers and leaders who steer the larger business. It must be timely, standard, consistent, easily intuitive and sensible.
In other words, it has to be "human compliant" too across a variety of roles, both technical and non-technical, or, yep, you guessed it, it's mostly useless.
So, don't get hypnotized by a narrow focus. OSINT is just one part of putting threat intelligence to work. Despite a shiny, sexy appearance, it can cost you a whole lot more than the high price you pay for it.