There has been significant chatter recently about threat intelligence management – specifically how a platform for managing such should be defined. Two industry analysts, Dr. Anton Chuvakin, of Gartner and Rick Holland, of Forrester have weighed in early and often on this topic and are two of the more thoughtful analysts actively covering this space.
Recently, Dr. Chuvakin blogged about what makes for a threat intelligence management platform (TIMP). Following Anton’s blog, Adam Vincent, CEO of ThreatConnect, blogged about how we should think about threat intelligence; the management of such; what the value of the intelligence is; and what the platform should resemble. ThreatConnect provides a threat intelligence-sharing platform, one of the formidable players in what I call the “Security Social Media” space around threat intelligence.
Defining Threat Intelligence
While my intent is not to pile on, the shaping of the threat intelligence management market is critical to its success, and there is much confusion about the very term “threat intelligence.” My writings are not to be taken as a response to any of the aforementioned individuals. They should serve simply another perspective on this overall developing market, and I encourage you to read their perspectives as well.
First, it’s important for you to understand that I am biased. I am a firm believer that intelligence is a process, not an individual thing. Intelligence is not “done.” It is “created.” Possessing some knowledge of the intelligence profession, I view intelligence as much more of an art than a science. Its results are similar to a Rorschach test, rather than a simple “addition of the parts.” It’s a natural dichotomy to try to use a science to reproduce an art. Intelligence is a profession, but one based more on critical thinking and gut instincts than a science itself. While science may provide an input into the intelligence creation process, science itself is not intelligence.
Typically, intelligence feeds into a course of events, or is considered when planning a course of events, or to better inform those about to embark on a course of events. It is very rarely treated as exact. Even when the credibility levels of the reporting are extremely high, the vetting process continues. There is also a lot of, simply put, bad intelligence derived from the wrong information; misinterpretation of information; or incomplete information. The association of the “threat intelligence” terminology and market with the traditional national and military intelligence concept is a bad one.
Why?
Because intelligence gathered by national intelligence and military capabilities is accomplished through some mechanism of spying. I’m using “spying” broadly, as to not have to write a dissertation on intelligence collection. But it is pursued by spying up close and personal and/or from a distance.
The “threat intelligence” market is serviced by a growing list of commercial companies, and they’re not spying. If they are I would – as should any customer – question the longevity of their business model. The collection of information is very different than spying. Those of us within this market collect information via technical means; the people who share information with us; our individual teams’ research; proprietary mechanisms; and each other. How we apply our individual tradecraft and capabilities to add additional value and capabilities to that information varies, which is why there is such a market and growing demand for such capabilities.
So if the foundation of the “threat intelligence” market is about acquiring and collecting information, then a platform for managing that information should focus on helping create knowledge for its end user, one that can enable the derivation of “intelligence.” The derivation of intelligence should support the tactical and strategic decision making of: an organization, a security operations center, an incident responder, an analyst or risk manager.
It should focus on constantly providing the information, (i.e. technical or non-technical means). The more information, and variation of sources, the better. The broader, geographic coverage of sources, the better. The more context that can support the provided information, the better. It is this corpus of information and constant collection and processing that, if not done well, will leave end-users without the knowledge they need to take that next step to formulating intelligence. (Or at least they won’t in an efficient and effective timeframe.) And yes, more is better. It’s better to have and not need than to need and not have. Finding needles in haystacks is often a result of very mundane information combined with very relevant information.
What this platform probably won’t be is an answer to every question the end-user may have. It probably won’t implement advanced artificial intelligence that spits out tactical and strategic intelligence for the first line of security operations support. It alone probably won’t solve the communications barrier between executive management and security operations. It won’t be the silver bullet. But it may make your organization more effective and efficient, and it better make them more knowledgeable when then need to be.
All of which brings me to my last point: We probably are using the wrong term for this market. It’s really about threat information. I often ask companies, “If I tell you that your company is a potential target for cyber threat actor, ‘Snoop Lion Panda,’ who has been known to use an array of XSS vulnerabilities as preferred tactics, techniques and procedures to compromise similar companies, what are you going to do?” “Intelligence” is not defined by knowing that an actor group referred to as Snoop Lion Panda has a known method of attacking specific companies. That is “information.”
It is ultimately human (end users) who derive intelligence from this information. How are they different? Intelligence is valuable and information is just information. However, you can’t derive intelligence without information and how that information is managed and delivered is what ultimately drives the overall effectiveness of deriving intelligence. So a TIMP shouldn’t provide intelligence in of itself, but the means for its end user to derive organizational and operational specific intelligence that can be tactically and strategically applied.
