In the business of domestic and military intelligence the sources and methods for how intelligence is derived are highly protected. This includes the technology and processes used as well as the relationships and intelligence assets leveraged. There is inherent trust between the consumer and authorized agencies and organizations gathering, synthesizing and distributing this intelligence. Both those consuming the intelligence and those providing the intelligence understand the equities issues and appreciate the need to safeguard at all cost these unique relationships and capabilities.
The IT security world has attempted to take a similar approach to protecting sources and methods when delivering cyber threat intelligence. Yet, for good reason, the providers do not have the inherent trust of the consumer. The threat intelligence space is early and still evolving and enterprise customers are still learning how best to use and action this intelligence. The latest trend is for threat intelligence providers to offer a derived valued, a ‘score’ or ‘reputation’, that represents risk, threat, or readiness level of a particular company, organization, network, sub-net, or IP. Ultimately the vendor is attempting to provide a quantifiable value to the end-user that indicates some form of risk and or acceptance threshold assigned to the entity. But what does it really mean? When asked, the common answer is: “that’s our secret sauce or intellectual property.” While threat intelligence providers certainly have the right to protect their intellectual property and capabilities, users want more. Without providing sources and methods, how is a consumer to trust the validity of the information being presented and take action with confidence?
The challenge for the intelligence consumer is determining the degree of confidence to place in the vendor provided score. Again for good reason, security professionals are some of the most skeptical individuals in the IT profession. More often than not, the level of trust that an end-user has in a vendor provided score is low, especially when it comes to a mitigation, enforcement or denial action. In my opinion, this can be attributed to the fact that many vendors do not reveal how their score or information was derived.
In conversations with customers, it is clear they want to understand how these values are calculated, how the intelligence is derived, and who backs the findings. They’re not necessarily interested in digging deep into the intellectual property, but need the ability to reference the sources and methods. This is no different than good journalistic reporting. Stories founded on strong sources and methods are more believable and carry more weight than those offered by anonymous sources. Those validated by more than one source are also more trustworthy than those standing alone.
Don’t get me wrong, they want a score because it is measureable and quantifiable. But they also need a degree of validation to determine whether the information, knowledge or intelligence is actionable, relevant and applicable to their domain of operation. Simply having a score based on means and modes, or flashy security terms like malware, botnet, or DDoS are not enough to gain their confidence.
With so many vendors messaging about intelligence driven ‘block lists’, reputation driven filtering, and organizational cyber scoring, instilling another degree of confidence in how those values were derived is critical. What were the sources that contributed to establishing these values, what weights were applied, and how did they factor into the decision process for arriving at the value? These are all valid questions and concerns from consumers that deserve consideration.
Taking it a step further, intelligence is not always an exact science and the value of intelligence varies depending on the consumer and environment. Organizations operate under different levels of risk acceptance and risk postures and how one organization handles a thread of intelligence may vary greatly from another. This is why it is so important to also factor in the end-user to any cyber-focused intelligence. They want the ability to weigh in on the process by applying stronger values of confidence in sources they have grown to trust and consequently to devalue sources that have been proven unreliable. They want to remain interactive and override certain sources or methods that may ultimately change derived values. Enabling the end-user to take an active role in defining what’s most important to them is critical to developing and fostering trust.
Consumers will continue to scrutinize threat intelligence, and they should. If cyber threat intelligence scoring is to be widely adopted and provide real value, it is up to the provider to deliver the trust consumers expect. Insight into and understanding of sources and methods play a major role in a company properly assessing intelligence within the context of their own organization.