What is the Difference Between Information and Intelligence?

Those who read my pieces regularly likely realize that I enjoy writing on topics around which I see a lack of clarity.  Whenever possible, I try to provide actionable information and guidance based on my experience that can be implemented operationally.  After all, advice doesn’t do an organization much good if it can’t be leveraged in a real world environment.

In this piece, I’d like to tackle a topic around which I often see a tremendous amount of confusion.  During the course of my travels, intelligence is a topic that arises frequently.  Perhaps that doesn’t surprise you.  What may surprise you, however, is the lack of clarity and understanding I see around the topic.

Granted, there are individuals and organizations that understand intelligence quite well, and it shows very clearly in their overall security maturity.  Unfortunately, there is a wide spectrum of understanding when it comes to the topic of intelligence.  Sadly, more individuals and organizations find themselves on the lower end of understanding than we’d like to think.

Information vs. Intelligence

When I hear some people discussing intelligence, quite often, what they are actually discussing is information.  There is a fundamental difference between the two, and it doesn’t appear to me that that difference is particularly well understood.  What’s the difference, you ask?  The principal difference is that information is merely data.  Data by itself doesn’t include any context.  It doesn’t help us understand how to apply it to a specific problem.

Perhaps it’s easiest to illustrate this difference through an example.  I often hear people referring to data feeds and intelligence interchangeably.  For example, when speaking of their efforts to build, improve, or sustain their intelligence capability, people sometimes begin listing the different malicious domain name feeds they receive.  What’s the issue with this, you ask?  The issue is that these data feeds often lack any context whatsoever.

Context is king.  To understand just how important context is, here are a few representative questions to illustrate the point:

● To what stage of attack are the data relevant?

● What is the nature of the activity associated with the data?

● During what dates was the activity seen?

● Across what industry verticals was the activity seen?

● What size businesses does this activity usually affect?

These are just a few of the many contextual details that differentiate information from intelligence.  To use an analog world analogy, it’s like getting the price for a nice jacket you’d like to buy without knowing the currency that number is in.  Is that number in US Dollars, Japanese Yen, Thai Baht, Argentine Pesos, or some other currency?  As you might imagine, that context makes a big difference to how we apply, leverage, and act on that information.  In that regard, a malicious domain name without its associated context isn’t much different than the price of a jacket without its associated currency.  Only information and its associated context can be considered intelligence.  Otherwise, it’s just data.

Operational Application

Before we can fully leverage the power of intelligence, we need to understand to what problems we’re going to apply any intelligence we have the opportunity to work with.  Even the best intelligence in the world does an organization no good if it cannot be applied operationally to real world challenges.  Maximizing the value and effectiveness of intelligence without diluting its value through a flood of false positives requires a strong foundation built upon a strategic, risk-based approach to security, as I and many others have discussed in the past.  Intelligence can and should be appropriately mapped onto the relevant goals and priorities that result from approaching security in this manner.  This allows an organization to be far more selective and strategic in its pursuit of intelligence.

In other words, if organizations approach the intelligence challenge correctly, they can flip it on its head.  Most organizations purchase or otherwise receive intelligence and then look for a way to apply that intelligence.  Wouldn’t it be empowering for an organization to identify goals and priorities it needs to address and then pursue intelligence that suits those objectives?  This is a much different way of looking at intelligence, but it is one that generally produces far better results.

Perhaps it helps to illustrate the difference through an example.  Let’s assume I’m concerned about spear phishing attacks against my executives with the objective of exfiltrating sensitive, proprietary, or confidential information.  If I break that down into specific goals and priorities, I can then seek out very specific, reliable, high fidelity intelligence that facilitates mitigating that risk. 

For example, I may look at protecting mail as a vector, monitoring email for spear phishing attacks, monitoring unusual activity on executive systems or on the network, or any number of other goals.  As you can see, each of these goals is going to benefit from a different type of intelligence.  As I mentioned earlier in this piece, context is king, and it facilitates a much different way to approach the subject of intelligence.
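The goal-first approach described above, combined with the context questions from the earlier section, can be expressed as a small triage step. This is an added example, not code from the author or SecurityWeek; the field names, the goal definition, the 90-day freshness window, and the sample feed entries are all constructed assumptions.

```python
from datetime import date

# Field names mirror the article's five questions; they are assumptions.
CONTEXT_FIELDS = ("attack_stage", "activity", "first_seen", "last_seen", "verticals", "org_sizes")
TODAY = date(2024, 6, 1)  # fixed date so the constructed sample is reproducible

def ctx(stage, activity, first_seen, last_seen, vertical, size):  # context for one sample entry
    return {"attack_stage": stage, "activity": activity, "first_seen": first_seen,
            "last_seen": last_seen, "verticals": {vertical}, "org_sizes": {size}}
# Constructed feed: reserved .example domains, not real indicators.
FEED = [
    {"indicator": "bare-feed-entry.example"},  # a domain and nothing else
    {"indicator": "exec-portal-login.example", **ctx("delivery", "spear phishing",
        date(2024, 5, 1), date(2024, 5, 28), "finance", "enterprise")},
    {"indicator": "beacon-node.example", **ctx("command-and-control", "botnet check-in",
        date(2024, 5, 1), date(2024, 5, 28), "finance", "enterprise")},
    {"indicator": "old-lure.example", **ctx("delivery", "spear phishing",
        date(2021, 2, 1), date(2021, 3, 10), "finance", "enterprise")},
    {"indicator": "retail-lure.example", **ctx("delivery", "spear phishing",
        date(2024, 5, 1), date(2024, 5, 28), "retail", "small")},
]

# One goal from the article's spear phishing scenario; its values are assumptions.
GOAL = {"name": "monitor email for spear phishing against executives",
        "attack_stages": {"delivery"}, "vertical": "finance",
        "org_size": "enterprise", "max_age_days": 90}

def triage(feed, goal, today):
    """Return (usable indicators, {rejected indicator: reason}) for one goal."""
    usable, rejected = [], {}
    for entry in feed:
        gaps = [f for f in CONTEXT_FIELDS if not entry.get(f)]
        if gaps:
            reason = "information only, missing: " + ", ".join(gaps)
        elif entry["attack_stage"] not in goal["attack_stages"]:
            reason = "attack stage does not serve this goal"
        elif goal["vertical"] not in entry["verticals"]:
            reason = "seen in other industry verticals"
        elif goal["org_size"] not in entry["org_sizes"]:
            reason = "affects other business sizes"
        elif (today - entry["last_seen"]).days > goal["max_age_days"]:
            reason = "activity dates are stale"
        else:
            usable.append(entry["indicator"])
            continue
        rejected[entry["indicator"]] = reason
    return usable, rejected

if __name__ == "__main__":
    print(triage(FEED, GOAL, TODAY))
```

Of the five sample entries, only one survives for this goal; the bare domain is rejected first because nothing about it can be evaluated.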

Metrics and Iteration

Unlike a Ronco Rotisserie, intelligence isn’t a “set it and forget it” endeavor.  Making the most of intelligence is an ongoing process involving continual re-assessment and iteration.  In previous pieces, I’ve written of the need to properly source, vet, retain, and leverage intelligence, as well as the need to scientifically measure its value to security operations.  Although I won’t re-hash those points here, they are helpful and relevant to the larger discussion this piece focuses on.  A successful intelligence program is one that continually tunes, reassesses, and updates itself according to the changing threat landscape and risk mitigation objectives of the organization it finds itself within.

In the realm of intelligence, context is king.  Only with the proper context can data be considered intelligence, rather than simply information.  Maximizing the value of intelligence also requires the right framework within which to apply it.  Organizations that understand these points and practice them operationally reap far more value from intelligence than those that don’t.  It’s the intelligent way to do intelligence.

Written By

Joshua Goldfarb (Twitter: @ananalytical) is currently Global Solutions Architect - Security at F5. Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for nPulse Technologies until its acquisition by FireEye. Prior to joining nPulse, Josh worked as an independent consultant, applying his analytical methodology to help enterprises build and enhance their network traffic analysis, security operations, and incident response capabilities to improve their information security postures. He has consulted and advised numerous clients in both the public and private sectors at strategic and tactical levels. Earlier in his career, Josh served as the Chief of Analysis for the United States Computer Emergency Readiness Team (US-CERT) where he built from the ground up and subsequently ran the network, endpoint, and malware analysis/forensics capabilities for US-CERT.
