“Actionable” Information vs. Practical Cyber Threat Intelligence

I am a practical guy. I don’t like to waste a lot of time and tend to gravitate to things that work, whether I originally thought up the idea or if someone else did. I’m of the “if it works then it works” mantra. Much of that attitude stems from joining the military and being thrust into a culture that demands outside-the-box-thinking. Assess the problem and work through scenarios, use past experience and lessons learned, use the right tool for the right job and lastly, be mission oriented.

When it comes to cyber threat intelligence (CTI), the key value can be unlocked by making it practical. What are the answers to the “so what” questions? Why would anyone want to spend budget on this? CISOs and like roles have a lot of headaches. How does this help that headache? How do I make this stuff useful to decision makers? Who are the decision makers? Why would they care?

The problem is the value from CTI is being misrepresented. What I’ve noticed is that there is an overwhelming drum beat towards tools — tools that will sprinkle pixie dust over your threats and make things “actionable.” But getting an avalanche of data is not the same as evaluated intelligence — and yet they get confused way too often.

Information is raw and unfiltered. Intelligence is organized and distilled. Intelligence is analyzed, evaluated and interpreted by experts. Information is pulled together from as many places as physically possible (creating an unnecessary and unrealistic workload for any analyst team to organize, distill, evaluate, etc.), and may be misleading or create lots of false positives. Intelligence is accurate, timely and relevant.

The reality is that “actionable” really just means a new alert/alarm/event that you now have to whack-a-mole. In some of the presentations I’ve given I’ve talked about the “actionable, actionating, actionator.” Sounds ridiculous right? That’s the point. But this is more common than it should be. And because of this teams are getting dragged away from productive efforts and into areas that are less productive.

This should not be surprising as many of the CTI vendors are tool builders, and no surprise, they push tools to solve the problem. However, here is where I will deviate, my background is that of a CISO, Program Manager, Team Builder. I am seeing a big disconnect between threats that are present in our industries and the practical application of resources — combination of people, process and technology — to reduce the likelihood of those threats from becoming a reality.

You see there’s a big difference between security tools and programs. Security tools (or feeds) are bolt-on and output-driven while security programs encompass people, process and technology … and they are OUTCOME-driven.

Threat intelligence should be outcome-driven vs. output driven. In my previous role as a CISO, I wanted and needed to know about threats that were specific to my organization. I needed to know what capability, opportunity and intent those threat actors had, along with a plan to ensure we were well-positioned before an event occurred (and in case we were not ready, that we had an effective plan in place as we moved from event to incident to breached).

So as you look at the many “threat intelligence” options out there, ask yourself this: will this intel drive the organization to make the right decisions and take the right actions?

Don’t try to bite off more than you can chew and start simple by focusing on evaluated intelligence. From there make your risks learnable by separating out random (or un-analyzed) risks from what is more likely so you can reduce your uncertainty — and then tie those learnable risks to the characteristics of your business.

Author: Adam Meyer

Adam Meyer has served in leadership positions in the defense, technology, and critical infrastructure sectors for more than 15 years. Prior to joining SurfWatch Labs, Mr. Meyer was the Chief Information Security Officer (CISO) for the Washington Metropolitan Area Transit Authority, one of the largest public transportation systems in the United States. Preceding his role as a CISO, Mr. Meyer served as the Director of Information Assurance and Command IA Program Manager for the Naval Air Warfare Center, Naval Air Systems Command one of the Navy's premier engineering and acquisition commands.

One thought on ““Actionable” Information vs. Practical Cyber Threat Intelligence”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: