Let me start off by saying that I am a marketer. I’ve been in the cybersecurity space for roughly 10 years with multiple companies focusing on different aspects that can be bucketed under the following segments of the market: endpoint security, network security and threat intelligence. In every segment there are buzzwords that seem to take on a life of their own.
In threat intelligence there are a few that really do us a disservice. The two that I want to pick on are “real-time” and “actionable.” Let’s dissect these:
“Real-time” Threat Intelligence
When I see this, to me it’s like nails on a chalkboard because “real-time” and “threat intelligence” cannot possibly go hand in hand. Threat intelligence requires analysis … by humans who have the expertise to do so. This does not and cannot happen in “real-time.” You can certainly get real-time information, but information and intelligence are not one in the same.
As my colleague Adam Meyer wrote in an article titled “Setting the Record Straight on Cyber Threat Intelligence,” information is unfiltered and unevaluated, available from many sources, and can be accurate/false, misleading and/or incomplete. Additionally, it may or may not be relevant to your business. The beauty of cyber threat intelligence is transforming all of that information into meaningful insights that drive better decision-making. That transformation process can be discussed in its own blog or collection of blogs, but the point I’m trying to make is that none of this is in “real-time.” I’m comfortable with near real-time because timeliness is an important attribute of intel … along with accuracy and relevancy.
“Actionable” Threat Intelligence
The word actionable isn’t bad, it’s just that we’ve overused it to the point it no longer means anything. Too many vendors equate information with actionable threat intelligence, but again, these are very different. A lot of information for you to research certainly creates lots of action, but is it actionable? To me, “actionable” means a decision can be made without requiring much, if any, additional research and analysis. If it is refined, final, actionable threat intelligence, all that prep work has been done and now you can make a sound risk management decision.
When I first joined SurfWatch Labs I had a friend who worked for an e-commerce business take me through a “day in the life” of how his company used threat intelligence. They took in a feed of low-level, tactical data and fed that into their SIEM, which spit out hundreds of alerts per day. The company had a team of analysts that would research each alert (which I was told could take as little as 20 minutes and sometimes up to a full day) and try to understand if they needed to worry about it and if so, how to deal with it. Every day this team of analysts had a lot of actions to take regarding their threat-related data. Just a few types of questions they needed to be able to answer:
- What was the actual threat?
- Was it relevant to their business and infrastructure?
- What was the potential impact? Did it impact sensitive information/systems?
- If it was relevant and important, then what steps and tools were necessary to mitigate this risk before it was too late?
Again, the information they received required lots of actions, but I would argue it wasn’t actionable intelligence at that point. Actionable intelligence takes that information and then runs analysis and correlation against the business profile where at the end there is a decision point and a method for addressing the risk. If you look at all the companies throwing around the term “actionable” I bet the majority provide an aspect of intelligence or a step in the direction of intelligence, but do not actually provide “actionable” intelligence.
Ok so why am I ranting about this? The above are just two of the more obvious examples where vendors are actively confusing the market and doing a disservice to customers trying to understand what threat intelligence is, what type of intelligence is right for them, and how to use it. Threat intelligence is not tangible like a firewall or some whiz-bang appliance, but if properly understood it can be extremely valuable to directing a cybersecurity program and reducing an organization’s overall risk footprint.