Cybersecurity Rant – Security Marketers Misusing Terms

Let me start off by saying that I am a marketer. I’ve been in the cybersecurity space for roughly 10 years with multiple companies focusing on different aspects that can be bucketed under the following segments of the market: endpoint security, network security and threat intelligence. In every segment there are buzzwords that seem to take on a life of their own.

In threat intelligence there are a few that really do us a disservice. The two that I want to pick on are “real-time” and “actionable.” Let’s dissect these:

“Real-time” Threat Intelligence

When I see this, to me it’s like nails on a chalkboard because “real-time” and “threat intelligence” cannot possibly go hand in hand. Threat intelligence requires analysis … by humans who have the expertise to do so. This does not and cannot happen in “real-time.” You can certainly get real-time information, but information and intelligence are not one and the same.

As my colleague Adam Meyer wrote in an article titled “Setting the Record Straight on Cyber Threat Intelligence,” information is unfiltered and unevaluated, available from many sources, and can be accurate/false, misleading and/or incomplete. Additionally, it may or may not be relevant to your business. The beauty of cyber threat intelligence is transforming all of that information into meaningful insights that drive better decision-making. That transformation process can be discussed in its own blog or collection of blogs, but the point I’m trying to make is that none of this is in “real-time.” I’m comfortable with near real-time because timeliness is an important attribute of intel … along with accuracy and relevancy.

“Actionable” Threat Intelligence

The word actionable isn’t bad, it’s just that we’ve overused it to the point it no longer means anything. Too many vendors equate information with actionable threat intelligence, but again, these are very different. A lot of information for you to research certainly creates lots of action, but is it actionable? To me, “actionable” means a decision can be made without requiring much, if any, additional research and analysis. If it is refined, final, actionable threat intelligence, all that prep work has been done and now you can make a sound risk management decision.

When I first joined SurfWatch Labs I had a friend who worked for an e-commerce business take me through a “day in the life” of how his company used threat intelligence. They took in a feed of low-level, tactical data and fed that into their SIEM, which spit out hundreds of alerts per day. The company had a team of analysts that would research each alert (which I was told could take as little as 20 minutes and sometimes up to a full day) and try to understand if they needed to worry about it and if so, how to deal with it. Every day this team of analysts had a lot of actions to take regarding their threat-related data. Just a few types of questions they needed to be able to answer:

  • What was the actual threat?
  • Was it relevant to their business and infrastructure?
  • What was the potential impact? Did it impact sensitive information/systems?
  • If it was relevant and important, then what steps and tools were necessary to mitigate this risk before it was too late?

Again, the information they received required lots of actions, but I would argue it wasn’t actionable intelligence at that point. Actionable intelligence takes that information and then runs analysis and correlation against the business profile where at the end there is a decision point and a method for addressing the risk. If you look at all the companies throwing around the term “actionable” I bet the majority provide an aspect of intelligence or a step in the direction of intelligence, but do not actually provide “actionable” intelligence.

OK, so why am I ranting about this? The above are just two of the more obvious examples where vendors are actively confusing the market and doing a disservice to customers trying to understand what threat intelligence is, what type of intelligence is right for them, and how to use it. Threat intelligence is not tangible like a firewall or some whiz-bang appliance, but if properly understood it can be extremely valuable in directing a cybersecurity program and reducing an organization’s overall risk footprint.

Author: Sam Erdheim

Sam Erdheim has more than 15 years of experience across all facets of marketing and product management for enterprise software companies. Mr. Erdheim has spent the past 10 years in the information security space, most recently serving as Director of Marketing for AlgoSec, a security policy management vendor, where he was responsible for leading the strategy and development of the company's corporate and product positioning, content and communications. Prior to AlgoSec, Mr. Erdheim served as Director of Marketing at Lumension, an endpoint security provider, where he drove a comprehensive demand generation program that supported more than a third of the sales pipeline and created an automated email nurture campaign that received a Gold Medal from MarketingSherpa. Previously, Mr. Erdheim served in product management and marketing roles for other technology companies such as Softek (acquired by IBM Global Services), iLumin (acquired by CA) and Thomson Financial. Mr. Erdheim is a graduate of Tufts University.
