Security Intelligence and Threat Intelligence are not the same thing

Inigo Montoya said it best in "The Princess Bride": "You keep using that word. I do not think it means what you think it means."


The last two months have been interesting. I’ve found myself in conversations where the phrases “threat intelligence” and “security intelligence” have been used virtually interchangeably without thinking anything of it. Don’t get me wrong, I wouldn’t dare disparage this behavior too harshly. Some of the people who have done it are at the heads of their respective organizations. Before I really got wrapped into this on a daily basis I was prone to the same mistakes and misspoken phrases.


So what gives?


Wordnik defines Security Intelligence as “intelligence on the identity and capability and intentions of hostile individuals or organizations that may be engaged in espionage or sabotage or subversion or terrorism” while Threat Intelligence is largely left up to individual security vendors to define, but is largely believed to be a subset of overall security intelligence. Interesting … but doesn’t quite reflect the current thinking of smart people in the industry. Burnham’s definition in my original post on this topic still holds (as a colleague pointed out), but the distinction and relationship between security and threat intelligence needs to be made clearer.


I even posed the question to my colleagues[1][2][3][4] (many of whom have direct expertise in this field) and there was some dissension. Yet, these two are used interchangeably all the time. No good. Knowing this, it makes sense why so many intelligence teams within the enterprise fail to deliver on the promise of value. In a large percentage of the cases where I’ve been directly involved, say three out of every four, they can’t even agree on how to define value!


Let’s first try and make sense of these two terms, and once and for all at least establish that they are different. Then we’ll try and make some rudimentary distinctions between them.


First: Yes, these are different. The security community’s consensus is that Threat Intelligence is a subset of Security Intelligence. I concur, mostly because a lot of people smarter than I am have worked hard to establish this difference, so I’ll simply support that for those of you reading this post. Understanding that these terms are different means you accept they have different goals, different methods and processes, and different outcomes. Now we start to get to the value … but not yet.


Now, before we get to discussing value, let’s define how these two are different and why.


Security Intelligence is a superset of information an organization has on its overall security status. (I’m carefully avoiding using the word ‘posture’ here on purpose.) Security Intelligence incorporates a complete picture of your internal inherent and residual risks, active internal and external threats, and many other factors such as business climate, sentiment and more. This is all information that is collected, analyzed and acted upon in a timely fashion, otherwise it’s worth little. So you can see your organization’s Security Intelligence as the big picture of what is currently going on related to the security of your enterprise or organization.


Threat Intelligence is a subset of this big picture, providing information on threats. I think the definition Wordnik uses as Security Intelligence actually applies to Threat Intelligence in the enterprise space. I believe Threat Intelligence is the “… intelligence on the identity and capability and motivations of hostile individuals or organizations that may be engaged in espionage or sabotage or subversion or terrorism.” This is called knowing your enemy, essentially. I changed the definition slightly from intentions to motivations because they are not the same, and while intentions may be interesting, motivations are what can help us make a decision. You see, to me and many others, Threat Intelligence is all about collecting, refining, analyzing, and prioritizing vast quantities of data in order to enable a tactical decision to be made about your defenses. That’s as simple as it can be.


As I read over the previous thread I had started on Security Intelligence for the enterprise, I realize that after many discussions I had ever-so-slightly adjusted my world view … so this post is essentially a course-correction on that, and though I still agree with Burnham’s definition of Security Intelligence, I think Security vs. Threat Intelligence is ill-defined in the community.


So look for the follow-up Part 3 on how to actually get value from your Security Intelligence program, and then a follow-up to that, which will go into getting value from a Threat Intelligence program, understanding they are not the same.



Thanks to Kyle Maxwell for some peer discussion on the topic.



Richard Steven Hack(anon) | ‎07-31-2013 06:52 PM
As my suspicion is that less than one percent of organizations have either "security intelligence" OR "threat intelligence", I'd opine that this is another one of those distinctions meaningful only to infosec practitioners.

Edgar Rojas(anon) | 08-01-2013 07:01 AM

Let me use soccer terminology (because this is the game I know). A Soccer team exists in two modes: Attack and Defend. And the definition is very simple: If a player in your team has possession of the ball, then you are in Attack mode. If a player from the other team has possession of the ball, then you are in Defensive mode.


In Defensive Mode all your roles within the team (Striker, midfielder, defender, Goalie) change. The role of the striker is no longer to move around into available space positioning him/herself to receive the ball and create a goal scoring opportunity. The Role of the striker in Defense Mode is to be the first line of defense and move towards the opposing player who has control of the ball and SLOW DOWN THE ATTACK. The midfield players then move to provide Defensive coverage.


I can continue further explaining that our striker is now known as a First Defender, while the midfield players are known as second, third, and fourth defender. But what is the point of this?


If we are talking in general terms, then there is no reason to go down to this level of detail. There is no reason to say what is the difference between a Defender and First Defender. First Defender is an attribute that only exists in Defense Mode.


In infosec, we are always in Defensive mode. And if Threat Intelligence, or whatever the new buzz word is, is a subset or characteristic of Security Intelligence (assuming we all agree on the meaning of this term), then why do we try to compare both?


It seems to me we continue to strive to come up with clever terminology while the blackhats of this world don't care one way or another what we call it. My opinion is to keep things simple and not to delve too much into specifics when talking about such a broad subject unless the conversation warrants it.






The opinions expressed above are the personal opinions of the authors, not of HP.