Security Intelligence for the Enterprise - Part 2

Security Intelligence. A very hot topic right now on the “to do” list of CISOs across the enterprise space.


In part 1 of this series on security intelligence I discussed some of the basics I'm assuming you've got down in this post, if you've not had a chance to read part 1 - give it a read first.


Here’s an inconvenient observation: Of the 20-plus mid-market enterprises I’ve spoken to about security intelligence in the last few months, less than five are actively using security intelligence for better defense. What gives? This post will describe for you what I believe it means to extract value from security intelligence. And more important, why I believe three out of four enterprises are still failing to get that value.



Getting Value


As is the case with nearly anything else, having a tool at your disposal doesn’t necessarily mean you’re benefitting from it. Buying a brilliant hammer doesn’t make me a master carpenter and all that. But what it does get me is something that requires more work on my part to realize value. What is this mythical value I keep talking about?


Value is a funny word. Maybe it’s more interesting to think about utility, and how we may derive utility from having a resource available to us. Alright, enough word play — let’s talk about what it means to get value out of security intelligence in your enterprise.


First off, let’s take a quick peek at your enterprise security program. If your organization is without a framework with respect to defending your organization and its assets, do not read further. Instead, seek out someone who will be able to help you build that framework, call it a security program, and come back.


Within the construct of your enterprise security program, you should have a framework for using tactical intelligence in such a way that it aids in your decision making and adjustment processes. The problem here is that roughly half of the enterprises in this mid-market space I’ve spoken with don’t actually have a construct for making tactical adjustments. Another quarter are lacking a solid enterprise security framework (otherwise referred to as a “security program”), which means any attempt to bring in tactical intelligence into that mess will likely result in something akin to yelling “Shark!” in a movie theater. (I’ll let you figure that one out yourself.)


Assuming you have a framework for consuming tactical intelligence — security intelligence — your organization can now start to incorporate some of those feeds and reports into your daily activities. The problem is, however, there is still a vast chasm between “We have a report!” and “We are acting on this report!” You see, getting value means converting information into action. To take that a step further: Getting value means converting information you receive into actions you take in a timely fashion, which enable you to make good decisions to protect your enterprise. This is my loose definition, but I think it works.


Value to me means that you’re able to convert the information you receive in a timely manner into meaningful actions to defend your enterprise against an imminent threat.


Of the roughly half of the organizations that I’ve spoken to that break down somewhere in this process, most of it falls apart at the meaningful and timely. They can usually read the PDF that’s sent to them, and at some time convert it into action, but it’s rarely meaningful, and almost certainly not timely. Let’s look at this a little deeper.



Failure to Capitalize


There are any number of reasons (or excuses) why enterprises are failing to realize that value just discussed. They’re missing at least one, if not many more, of the criteria that are required to claim value. This is clear. But the major issue from where I’m sitting is, in spite of that failure, budgets are still being widened to include security intelligence as a strategic purchase. This is rather disturbing because you’re wasting money, and likely your own valuable resources, in an investment you’re almost certain will not pay off.


I’ve always heard that the only way to fix a situation is to admit that it’s happening. In order to find your way back to the highway, often times we simply must admit to ourselves that we’re lost and stop and ask for directions. With that in mind I offer my top five.


Here’s my assessment of the top five major failures when it comes to getting value from security intelligence for the enterprise:

  1. Inadequate framework for response. First and foremost, if you don’t have a framework for consuming, transforming, and acting upon intelligence you’re receiving from outside parties, there is not a snowball’s chance you’ll actually see value. Sure, they say that even a blind squirrel finds a nut eventually, but if you don’t have a framework in place you’re hopelessly wasting resources and may actually be causing your organization harm rather than good.
  2. Unusable format. Ever wonder how you can convert that 10-page PDF into quick action? Same here. There is a format that lends itself best to consumption by your organization, and it is your job to find that format. Whether it’s a web portal, a PDF, or a XML-based data feed into your SIEM — it has to work for you. (Otherwise, it’s working against you.) The copy/paste-from-PDF- to-firewall rule is likely going to slow your organization down before it speeds you up. Remember this has to be converted to action in a meaningful amount of time.
  3. Timeliness failure. Sadly, many of the reports I have seen some of these 20-plus organizations receive, come at some regular interval. Maybe it’s Monday morning, or mid-week, or twice a month … either way, if they’re not sent in a timely manner — meaning as they’re needed — they quickly become irrelevant and are relegated to historical value. This doesn’t help you tactically adjust, you’re not the TSA here. I’ll just leave it at that.
  4. Unusable information. Information about adversaries and their tactics is fantastic, unless it’s not something you can do anything about. Let’s say you’re a mid-market banking organization who just received intelligence that your sector is being targeted by “foreign nation-states.” I was asked by a client what I would advise they do with a report like that … to which my answer was an unfortunate shrug of the shoulders. Without detail, these types of reports only seek to cause wasted cycles, and confusion, in my opinion. I know certain peers will disagree with me but that’s okay.
  5. Inadequate resources. Even if everything else is great, and your framework supports a response, you have timely, usable information in a usable format, there is still a good chance the people you’re hoping to task with this response activity are busy doing 20 other tasks. You see, even if everything else works out near perfectly, you probably aren’t staffed for this type of response, and the intense levels of activity it requires. And that, after all this, may be the root of the problem. Staffing is once again our Achilles Heel in the enterprise.


There you have it, all the reasons why you’re probably failing at making use of the security intelligence you are actually receiving. In part 3 of this series I’ll see if I can give you some practical advice (without giving away the program my clients pay for) that can help you convert information into action in a meaningful, timely time.


Until next time!

MichaelHyatt_(anon) | ‎06-11-2013 08:52 PM

The value in Security Intelligence comes from leveraging the data you're already collecting in isolated silos, from AD and HR to system and application logs to DAM, DLP and SIEM, to IDS and DPI.  Get all that data working for you, and then find some genuinely effective behavioral analytics to apply to it.  More data = good. More analytics = good.  


You stop the known attacks.  You detect the successful attacks.


THAT'S security intelligence....

Leave a Comment

We encourage you to share your comments on this post. Comments are moderated and will be reviewed
and posted as promptly as possible during regular business hours

To ensure your comment is published, be sure to follow the Community Guidelines.

Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
About the Author

Follow Us
Community Announcements
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation