Beware The Intelligence Driven Security Operation Fed By Poor Intelligence

Rick Howard | Aug 11, 2012

*Originally published in CSO Magazine

There is a growing consensus within the information security community around the benefits of establishing “intelligence-driven” security operations. A growing number of organizations are moving in this direction, based on the combination of increasingly network-centric operations and the complexity of today’s cyber threats. Without question, integrating intelligence into your security operations is beneficial, provided you are following a few core principles, one of which is working with accurate, deep and relevant intelligence.

The Reality Of The Cyber Threat Race

It is no longer possible to fully prevent every potential cyber attack. The threat landscape is too vast and fast-moving, and enterprise IT environments are too diverse and dynamic. A more realistic goal for threat management is to integrate advanced intelligence into an operation that prioritizes threats and preventive measures, backed by a solid plan for incident response.

Verisign iDefense focuses on three elements of cybersecurity intelligence to ensure integration will help improve security operations:

  1. Avoiding information overload
  2. Following the full lifecycle of a threat
  3. Evaluating the accuracy of intelligence

Avoiding Information Overload Through A Focus On Relevance

In a world where the threat landscape is constantly changing, information about cyber threats and vulnerabilities is plentiful and inexpensive. But for corporate organizations that make strategic and tactical decisions, a simple information feed frequently isn’t enough. Too often, information lacking context and relevance overwhelms decision makers, complicating decision making. For organizations to better understand the security threats their adversaries pose, and their methods of attack, they need to establish their own cyber intelligence capabilities to methodically collate the data into information and turn that information into actionable intelligence.

Follow The Threat Lifecycle

The loudest chatter about high-visibility threats and vulnerabilities often coincides with vendor disclosure. This discussion often results in urgent activity to patch the vulnerability, but some organizations mistakenly assume that the patch will protect their businesses from that same threat indefinitely. The truth is that threats have lifecycles and are constantly evolving. A timeline for the lifecycle of individual threats or vulnerabilities can sometimes be measured in years. Constant monitoring and updating are necessary for complete coverage.

Free Intelligence Is Nice, But Accuracy Matters

For years, security teams have gathered cyber threat intelligence from a variety of sources. “Free” intelligence is plentiful, primarily in unstructured data feeds, but also in newsgroups and larger solutions from vendors with proprietary offers. Organizations running complex environments or protecting sensitive information require accurate intelligence that comes as a result of a thorough validation of threats and vulnerabilities. Intelligence is not simply a data feed, nor is it purely information. The heart of intelligence is an assessment that transforms raw information into a tool for more informed decision making.

Organizations establishing an intelligence capability are moving in the right direction for maturing their security operations, but they need to give careful consideration to their sources and how the depth of analysis from those sources should impact their use of the intelligence.

Does your organization have a cyber intelligence capability?
