Threat intelligence is the art of providing actionable threat data that enables organizations to focus on the most critical risks to their IT infrastructure. Essentially, a fusion of data and intelligence. The data component is pretty well covered by various software and service solutions that automate data gathering and correlate the results for human consumption. This is where “intelligence” comes in and that's not something that can be allocated to a computer program.
The data – The disconnect between data and intelligence is not necessarily the fault of the threat intelligence vendors, many of which do a fine job of collecting, correlating and analyzing data from both external and internal sources. The reality is there is a ton of external and internal data to parse and process. The trick is to tune the filtering just right so that you aren't overwhelmed but also don't miss something important.
The intelligence – While computer programs are great at processing data, they lack the required emotional intelligence of humans. Technical people generally regard emotion with disdain - a quality that distracts from pure science. However, emotional intelligence is that aspect that provides the “gut instinct” that can guide a detective to events that solve a case. It is difficult to quantify but it is an essential part of the human experience and must be a factor.
Computer programs follow strict rules, humans often don't. True innovation is a combination of breakthrough creativity combined with expertise in a particular subject. Innovation and unpredictability is where humans excel.
The fusion – Human intelligence is usually limited to technical security analysts and maybe some executive management with a security background. What's missing? The rest of the organization, including people with expertise in the business drivers, legal obligations, human resources factors and third-party relationships. Far too often, the technical people work in a vacuum. This leads them to implementing technical solutions that don't necessarily address business risk. Or worse – spending money on solutions that can't be properly implemented because no one has time to give input on how it should be deployed.
The reality – Threat data tends to be ranked based on the difficulty and effectiveness of techniques used to exploit the vulnerability, not on the importance of the asset. Ranking of vulnerabilities' technical impact has been long established through frameworks such as the Common Vulnerability Scoring System (CVSS), designed to provide a consistent method to rate the severity of vulnerabilities. However, this rating does not include metrics for the business importance of the asset, among other factors. An attempt has been made to adopt a Common Weakness Scoring System (CWSS) that includes integration of stakeholder concerns, but this isn't gaining traction because it requires humans to make decisions about what's important. The CISO/CSO needs to have the support and input from the all of the business units, and, most importantly the board of directors, which is often comprised of business executives with little technical knowledge.
The bottom line – An effective threat intelligence solution is one that automates data collection/aggregation and provides intelligence on both the external and internal threat landscape. It must also include input from the business units on their risks.
When it comes down to it, you can't outsource your business risk management strategy.
This article ran originally on Recorded Future's threat intelligence blog. Carole Fennelly is a Recorded Future contributor and information security consultant.