Navigating the Threat Intelligence Hype

By Chris Coleman, CEO, Lookingglass



Having returned from Black Hat USA 2014, it has become apparent that threat intelligence is
nearing the cusp of the hype cycle. As with any potentially disruptive method, it becomes
extremely difficult for those interested to sort through the chaff and understand the root
benefit. In the spirit of transparency, I want to disclose up front that I have the
privilege of being at the helm of a for-profit business in the cyber threat intelligence market.
My career path has afforded me exposure to this potentially disruptive method for over a
decade.

Let me first explain why I refer to it as a method. The promise of threat intelligence in and of itself
is not to be realized through technology alone, but by the method in which it becomes
implemented and adopted within the overall security operations process.

In order for an organization to be able to use threat intelligence, it must first realize that
intelligence is derived by humans, and that an internal competency is required to effectively
convert information into organizationally relevant intelligence. At that point, and only at that
point, can the information be leveraged to create a dynamic security and risk posture.

So competency requires a plan and repeatable processes and procedures that can
operationalize the information set, termed in this case, for lack of a better term, threat
intelligence.

While technology can provide a keen advantage in assisting with the collection, processing,
analysis and enablement of the information, it will require a competency reliant on people
and organizational processes and procedures to realize the benefit of this disruptive
capability.

Why does threat intelligence have the potential to be disruptive? While many different
answers abound, my answer is that it is the first step in expanding the nearsighted
approach that we’ve been taking for so long. Security has been focused at and within the
perimeter. As a profession we have failed to extend our viewpoint to where 95% of the threat
originates – outside the perimeter.

Experts speak of kill chains, yet only through threat intelligence can we get in front of the kill
chain - adapting our security and risk posture based on threat information we receive. This
information may not spell out a traditional “to do” list. Rather, it requires a competency to
derive the telltale signs most important to your organization.

What kind of information makes up this threat-centric view? This is another topic rich with opinions;
however, if we can agree that what we’re trying to achieve is a better-informed security and
risk capability, then there needs to be a strong focus on understanding the unknown.
Understanding the unknown requires diverse information sets that, when coalesced, can help
drive decision support on how to react. Ultimately, we are trying to increase the mean time to
know, thereby dramatically reducing the effect or preventing it altogether.



35 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
