Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

12/1/2016
10:00 AM
Joshua Goldfarb
Joshua Goldfarb
Commentary
Connect Directly
Twitter
RSS
E-Mail vvv
100%
0%

20 Questions Smart Security Pros Should Ask About 'Intelligence'

Threat intel is a hot but complicated topic that encompasses a lot more than just data feeds. Here's how to get beyond the fear, uncertainty, and doubt to maximize its potential.

To be perfectly honest, the topic of intelligence has always annoyed me a bit. Not because I don’t enjoy it or think it is important; quite the contrary, intelligence is one of those areas that has so much potential, but whose potential is lost and adrift in a sea of hype and noise. Allow me to illustrate this point through an example.

More often than not, when I discuss the topic of intelligence, people immediately jump to a frame of reference built around data feeds. This is unfortunate, mainly for two reasons:

  • Data feeds are about data, not about intelligence. Relevant, accurate, timely data can be considered information. Only that information, plus the appropriate context, can be considered intelligence. Semantics are important here.
  • Data feeds do nothing for my risk mitigation goals. Intelligence needs to be applied to real-world use cases,  for example, using intelligence to assess and prioritize risk, or using intelligence to investigate and understand a given event to assess the risk it presents to the organization. In other words, turning information into knowledge. 

How can astute buyers get beyond the fear, uncertainty and doubt to maximize the potential of intelligence and make sense of the chaos? You guessed it! Here are 20 questions worth asking anyone trying to sell you intelligence.

By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons.
By DuMont Television/Rosen Studios, New York-photographer.Uploaded by We hope at en.wikipedia (eBay itemphoto frontphoto back) [Public domain], via Wikimedia Commons.

1. What is the underlying philosophy that drives your intelligence capability? If I am going to pay you for your intelligence, I want to be sure I understand what makes you as a vendor tick.

2. What kind of data do you collect? Don’t tell me it’s only one or two different types of data from one or two different sources. Real intelligence comes from a wide variety of data types and sources.

3. Where do you get your data? I don’t expect you to reveal specific sources and methods to me, but you should at least be able to articulate why your secret sauce is better than the next vendor’s.

4. In how many countries do you operate? You can’t tell me you can see what’s going on around the world when you’re only looking at one corner of it.

5. How many languages does your team speak? As I’m sure you’re aware, attackers do their work in many different languages.

6. Do you have a physical presence in specific local and regional attacker communities? As great as the Internet is, there is still no substitute for being there locally, and being on the inside.

7. How does a piece of information make its way from the field into your database?

8. What does the overall collection architecture look like? I don’t need you to reveal secrets to me, but you ought to be able to articulate how the data you collect is accurate, reliable, and high-fidelity.

9. In how many locations do you store and analyze the data you collect? In other words, please tell me you have high availability and redundancy. A power outage shouldn’t wipe out your entire operation.

10. What volume of data are you collecting on a daily basis?

11. How do you scale to the level required for that large amount of data?

12. How do you normalize all that data?

13. Do you have structured data, unstructured data, or both?

14. How many analysts do you have to chew through all that data?

15. What types of professional backgrounds do your analysts come from?

16. How do you analyze the data? I don’t expect you to reveal your tradecraft secrets to me, but I want to be confident that you have a sound methodology. I want to be sure you aren’t making educated guesses, or otherwise rolling the dice.

17. How do you ensure that the data guide your findings and conclusions, rather than your biases? We are all human and have biases. How do you ensure that your intelligence doesn’t succumb to the biases of your analysts?

18. Can I buy intelligence aimed at different audiences (e.g., the board, executives, analysts, incident handlers, etc.)? I’m trying to please a diverse audience, and I need a vendor who can help me get there.

19. How can you help me assess and prioritize risk? I know that doing so can help me optimize security spending and show good return on investment, but I need help.

20. How can you integrate easily into my workflow? Whether I am looking to leverage intelligence to help with alerting, adding additional context to investigations, or otherwise, I want to make sure that you aren’t going to create a bunch of additional work and manual labor for my already overworked team.

The pressure to make the right choices in acquiring information security products and services can be intense, particularly when it comes to a hot topic like intelligence. A game of 20 questions can help you interrogate the true capabilities of intelligence vendors. It’s the intelligent thing to do.

Related Content:

 

Josh (Twitter: @ananalytical) is an experienced information security leader who works with enterprises to mature and improve their enterprise security programs.  Previously, Josh served as VP, CTO - Emerging Technologies at FireEye and as Chief Security Officer for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Treadstone71LLC
50%
50%
Treadstone71LLC,
User Rank: Apprentice
12/1/2016 | 12:35:26 PM
Intelligence
Ensure the data is not technology biased.

Rate your vendors and what they send you.

https://cybershafarat.com/2016/11/07/fallacies/ 

Demand evidence, demand citations.

Ensure your vendors have structured methods surrounding analysis.

- Treadstone 71
Stop Defending Everything
Kevin Kurzawa, Senior Information Security Auditor,  2/12/2020
Small Business Security: 5 Tips on How and Where to Start
Mike Puglia, Chief Strategy Officer at Kaseya,  2/13/2020
Architectural Analysis IDs 78 Specific Risks in Machine-Learning Systems
Jai Vijayan, Contributing Writer,  2/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0258
PUBLISHED: 2020-02-17
Multiple incomplete blacklist vulnerabilities in the avatar upload functionality in manageuser.php in Collabtive before 2.1 allow remote authenticated users to execute arbitrary code by uploading a file with a (1) .php3, (2) .php4, (3) .php5, or (4) .phtml extension.
CVE-2015-6922
PUBLISHED: 2020-02-17
Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.33, 8.x before 8.0.0.23, 9.0 before 9.0.0.19, and 9.1 before 9.1.0.9 does not properly require authentication, which allows remote attackers to bypass authentication and (1) add an administrative account via crafted request to LocalAuth/setA...
CVE-2020-9043
PUBLISHED: 2020-02-17
The wpCentral plugin before 1.5.1 for WordPress allows disclosure of the connection key.
CVE-2020-1704
PUBLISHED: 2020-02-17
An insecure modification vulnerability in the /etc/passwd file was found in all versions of OpenShift ServiceMesh (maistra) before 1.0.8 in the openshift/istio-kialia-rhel7-operator-container. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privi...
CVE-2019-12954
PUBLISHED: 2020-02-17
SolarWinds Network Performance Monitor (Orion Platform 2018, NPM 12.3, NetPath 1.1.3) allows XSS by authenticated users via a crafted onerror attribute of a VIDEO element in an action for an ALERT.