I recently attended the CSO Confab event, where I had the opportunity to meet and converse with many CSOs and CISOs from various industries.
One of the sessions, titled Security Intelligence as the Next Frontier – Why it Matters, was of particular interest to me. While there were several important issues discussed in this session, I particularly enjoyed learning about how Visa measures its security program’s maturity and then compares and contrasts their program with peers in the same industry (see dashboard image on right).
Then, it was an insightful comment from Gary Warzala, CISO at Visa, that really sparked my interest: “We need security intelligence, but we need to be ready to consume it.”
So naturally, a second question came to my mind: if security intelligence is useful, but only to those enlightened few, how then do we ‘ready’ ourselves to be consumers of security intelligence?
When I asked him about the issue, Warzala said that first you need to have the right people with the right skills (business analytics is in high demand). Only after this can you hope to consume actionable security intelligence.
Second, you need to do the basics really well, and ONLY THEN can you move into more advanced technologies, Warzala said.
I posed that same question (how do we get ready to consume security intelligence) on Twitter, and received a wide variety of responses from the infosec community:
In addition, I also obtained some interesting comments via email…
From Nick Selby (@nselby), CEO of StreetCred Software, Inc, which builds criminal case management systems for law enforcement:
Security intelligence is the process by which an organization gathers data that may be relevant to its risks and threats; analyzes it, then produces actionable information in a form that can be understood, accessed and leveraged by the executives who need it to inform their tactical and strategic decisions. In short, it is the process that turns datapoints into organizational security knowledge. “Security intelligence” is also a noun, describing the product of this process.
An intelligence program must be a defined, funded strategic undertaking. It’s not a box you buy or a product you install. If I had to name one thing that interferes with the success of an intelligence program, no matter how good the raw intel and the analysis, it would be the failure to clearly define scope and fund the undertaking. I’m not saying that it needs to be expensive – it often does not have to cost much at all. But the scope must be clearly defined and agreed upon well in advance.
The second most important thing is that the intelligence program be empowered from a very senior place in the organization. Analysis, once created, must be read and, if needed, acted upon. ‘Dot connecting’ only works when an effort to connect dots meets executive desire, cross-stovepipe authority and application of technical and analytical resources.
From @P0lr_ (who requested anonymity):
The central idea to my response is that the business management processes surrounding the technology that we deploy should understand what is normal for the system and feed those expectations into the controls that we wrap around the solution. How would the IT practitioner know if the solution is intended for a Chinese audience? How do we know what actions a certain role should or should not be allowed to perform within an application? If we don’t understand what should be happening in the tech stack holistically, we can’t identify the anomalies.
The premise that you forward with your statement about threat intel is that we can somehow identify and communicate the identifying characteristics of the “bad guys” and we will be able to detect their activities and therefore protect ourselves. We already know from the world of endpoint protection that this is a failed model.
Assuming that you want to perform the best practices of the failed model, go ahead and send around your lists of IP addresses, IOCs, signatures, etc… But, if you want real security, you need to address the following questions:
1. What should the system do? – This is an incredibly difficult thing to define with the appropriate amount of granularity and most businesses won’t do it. This is what leaves us with the “best effort” approach that we currently evangelize in the security industry.
2. How am I ensuring that only the things that should happen can happen? – We tend to focus a huge amount of effort here, but we use a negative security model that usually stops when you rise above the infrastructure level of the tech stack.
3. How do I detect when something occurs that I didn’t expect? – Again, we have incredibly expensive systems doing this, but they have neither the correct data nor the capability to put that data together to inform analysts of causation.
4. How do I feed what I’ve learned back into the release management process? – This is the feedback mechanism – the way we redefine and enforce “normal”. Most organizations never move past divisions between infrastructure, development and operations to perform this function smoothly or in a timely manner.
Now let’s take a look at recent data on the nature and methodologies employed in the majority of attacks that lead to the loss of sensitive data.
According to data from the 2012 Verizon DBIR, we can easily ascertain that the majority of attacks are not sophisticated in nature, and that most of the data loss that resulted could have been prevented with little effort or expenditure:
It’s clear to me that we first need to define what security intelligence is. From the various responses (and Twitter’s 140-character limit), you can see interpretations ranging from “threat intelligence” to “big data” and everything in between. Compliance still shows up in some conversations – surprisingly, given that most people don’t associate compliance with intelligence.
But even with a good definition, we will need the right skills in order to ‘ready’ ourselves for action. And before we get to engage in really advanced security intelligence, big data analysis, Hadoop, threat intelligence and a myriad of other buzzwords, we will need to be able to accomplish the basics first.
Then, and only then, will we be ready to consume security intelligence.
Title Image courtesy of ShutterStock