On "Intelligence"

A lot of attention has been given to cyber- or threat-intelligence. I think this is a great idea but I also have to say - at least based on what I've seen recently - the industry has a long way to go. The way some vendors roll, intelligence is just the latest fad, which would be a terrible mistake for the security community to make given the value good intelligence can provide. Let’s lay down a few givens before we go any further. For starters, “intelligence” is like “APT:” If you’re not using the proper definition, you’re just playing marketing tricks. Boiled down to its essence it works like this:

  • No matter how good the source, a discrete piece of “data” or a data “feed” is not intelligence
  • Intelligence is not a mashup of disparate data points; that’s “information”
  • Intelligence is information that is put into context and enhanced with expert (human) input that provides a consumer with insight.

No application, device or appliance is capable of providing you with intelligence. Such mechanisms may provide you with enhanced information, but without the human element it’s still just information. If machines could produce intelligence, a whole lot of people in this business would be unemployed.

Intelligence has to satisfy multiple "consumers" and every consumer wants something different from their intelligence product. The intelligence requirements of the C-level is of little utility to the incident responder on site, and vice versa. Intelligence products or services that do not allow for sufficient tailoring of their output aren't really satisfying the full spectrum of an organization's intelligence requirements.

Intelligence tells you something you don’t already know, but because you cannot know everything, there are no guarantees. Only the most generic and heavily cavetated output can be made to seem right 100% of the time. You don’t need to pay extra for people to tell you “maybe” and “possibly.”

The best intelligence is of little use if you are not prepared to act on it. History is replete with examples of decision-makers not liking or agreeing with flashing red lights in front of them (literal or figurative), and then a whole lot of people paying the price for their inaction. A full break-down on the flaws and fallacies people use to justify ignoring intelligence is something I can cover another day, but for now let it suffice that people, being human, will come up with all sorts of reasons to not think clearly about what is right in front of them.

"Cyber" intelligence is just one of many things that you can use to help defend yourself: it is not a silver bullet.