A lot of attention has been given to the need for better "intelligence" in support of computer security. I could not agree more, but I also have to say - at least based on what I've read recently - the generation of intelligence is not being done very well. The way some vendors roll, intelligence is treated as a fad or gimmick, which would be a terrible mistake for the security community to make given the value good intelligence can provide.
Let’s lay down a few givens before we go any further. For starters, “intelligence” is like “APT”: if you’re not using the proper definition, you’re just playing marketing tricks. Boiled down to its essence, it works like this:
- No matter how good the source, a discrete piece of “data” or a data “feed” is not intelligence
- Intelligence is not a mashup of disparate data points; that’s “information”
- Intelligence is information that is put into context and enhanced with expert (human) input that provides the intelligence consumer with insight.
No application, device or appliance is capable of providing you with intelligence. Such mechanisms may provide you with enhanced information, but without the human element it’s still just information. If machines could produce intelligence, a whole lot of people in this business would be unemployed.
Your organizational decision-maker(s) are your intelligence “consumers.” Every consumer wants something different from their intelligence product, which is where the human element comes into play. The intelligence requirements of the C-level are of little utility to the responder on scene, and vice versa. Devices and feeds in and of themselves cannot support either requirement. Any purveyor of “intelligence” that does not have a human between data and consumer is not offering intelligence. If you are not paying for someone to apply their little gray cells to your or their data, you’re paying a premium for something you can get for free.
Intelligence tells you something you don’t already know, but because you cannot know everything, there are no guarantees. Intelligence providers who claim to be flawless, or nearly so, are not producing content of value because only the most generic and heavily caveated output can be made to seem right 100% of the time. You don’t need to pay extra for people to tell you “maybe” and “possibly.”
You can have perfectly accurate and timely intelligence and yet, for whatever reason, not act on it. Maybe the boss doesn't like what the intel says; maybe what the intel says you should do would cause problems in some other facet of your business. Whatever the reason, the point is that intelligence is just one of many things that you can use to help defend yourself: it is not a silver bullet.