Discover Performance: HP Software's community for IT leaders // September 2013
Five challenges of security intelligence
HP security strategist Rafal Los counts off the key reasons why security intelligence may not do you any good—so you can reach the stage where it will.
By Rafal Los
An inconvenient observation: Of the 20-plus mid-market enterprises I’ve spoken to about security intelligence in the last few months, fewer than five are actively using security intelligence for better defense. That’s unfortunate, so let’s look at what it means to extract value from security intelligence.
Value is a funny word. Maybe it’s more interesting to think about utility, and how we may derive utility from having a resource available to us. The challenge varies for many organizations. Roughly half of the mid-market enterprises I’ve spoken with don’t actually have a construct for making tactical adjustments. Another quarter lack a solid enterprise security framework (i.e., a “security program”), which means any attempt to bring tactical intelligence into that mess will fail the “so what?” test.
Assuming you have a framework for consuming tactical security intelligence, your organization can incorporate some of those feeds and reports into your daily activities. But there’s a vast chasm between “We have a report!” and “We are making tactical adjustments!” The value lies in converting information you receive into timely and effective action to protect your enterprise against an imminent threat.
About half of the 20-odd organizations that I’ve spoken to in recent months break down somewhere around the “meaningful and timely” mark. They can usually read a report and follow up with some kind of action, but it’s rarely meaningful, and almost certainly not timely. Let’s take a slightly deeper look at this.
Failure to capitalize
The problem is that any given enterprise may be missing one—or several—of the criteria required to claim value. Yet despite this, budgets are still being widened to include security intelligence as a strategic investment. This is rather disturbing, because you’re wasting money, and likely your own valuable resources, on an investment you’re all but certain will not pay off.
I’ve always heard that the only way to fix a problem is to admit that it exists. To find our way back to the highway, we’ve got to stop and ask for directions. With that in mind, I offer my top five major failures when it comes to getting value from security intelligence for the enterprise:
1. Inadequate framework for response. First and foremost, if you don’t have a framework for consuming, transforming, and acting upon intelligence you’re receiving from outside parties, it’s useless to you. Worse, you’re hopelessly wasting resources.
2. Unusable format. Ever wonder how you can convert a 10-page PDF into quick action? Same here. There’s a format that lends itself best to consumption by your organization, and it’s your job to find it. Whether it’s a web portal, a PDF, or an XML-based data feed into your SIEM, it has to work for you. Otherwise, it’s working against you. So get a format that lets you convert data to action in a meaningful amount of time.
3. Timeliness failure. I’ve seen that many organizations receive their reports at some regular interval: Monday morning, mid-week, twice a month … whatever. If the information is waiting for the assigned cadence rather than sent in a timely manner—meaning as it’s needed—it may be too late for that timely action.
4. Unusable information. Information about adversaries and their tactics is fantastic, unless it’s not something you can do anything about. Let’s say you’re a mid-market banking organization that just received intelligence that your sector is being targeted by “foreign nation-states.” I was asked by a client what I would advise they do with a report like that. I shrugged. Without detail, these types of reports only cause confusion and wasted cycles.
5. Inadequate resources. Even if your framework supports a response and you have timely, relevant information in a useful format, what happens when the people you’re hoping to task with the response activity are busy doing 20 other critical tasks? You’ve got to be staffed for this type of response and the intense levels of activity it requires. That may be the root of the problem. Staffing is once again our Achilles’ heel in the enterprise.
Those are the top reasons why you may not get much value from the security intelligence you’re receiving. Addressing the five points of failure above will take you a long way toward being able to convert security information into meaningful, timely action.
Rafal Los is a principal in strategic security services with HP’s Enterprise Security Services. This article was adapted from part two of his series on security intelligence at his Following the Wh1t3 Rabbit blog. For more on security intelligence, visit HP Security Research.