DarkReading, 7 May 2014
Everyone thinks everyone else is doing it, and most of the few people who are actually doing it aren’t doing it all that well.
Whatever the official theme of the 2014 RSA Conference was, any one attendee will tell you the unofficial theme — the message on every banner in the place, it seemed — was “Threat Intelligence.” But threat intelligence, as it was put to me by Eric Olson of Cyveillance, is a lot like teenage sex: Everyone is talking about it, everyone thinks everyone else is doing it, and most of the few people who are actually doing it aren’t doing it all that well.
There are lots of fashionable things to say about intelligence, and everyone gets all… cool when they discuss it, as if they have some dark, national secret that you don’t have. Balderdash!
Let’s cut through the mystery in two important ways:
- Threat Intelligence is not nation-state espionage. You’re bringing data together, and adding value to it by delivering usable information to those who need it. Put your cloak away.
- You’re not looking to solve Mideast peace. You’re looking to empower your decision makers to make your organization more secure. Keeping it simple helps drive success.
My observation from several circuits through the RSA Conference exhibition floor is that there is a classic conflation among data, information, and intelligence.
You can find many definitions of “intelligence” out there, but I’ll just go out on a limb and say that, without analysis, a nugget from a “threat feed” (in which you might learn that IP address 22.214.171.124 is “known-bad”) is not intelligence. It is a datum.
Even the database itself is not intelligence, per se. It turns out that a database is just a collection of data. Don’t get me wrong: The data within the database — or the threat feed — can be highly useful to the intelligence process. But (and I am not picking nits here) it comprises a data feed, not an intelligence feed (except to marketers).
Simply, albeit admittedly incompletely, put, intelligence is analyzed data that you can do something useful with.