Security is converging. No longer can we examine threat intelligence, fraud and risk, or physical security data in silos. More than ever, the modern enterprise needs better knowledge management and collaboration -- but achieving this is easier said than done.
First, you must consider your technology stack. There are probably redundant tools and data streams that need to be consolidated and correlated in order to achieve maximum value and return on investment. Second, you need to think about your team. How do you make sure the subject matter expertise from the individuals on your team is getting communicated to others?
This is where the concept of what TruSTAR likes to call the “Enterprise Intelligence Officer” comes into play. Inspired by our co-founders and their intelligence agency backgrounds, an Enterprise Intelligence Officer can be defined as a leader who creates business value from cyber intelligence. They are in charge of setting intelligence collection requirements, managing multiple intelligence data sources, and working across multiple business divisions to architect security workflows while maintaining governance and control.
TruSTAR’s CEO Paul Kurtz recently tapped two subject matter experts in threat intelligence and cyber intelligence management to expound upon this subject. Below we’ve edited and condensed some of the live Q&A that took place. To listen to the full discussion, click here.
Paul Kurtz, Co-Founder & CEO of TruSTAR (PK): How would each of you define cyber intelligence? A lot of people grapple with the idea of threat data. Is it vulnerability data? Does it involve infrastructure?
Sean Kanuck, Former U.S. National Intelligence Officer for Cyber Issues and current Director of Future Conflict and Cyber Security at International Institute for Strategic Studies (SK): When I think about cyber intelligence, I think about how you create, acquire, aggregate, assess, transmit and extract value out of digital information. It's not until you've actually structured or analyzed that information into something that you can derive value from or that can be actionable that you actually have what I would consider intelligence. So, I want to make that distinction between data, information, and intelligence.
Colin Connor, Threat Intelligence and Cyber Forensics Director at AT&T (CC): You need cyber intelligence to make informed decisions. Working in a SOC environment, I am always asking how can I make it more efficient, effective, predictive, and preventative. You must be able to use intelligence reports you receive from your partners to prevent an intrusion. You must tool your SOC to be predictive, so that you know when things are coming. Let's train our team, let's prepare them to catch certain vulnerabilities that we know are gonna be exploited.
WannaCry is a great example. EternalBlue came out in March of 2017 and was patched, then came the release from The Shadow Brokers a month later, which was weaponized and distributed into the wild. How can we utilize the information and be able to prepare our cyber defenses for that? When I think of cyber intelligence, it's augmenting your current program to make it more efficient and really prioritize those areas that you need to focus on, as well as draw attention to those gaps you need to close.
PK: When you think about siloed data and insights, can you give us a general example? When has walled-off data inhibited getting to the bottom of a problem?
SK: Open-source information from the intelligence community can be directly applicable here. When I think about silos, the unfortunate obvious example is September 11th, 2001. Our nation realized that information that had been in law enforcement channels and FBI investigations, and other information that was in intelligence channels at CIA or NSA hadn't been fully merged. As a result we saw that entire Congressional-appointed commission that then led to the Intelligence Reform and Prevention of Terrorism Act, then creation of a new Cabinet-level department at DHS and a new intelligence organization at the Office of the Director of National Intelligence. I was in the intelligence community at that time, and those changes were enormous and enormously important in starting to break down silos and channels.
As my career progressed, I saw the creation of a new office of the National Intelligence Council to deal specifically with cyber issues and pull together the analytic data from 16 agencies. I had the privilege of leading that office, and even during my tenure we realized that there were still challenges at the SOC level or the operational response level, and that led to the creation of a further entity known as the Cyber Threat Intelligence Integration Center at ODNI. That entity deals with breaking issues and coordinating responses, policy, the intelligence community contribution, if you will, to policy-level considerations at the White House.
Classified, siloed data needs to be considered and merged in a need-based discussion. When this is actually appropriately being assessed at the C-suite, or in the government case, with the White House situation room, there really is no alternative other than to figure out ways to share the information and make it actionable.
CC: There are two key words for me, collaboration and communication. We've definitely seen more things get siloed, and that's when we decided to stand up a daily threat briefing. At a set time every day, we get on the phone and talk about things affecting us and what we need to take action on. Through that, our teams build relationships and then come to a common understanding on what we need to work on together to add business value and reduce our risk.
PK: How do you rate SIEMs, and are they useful? I'm not talking about asking you guys which SIEM is better, but I do think we get lots of enterprises leaning on SIEMs.
SK: Now that we're in a world where a lot of the hacking capabilities are for sale in the black market, and turnkey solutions are available to anyone with the right cryptocurrency to pay for it, intent matters as much as capacity of your would-be adversary. That's where people, processes and technology all have an interplay, and where all-source intelligence really matters. It gives you that context. Do you have a disgruntled employee who wants to bring down your organization? Do you have outdated policies and processes that prevent you from responding and remediating when you need to? What are your procurement policies? Are you subject to supply chain risk?
I look at successful companies like AT&T or some of the banks or others who now have internal threat intelligence units that to a certain degree resemble all-source intelligence analytic units from a government agency the way it used to be a few years ago. They're looking at the context, they're looking at geopolitical events, they're looking at personnel issues, to get the whole picture of where that intentional threat might be coming from and what the would-be adversary might be seeking to do. If you're a bank and criminals are coming after you, they're trying to steal money and not get caught. If a foreign nation-state is coming after you, they may be seeking to disrupt your operations and undermine your brand. We saw that with the DDoS attacks against the banks in 2012 to 2013.
PK: There is this almost religious discussion in enterprises about, "Do I need to know the adversary? Do I not need to know the adversary?" But I think there is a reasonable point there, a very good point of, "Well, what's the motive?" Understand why a party may come after me. You may not know exactly which party it is, but what's the motive for attacking your infrastructure? Is it to destroy brand, is it after financial data, is it after intellectual property?
PK: A fair number of our listeners here today are leaning on a SIEM in some way, shape, or form to help them sort out events that are worthy of further exploration. How do you rate SIEM as useful?
CC: It’s about People, Process, Technology. SIEM is a technology, and it's only a third of the solution. We have to have the process and people as well, the proper skill set, as well as really define the use cases of the business value that we're trying to bring in with the SIEM. There's so much security event data, and what I like to say is you need to find the needle in a needle stack. When it comes to a SIEM, you really need to define your use case and what you’re trying to achieve.
Once I find something in the SIEM, I enrich that data with some of my intelligence feeds. Maybe I see an event and I don't have a complete picture from the data I'm collecting in the SIEM. Maybe I can enrich some traffic data to help me understand if there’s anything else that can be brought to the surface. Then, after further enrichment, you have analysts that can understand the data and build that story of what happened and try to understand the business risk. Is this something that was prevented by our controls, or is this something that's been executed, and now we need to take some action on?
PK: When we talk to companies or CISOs, a frustration that they have is capturing valuable historical data from closed tickets. A SIEM tees up an alert, that data is captured in a ticket pursued by a case management system, and then it's kind of like your analyst is moving on to the next problem. The common knowledge of the interface between what is generated from the SIEM and what the human analysts do in the form of case management is often left on the floor, or it's forgotten when the next operator comes in.
A lot of companies ask me, how do I gather all of that insight in one place about what's going on in their enterprise? My answer is that of course SIEMs are useful, but you have to capture the output of the SIEM and the human analyst that's looking at those alerts and be able to leverage that, not only today but going forward so that you're not continuing to reinvent the wheel.
Thank you Sean and Colin for this valuable insight!