What is intelligence, anyway?

July 20, 2015 Kevin Whalen


One of the smartest people I ever met was a house painter. During summer breaks in college, twenty-five years ago, I worked on a crew with a guy who was 15 years older than I was. He didn’t say much, but when he did, it was always on-point, whether it was about the job, or conversations with the crew on topics as varied as current events, sports, music or politics.

As I got to know him, I learned that he was once a metallurgical engineer at IBM. After a few years, he quit the corporate life to travel around the world. And travel he did. Five years with a backpack, moving through Europe to Nepal to southeast Asia and Central America. His comments, no matter the topic, were layered with context and insight gleamed from his travel experience. He told stories that made the issues instantly personal and compelling, and he did it quickly, with wit and humor. As a cocky college kid, he made me realize that book smart is only so smart. Intelligence is both gathering and distilling information.

What does “intelligence” mean in a security context? It turns out, pretty much the same thing. Last year, Wendy Nather, then of 451 Research, now Research Director at Retail Cyber Intelligence Sharing Center (R-CISC), published a great paper on threat intelligence that tried to bring order to the chaos.

Enterprise IT Spotlight: threat intelligence

Nearly every security offering out there today comes with a side of threat intelligence. The most valuable threat intelligence solution is the kind that brings data that you didn’t already have, and in a form that you can use as you wish. With so many vendors staking their claim in this market, you’ll need to go deep to be certain you’re picking the right product for your firm. Like the words ‘risk’ and ‘cloud,’ ‘threat intelligence’ has become a popular term in security, but its definition varies widely depending on the source.

I was re-reading something Arbor’s Director of Security Research Dan Holden recently wrote about “threat intelligence”, and I was reminded of my painter friend. There was a common thread, and it was context.

Given the influx of threats coming at you from every possible angle, entry-point and vector, what is really needed to stay ahead of attackers? Context. That context can help you gauge risk, prioritize your security operations team’s time, and move on to the next threat (among many) at hand. In other words, don’t focus on threat intelligence merely for threat intelligence sake – or because it’s the latest hot buzzword in the industry. Threat intelligence data not only needs to be actionable and proven, it also needs to be easily accessible for incident responders to be efficient and effective.

The goal of threat intelligence shouldn’t be corroborating bad data with more questionable data (because threat intelligence isn’t always proven), but it should be about searching out the best data that fits the risk profile of your particular organization, industry and risk. At the end of the day, threat intelligence is about tracking the threat actors; naturally everyone will have a different slant or specialty on this. Ultimately, threat intelligence should make a marked improvement over existing staff and processes. If you have a giant library and no time to read anything in that library, then all you have are a bunch of books. No action, no intelligence. Merely looking smarter doesn’t make you smarter.

In a few days, when my painter friend comes to visit, I’m going to thank him for showing me early on what true intelligence really is.

The post What is intelligence, anyway? appeared first on Arbor Insights - Our People, Products and Perspective.


Previous Article
When ‘average’ becomes a problem

When you think of the word ‘average,’ a few thoughts usually come to mind:...

Next Article
Advanced, Persistent and Costly: DDoS Grows Up
Advanced, Persistent and Costly: DDoS Grows Up

Just in case you haven’t noticed, DDoS attacks have become larger, more...