SC Roundtable: Turning data into actionable intelligence

Discussing 'Turning data into actionable intelligence', SC Magazine's latest roundtable saw a gathering of cyber-security practitioners to discuss threat intelligence.

Turning breakfast into lively conversation
Turning breakfast into lively conversation

Set to discuss ‘Turning data into actionable intelligence', SC Magazine's latest roundtable opened with a determined speech from Dr. Luke Hebbes, risk and security design manager at G-Research.

Hebbes said, “How do we go from getting data and feeds from third-party to vendors and turn it into something which I would class as intelligence?” According to Hebbes, a critical part of this is giving the data context.

The ability to give data context comes through training, according to Hebbes, who said his company train their developers and pen-testers by ‘wargaming', splitting teams in half and having vulnerabilities planted and found by each respective team. 

Thomas Naylor, director of Enablement.Tech said that in order to work, "training has to click with people". 


Dr Luke Hebbes and Charlie Timblin give some of the "takeaway" messages from the SC Roundtable:


Hebbes explained that his team get petabytes of data on what is going on in their systems, and they don't always have the time to sift through it all. 

Kasar Masood, director of technology & ops at Viacom Media International said, "Security at software developer level is key, we all need to learn to feedback properly." 

Even when it comes to patching, Hebbes says they have to be strategic about what they do and don't patch, for example.

He explains, “It could be that particularly attack vector does affect us, maybe somebody could breach us with that, but there are lots of different strategies to deal with that. Often a certain CVE affects a specific type of machine configured in a specific way, so it is up to us to decide, do we take the hit and take ourselves offline? Because maybe our information in the backend is so valuable we're willing to go offline to do something about it.”

Speaking on training, Gary Brailsford-Hart, CISO and director of information security for the City of London Police and City of London, explained, “One of the things we do with our analysts is indoctrinate them into the principals of the ‘anacapa' model.”

Invented by Anacapa Sciences, the model is designed for intelligence analysts and fraud investigators dealing with complex cases of internal or external fraud. A course provides training on using the intelligence cycle and discovering techniques of data collection and evaluation. They learn how to develop association matrices and construct analytical charts on various identified subjects.  

Brailsford-Hart suggested that it is another tool in the mission of sifting through the data which flows through an organisation. 

Mudassar Ulhaq, CIO of Waverton Investment said that he was "hoping to learn more about training and workflow management, to promote accountability in reporting."

Olivia Bosch, a former UNSCR 1540 Cttee (CT-CBRN) Expert-UK and former NATO advisory ICS Panelist agreed saying she was, "wanting to explore new mechanisms for reporting breaches." 

According to Charlie Timblin, co-founder of the Women's Security Society, more often than not, “there isn't enough modern dynamic training which tackles key security issues. And there is no strategy in place to tackle security issues once the tools had been deployed.”

She said, “People often look at things in a siloed way when working in Information Security. What we need is a way to collaborate with a chief risk officer who could make a decision on the risk you're looking to accept or mitigate.”

Horus Patel, head of data strategy at Reed.co.uk, said, "As we aren't strategic enough about data sharing, we need to introduce more software bug bounties to encourage it". 

Brailsford-Hart explained, “It's all about your risk tolerance, there is so much in that space.” 

Luis Bernardi, director of IT at Scientia Ltd, agreed and said that "we need to learn to identify what data matters to us and act upon it". 

Timblin concurred, and said it's a shame that “CISOs often think the risk is on them, and sometimes it's not actually. There was a graphic floating around LinkedIn recently that showed that CISOs are responsible for everything from budgets, audits, risk management, identity management and security architecture. But more often than not, it's the CTOs role who should be seeking guidance from the CISO. Collaboration is key in intelligence gathering.”

Following up on this theme, Brailsford-Hart mentioned the Security Network Analysis Platform (SNAP), a joint GDS/CERT-UK project, which aims to understand what attacks people with the same risk profile are suffering so they can give a much-needed edge when it comes to information security where two organisations may well face an identical threat profile.

The new National Cyber Security Centre (NCSC), set to join together sources of UK expertise, should help with this, according to Brailsford-Hart. In the next five years all data should be flowing through there, and it will be run by Ciaran Martin, currently Director General Cyber at GCHQ. Brailsford-Hart said, “There will be a feed [of data], but it's up to us to give it context”. 

Hebbes agreed and said, “Government data sharing is great, as many other people are in the same boat.”

Luke Beeson, vice president of BT Security, global banking & financial markets, observed, “We are failing and our adversaries are laughing at us, we need to start fighting cyber-crime through consequences enforcement. We need to up our game as we as UK PLC play a key role in wanting to clean out our internet data.”  

• If you would like to take part in any SC events, please contact us at SCeditorial@haymarket.com.