Different intelligence is actionable by different people in an organisation - from strategic for CISOs and the board allocating budgets and buying services down to blocking specific IPs at the operational and tactical level, so it's all about getting the right information to the right people to aid their decision making, concluded the most recent SC Media UK roundtable on actionable intelligence held in London last week.
Eleven distinguished guests engaged in discussion on the topic at the event, sponsored by LogPoint at the Duck & Waffle restaurant in London's Heron Tower; the session was moderated by SC's editor-in-chief Tony Morbin.
Guest speaker Sarb Sembhi, CTO & CISO at Virtually Informed, opened the discussion by stating how difficult it is to define actionable intelligence but how fundamentally it's about "using data to help you as an organisation make a series of correct decisions to reduce risk".
One of our expert guests, added: "To me, actionable intelligence can be broken down into three categories: strategic, operational and tactical."
However, he also said that organisations are still struggling to ascertain the true benefit of bought-in external threat intelligence: "When you talk about actionable threat intelligence – while it's undoubtedly interesting information – it's actual value to us as an organisation is still up for debate. For us, it still needs to be more focussed."
Russell Poole, Russell Poole, MD, UK&I Logpoint, concurred: "We've all got finite resources about how we can allocate people to respond to threats across our network. How do you align the right people to right parts of the organisation? By gathering information across multiple sources – security, access systems, HR systems – you can then use this information to put people in the right place. To make sure you've got the ability to react with the right people, with the right abilities in the correct time frames.
The value of the data provided by intelligence feeds was the source of much debate, with moderator Morbin suggesting that much of the information being delivered from threat intelligence feeds is already available from free sources such as Twitter.
"You wouldn't inherently ‘trust' the information you get from Twitter, though," was the group response.
Indeed, guest speaker Sembhi said it's choosing the right data source and then deciding how to use it that's key.
"There's a whole load of information you can get internally from sensors and lots of information you can get externally and it's then how you use this information for either strategic, operational or tactical reasons," said Sembhi.
"Take Formula 1 as an example. There are usually 20,000-odd sensors in a race car and these sensors aggregate lots and lots of information. That data is then transferred to the team that's at the side of the track as well as to a team at company HQ who use it in different ways. So, when we're looking at the tools that collect the data for your organisation, you need to decide what aggregated information you need at each level for you to make a decision.
"You haven't got the time to look at all the sources of information that are available, you need to be able to decide which source is going to provide you with all the information you need. Again using F1 as an example, let's say you get information that it's going to rain soon, you can then decide as a team that you're going to need to change your tyres for the next stage of the race," said Sembhi.
However, knowing what the end-goal actually is can often be the biggest challenge for organisations when assessing the value of actionable intelligence, as one of the guests explained.
"Using Formula 1 is a useful analogy because it highlights the problems organisations can face, particularly with external threat intelligence systems. When it comes to an F1 car, all the data you gather can be used to help you finish the the race – but for organisations it's sometimes hard to know what the end goal is," said one of our guests.
So, is the key to have your threat intelligence designed specifically for individual organisations? Indeed, how do we decide how much information we need and how do we sort it?
"A combination approach works best for us," said one of the expert guests. "We find that a lot of the best information we get comes from relationships with people through Slack channels, trust groups and the like. We generate a lot of the information ourselves but enrich this data with third party information to help us to flag up potential ‘iffy' behaviour on our networks."
He added: "So essentially we're using internally generated data for the day-to-day operational decisions and third-party data for wider strategic decisions."
The group agreed that actionable intelligence would be easier to achieve if more organisations were willing to share information, but that it is hindered in practice because of competitive issues.
Morbin used the banks and the financial sector as an example: "The Bank of England performed a simulation exercise (Waking Shark) that highlighted if a bank was to fall under attack then all the other banks would have the chance to protect themselves if it was willing to share that information. Which is fine in theory but in practice none wanted to be the first to share."
The conversation then shifted to how GDPR might affect actionable intelligence and the fact that all breaches will have to be reported and acted upon within 72 hours. Morbin quipped that there is likely "to be an apparent explosion in breaches".
This presents its own problems, argued one of expert guests: "On the one hand organisations are being asked to limit the data they collect on their customers, but also to hand over the data we do have in the case of a breach. This will cost organisations more because the data we do keep is increasingly toxic.
"I believe this needs to be sorted out with the regulatory bodies and the police because we're going to end up storing a load of data in case of a breach which costs the organisation money to store and which is risky to keep in the first place."
So, how do we get around the potential legal problems of storing data? Do we need greater visibility or is the answer to be more selective about the data we decide to keep?
"It's about collecting the appropriate data," said Sembhi. "Not just collecting everything because then you are going to get into trouble."
On the flip side, though, the new rules have helped to put security and the value of intelligence at the forefront of the board's minds who are historically notoriously tough sells when it comes to toughening up the security stance of an organisation.
The roundtable concluded with the guests outlining their thoughts with Beadle surmising: "It's finding the right balance between enough data and too much data – and how we handle it. And it's only going to get more difficult with the arrival of IOT and big data."