Saturday, December 03, 2016

Why Intelligence?

(Ghost-posted for Michael Tanji) At the close of my first month at Wapack Labs, and as the company prepares to surge ahead for 2017, I thought it was a good time to articulate a couple of things I thought were important for everyone who is struggling with cyber security and trying to understand what role intelligence can play in overcoming those struggles.


First, the basics. 

Intelligence is not a “feed.” In a nutshell, the content hierarchy goes like this:

· Datum
· Datum + Datum = Data
· Data + Data = Information
· Information + Context + Methodology = Intelligence

Intelligence provides you with meaning, which is something that only human insight and intellectual rigor can provide. That X happened on Y date at Z time is news; who did it, why, and what implications X has for you, your people, or your business is intelligence.

You need intelligence to combat cyber security problems because intelligence helps you make decisions. Anything that complicates your decision-making process isn’t intelligence, it’s noise. It’s more hay on the proverbial stack.

To produce good intelligence you need two key things: solid sources and sound methodology. Without good sources, you’re not even telling people news, you’re giving people your interpretation of the news based on what a guy who heard the news through the headphones of a guy he was sitting next to on the train told you.

The full spectrum of analytic methodologies is far beyond the scope of this post; suffice it to say that a true provider of intelligence subjects its sources and the data they produce to a range of processes and intellectual approaches to help derive facts, reduce ambiguity and provide the kinds of insights that consumers of intelligence so desperately need. That rare, clear signal amongst the ocean of noise.

It would also be a mistake to think that producing good “cyber” intelligence stops at technical analysis. Cyberspace is its own domain, but its underpinnings are physical and increasingly so are its impacts. Cyber-attacks are carried out by human beings, with myriad motivations. Only an analytic team that has “cyber” skills as well as cultural and linguistic skills, awareness of a range of geo-political dynamics, knowledge of economic, financial, legal and other matters can put all those bits and bytes into the proper context. 

Finally, there is no substitute for experience. You can run the smartest people through the most rigorous training and give them the most advanced tools, but their journey as intelligence professionals has only started. This is not an issue of gray-beards having better “guts” for the work (which is itself an intellectual trap that analysts can fall into – also, we could stand to lose a few pounds), but a factor of knowing what works, being able to enforce discipline and rigor in the process, and understanding that we are not writing book reports, but occupy a position of trust. That we’re a “civilian” intelligence organization doesn’t reduce the seriousness of what we do.

If you’ve spent money on something called intelligence that doesn’t meet the aforementioned criteria, you’ve bought a feed. You’ve made it that much more difficult to find the needle, and increased the probability that you’re going to get poked somewhere sensitive. It’s a common mistake because marketers treat “intelligence” like “APT” or insert your own buzzword here: they strip it of meaning and re-define it to match whatever they’re offering.

If you’re drowning in data, if you find it increasingly difficult to make good decisions about your cyber defense, if you’re struggling to define ROI for your security spending, intelligence – real intelligence – can help. And I’m glad I’m back in a position where my training and experience can make a difference.