How do we measure the value of intelligence?

Some questions designed to help security and risk professionals assess the value of any intelligence offering.


Organizations seeking to integrate intelligence into their security and risk strategies are often tasked with navigating a vendor landscape that can seem opaque at best and convoluted at worst. With countless offerings and seemingly endless types of intelligence, it can be easy for even the most tenured professionals to lose sight of their organization’s needs and, more importantly, how to assess the value to be gleaned from any intelligence offering.

Above all else, we need to remember that the purpose of intelligence is not to detect the existence of threats, nor is it to collect indicators of compromise (IoCs) or keyword alerts. It is to inform decision makers of what they don’t already know so that, in response, they can make more effective decisions. While the true ROI of any intelligence offering ultimately depends on the extent to which it supports the needs of the organization consuming it, the most valuable types of intelligence tend to possess certain characteristics – all of which are integral to effective security and risk decision making.

The following questions are designed to help security and risk professionals assess the value of any intelligence offering:

Is the intelligence derived from relevant data sources?

All intelligence begins as raw data collected from relevant sources. Indeed, the most relevant data sources typically exist within the Deep & Dark Web (DDW) – not the open web. After all, the primary facets of the cyber (and often physical) threat landscape tend to originate and develop within the confines of various underground communities. It’s often only after a potential threat becomes a full-blown security incident or breach that any indicators of the threat’s existence reach the open web. Even in the few instances where open web data are useful, the most successful intelligence programs recognize that such data rarely do more than warrant a need for greater visibility throughout the underground forums and marketplaces comprising the DDW.

To further complicate matters, the vendor landscape is laden with confusing claims and misleading offerings that sing the praises of “open web intelligence.” Typically derived from easily (and freely) accessible websites like social media platforms, public message boards, and online publications, open web “intelligence” isn’t really intelligence at all. At best, it is information; at worst, it is data. Unlike many DDW data sources, any context that an open web data source might provide pertaining to any given observation is rarely timely, comprehensive, or relevant enough to support effective security and risk decision making.

Is the intelligence truly “finished?”

The value of intelligence also depends on whether it is “finished.” Often considered the most consumable type of intelligence, finished intelligence is derived from relevant data that has been contextualized, deeply analyzed, and presented along with all requisite details needed to support decision making and spur action. In other words, finished intelligence is actionable in and of itself and doesn’t require users to seek additional context or analysis before making a decision.

For example, let’s say we have an in-depth report on an emerging strain of ransomware that includes the ransomware’s complete history, attack vectors, targeting patterns, mitigation recommendations, and IoCs. This report is considered finished intelligence because it could enable users to decide 1) whether their organization was susceptible to an infection and 2) if so, how to mitigate such an infection.

In contrast, let’s say we have a series of alerts showing matches for an organization’s pre-established set of keywords on a Pastebin site. However, these alerts are not enhanced with the additional context and actionable analysis required to decipher 1) why the keywords ended up on a Pastebin site in the first place and 2) what the organization should do about it. As such, they are not finished intelligence.

Can the intelligence support all lines of business across your organization?

Different types of intelligence can benefit different groups or functions in different ways. Although most of the intelligence produced and consumed by today’s organizations is derived from the cyber domain — particularly the DDW — the best intelligence can deliver value and support decision-making across the enterprise, not just among business functions rooted in cybersecurity. Intelligence that has been properly analyzed, contextualized, and applied can not only benefit all business functions, it can inform strategic decisions and address widespread risk throughout an organization.

I’ve written previously about the substantial value to be gleaned from various strategic and non-traditional applications for cyber intelligence, all of which hold true here. In addition to supporting cybersecurity teams, the right intelligence can also help reveal, for example, malicious actors seeking to compromise your executive team’s physical safety, threats posed by malicious insiders, unknown security vulnerabilities that exist within your company’s supply chain, or emerging fraud schemes targeting your company’s customers. Indeed, the more business functions and use cases intelligence can support, the more valuable it is.

Ultimately, the intelligence vendor landscape will always be complex and rife with offerings of seemingly indeterminable value. While the three aforementioned questions can help security and risk professionals better assess this value, choosing an intelligence offering is a decision that shouldn’t be taken lightly. Organizations should seek vendors that provide the most useful intelligence not available elsewhere – particularly that which can service not just cybersecurity teams but also insider threat, vulnerability management, third-party risk, physical security, and others.

As I mentioned, the ROI to be gleaned from intelligence depends on how an organization applies it. So while more mature teams might be quick to find value in unique intelligence, younger teams in the process of building out their programs and capabilities might find more value in obtaining intelligence and collaborative ideas from trusted peers. Regardless of what type of intelligence your organization opts to consume, it’s crucial to remember that the value lies not in how it is marketed, but rather in the extent to which it supports timely and effective decision making.

Copyright © 2017 IDG Communications, Inc.
