Intelligence Operations: We Need More Human in Cybersecurity Intelligence

Posted on by Roderick Chambers, CISSP, CISM

What is Cybersecurity Intelligence?

Threat actors impact every industry, keeping defenders reactive instead of operating in a preventive security posture. Security intelligence is the Swiss Army knife of security tools, with cybersecurity intelligence showing commitment to preventive security. Cybersecurity intelligence aggregates actionable information on adversaries and malicious activities, enabling defenders and stakeholders to reduce harm through informed decision making. Market trend analysis projects that the cybersecurity intelligence market will surpass $13 billion by 2025. The expanded market means abundant and expensive data that is often challenging to incorporate into actionable intelligence.


Cybersecurity intelligence inspires innovative and expensive ideas to identify, prioritize and assess critical threats. One idea is the “Single Pane of Glass” (SPOG) to view enterprise threats. The SPOG powered by threat feeds offer real-time access to hundreds of sources, such as deep and dark web sources, but they may not meet the organization’s needs without context. In this discussion, we will unpackage the methodology of the SPOG, threat feeds and how human intelligence analysts can efficiently provide decision makers with actionable intelligence.


The Single Pane of Glass (SPOG): What is it?

Security practitioners are familiar with the phrase SPOG, which sometimes induces a perspective of a centralized means of control, or it may evoke less pleasant experiences of how SPOG really stands for “single pain” instead of “single pane.” Independent of previous experiences, it’s worth discussing how a SPOG can help achieve actionable intelligence. Intelligence analysts use multiple security tools to collect indicators of compromise (IoCs) consisting of IP addresses, domains, URLs, data-leaked credentials, hashes and more in channels called threat feeds. That means there is a good deal of data flowing without any context. A SPOG that allows for single sign-on, or a unified view of the various security tools and threat feeds used, could be a game changer. 


Intelligence analysts focused on protecting the financial services industry might leverage the SPOG, tapping into threat feeds from the Financial Services Information Sharing and Analysis Center (FS-ISAC) and Information Sharing and Analysis Organizations (ISAOs). Within the FS-ISAC, members can coordinate possible suspects, and share IoCs of what cyberattacks were focusing on, who were the attackers, how they carried out the attack and prepare for future attacks. Most ISACs and ISAOs are free, or require an annual fee based on revenue or total assets. Intelligence analysts that leverage threat feeds from ISACs and ISAOs gain access to services such as on-demand intelligence services to ask a security provider specific questions about emerging security threats. However, realizing the value of a SPOG and its features relies on human intelligence analyst intervention to design a SPOG that produces relevant and actionable intelligence.


Actionable Intelligence Versus Situational Awareness

Consider a Global Positioning System (GPS). It’s great to know for my “situational awareness” that I am currently in a moving vehicle, but it would be actionable if the GPS confirmed the fastest route and informed the driver of any emergency issues. Aha, actionable intelligence! Filtered and analyzed intelligence will fall into actionable intelligence and intelligence for situational awareness.


It is common for vendors to provide detailed reports of 50–60 leaked credentials from data breaches such as Anthem, Target or Experian. In most cases, vendor reporting of exposed credentials is accurate. However, an analyst will ask whether the credential nomenclature matches the organization’s policies for strong username and password length and complexity. If so, then there is a problem with identity and access management, thus actionable intelligence. The intelligence offers steps for remediation to force password resets, educate employees to prevent social engineering attacks, discourage password reuse and advocate for two-factor authentication. If it doesn’t meet the organization’s policies, then this is intelligence for situational awareness. The intelligence was accurate at one time, but previous remediations lowered the impact and probability of exploitation by a threat actor.


Threat Actors Are Human, with Human Motivations

Hacktivists, organized criminals, nation-state actors, cyberterrorists and script kiddies have human motivations. They are thoughtful, developing their identities, understanding their strengths, weaknesses, capabilities, and building threat actor communities. Intelligence must reveal the identity and motivations of threat actors, providing context to ensure the information is actionable and applies to the organization. As cybersecurity intelligence collection matures, the security posture will transition from reactive to preventive security posture. Don’t forget to invest in the human component of intelligence.

Roderick Chambers, CISSP, CISM

Information Security and Intelligence Advisor, New York State Department of Financial Services

Analytics Intelligence & Response Human Element

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs