This post is part of a multi-part series about the Securosis Guide to the RSA Conference (download the RSAC-G PDF). Please scroll to the bottom for links to other posts in the series.
Every year we look at different aspects of the security space and the approaching storm that is RSA. One of the overarching themes we have driven ourselves into a frenzy over is the need for threat intelligence. On the analyst side, we are constantly taking briefings from new threat intel vendors claiming to be the next big thing, but we really cannot tell the difference between them. We even have a nifty acronym, "YATIV" (Yet Another Threat Intel Vendor). On the upside, they're still outnumbered by all the security analytics clones.
In keeping with our geeky theme, the essential questions when looking at these providers are: do you know how many Bothan spies actually died to bring you this information? What are you actually paying for in the end? Is your vendor force-choking you for a paycheck? In other words, does this data actually help you make security decisions which will stop some farmboy from wrecking your (small) moon-sized investments?
When the escape pod jettisoned with the droids on board they weren't blasted by the Imperial troops. As a result the plans for the Death Star ultimately fell into rebel hands. That was really the type of information the Empire could have have used to make better decisions. You almost have to wonder if Family Guy was onto something with the lines, "'Hold your fire'? What, are we paying by the laser now?" "You don't do the budget, Terry, I do!" Are you receiving valuable information from your threat intelligence vendor? Does it even come close to the level of what the Bothans managed to deliver? Or are you paying for intelligence about the possible threat posed by the bounty hunter Boba Fett, while he is already lodged in the gullet of the Sarlacc? You need to peel back the layers of fear, uncertainty, and doubt to reach the meat.
Ask tough questions, and don't believe the answers.
Take into account the cautionary tale of the threat intelligence vendor, Norse, who recently imploded in such spectacular fashion that even Industrial Light and Magic was jealous. Norse was known for an animated threat intelligence map that, well, let's be honest... really had zero value. The "pew pew" map would show animated attacks blasting all around the tubes of the Internet. But did it ever provide you anything remotely actionable? No, I didn't think so. It was a photogenic gimmick.
You need to understand that threat intelligence is not as simple as plugging it in and flipping a switch. These products are new and evolving. The data is only really useful if an analyst can make use of the data as provided. More isn't always better—just ask Jabba.
When the rebels got their hands on the plans for the Death Star they found a weakness. Not simply because they had the data, but because they were able to properly analyze it. Are you able to find the thermal exhaust port with your threat intelligence?
You have to wonder: is that information that you paid top dollar for really the work of Bothans?
May The Norse (Not) Be With You.
— Dave Lewis
Check out the complete series: Introduction
Theme posts: Threat Intelligence & Bothan Spies, R2DevOps, Escape from Cloud City, The Beginning of the End(point) for the Empire, Training Security Jedi, Attack of the (Analytics) Clones
Deep Dives: All Threats, All the Time..., Data Security Deep Dive, Cloud Security Deep Dive