Applying Security Intelligence to Your Enterprise Threat Mitigation Program – Introduction

Categories: Advanced Security,FirstWatch

Intelligence is no longer solely relegated to the world of the clandestine. It is no longer the exclusive domain of roguish characters featured in heart-pounding novels, nor is it the sole dominion of the prototypical ‘geek’ pounding away on a keyboard at a secret government facility (or van) near you. No. Threat intelligence is part of our lives, and we experience it daily at work, at home and on the go. This is true for you and me, and for enterprise organizations.

The world has changed. It’s a fact that can no longer be avoided. People and enterprise organizations alike are learning a lot about intelligence, in particular the types of intelligence that impact their lives through cyber and non-cyber channels alike. In this blog we’ll introduce the concept of intelligence, its collection and, most importantly, its application in our daily lives in the environments we work and play in. People love knowing (or believing they know) something that someone else doesn’t. It can be an intoxicating thing to be privy to information that is shared and known by a select few.

More important than the level of biochemical and emotional response this evokes is what we do with the intelligence we have.  The idea that all intelligence is equal, as we’ll see, is farcical.   We’ll investigate how grading and weighting intelligence can help in its application and how this application of intelligence can ultimately lead to a more stable, secure organization with a keener understanding of its risk posture and the risk posture posed by its constituents.

Collection

Intelligence collection is as much an art as it is a science. It requires a great deal of insight into the traditional and nontraditional areas of interest that an organization may concern itself with. There are myriad ways through which one can collect intelligence, organic and inorganic. For the purpose of this blog (as we’re only touching on collection here rather than diving deeply) we’ll assert that intelligence collection is a people, process and technology driven proposition that strives to obtain, through the marriage of disparate intelligence disciplines, a composite perspective that accurately represents an organization’s worldview and places the organization itself (and its user population) within that worldview as potential targets.

The goal should be the attainment of high-fidelity intelligence that is salient and actionable. Anything less is unacceptable. The real question is how we apply this intelligence once we have collected it. And how can we ensure that the intelligence is acted upon in a timely manner, thus preventing or narrowing the likelihood of a potential attack?

Application of Intelligence within the Enterprise

For enterprise environments, the application of intelligence, regardless of the intelligence type, begins with verification and classification. If these steps are forsaken, and one assumes that the intelligence one has collected is irrefutable without first having vetted it, mistakes can be made and vulnerabilities introduced to the enterprise environment that can lead to compromise. As a result, the verification process (inspection of what you expect) is key to the successful application of intelligence, along with appropriate classification of the intelligence itself.

Once verification and classification have been completed, prioritization becomes the focal point of the application of the intelligence as it is brought to the attention of those within the enterprise organization concerned with its analysis. At this point any number of actions may be taken with respect to the intelligence in question.

Updates in the form of new firewall rules, network- and host-based signatures or filters, and web and mail protection may all come into effect, alongside the application of threat feeds and parsers such as the ones my team, RSA FirstWatch, produces for consumers of the technology. Regardless of how intelligence is applied within your enterprise, you’ll need to consider applying it if you have not already begun doing so. In this blog we discuss very high-level scenarios regarding intelligence collection and application. In subsequent blogs we’ll explore these concepts in more detail, leaving as few stones unturned as possible.
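The verify, classify, prioritize and apply sequence described above, as an added example (not RSA FirstWatch code): the feed trust weights, severity weights, internal address ranges, scoring formula and feed entries are all constructed for illustration, and the scheme is one assumed grading, not a published one.

```python
from dataclasses import dataclass
import ipaddress
# Constructed weights: trust per feed (0..1) and severity per indicator class.
SOURCE_TRUST = {"vendor_feed": 0.9, "partner_share": 0.7, "open_list": 0.4}
CLASS_WEIGHT = {"c2": 1.0, "malware_host": 0.6, "scanner": 0.3}
# Constructed: our own address space; a rule blocking it is a self-inflicted outage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
@dataclass
class Indicator:
    value: str          # IP address as reported by a feed
    kind: str           # classification: c2, malware_host, scanner
    sources: set        # feeds that reported it
    rejected: str = ""  # why verification failed, if it did
    score: float = 0.0

def verify(ind, min_sources=2):
    """Inspect what you expect: well-formed, not our own asset, corroborated."""
    try:
        addr = ipaddress.ip_address(ind.value)
    except ValueError:
        ind.rejected = "malformed"
        return False
    if any(addr in net for net in INTERNAL_NETS):
        ind.rejected = "internal asset"
        return False
    # A single report is accepted only from the most trusted feed.
    if len(ind.sources) < min_sources and "vendor_feed" not in ind.sources:
        ind.rejected = "uncorroborated"
        return False
    return True

def score(ind):
    trust = max(SOURCE_TRUST.get(s, 0.0) for s in ind.sources)
    corroboration = min(1.0, 0.5 + 0.25 * len(ind.sources))  # more reporters, more weight
    ind.score = round(trust * corroboration * CLASS_WEIGHT.get(ind.kind, 0.1), 3)
    return ind.score

def prioritize(indicators):
    """Verified indicators only, highest score first."""
    kept = [i for i in indicators if verify(i)]
    return sorted(kept, key=score, reverse=True)

def firewall_rules(indicators, threshold=0.5):
    """Block only above the threshold; lower scores are left for monitoring."""
    return [f"deny ip any host {i.value}" for i in indicators if i.score >= threshold]
SAMPLE = [  # constructed feed entries
    Indicator("198.51.100.7", "c2", {"vendor_feed", "partner_share"}),
    Indicator("10.1.2.3", "malware_host", {"open_list"}),            # our own host
    Indicator("192.0.2.44", "scanner", {"open_list"}),               # single weak source
    Indicator("192.0.2.99", "malware_host", {"open_list", "partner_share"}),
    Indicator("not-an-ip", "c2", {"vendor_feed"}),
]
```

Running `prioritize(SAMPLE)` keeps two of the five entries, and only the corroborated C2 address clears the blocking threshold; the rejected entries carry the reason in `rejected` so an analyst can see what was filtered and why.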

We hope you’ll keep reading!

Author: Will Gragido

Mr. Gragido possesses over 18 years of information security experience. A former United States Marine, Mr. Gragido began his career in the data communications, information security and intelligence communities. After the USMC, Mr. Gragido worked within several information security consultancy roles performing and leading red teaming, penetration testing, incident response, security assessments, ethical hacking, malware analysis and risk management program development. Mr. Gragido has worked with a variety of industry-leading research organizations including International Network Services, Internet Security Systems / IBM Internet Security Systems X-Force, Damballa, Cassandra Security, HP DVLabs, and now RSA NetWitness. Will has deep expertise and knowledge in operations, analysis, management, professional services & consultancy, pre-sales / architecture and a strong desire to see the industry mature and enterprises & individuals become more secure. Will is a long-standing member of the ISC2, ISACA, and ISSA. Mr. Gragido holds the CISSP and CISA certifications, as well as accreditations in the National Security Agency's Information Security Assessment Methodology (IAM) and Information Security Evaluation Methodology (IEM). Additionally, Mr. Gragido is a Faculty Member of the IANS Institute where he specializes in advanced threat, botnet, and malware analysis. Mr. Gragido is a graduate of DePaul University and is currently preparing for graduate school. He is the co-author of Cybercrime and Espionage: An Analysis of Subversive Multi-Vector Threats and is currently hard at work on a new book due out in the summer of 2012.