“Whatever you put out I’m gonna buy it, so what’s your latest? I wanna try it”
From “I’m a sucker for your marketing” by Sarah Jaffe
Every year we seem to have a new buzz term in security. As someone who lives in the security product marketing world, I’ve seen trends come and go. Terminology that was once mandatory in every piece of collateral suddenly becomes stale and cringe-worthy (APT is becoming one of these). We’ve had a bunch of buzzwords and phrases; some were pretty good and some were really terrible. I should know; I helped propagate some of these buzzwords.
Here are just a few of the popular security marketing buzzwords and phrases from the past 5+ years: “SaaS”, “cloud-based”, “people, process and technology”, “risk-based”, “adaptive”, “defense-in-depth”, “layered”, “cyber” followed by almost any word in the dictionary (warfare, espionage, strategy, spending, spy, defense, etc.) and of course “Big Data”.
“Big Data” is so ingrained in our culture that I’m pretty sure EMC legally obligates me to say it in every presentation I give. And guess what? It is not going away any time soon, so we’d better get used to it. Though, as with most buzz terms, its connotations will change over time.
So what is the next marketing buzzword in security? I declare 2013 to be the year of “Intelligence”.
You heard it here first. In 2013 almost every vendor you talk to will be bringing up “intelligence” or “intelligence-driven security”. Even RSA Conference is getting in the game. This year’s theme is “Security in Knowledge”.
I happen to believe that promotion of intelligence as a vital part of a security strategy is a good thing, and it marks the beginning of a new way of thinking about security (or at least a new way of talking about the way many already think about security). So now that you know what the buzzword is going to be, do you know how to differentiate between those who can help you with an intelligence-driven security strategy and those who are just cutting and pasting buzzwords into presentations? (For example, most technologies and vendors can’t actually provide much to help you “defend against APTs”, but they all talk about APTs in their materials.)
When hearing claims about intelligence and security, here is what you need to know:
Quality vs. Quantity: Vendors will often quote the number of intelligence feeds, sources or analysts they have since it’s one of the few ways you can try to compare offerings. However, you should not fall into a trap of figuring out who has the most robust security intelligence features based on the quantity of those features. In fact, the quantity rarely correlates to quality when it comes to intelligence. Vendors may quote various sources that are either filled with information that is not particularly helpful or overlap significantly with other sources. You should seek out those that offer sources and information that are unique and proven to make a difference when looking for and understanding threats.
Intelligence needs to be operationalized: Clearly I love a good blog post. However, while posting blogs and sending emails about security threats and intelligence is a good educational exercise, it is not necessarily going to translate into you finding new threats unless that information is operationalized. Operationalized intelligence means that the information you’re receiving can be fused with your internal data so you can understand it in relation to your environment. If you’re looking into purchasing intelligence feeds from third parties that don’t directly integrate with your technology, you should understand what you’re going to do with that data. Organizations should have a plan to take that intelligence and act on it. At a minimum you should have people on your team dedicated to educating themselves and figuring out how to turn this information into something that will lead to results. Every security team should have headcount, or at least a portion of the team’s responsibilities, dedicated to security intelligence.
Intelligence needs to provide context: The goal of intelligence should be to help you understand what to look for and to better understand what you’re looking at. Everything else is just noise.
For more on this topic, I’d suggest checking out Art Coviello’s blog on moving to an intelligence-driven security model. For a bit more on Art’s thoughts, also check out his interview with the RSA Conference team from last October.
Another great resource is Will Gragido, who heads up the RSA FirstWatch team and recently wrote a blog on intelligence collection. He’s a lot smarter than me, so if you read this far you should take two more minutes and read his thoughts.
Finally, for a product-focused perspective, check out the RSA Live intelligence service. This is RSA’s intelligence delivery system that not only gathers intelligence but operationalizes it by fusing it with your data with RSA NetWitness and RSA Security Analytics.
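To make the first two points concrete, here is an added example (not from the original post and not tied to any RSA product) that scores feeds by what is unique to them and by what actually matches internal data, rather than by size. All feed names, indicators and log records are constructed for illustration.

```python
# Added illustration: all feed names, indicators and log lines are constructed.
FEEDS = {
    "feed_a": {"198.51.100.7", "203.0.113.9", "bad.example", "evil.example",
               "192.0.2.44", "old1.example", "old2.example", "old3.example"},
    "feed_b": {"198.51.100.7", "203.0.113.9", "bad.example", "evil.example"},
    "feed_c": {"203.0.113.77", "c2.example"},
}

# Constructed internal telemetry (proxy/DNS style): (host, destination)
INTERNAL_LOGS = [
    ("ws-014", "c2.example"),
    ("ws-014", "intranet.example"),
    ("srv-02", "198.51.100.7"),
    ("ws-031", "203.0.113.77"),
    ("ws-031", "updates.example"),
]


def unique_indicators(feeds):
    """Indicators each feed contributes that no other feed has."""
    result = {}
    for name, iocs in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        result[name] = iocs - others
    return result


def fuse(feeds, logs):
    """Match feed indicators against internal data: feed -> {(host, ioc)}."""
    return {name: {(h, d) for h, d in logs if d in iocs}
            for name, iocs in feeds.items()}


def score(feeds, logs):
    """Per-feed summary: size, unique count, and hits in our environment."""
    uniq, hits = unique_indicators(feeds), fuse(feeds, logs)
    return {name: {"size": len(iocs),
                   "unique": len(uniq[name]),
                   "hits": len(hits[name]),
                   "unique_hits": len({x for x in hits[name] if x[1] in uniq[name]})}
            for name, iocs in feeds.items()}


if __name__ == "__main__":
    for name, row in sorted(score(FEEDS, INTERNAL_LOGS).items(),
                            key=lambda kv: -kv[1]["unique_hits"]):
        print(name, row)
```

In this constructed data the largest feed produces no hit that another feed would not also have produced, while the smallest feed accounts for both unique matches against internal logs.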
What other classic security buzzwords do you remember? Do you think “intelligence” will be the new “APT”? Is intelligence-driven security just marketing hype or a legitimate strategy?