“The concept is simple, but it can be operationally difficult to do,” he told Computer Weekly.
The combined knowledge of many is always going to be more powerful than the knowledge of any single organisation, but there are challenges to realising the real benefits, said Goldfarb.
First, if an organisation is to benefit from intelligence about the types of activity it should be looking out for, that process has to be integrated into the security workflow.
“Security intelligence should never be isolated, but used to generate alerts that are fed into the security workflow like any other alerts,” said Goldfarb.
Second, security intelligence is a “predatory field”, and while there is a growing number of organisations that claim to provide security intelligence, not all these services are equal, he said.
more on security threat intelligence
- GCHQ launches pilot to share cyber threat intelligence
- Does your SIEM integrate threat intelligence feeds?
- Threat intelligence versus risk: How much cyber security is enough?
- Cyber threat intelligence is getting crowded
- Infosec 2014: People vital to security intelligence, say experts
- Threat intelligence, detection and visibility: A CISO weighs in
- How threat intelligence can give enterprise security the upper hand
According to Goldfarb, many simply provide “security information”. But that is not the same as “security intelligence”, which includes context of what that data means, what it relates to and how it can be used.
“The challenge is choosing valuable and reliable sources of intelligence, but in a rapidly growing emerging market it is a case of let the buyer beware,” he said.
Goldfarb suggests several approaches to meeting this challenge. First, he recommends that information security professionals become a “known player” in their security community.
“Ensure that other members of your community know who you are, and that you are seen as a serious professional who is intent on building a serious information security programme,” said Goldfarb.
“This means you will be able to ask your peers which are the best sources of security intelligence for your industry, and they will tell you honestly what they think, based on their experience,” he said.
Where intelligence sources are inherited or long-standing, Goldfarb recommends a scientific approach of measuring the ratio of false positives to true positives.
“Any source of intelligence where the signal is being drowned out by the noise is not really adding value and should be replaced,” he said.
Crest assessment for security intelligence
In the UK, however, information security professionals can benefit from assessments by Crest, the not-for-profit organisation that represents and certifies the technical information security industry.
On behalf of the Bank of England, Crest has done an assessment of organisations offering security intelligence services in the UK and set some minimum criteria.
“Service providers which pass the assessment using these criteria become members of Crest in the same way as providers of services in penetration testing, incident response, and simulated attack and response,” Ian Glover, president of Crest, told Computer Weekly.
Crest membership for a supplier of security intelligence means they have met the minimum requirements in terms of the technology and social engineering
Ian Glover, Crest
Crest membership for a supplier of security intelligence means they have appropriate processes in place for managing the intelligence they provide, which ensures that it is being sourced legally and ethically.
“It also means they have met the minimum requirements in terms of the technology and social engineering side of things, which means they understand the geo-political landscape as well as the technical landscape,” said Glover.
“And finally, it means they have access to sufficient information for them to draw inference, that they are an organisation that has access to appropriately skilled people who can provide the information they require, and that the organisation and staff adhere to an enforceable code of conduct,” he said.
A code of conduct means that if an organisation is not happy with a security intelligence service or has any problems, a complaint can be made to Crest.
“We ask the hard questions about how the service is run and we continue to monitor the organisation in terms of its performance, providing support for suppliers and consumers,” said Glover.
Crest hopes that its assessment for security intelligence will become eventually become a de facto standard, with both suppliers and consumers recognising the value of Crest membership.