Why Are Information Security Tools and Cyber Intelligence Like a Hammer and Nails?

By Dori Fisher, VP Intelligence Solutions

Information security (“cyber security”) has rapidly evolved in recent years, and as a result we need to reinvent and redefine concepts that were once considered clear, and define concepts that have not yet been addressed. One of these concepts is cyber threat intelligence, or CTI.

Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.

Yet one-dimensional market categories do not reflect the specific activities of various companies. In other words, CTI, like DLP (data leakage protection) and other terms, is implemented in various ways and expresses different needs. Sometimes, with all the marketing hype, words lose their meaning. One of the biggest challenges with “CTI” is that it refers to intelligence when what is actually delivered is information.

What is Intelligence?

Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”

The common thread in definitions of intelligence is that it is information analyzed to create value.

Stages of Cyber Intelligence

Cyber intelligence, like classic intelligence, consists of a number of major processes:

Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)

Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)

Filtering and aggregation: Filtering and combining bits of information.

Analysis: Understanding the information and its value.

Conclusions and deliverables: Insights about the information analyzed and packaging of the information.

Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.
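As an added illustration of the stages computers handle well (collection, filtering and aggregation), here is a small Python example; it is not SenseCy's code, and every source name, record and indicator in it is constructed sample data. It normalises differently defanged indicators from several collection sources, merges duplicates, and passes on only corroborated items, leaving analysis and conclusions to the human stages.

```python
"""Filtering and aggregation stage over constructed collected items.

Added example, not SenseCy code. It shows the part of the intelligence
cycle the article says computers do well: normalising and merging bits of
information from several collection sources, then counting corroboration
so that an analyst (the human stage) can focus on items worth analysing.
All records, sources and indicators below are constructed sample data.
"""
import re
from collections import defaultdict

# Constructed raw items: (source, indicator as collected). Note the mixed
# defanging styles ("hxxp", "[.]") and case that real collection produces.
COLLECTED = [
    ("honeypot-a", "203.0.113.7"),
    ("forum-x", "203.0.113.7"),
    ("forum-x", "hxxp://bad[.]example/login"),
    ("sandbox-b", "http://BAD.example/login"),
    ("honeypot-a", "198.51.100.9"),
]

def normalize(indicator: str) -> str:
    """Undo common defanging and case differences so duplicates merge."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    s = s.replace("[.]", ".").replace("(.)", ".")
    return s

def aggregate(items):
    """Merge collected items by normalised indicator, keeping the set of
    distinct sources that reported each one."""
    merged = defaultdict(set)
    for source, raw in items:
        merged[normalize(raw)].add(source)
    return {ind: sorted(srcs) for ind, srcs in merged.items()}

def filter_for_analysis(aggregated, min_sources=2):
    """Filtering step: hand the analyst only indicators reported by at
    least min_sources independent sources. Single-source items remain
    information but are not yet worth analyst time."""
    return {ind: srcs for ind, srcs in aggregated.items()
            if len(srcs) >= min_sources}
```

The output is still information, not intelligence: what the corroborated indicators mean, who is behind them and what to do about them remain analyst work.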

Intelligence vs. Information

Many of the deliveries called intelligence (or CTI) are, in fact, information.

Examples include information collected by means of honeypots, attack servers, network forensics, social networks, parts of the Internet not reachable through a Google search (the Deep Web), or networks requiring special browsing software (the Dark Web).

Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”

For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the ability to actually carry out the attack, and the likelihood that the attack will take place are important intelligence.

Cyber Intelligence as a Nail and Information Security Tools as a Hammer

Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.

The technological information is the delivery but not the essence.

High-quality intelligence can sometimes also be expressed in technological deliveries, but the quality of intelligence can be measured based on the ability to act upon it, whether by updating firewall rules or redefining strategy or tactics in regard to a certain topic.


SenseCy Update

Hi all, it has been a busy month for us here at SenseCy and it’s time to share a quick update of what the team has been up to.


We participated in the Infosec Europe conference, held in London (read all about it here), and in the GOVSEC conference in Washington D.C., where we met with industry-leading vendors and potential partners. Following these, we ventured to Barcelona to participate in the Check Point Experience (CPX) conference, where it was announced that we, along with six other prestigious vendors, will be taking part in Check Point’s ThreatCloud Intellistore, which will allow us to offer our intelligence feeds to Check Point’s massive clientele.

You can find the press release and related information at the following link: http://www.checkpoint.com/press/2014/check-point-pioneers-revolutionary-cyber-intelligence.html

Later this week Mr. Assaf Keren, our CTO, will deliver a speech about Cyber Intelligence at the Cybercrime Security Forum 14, held at the Hilton Cyprus, Nicosia, followed by a talk by Mr. Gilad Zahavi, Director of Cyber Intelligence, at ISS World Europe, Prague, where he will present the SenseCy methodology for tracking hackers using Virtual HUMINT on June 4, 2014.

Last but not least, we have some very exciting personnel changes – this month we have welcomed Dimitry, our Director of Technical Intelligence, and Nir, an analyst who will be handling the Chinese arena. Ms. Sheila Dahan will be taking the role of Customer Relations Manager and will assist with various sales and marketing activities. Stay tuned for more updates.