Why Are Information Security Tools and Cyber Intelligence Like a Hammer and Nails?

By Dori Fisher, VP Intelligence Solutions

Information security (“cyber security”) has evolved rapidly in recent years, and as a result we need to redefine concepts that were once considered clear, and to define concepts that have not yet been addressed at all. One of these concepts is cyber threat intelligence, or CTI.

Market Guide for Security Threat Intelligence Services, a Gartner paper from October 2014, lists 27 companies in its CTI category. These include two very different Israeli companies, Check Point, known originally for its firewalls, and SenseCy, which is known for its intelligence.

Yet one-dimensional market categories do not reflect what the various companies actually do. In other words, CTI, like DLP (data leak prevention) and other terms, is implemented in different ways and answers different needs. Amid all the marketing hype, words sometimes lose their meaning. One of the biggest problems with “CTI” is that the name promises intelligence when what is actually delivered is information.

What is Intelligence?

Intelligence, according to the FBI, is “information that has been analyzed and refined so that it is useful to policymakers in making decisions.”

Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice.”

The common thread in definitions of intelligence is that it is information analyzed to create value.

Stages of Cyber Intelligence

Cyber intelligence, like classic intelligence, consists of a number of major processes:

Developing sources: Where do you look and how do you get there? (For example, how do you become a member of a closed Indonesian carding forum?)

Collection: What do you look for and how do you find information? (For example, using various languages, automatic or manual tools, etc.)

Filtering and aggregation: Filtering and combining bits of information.

Analysis: Understanding the information and its value.

Conclusions and deliverables: Insights about the information analyzed and packaging of the information.

Computers have proven themselves efficient at collecting, aggregating, and filtering intelligence. However, human beings are still better at developing high-quality sources, analyzing, and drawing conclusions – despite the great promise of various analytic technologies.

Intelligence vs. Information

Many of the deliverables called intelligence (or CTI) are, in fact, information.

Examples are information collected from honeypots, attackers’ servers, network forensics, social networks, web content not indexed by search engines (the Deep Web), or networks that require special browsing software such as Tor (the Dark Web).

Without information collection there would be no intelligence, but the mere act of collection from one source or another does not make the information “intelligence.”

For example, a quote from a closed group that is planning to attack a certain bank on Christmas is important information, but the modus operandi, the tools to be used, the group’s ability to actually carry out the attack, and the likelihood that the attack will take place are the intelligence. Only the second set tells the bank what to do and how urgently.

Cyber Intelligence as a Nail and Information Security Tools as a Hammer

Psychologist Abraham Maslow noted that “it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.”

In the ancient world, when Joshua sent spies into Jericho, his tools were mainly between his ears, and the intelligence took form accordingly. Today, with firewalls, information security management systems, data leak prevention, and endpoint protection, we sometimes confuse intelligence with technological information like IP addresses and signatures that can be inserted into the products that we buy.

The technological information is the delivery but not the essence.

High-quality intelligence can sometimes also be expressed in technological deliverables, but the quality of intelligence is measured by the ability to act upon it, whether by updating firewall rules or by redefining strategy or tactics on a certain topic.


Gartner Identifies Machine-Readable Threat Intelligence as One of the Top 10 Technologies for Information Security in 2014

Last week Gartner, a leading information technology research and advisory company, highlighted the top ten technologies for information security and their implications for security organizations in 2014. Analysts presented their findings during the Gartner Security & Risk Management Summit, which ran through June 26.


The top ten technologies for information security are:

  1. Cloud Access Security Brokers
  2. Adaptive Access Control
  3. Pervasive Sandboxing (Content Detonation) and IOC Confirmation
  4. Endpoint Detection and Response Solutions
  5. Big Data Security Analytics at the Heart of Next-generation Security Platforms
  6. Machine-readable Threat Intelligence, Including Reputation Services
  7. Containment and Isolation as a Foundational Security Strategy
  8. Software-defined Security
  9. Interactive Application Security Testing
  10. Security Gateways, Brokers and Firewalls to Deal with the Internet of Things

We at SenseCy are great believers in item 6.

We have been providing contextual intelligence for the past several years (and will continue to do so), but felt that it was time to take this to the next level by providing structured feeds that can link directly into SIEM and other security infrastructure and automate a greater part of the threat intelligence implementation process. Although we believe that machine-to-machine (M2M) exchange will take a greater role in cyber security, the role of the analyst will not be diminished: there will be a greater need to analyze and filter the results before we release the feed to our clients, in order to maintain a very low false-positive alert rate.

We also aim to engage the malware supply chain at an earlier phase than most, obtaining and analyzing malware before widespread distribution, so that our clients can prepare their security infrastructure by adding concrete identification parameters prior to infection.
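The following Python script is an added example (not SenseCy’s code or feed format) that walks a machine-readable indicator feed through the stages described earlier on this page: collection from two sources, filtering and aggregation across them, and a deliverable that a firewall or SIEM can consume. The feed layout (JSON lines with an indicator, type, confidence and context), the two source names, the allowlisted networks and domain, and the confidence thresholds are all assumptions made for the example; the indicators themselves are documentation ranges and invented names, not real threat data. The point it makes is the one the text makes: the same IP address is information when it arrives, and becomes actionable only after corroboration, scoring and removal of the entries that would otherwise be false positives.

```python
import ipaddress
import json

# Constructed sample feeds in a simple JSON-lines layout (an assumption for this example;
# real feeds would use STIX/TAXII, CSV or a vendor schema). The addresses are from the
# RFC 5737 documentation ranges and the domains are invented, so nothing here is live data.
FEED_SOURCE_1 = """
{"indicator": "203.0.113.45", "type": "ipv4", "confidence": 80, "context": "C2 for banking trojan sample"}
{"indicator": "198.51.100.7", "type": "ipv4", "confidence": 40, "context": "listed on a spam relay list"}
{"indicator": "10.0.0.5", "type": "ipv4", "confidence": 90, "context": "port scanner"}
{"indicator": "login-secure-bank.example", "type": "domain", "confidence": 70, "context": "phishing kit host"}
"""
FEED_SOURCE_2 = """
{"indicator": "203.0.113.45", "type": "ipv4", "confidence": 60, "context": "malware callback seen in sandbox"}
{"indicator": "192.0.2.200", "type": "ipv4", "confidence": 30, "context": "single honeypot hit"}
{"indicator": "cdn.example", "type": "domain", "confidence": 85, "context": "hosted a malicious file"}
"""

# Allowlist (constructed): our own address space and shared infrastructure we depend on.
# A feed may legitimately report these, but turning them into block rules would be a
# self-inflicted outage, i.e. a false positive in the sense the text warns about.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SHARED_INFRA_DOMAINS = {"cdn.example"}

BLOCK_THRESHOLD = 75  # confidence needed before a preventive control is touched (assumed)
ALERT_THRESHOLD = 50  # confidence needed for a SIEM watchlist entry (assumed)


def parse_feed(text, source):
    """Collection: one record per non-empty line, tagged with the source it came from."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            rec = json.loads(line)
            rec["source"] = source
            records.append(rec)
    return records


def aggregate(records):
    """Filtering and aggregation: merge the same indicator reported by several sources.

    Confidence is the highest reported value plus 10 for every additional independent
    source, capped at 100. Context strings are kept so an analyst can see *why*.
    """
    merged = {}
    for rec in records:
        key = (rec["type"], rec["indicator"].lower())
        entry = merged.setdefault(key, {"indicator": rec["indicator"].lower(), "type": rec["type"],
                                        "sources": [], "confidences": [], "context": []})
        if rec["source"] not in entry["sources"]:
            entry["sources"].append(rec["source"])
        entry["confidences"].append(rec["confidence"])
        entry["context"].append(f'{rec["source"]}: {rec["context"]}')
    for entry in merged.values():
        bonus = 10 * (len(entry["sources"]) - 1)
        entry["confidence"] = min(100, max(entry["confidences"]) + bonus)
    return list(merged.values())


def is_allowlisted(entry):
    """Explicit allowlist only; ipaddress.is_private is deliberately not used because it
    also matches the documentation ranges used as sample indicators here."""
    if entry["type"] == "ipv4":
        addr = ipaddress.ip_address(entry["indicator"])
        return any(addr in net for net in INTERNAL_NETS)
    if entry["type"] == "domain":
        return entry["indicator"] in SHARED_INFRA_DOMAINS
    return False


def decide(entries):
    """Conclusions and deliverables: sort scored indicators into block / alert / discard.

    Blocking requires both high confidence and corroboration by a second source;
    a single source, however confident, only earns a watchlist alert.
    """
    actions = {"block": [], "alert": [], "discard": []}
    for e in entries:
        if is_allowlisted(e):
            e["reason"] = "allowlisted"
            actions["discard"].append(e)
        elif e["confidence"] >= BLOCK_THRESHOLD and len(e["sources"]) >= 2:
            actions["block"].append(e)
        elif e["confidence"] >= ALERT_THRESHOLD:
            actions["alert"].append(e)
        else:
            e["reason"] = "low confidence, uncorroborated"
            actions["discard"].append(e)
    return actions


def firewall_rules(block_entries):
    """The 'hammer' deliverable: iptables drop rules for blocked IPv4 indicators, with the
    intelligence context carried along as a comment so the rule stays explainable."""
    return [f'iptables -A OUTPUT -d {e["indicator"]} -j DROP  # {" | ".join(e["context"])}'
            for e in block_entries if e["type"] == "ipv4"]


def run_pipeline():
    records = parse_feed(FEED_SOURCE_1, "source1") + parse_feed(FEED_SOURCE_2, "source2")
    return decide(aggregate(records))


if __name__ == "__main__":
    result = run_pipeline()
    for action, entries in result.items():
        for e in entries:
            print(f'{action:8} {e["indicator"]:28} conf={e["confidence"]:3} sources={len(e["sources"])}')
    print("\n".join(firewall_rules(result["block"])))
```

Run as written, the one indicator that two sources corroborate (203.0.113.45) becomes a block rule, the single-source phishing domain becomes an alert, and the internal scanner, the shared CDN domain and the two low-confidence hits are discarded with a recorded reason. Only the last stage produces something a firewall can consume, which is the distinction between delivering information and delivering intelligence.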