Lesson 1: Data is Not Intelligence
By Mike Mimoso
One thing we’re good at in information security is conflating terms, and there is no shortage of mistakes on this front. For example, vulnerabilities are not exploits, worms are not viruses, and data is not intelligence.
Data in the context of threat intelligence is just that: raw and often voluminous. It’s typically collected in an automated fashion from relevant sources according to an organization’s intelligence requirements and stands as the bedrock of an intel program.
Data on its own, however, isn’t of much value to an enterprise security decision maker without some threads of context sewing it together to find a solution to a problem. IP addresses, malware hashes, and other indicators of compromise (IOCs) are invaluable data points, but without understanding how they connect to a threat actor—or how they point to the next potential target—they aren’t much more than IOCs on a spreadsheet.
A human analyst and a machine learning engine are the quickest paths to turning that data into an actionable piece of intelligence. An experienced subject-matter expert with extensive information security and/or military know-how is best placed to connect the subtle relationships between relevant data points and arrive at a defensible conclusion.
A malicious domain, for example, may fire off an alert in a security information and event management (SIEM) platform, but you’ll need more than an urgent email or text message to know that domain has been linked to other attacks against peers in your industry. You’ll need to ask questions of the data to turn it into intelligence: is the domain a first- or second-stage launching pad in an attack? Is the malicious activity happening during only certain hours of the day (e.g., during the normal work day in China)? What vulnerabilities are being exploited? What exploits are being deployed? Are they exfiltrating data from compromised machines? If so, what kind of data? Is this a targeted attack against your organization? Or are others in your industry seeing the same thing?
All of this data goes into a virtual blender and is processed to arrive at a conclusion about an adversary or threatening scenario. The outcome is intelligence, and that’s what informs decisions about risk.
Data should never be conflated with intelligence, because the latter requires an enormous amount of cross-examination and interpretation to produce an actionable, finished product. And this applies to all facets of business risk that require intelligence, not only cyber: fraud, insider threat, executive protection, and other areas of physical and corporate security.
People are at the core of finished intelligence, providing the nuance, logic, experience, and understanding needed to derive actionable insight and solve complex problems. No machine can mimic the tradecraft necessary to access a closed-source illicit community. No algorithm can understand and communicate with regional and language-specific slang when engaging in conversation with an adversary. Automation can and does reduce the time it takes to collect technical indicators, but intelligence requires patience with data to effectively inform an appropriate course of action.
Data and intelligence are very different things. Data is often unstructured and almost always represents a simple declaration of facts: an IP address or a malicious domain address, for example. To arrive at finished intelligence, data must be given structure and therefore evolve into relevant information that, when given additional analysis and context, can be used to inform decisions about risk.
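The questions above (first- or second-stage, working hours in a given time zone, seen by peers in your sector) can be asked of raw alert data programmatically before an analyst ever looks at it. The following is an added example, not code from the original post or from Flashpoint: it takes a constructed set of SIEM alerts and a constructed set of peer reports (domain names, host names, campaign tags and the `CAMPAIGN-A` label are all hypothetical) and turns hits on one domain IOC into a structured record carrying the context the paragraph describes. The result is still information, not finished intelligence, but it is what an analyst starts from instead of a spreadsheet of indicators.

```python
"""Enrich a raw domain IOC into a structured record with analytic context.

Added example with constructed data; nothing here is drawn from a real incident.
"""
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed SIEM alerts (hypothetical hosts and domains). Timestamps are UTC.
ALERTS = [
    {"ts": "2019-03-04T01:12:00Z", "host": "ws-017", "domain": "update-cdn.example"},
    {"ts": "2019-03-04T01:15:30Z", "host": "ws-017", "domain": "stats-sync.example"},
    {"ts": "2019-03-04T03:35:00Z", "host": "ws-022", "domain": "update-cdn.example"},
    {"ts": "2019-03-04T03:40:10Z", "host": "ws-022", "domain": "stats-sync.example"},
    {"ts": "2019-03-05T02:05:00Z", "host": "ws-041", "domain": "update-cdn.example"},
    {"ts": "2019-03-05T02:09:45Z", "host": "ws-041", "domain": "stats-sync.example"},
    {"ts": "2019-03-05T06:30:00Z", "host": "ws-022", "domain": "stats-sync.example"},
    {"ts": "2019-03-06T13:55:00Z", "host": "ws-009", "domain": "update-cdn.example"},
    {"ts": "2019-03-06T14:00:00Z", "host": "ws-009", "domain": "stats-sync.example"},
]

# Constructed peer / sharing-group reports keyed by domain (hypothetical campaign tag).
PEER_REPORTS = {
    "stats-sync.example": [
        {"sector": "finance", "campaign": "CAMPAIGN-A"},
        {"sector": "finance", "campaign": "CAMPAIGN-A"},
    ],
}

OUR_SECTOR = "finance"          # the sector we belong to, for the "are peers seeing this?" question
WORKDAY_HOURS = range(9, 18)    # local hours treated as a normal business day


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp like 2019-03-04T01:12:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enrich_domain(domain, alerts=ALERTS, peer_reports=PEER_REPORTS, utc_offset_hours=8):
    """Return a structured record for one domain, or None if it never fired.

    utc_offset_hours selects the adversary time zone hypothesis to test
    (default +8, i.e. the work day in China from the paragraph above).
    """
    hits = sorted((a for a in alerts if a["domain"] == domain), key=lambda a: parse_ts(a["ts"]))
    if not hits:
        return None

    # Question 1: does activity cluster in someone's working hours?
    tz = timezone(timedelta(hours=utc_offset_hours))
    local_hours = [parse_ts(a["ts"]).astimezone(tz).hour for a in hits]
    in_workday = sum(1 for h in local_hours if h in WORKDAY_HOURS)

    # Question 2: first- or second-stage? If every hit was preceded on the
    # same host by contact with a *different* domain, this one is downstream.
    by_host = {}
    for a in alerts:
        by_host.setdefault(a["host"], []).append(a)
    preceded = 0
    for a in hits:
        when = parse_ts(a["ts"])
        if any(b["domain"] != domain and parse_ts(b["ts"]) < when for b in by_host[a["host"]]):
            preceded += 1
    if preceded == len(hits):
        role = "second-stage"
    elif preceded == 0:
        role = "first-stage"
    else:
        role = "mixed"

    # Question 3: targeted at us, or are peers in our sector seeing it too?
    reports = peer_reports.get(domain, [])
    sectors = Counter(r["sector"] for r in reports)
    campaigns = sorted({r["campaign"] for r in reports})

    return {
        "domain": domain,
        "hit_count": len(hits),
        "hosts": sorted({a["host"] for a in hits}),
        "first_seen": hits[0]["ts"],
        "last_seen": hits[-1]["ts"],
        "workday_fraction": round(in_workday / len(hits), 2),
        "role": role,
        "peer_sectors": dict(sectors),
        "campaigns": campaigns,
        "shared_with_sector": OUR_SECTOR in sectors,
    }


if __name__ == "__main__":
    for d in ("update-cdn.example", "stats-sync.example"):
        print(json.dumps(enrich_domain(d), indent=2))
```

On the constructed data, `stats-sync.example` comes out as a second-stage domain, active 80% of the time inside a UTC+8 work day and reported twice by peers in the same sector under one campaign tag; `update-cdn.example` is first-stage and unknown to peers. Those fields are the raw material for the analyst's judgement, not a substitute for it: a single time-zone fit or a matching campaign tag is a hypothesis to be cross-examined, not a finding.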
Michael Mimoso brings over a decade of experience in IT security news reporting to Flashpoint. As Editorial Director, he collaborates with marketing, analyst, and leadership teams to share the company’s story. Prior to Flashpoint, Mike was an Editor of Threatpost, where he covered security issues and cybercrime affecting businesses and end-users.
Prior to joining Threatpost, Mike was Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won several ASBPE national and regional writing awards. In addition, Information Security was a two-time finalist for national magazine of the year. He has been writing for business-to-business IT publications for 11 years, with a primary focus on information security.
Earlier in his career, Mike was an editor and reporter at several Boston-area newspapers. He holds a bachelor’s degree from Stonehill College in North Easton, Massachusetts.