Another Paradigm Shift - I'm Getting Motion Sickness

Monday, July 08, 2013

Jim Palazzolo

888605c6c25c19e41bbbb986ea6d43c1

It’s been quite some time since my last post.  Let’s take another walk down the road of Cyber Security, but this time let’s talk about the Intelligence Paradigm.  

Within Information Security Operations the derived value is in the response to correlated data.  These sources typically tend to scale horizontally as organizations buy into further hard assets to assist them in mining the Big Data for answers.  However, recently I had the opportunity to study this process and found that many, if not all organizations, still struggle with getting in front of the data. 

When I consider this challenge I envision a mighty river that engineers are attempting to redirect for natural resource value.  If they can control the direction of this river then they can extract its power and provide natural power to several cities.  Past experience has proven that with insightful analytics security events can be found and responded too, but after spending hours with Security Operations personnel I have found that the task is becoming more complex; and, that the data is becoming more disparate. 

Eventually I found myself recognizing that the best practice is the greatest deficit in the determining of an acceptable success metric when mining the data for answers.  What do I mean by that?  Years ago someone said that best practice was to pull all the data back into centrally managed source that the enterprise can tap into.  However, this is counter intuitive to the direction of the business.  Therefore, individual(s) end up believing they can stand in the middle of a raging river and not get swept away.  It is not natural for an enterprise in today’s computing culture not use cloud resources.  Business after business is looking for cost effective ways to save money on the IT bill. 

What this means for the business-to-security relationship is that you can’t stop the tide, but you can enjoy the ride.  What I have determined is that there is huge focus on tools, and very little focus on process; and, even less on internal Intelligence.  There are hundreds of resources that security professionals can pull against for information, but if internal Intelligence is not embraced than the whole process of Data Management for Security is bunk. 

There needs to be a shift in the paradigm from media marketing to common sense about the battle space.  Yes – battle space.  It does not matter if you are a business, government, mercenary unit, mom-and-pop store, web warehouse, or any other type of functional name plate the game is still the same.   There are two portions to an Intelligence program:  Internal Intelligence (self awareness) and external Intelligence (situational awareness).  Marketing hype has made us believe that if we have great external Threat Intelligence that all of our problems will be solved.

Nothing could be further from the truth.  The paradigm is mistaken and misunderstood.  You cannot accurately answer the value of ‘y’ if your value of ‘x’ is incomplete; and, if you are attempting to achieve an absolute truth of ‘1’ then neglecting internal Intelligence is a thought failure.  The rivers of information have always been there and the data to perform the analysis is in no short supply, but it’s the thought leadership behind the paradigm’s architecture that has failed us.  We need to leverage internal Intelligence with external Intelligence to paint the complete picture that management can accurately react to. 

To conclude:  it is not about what Gartner says is good for you; it’s about the way we practically perceive a healthy security environment.  So before you protect the data, find the data.  Before you create security controls, find the assets.  Before you think about the future, find the blueprints for today.  Before you attempt to know others, know yourself first. 

Possibly Related Articles:
8082
Gartner Information Security Intelligence
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.