The 3 Pillars of Intelligence: Shaping Policy
January 13, 2015
In today’s world of evolving threats and a geo-political landscape that opens up attacks on private organizations by nation-state sponsored entities, security is a game. Inside every game, there is a strategy put in play to win. You base your strategy off of your opponent’s strengths and weaknesses, as well as your own. This is where intelligence comes in.
For intelligence to support an organization’s security strategy, it requires an ecosystem built around stakeholders at the strategic, operational and tactical levels. The consumers of strategic intelligence are the executives and leadership of an organization. For operational intelligence, it is the security analyst performing daily, SOC-style operations. On the tactical level, it can be split between security operations and incident response teams or the CSIRT. This dynamic approach creates an ecosystem that ensures coverage of intelligence throughout the organization and provides overall situational awareness as well as tailored analysis.
This blog series will cover how to effectively use intelligence in the game at all three levels, defining the purpose of each level as a pillar used to hold up the security program. The first pillar we will discuss is how strategic intelligence can help an organization Shape Policy.
If you were to ask a CISO “What drives security?” you would receive a number of answers, ranging from budget to technology to people. In reality, policy is what drives security operations.
Policy defines controls and provides justification for purchasing and implementing technologies as well as obtaining the personnel to manage and monitor the infrastructure. Policy establishes how an enterprise meets and maintains any number of compliance requirements and federal regulations. The policy enacted for the organization directs proper user behavior (e.g. who can access critical infrastructure and what privileges user accounts have). In the end, it is policy that defines what security should be. Strategic intelligence is a driving factor in shaping and establishing that policy, from the boardroom down to the end-user.
This level of intelligence is tailored to deal with more long-term analysis of threats or problems that an organization will face based on its size, industry and current state of the security program. It also delivers to operations and senior leadership the intelligence needed for policy, planning and resource allocation. The decisions made at this level directly influence the next two levels.
One of the major components of strategic intelligence that helps shape policy is risk management. This goes beyond identifying cyberthreats an organization may face, concentrating instead on the risk associated with these threats. Once that is determined, leadership can create or modify policy to reduce the level of risk the organization faces.
The image above is a high-level view of four strategic threat groups that a majority of organizations encounter. The key is in determining how these threats relate to your business. For example, an organization in the retail industry has a higher likelihood of encountering threats from a financial gain actor than from a hacktivist. A company specializing in agricultural manufacturing or energy faces a greater threat from a nation-state sponsored actor. Once these threat groups are prioritized (High – Medium – Low), the policy creators and analysts can determine risks associated with these threats based on policy and technologies currently in place and then adjust the policy as necessary.
Intelligence requirements are the basis for defining what analysts are concerned with when collecting and analyzing information, and they enable the timely dissemination of an analytical product. Strategic intelligence supports senior leadership’s overall strategy to reduce risk, and it is their responsibility, as the consumers of the intelligence, to identify and task the appropriate intelligence requirements. Once identified and tasked, these requirements focus the collection and analysis of operational and tactical intelligence as well. This interaction between the levels of intelligence will build the necessary ecosystem for intelligence operations.
Flow of Intelligence: An Ecosystem
Threat Intelligence is a learning ecosystem that cannot be purchased. Strategic, operational and tactical intelligence all play off each other to reduce risk associated with defined threats and enhance decision making at all levels. Strategy Shapes Policy and defines intelligence requirements that are prioritized to Drive Operations on a daily basis and Lead Response in the event of a breach or incident.
In the next part of this series, we will cover the second pillar of this ecosystem - Drive Operations - to see how intelligence can provide greater situational awareness in daily security operations.