Managing Network Security

Corporate Security Intelligence

The Oxymorons

Some of the commonly cited oxymorons are 'military intelligence' and 'central intelligence'. While there are certainly times when the intelligence communities seem to get it wrong, today, we will be defending these intelligence practices and expanding upon them in the area of corporate intelligence.

Government intelligence agencies certainly have their failures. There are many occasions when they draw incorrect conclusions and take questionable actions. But if you look at the history of failures in intelligence (see for example "Military Intelligence Blunders" by Colonel John Hughes-Wilson) you will often see that the problems stem from capabilities that are misused or good information that is ignored by decision-makers. One such blunder, in my opinion, was the US intelligence community actively limiting research in information protection in the United States between 1960 and 2000, thus helping to create many of the dangers we face today in the critical infrastructure protection arena.

On the other hand, these same intelligence agencies have done some things that have saved many lives and fortunes as well as altering the course of nations. Without intelligence operations, top government decision makers would have a hard time making reasonable decisions, wars would likely be more commonplace and more destructive, and delicate negotiations would more often go awry.

The government intelligence perspective has not apparently translated as well into the corporate world as it might, and as a result, many corporate decision makers make decisions lacking good information. The lack of good intelligence and decisive action taken as a result of that information has had a particularly negative effect on corporations in the information protection arena.


Corporate Intelligence

Corporations have long been involved in some aspects of intelligence operations. Market intelligence has been and continues to be key to the success of most major corporations in existence today. The widely used SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is used in many if not most marketing processes as a way to inform decision makers about strategic decisions.

SWOT analysis is essentially an intelligence process designed to get at the market issues a company faces. In SWOT analysis, the process includes all of the classic intelligence steps:

The SWOT analysis is a reasonably well defined and widely used intelligence technique for corporate decision-making, and is a good example of the translation of the classic intelligence process into the corporate setting.


Marketing is Not the Same as Security

Clearly the translation from marketing methods into effective protection methods is not direct, but just as clearly, doing an effective job in information protection today must involve some sort of intelligence process. This is done on an informal and ad-hoc basis today, and this is something that must change.

Developing a more formal intelligence process for information protection is not a trivial exercise, but there are some guideposts along the way, so I thought I would address this issue in the remainder of this month's article. But before I begin, I should note...

Today, effective information protection organizations do a great deal of intelligence. There are many sources of information that we use for this process, and we often pay consultants very high fees, in large part because they have access to or the time to keep up on this intelligence. Organizations ranging from SANS to LogiKeep to Gartner group to CERTs to SecurityFocus do one form or another of intelligence gathering with the objective of providing useful intelligence products. Some are free to the user, while others charge up to $10,000 per month for access to this information. Indeed, a small market is beginning to emerge in this arena, and this market will likely grow substantially over the coming years. The question of what form this market takes and what direction it will go in is still up in the air, but it seems clear that this is a burgeoning area of growth.


A More Formal Intelligence Process

Companies need to develop more formal techniques for the intelligence process in information protection, but the classic intelligence methodology is likely to fail because of the very diverse intelligence needs and the large range of time frames involved. In some sense, the very existence of the Internet has driven the intelligence requirement toward a different functional structure.

Michael Wilson has looked at the issues behind the intelligence process and has come up with a framework he calls "Continual and Complete" intelligence. This process follows closely the classic intelligence process (e.g., set direction, plan, task assets, gather and collect, process, analyze and create products, distribute products) but adds the notion that all participants may act in all of these roles and that the process is not a periodic process, but rather a continuous one.

This notion - that many individuals may participate in many roles and that the process is continual - seems ideally suited to the needs of information protection in the corporate environment. In particular, there are different sets of roles that different people play and the intelligence needs of those people in those roles are quite different. The following description is not exhaustive, but I hope it captures some of the essence of what we need and when we need it.


Roles and Needs

Typically, there are at least 5 roles requiring intelligence about information protection issues:

The needs and time frames for these intelligence customers are widely varied, and yet all of the decisions require some substantial amount of common information and knowledge. For example, at some level or another, all of these decisions require that threat and vulnerability information be gathered and fused with the business situation in order to inform decisions. Unfortunately, today, the intelligence process is poor and thus different facts and summaries are used by different parties and poorly coordinated protection is one of the results.

Ideally, an intelligence process within an organization should allow all customers to be served at the time frames appropriate to their need, with proper controls to prevent information overload, inappropriate access, or exploitation, with a common basis that allows facts to be compared in a sensible way, and with the ability to get at the underlying data should detailed questions arise.


Process

The process by which the needs for these roles may be fulfilled fits clearly within the realm of the intelligence process described for SWOT analysis and that used throughout the intelligence community over the ages, with minor variations:

It is likely that the technologies used for these processes will continue along these lines for some time, but the set of available information and its price will probably change rapidly in the coming months and years as this industry goes through high growth followed by market maturation, creation of niches, and so forth.


Cost efficiency of corporate intelligence

Unfortunately, in almost every organization today, including most governments, the costs of building and running such an intelligence process are too high to justify the investment. Instead, companies waste time and money here and there in an inefficient and somewhat ineffective effort to get as close as possible to the intelligence they need at as close as possible to a price they can afford. But this is changing.

The marketplace is starting to adapt to this situation by providing the economies of scale needed to make cost effective intelligence capabilities widely affordable. While it is not cost effective for most organizations to do this function on their own, it is cost effective for some organizations to do a lot of this effort and supply the intelligence products to the other corporations to fill their need for intelligence products.

In this emerging market, the cost benefit trade-offs are not completely clear today, but some things are quite clear. For example, in order to stay pretty much up to date on a few platforms, a technical security person has to spend about 3 hours a day sifting through security events to find the relatively small number of items that are relevant to their job. About 2 of these hours can be saved by having a service that gathers the data from the same sources, sifts out the irrelevant part, and provides what is needed to these folks.

If a technical staff member of this sort is valued at $100,000 per year, and if we assume that we can save 1/4 of their time by this process, this function is worth $25,000 per year per technical security person involved, assuming that this savings can be translated into requiring fewer of these experts or doing their job that much better.

The companies that sift through security-related data for a living typically employ on the order of 50-100 full time employees who spend their full time doing intelligence work. They look at many more sources than a typical security professional working for a normal company would look at, and they do more in-depth analysis than most companies could afford to do. When they do their job well, they produce intelligence products that allow your security people to spend very little time on intelligence and far more time on the more direct part of addressing your security needs.

Here are some common objections:

In any job involving significant analysis, there are intelligence related costs. Specific costs for specific people in specific jobs vary. In cases like information protection, where the cost of intelligence can be substantially lowered while quality and performance improve, there is a strong case to be made for buying the intelligence you need.

For most technical information security staff situations, outsourced intelligence is a cost effective performance enhancement measure. A suitable source should be found and engaged if this situation holds for your organization.


What about technical management?

This briefing is a strategic intelligence product whose audience is technical management and top management. It represents a different sort of intelligence product than that which is needed for technical staff members and it therefore involves different trade-offs.

Good technical managers in the information protection arena spend a substantial portion of their time dealing with the application of resources to address corporate needs. Most of the decisions taken at this level are based on situation-specific understanding informed by strategic understanding of technology and related issues within the corporation.

The goals of an intelligence product directed toward these decision makers are to help them (1) make better decisions, (2) carry out these decisions in a more effective manner, and (3) sell these decisions within the corporate environment. This sort of intelligence is particularly important in long-term high consequence decisions, but is also of great aid in improving the communications between technical staff and technical management.

Historically, this sort of intelligence has been provided by consultants. For example, it is fairly common for a security director to call in a consulting firm to help them assess a decision on some technical issue. The consulting firm has three roles in this situation. (1) They may reduce risk to the decision maker by providing a trusted outside recommendation. (2) They may provide added technical expertise and experience to help better evaluate technical staff and vendor information. (3) They may provide added personnel time needed to get all of the tasks done in the time frame required for the decision. While there are select times when a consultant can be used to address such a need in a one-day visit, the typical cost of a study related to a key decision starts in the $25,000-$50,000 range.

As in the case of technical staff, there are cost efficiencies to be gained from the fact that many decision-makers in this field have very similar decisions to make. Many $25,000-$50,000 studies can be replaced by a combination of a far less expensive intelligence product, such as this one, and the application of some site-specific knowledge. This can be augmented with the creation of tools to aid the decision-maker in making these decisions. Another potential advantage of the strategic intelligence information is that it removes the dependency on the consultant that most consultants try to foster in order to get ongoing business. Like the difference between teaching a person to fish and giving them a fish, a good intelligence report teaches the reader how to get to the solution; it doesn't just provide a solution.

The most serious limitation of the good strategic intelligence product in this arena is that the specific topic you may need to address may not be available in the time frame you desire. For example, if you just finished a $25,000 consulting study to determine whether or not to purchase an intelligence capability for your technical staff and this report answers most of the same questions, the lack of availability of this information when you needed it may have just cost you a substantial amount of money. A cost effective solution to this problem is a system that allows you to request strategic intelligence on subjects you are interested in.

If a high enough volume of managers have similar issues to be addressed, the intelligence firm can do the study and make a profit while each of the customers saves a substantial amount of time and money. This report is an example of a study generated as a side effect of a substantial number of technical managers asking about these issues, and it represents an economy of scale savings of this sort.


Other Customers

Similar cases can be made for intelligence for top management. These are typically best served by executive briefings such as those provided by the University of New Haven, in which top flight security directors from companies like Microsoft give executive briefings and lead exercises over a two-day period. In this case the cost efficiency comes from (1) gaining nearly simultaneous access to sets of top flight individuals that would be very expensive to bring together for a single corporation's top management and could not be brought together for very many of these customers, (2) the benefits associated with the interaction between top management at different organizations on the subject of information protection, which would be very hard to accomplish in other venues, and (3) the resultant set of knowledge and understanding of issues that these decision makers come away with would be very hard to get them to understand by feeding it to them piecemeal.

In the case of marketing and public relations groups, no current intelligence products are available that meet this particular niche. This represents a market potential that may be fulfilled in the future if someone can figure out how to make this a cost effective product suited to those specific customer needs. For now, this audience is served by what they read in the papers and trade magazines and what they pick up through experience.

For end users cost efficiency has only been gained in general security awareness niches where there are periodicals, signs, video-tapes, and other similar items that can be purchased for corporate use. This appears to be a result of the need for each corporation to customize its user intelligence to the specifics of the environment and the situation.


Conclusions

An effective intelligence process is in widespread use in industry today - in the marketing arena. A similar process is likely to be highly effective in other corporate functions, and the information protection area is a prime candidate for this process today.

Substantial intelligence products in this space are available today. In many cases, they offer exceptional value by reducing hidden costs companies currently pay for this function and making employees with responsibilities in this area far more effective. They benefit from an economy of scale that few organizations can afford to get on their own, and thus they are an excellent choice for outsourcing. In addition, outsourcing this security function is low risk and high benefit.

In the coming years, the market will produce a wide range of intelligence organizations capable of addressing a wide variety of the most common needs and niche markets are already in place. If you want high quality intelligence for a very low cost, with the exception of articles like this one, it's not available today. But low quality for low cost is available, as is medium quality for moderate cost and high quality for high cost.

In the coming years, the intelligence process will become as staple a part of the information protection field as access controls and audits are today. The only real question is how you will best use the intelligence processes to bring advantages to your organization and how the intelligence organizations that form will expand into the broader market of overall corporate intelligence over time.


About The Author:

Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over-the-Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/