Some of the commonly cited oxymorons are 'military intelligence' and 'central intelligence'. While there are certainly times when the intelligence communities seem to get it wrong, today, we will be defending these intelligence practices and expanding upon them in the area of corporate intelligence.
Government intelligence agencies certainly have their failures. There are many occasions when they draw incorrect conclusions and take questionable actions. But if you look at the history of failures in intelligence (see for example "Military Intelligence Blunders" by Colonel John Hughes-Wilson) you will often see that the problems stem from capabilities that are misused or good information that is ignored by decision-makers. One such blunder, in my opinion, was the US intelligence community actively limiting research in information protection in the United States between 1960 and 2000, thus helping to create many of the dangers we face today in the critical infrastructure protection arena.
On the other hand, these same intelligence agencies have done some things that have saved many lives and fortunes as well as altering the course of nations. Without intelligence operations, top government decision makers would have a hard time making reasonable decisions, wars would likely be more commonplace and more destructive, and delicate negotiations would more often go awry.
The government intelligence perspective has not apparently translated as well into the corporate world as it might, and as a result, many corporate decision makers make decisions lacking good information. The lack of good intelligence and decisive action taken as a result of that information has had a particularly negative effect on corporations in the information protection arena.
Corporations have long been involved in some aspects of intelligence operations. Market intelligence has been and continues to be key to the success of most major corporations in existence today. The widely used SWOT (Strengths, Weaknesses, Opportunities, and Threats) analysis is used in many if not most marketing processes as a way to inform decision makers about strategic decisions.
SWOT analysis is essentially an intelligence process designed to get at the market issues a company faces. In SWOT analysis, the process includes all of the classic intelligence steps:
Frame the objectives: Objectives are framed by the very definition of the SWOT process. The object is to figure out strengths, weaknesses, opportunities, and threats.
Plan: Planning is done by those tasked with SWOT analysis coming up with a means to get to the goal.
Communicate the objectives: Most SWOT analyses involve many participants and there is a communications process whereby those tasked with the analysis communicate the objectives to the participants.
Gathering and collection: The data on strengths, weaknesses, opportunities, and threats is gathered and collected by the participants, typically by having different participants tasked with different aspects of the problem. Results are brought together for use - typically in either a central location or one of a number of 'war rooms' set up for the process.
Processing results: Raw data is typically fused together into tables or a database of some kind in order to make it accessible and put it into common terms. For example, a roll-up of competitors and business conditions that comprise threats might be generated by one group, while strengths might be collected from all divisions of a company.
Analysis and perspectives lead to products: The collections of data on different aspects of the problem are typically merged with a business philosophy and a sense of what the organization can or will be willing to do in a particular time frame and the results are provided in terms of relatively short summaries that reference the underlying data as their basis. These summaries might include several recommended courses of action or options and expected results.
Distribution of the intelligence product: The write-ups are then provided to the various parties involved in the decision process, decisions are made as appropriate, and the content is used to inform further action.
The SWOT analysis is a reasonably well defined and widely used intelligence technique for corporate decision-making, and is a good example of the translation of the classic intelligence process into the corporate setting.
Clearly the translation from marketing methods into effective protection methods is not direct, but just as clearly, doing an effective job in information protection today must involve some sort of intelligence process. This is done on an informal and ad-hoc basis today, and this is something that must change.
Developing a more formal intelligence process for information protection is not a trivial exercise, but there are some guideposts along the way, so I thought I would address this issue in the remainder of this month's article. But before I begin, I should note...
Today, effective information protection organizations do a great deal of intelligence. There are many sources of information that we use for this process, and we often pay consultants very high fees, in large part because they have access to or the time to keep up on this intelligence. Organizations ranging from SANS to LogiKeep to Gartner Group to CERTs to SecurityFocus do one form or another of intelligence gathering with the objective of providing useful intelligence products. Some are free to the user, while others charge up to $10,000 per month for access to this information. Indeed, a small market is beginning to emerge in this arena, and this market will likely grow substantially over the coming years. The question of what form this market takes and what direction it will go in is still up in the air, but it seems clear that this is a burgeoning area of growth.
Companies need to develop more formal techniques for the intelligence process in information protection, but the classic intelligence methodology is likely to fail because of the very diverse intelligence needs and the large range of time frames involved. In some sense, the very existence of the Internet has driven the intelligence requirement toward a different functional structure.
Michael Wilson has looked at the issues behind the intelligence process and has come up with a framework he calls "Continual and Complete" intelligence. This process follows closely the classic intelligence process (e.g., set direction, plan, task assets, gather and collect, process, analyze and create products, distribute products) but adds the notion that all participants may act in all of these roles and that the process is not a periodic process, but rather a continuous one.
This notion - that many individuals may participate in many roles and that the process is continual - seems ideally suited to the needs of information protection in the corporate environment. In particular, there are different sets of roles that different people play, and the intelligence needs of those people in those roles are quite different. The following description is not exhaustive, but I hope it captures some of the essence of what we need and when we need it.
Typically, there are at least 5 roles requiring intelligence about information protection issues:
End users: These people need information that keeps them aware of how to behave, both in general, and during periods of increased crisis. This is typically communicated through a periodic training and awareness process and augmented by alerts of some sort to inform them of a virus they need to react to right away or some other condition of immediate need. This process is typically filtered so that the end user only gets information specifically required for their job function. This allows the end user to proceed in relative ignorance of protection issues except when some action is required on their part.
Systems Administrators and Technical Support Staff: Technical people need technical information. The most timely needs typically include current system status, details of immediate potential causes of harm such as viruses spreading right now, and newly published known vulnerabilities, exploits, and patches of services on platforms they use. This is currently communicated largely through a combination of different high-volume sources with sorting provided by the recipient; however, companies like LogiKeep and SANS now provide services that filter this at a rudimentary level. At a less timely level are product information, changes in overall threat conditions, technology changes, and similar items. This need is currently filled by individual vendor notices and conferences like those at the Computer Security Institute (CSI) and MIS Training Institute (MISTI).
Technical Management: Managers need to make immediate decisions based on a general knowledge of issues, specific understanding of the environment in which they operate, and advice of technical decision-makers. This requires ongoing situational understanding but not specific technical details of every item that comes up. This comes from a combination of business knowledge, information typically provided by technical staff members, intelligence feeds of raw data from sources like SANS, LogiKeep, and similar organizations, and the media. They also need periodic updates on the sorts of events they can expect to experience, and trends that affect their decisions. These sorts of updates are commonly provided by organizations like CSI and MISTI and are customized to business needs by the managers' decisions about which subjects to keep up to date on. Finally, managers need to get strategic information on industry trends that affect the business environment and assistance on long-term issues involved in technology investment. These are generated on a piecemeal basis today by managers seeking information from a multitude of sources of varying degrees of reliability and by human networking with other managers, sometimes in formal fora, but more often by word of mouth. They also seek consulting services for some of this function.
Marketing and Public Relations: The PR and Marketing departments need to have intelligence on internal situations like security incidents because they have to deal with media and customer questions in a manner that presents the business in the most favorable light. This requires a background that allows them to translate the technical issues into words the customer base and public can understand and gain comfort with. This is fulfilled today by limited interaction with technical staff and technical management, select training for public relations and marketing people in this area, and observation of how others in the media react. In the medium term, marketing and public relations need to get information to allow them to do market intelligence (as described above), and this comes from a long-term gathering process.
Top Management: Top management usually tries to avoid getting into tactical situations relating to information technology. If they need to be involved, it is generally at the level of making an official statement or taking an official position on some key issue of a particularly timely matter. They are generally informed by technical management in these situations, although others in the organization and consultants may be involved. For longer term issues, internal staff is augmented by newspapers, magazines, occasional industry meetings, and books.
The needs and time frames for these intelligence customers are widely varied, and yet all of the decisions require some substantial amount of common information and knowledge. For example, at some level or another, all of these decisions require that threat and vulnerability information be gathered and fused with the business situation in order to inform decisions. Unfortunately, today, the intelligence process is poor and thus different facts and summaries are used by different parties and poorly coordinated protection is one of the results.
Ideally, an intelligence process within an organization should allow all customers to be served at the time frames appropriate to their need, with proper controls to prevent information overload, inappropriate access, or exploitation, with a common basis that allows facts to be compared in a sensible way, and with the ability to get at the underlying data should detailed questions arise.
The process by which the needs for these roles may be fulfilled fits clearly within the realm of the intelligence process described for SWOT analysis and that used throughout the intelligence community over the ages, with minor variations:
Frame the objectives: Intelligence objectives are always best set by the customers. In other words, end users, systems administrators and technical support staff, technical management, marketing and public relations, and top management all have to have input into the intelligence process at all times. They need to be able to ask questions and get answers in a timely fashion. Of course, to get high quality answers to all questions instantly is not feasible under any realistic scenario, but for the majority of questions related to information protection, answers can be made available in a suitable time frame by understanding customer needs and planning on fulfilling them.
Plan: The plan in today's environment starts with the list of what is needed when. From that, the intelligence organization searches out the likely sources, preferring fast, reliable, open source, and free - but settling for degradations in all of these parameters as suits the need. Different operatives and capabilities are more likely to be effective at getting different sorts of information, and thus the tasking is developed.
Communicate the objectives: Tasking is usually communicated to those carrying out the tasks by simply telling the people assigned to gather things what they are to gather; however, there is this little thing called budget that sort of goes along with the request and limits its effectiveness. Depending on the organization, the whole vision may or may not be supplied to all collection points. Clearly, government intelligence is highly secretive about objectives because it goes to sources and methods, and disclosure may cause those sources and methods to no longer remain available. In the corporate world, and in the information protection world, the vast majority of this information can be disseminated as desired to the individuals participating in the activity, and it is likely that with a deeper understanding of the overall objectives the participants will be more effective.
Gathering and collection: This activity involves many aspects, ranging from listening in on mailing lists to participating in IRC sessions, automatically looking for changes in web pages, other sorts of technical collection, human collection, attendance at conferences and meetings, contacting experts, talking to vendors, select deceptions, experimentation, and a wide range of other techniques. The information gathered must be put into a usable form, typically either a sequential feed, a web-based mechanism, or a database of some kind. This collected information in the appropriate form is then made available for search, analysis, and correlation by different analysts for different purposes. The initial creation of such a mechanism pales by comparison to the ongoing updating process, which involves periodic recollection or reassessment, ongoing expansion of content over a long period of time, and provision of ongoing access with integrity, access controls, and use controls. Eternal feedback requirements persist to evaluate the reliability and authenticity of data based on its source, the history of that source, what metrics are provided by the source, and the metrics used in the overall system.
Processing results: Once the collection of data is available and being updated, a fusion process is required to allow search, historical trending, and various sorts of correlation by analysts. In order for this to be effective, the customers have to be able to ask questions in an easily expressible form and get reasonably accurate and timely answers in an easily usable form. While classic intelligence systems involve human analysts writing up reports for their intended customers, near-real-time intelligence simply cannot be done cost effectively by constant human write-ups. On the other hand, the vast majority of raw intelligence data in this field is made up of either network activity logs or human-written descriptions. The human descriptions are clearly searchable and readable. Processing commonly involves sorting, and sorting in turn involves an association process whereby some set of search terms is associated with every piece of incoming information. This may be done by humans and/or automation and may have automated elements relating to items such as the information source, type, and language. As information arrives, it may be used in 'live feeds' if real-time or sequential data is required for the analysis, or it may be arranged in a searchable database of some sort, perhaps accessed via a web site, if real-time data is not as important as the ability to search and analyze in depth.
Analysis and perspectives lead to products: Analysis invariably involves human beings who review some portion of the material gathered and produce intelligence products for customers. In this arena there are several important challenges: (1) The analysts must have an efficient way to find the information they need from the mass of information available, attribute it to sources at some level, and associate reliability information with it. (2) The analyst must be good at taking this information, fusing it into something of value, and translating it into a form suitable to the readership. (3) The time and effort required to do this must be justified by the fees generatable from customers. For processes on the time frame of hours or greater, analyses and write-ups of this sort are feasible. Typically, this product will be produced by a combination of subject matter experts, people who have been in positions similar to those of the customer base, and editorial staff. Most such reports take on a standard format to allow readers to find what they are seeking quickly and get similar information about similar topics on a consistent basis.
Distribution of the intelligence product: Most participants in today's unclassified intelligence industry provide feeds in at least two forms, (1) email or some other similar sort of alert or periodic notice mechanism (push technology) and (2) web-based systems (pull technology). Push technology can be in plaintext or encrypted and is intended primarily for alerts or periodic reminders of availability of information on pull technology. Pull technology is typically implemented over an encrypted link and is most useful because it affords the ability to selectively access content, drill-down for more details when desired, and use remote databases to sort and select information based on specific criteria. In today's environment, push and pull technologies are typically combined and email and physical mail are most often used for push (depending on time frame and audience) while the Web is almost universally used for pull technologies. Similarly, email and the Web are typically used for selecting information to be pushed out and communicating intelligence needs to service providers.
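To make the processing and distribution steps concrete, here is an added example (not part of the original article, and not any vendor's product) of a small feed processor in Python: it associates topic terms with each constructed incoming item, scores the item by its source's track record, and pushes it only to the roles described above whose topic set, time frame and reliability floor it satisfies, holding everything else in the searchable pull store. The term taxonomy, source histories and role profiles are assumptions chosen for illustration.

```python
"""Toy intelligence-feed processor: tag incoming items, weight them by source
reliability, and route them to the roles the article describes.
All sample data is constructed; the taxonomy and profiles are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Association terms (assumed taxonomy): a search term -> the topic it signals.
TERM_TOPICS = {
    "worm": "malware", "virus": "malware", "trojan": "malware",
    "patch": "vulnerability", "advisory": "vulnerability",
    "exploit": "vulnerability",
    "merger": "industry", "acquisition": "industry", "market": "industry",
    "breach": "incident", "disclosed": "incident",
}

# Source history drives reliability: (items later confirmed, items seen).
SOURCE_HISTORY = {
    "vendor-advisory": (48, 50),
    "mailing-list": (30, 50),
    "irc-rumour": (5, 50),
    "trade-press": (20, 40),
}

# Which roles consume which topics, and the time frame (hours) they care about.
ROLE_PROFILE = {
    "end_user": {"topics": {"malware"}, "window_hours": 4},
    "sysadmin": {"topics": {"malware", "vulnerability"}, "window_hours": 24},
    "tech_mgmt": {"topics": {"malware", "vulnerability", "incident"},
                  "window_hours": 7 * 24},
    "marketing_pr": {"topics": {"incident", "industry"}, "window_hours": 30 * 24},
    "top_mgmt": {"topics": {"incident", "industry"}, "window_hours": 90 * 24},
}
MIN_RELIABILITY = 0.5  # items below this are held for analyst review, not pushed


@dataclass
class Item:
    source: str
    received: datetime
    text: str
    topics: set = field(default_factory=set)
    reliability: float = 0.0


def reliability(source):
    """Score a source by its history; unknown sources score zero."""
    confirmed, total = SOURCE_HISTORY.get(source, (0, 1))
    return confirmed / total


def tag(item):
    """Association step: attach topics from matching terms and a source score."""
    words = {w.strip(".,;:()").lower() for w in item.text.split()}
    item.topics = {TERM_TOPICS[w] for w in words if w in TERM_TOPICS}
    item.reliability = reliability(item.source)
    return item


def route(items, now):
    """Distribution step: push an item to every role whose topics it matches,
    whose time window it falls inside, and whose reliability floor it clears;
    anything pushed nowhere stays only in the pull store for search."""
    push = {role: [] for role in ROLE_PROFILE}
    pull_store = []
    for item in items:
        tag(item)
        age = now - item.received
        pushed = False
        for role, prof in ROLE_PROFILE.items():
            if (item.topics & prof["topics"]
                    and age <= timedelta(hours=prof["window_hours"])
                    and item.reliability >= MIN_RELIABILITY):
                push[role].append(item)
                pushed = True
        if not pushed:
            pull_store.append(item)
    return push, pull_store


NOW = datetime(2001, 5, 1, 12, 0)
SAMPLE_FEED = [  # constructed items, not real advisories
    Item("vendor-advisory", NOW - timedelta(hours=2),
         "Advisory: patch released for mail server exploit"),
    Item("irc-rumour", NOW - timedelta(hours=1),
         "heard a new worm is spreading fast"),
    Item("trade-press", NOW - timedelta(days=10),
         "Competitor breach disclosed; market reacts"),
    Item("mailing-list", NOW - timedelta(days=3),
         "Virus sample analysis posted"),
]


def demo():
    """Run the sample feed through tagging and routing."""
    return route(SAMPLE_FEED, NOW)


if __name__ == "__main__":
    pushed, held = demo()
    for role, items in pushed.items():
        print(role, [i.source for i in items])
    print("held for review:", [(i.source, i.reliability) for i in held])
```

The unreliable IRC rumour about a worm is the interesting case: it matches the end-user profile on topic and timing but is held back by the reliability floor, which is the filtering the article says end users depend on.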
It is likely that the technologies used for these processes will continue along these lines for some time, but the set of available information and its price will probably change rapidly in the coming months and years as this industry goes through high growth followed by market maturation, creation of niches, and so forth.
Unfortunately, in almost every organization today, including most governments, the costs of building and running such an intelligence process are too high to justify the investment. Instead, companies waste time and money here and there in an inefficient and somewhat ineffective effort to get as close to the intelligence they need for as close to the price they can afford. But this is changing.
The marketplace is starting to adapt to this situation by providing the economies of scale needed to make cost effective intelligence capabilities widely affordable. While it is not cost effective for most organizations to do this function on their own, it is cost effective for some organizations to do a lot of this effort and supply the intelligence products to the other corporations to fill their need for intelligence products.
In this emerging market, the cost benefit trade-offs are not completely clear today, but some things are quite clear. For example, in order to stay pretty much up to date on a few platforms, a technical security person has to spend about 3 hours a day sifting through security events to find the relatively small number of items that are relevant to their job. About 2 of these hours can be saved by having a service that gathers the data from the same sources, sifts out the irrelevant part, and provides what is needed to these folks.
If a technical staff member of this sort is valued at $100,000 per year, and if we assume that we can save 1/4 of their time by this process, this function is worth $25,000 per year per technical security person involved, assuming that this savings can be translated into requiring fewer of these experts or doing their job that much better.
The companies that sift through security-related data for a living typically employ on the order of 50-100 full time employees who spend their full time doing intelligence work. They look at many more sources than a typical security professional working for a normal company would look at, and they do more in-depth analysis than most companies could afford to do. When they do their job well, they produce intelligence products that allow your security people to spend very little time on intelligence and far more time on the more direct part of addressing your security needs.
Here are some common objections:
Objection 1: We don't spend anything like 3 hours per technical security person per day on intelligence-related functions.
Response: Either you are already using a service like the ones I cited above, you have an internal intelligence function like this, or your technical security person is not spending enough time per day on these issues to do the job well. Perhaps there are a few exceptions to this, but there are very few in the networking environment of today.
Objection 2: We can't afford anything like that much.
Response: Fortunately, the cost of these services is low enough that many of the intelligence needs can be fulfilled for far less than that cost. Services start in the $25,000 per year range.
Objection 3: I don't like outsourcing such a vital security function.
Response: Nobody does, but the options are limited. In truth, the vast majority of the sources of information you likely use now are 'outsourced' in that they come from sites on the Internet and the news media. It seems unlikely that you can do this job better than the professionals who do it today.
In any job involving significant analysis, there are intelligence related costs. Specific costs for specific people in specific jobs vary. In cases like information protection, where the cost of intelligence can be substantially lowered while quality and performance improve, there is a strong case to be made for buying the intelligence you need.
For most technical information security staff situations, outsourced intelligence is a cost effective performance enhancement measure. A suitable source should be found and engaged if this situation holds for your organization.
This briefing is a strategic intelligence product whose audience is technical management and top management. It represents a different sort of intelligence product than that which is needed for technical staff members and it therefore involves different trade-offs.
Good technical managers in the information protection arena spend a substantial portion of their time dealing with the application of resources to address corporate needs. Most of the decisions taken at this level are based on situation-specific understanding informed by strategic understanding of technology and related issues within the corporation.
The goals of an intelligence product directed toward these decision makers are to help them (1) make better decisions, (2) carry out these decisions in a more effective manner, and (3) sell these decisions within the corporate environment. This sort of intelligence is particularly important in long-term, high-consequence decisions, but is also of great aid in improving the communications between technical staff and technical management.
Historically, this sort of intelligence has been provided by consultants. For example, it is fairly common for a security director to call in a consulting firm to help them assess a decision on some technical issue. The consulting firm has three roles in this situation. (1) They may reduce risk to the decision maker by providing a trusted outside recommendation. (2) They may provide added technical expertise and experience to help better evaluate technical staff and vendor information. (3) They may provide added personnel time needed to get all of the tasks done in the time frame required for the decision. While there are select times when a consultant can be used to address such a need in a one-day visit, the typical cost of a study related to a key decision starts in the $25,000-$50,000 range.
As in the case of technical staff, there are cost efficiencies to be gained from the fact that many decision-makers in this field have very similar decisions to make. Many $25,000-$50,000 studies can be replaced by a combination of a far less expensive intelligence product, such as this one, and the application of some site-specific knowledge. This can be augmented with the creation of tools to aid the decision-maker in making these decisions. Another potential advantage of the strategic intelligence information is that it removes the dependency on the consultant that most consultants try to foster in order to get ongoing business. Like the difference between teaching a person to fish and giving them a fish, a good intelligence report teaches the reader how to get to the solution; it doesn't just provide a solution.
The most serious limitation of the good strategic intelligence product in this arena is that the specific topic you may need to address may not be available in the time frame you desire. For example, if you just finished a $25,000 consulting study to determine whether or not to purchase an intelligence capability for your technical staff and this report answers most of the same questions, the lack of availability of this information when you needed it may have just cost you a substantial amount of money. A cost effective solution to this problem is a system that allows you to request strategic intelligence on subjects you are interested in.
If a high enough volume of managers have similar issues to be addressed, the intelligence firm can do the study and make a profit while each of the customers saves a substantial amount of time and money. This report is an example of a study generated as a side effect of a substantial number of technical managers asking about these issues, and it represents an economy of scale savings of this sort.
Similar cases can be made for intelligence for top management. These are typically best served by executive briefings such as those provided by the University of New Haven, in which top-flight security directors from companies like Microsoft give executive briefings and lead exercises over a two-day period. In this case the cost efficiency comes from (1) gaining nearly simultaneous access to sets of top-flight individuals that would be very expensive to bring together for a single corporation's top management and could not be brought together for very many of these customers, (2) the benefits associated with the interaction between top management at different organizations on the subject of information protection, which would be very hard to accomplish in other venues, and (3) the resultant set of knowledge and understanding of issues that these decision makers come away with, which would be very hard to get across to them by feeding it to them piecemeal.
In the case of marketing and public relations groups, no current intelligence products are available that meet this particular niche. This represents a market potential that may be fulfilled in the future if someone can figure out how to make this a cost effective product suited to those specific customer needs. For now, this audience is served by what they read in the papers and trade magazines and what they pick up through experience.
For end users, cost efficiency has only been gained in general security awareness niches where there are periodicals, signs, video-tapes, and other similar items that can be purchased for corporate use. This appears to be a result of the need for each corporation to customize its user intelligence to the specifics of the environment and the situation.
An effective intelligence process is in widespread use in industry today - in the marketing arena. A similar process is likely to be highly effective in other corporate functions, and the information protection area is a prime candidate for this process today.
Substantial intelligence products in this space are available today. In many cases, they offer exceptional value by reducing hidden costs companies currently pay for this function and making employees with responsibilities in this area far more effective. They benefit from an economy of scale that few organizations can afford to get on their own, and thus they are an excellent choice for outsourcing. In addition, outsourcing this security function is low risk and high benefit.
In the coming years, the market will produce a wide range of intelligence organizations capable of addressing a wide variety of the most common needs, and niche markets are already in place. If you want high quality intelligence for a very low cost, with the exception of articles like this one, it's not available today. But low quality for low cost is available, as is medium quality for moderate cost and high quality for high cost.
In the coming years, the intelligence process will become as staple a part of the information protection field as access controls and audits are today. The only real question is how you will best use the intelligence processes to bring advantages to your organization and how the intelligence organizations that form will expand into the broader market of overall corporate intelligence over time.
About The Author:
Fred Cohen is thinking inside a bigger box as a Principal Member of Technical Staff at Sandia National Laboratories, helping clients meet their information protection needs at Fred Cohen and Associates, and educating defenders over-the-Internet on all aspects of information protection at the University of New Haven. He can be reached by sending email to fred at all.net or visiting http://all.net/