Do you use threat intelligence? Are you getting the value you expected?
It’s a crowded space swirling with confusion. I don’t write about it often because it’s hard to sift through the jargon to get down to what actually matters.
Josh Lefkowitz of Flashpoint
I recently had the chance to talk with Josh Lefkowitz, the CEO and Co-Founder of Flashpoint. Josh spent the majority of his career focused on applying intelligence to support counterterrorism. During our conversation he talked about pivoting from threat intelligence to business risk intelligence.
It clicked with me.
I was so excited about the pivot that we invited him as a guest on Startup Security Weekly (episode 19). It’s an interview I’ll watch again just to take notes.
After the discussion and interview, I invited Josh to share his insights on how security leaders can cut through the confusion of threat intel and pivot to business risk intelligence.
Why is there so much confusion about threat intelligence?
One of the biggest challenges, honestly, is that there are so many convoluted definitions of threat intelligence due to a mix of poor understanding, mixed marketing, and would-be intelligence vendors with little to no true intelligence vision or leadership. Because the definition of threat intelligence has become so vague, it’s making it even more difficult for security and intelligence practitioners to determine exactly what intelligence ― if any ― they are actually getting.
The three primary problems I see are:
Open web “intelligence” is not intelligence. It is data.
Too many people are touting “full coverage” of the deep and dark web based on automation or spidering, and that is not achievable with those methods.
This notion of predictive intelligence based on analyzing the past is creating false expectations for buyers who later realize they aren’t getting new information.
Threat intelligence must improve risk profiles and the ability to manage risk -- not just in cybersecurity operations, but also physical security and supply chain risk, among others -- in order to make better decisions. And if it can’t do that, then that uninformed “data” otherwise described as intelligence just wastes time and resources. More data does not equal better intelligence. However, contextual intelligence derived from deep and dark web data can deliver truly invaluable insights for better decision-making when gathered and processed correctly, securely, and by individuals with ample skills.
That means understanding what is actually important to the organization. How do you figure that out?
No company is alike, regardless of the same industry, size, geography. They all have different business and security challenges, and even profiles of executives, so they need to be treated as such. It’s always best to start by analyzing their unique needs and challenges to provide contextual intelligence versus just data. In our case, during a new customer’s first 90 days, we work together with their teams to evaluate their current cyber intelligence collection capabilities, assess what is mission critical to the organization, and then turn these needs into intelligence requirements.
We also discuss relevant emerging threats to their industry, geography, and supply chain. Since there are countless ways to approach and develop a Business Risk Intelligence program, we try to be as comprehensive and proactive as possible. It’s also very important for us to be in constant communication with our customers. We all know that threats and breaking research findings occur often in this industry, so we need to make sure our customers are always as informed as possible. This includes ensuring they have direct access to our multilingual intelligence analysts, as well as welcoming them into our customer community ― a close-knit, trusted network of peers and industry-specific security professionals that fosters sharing and collaboration in real-time as threats emerge.
It boils down to asking, “What decisions do you want to make better?” Can you offer some examples?
This relates to the onboarding process, and how different every organization is and needs to be treated as such. Just as individuals have unique needs and require a sensitivity to their perspectives when making decisions, so do organizations. Whether an organization has an entire department of seasoned intelligence analysts, or a smaller team that needs more daily support, it demands a mix of the right people, data, and technology.
In one example involving supply chain risk, Flashpoint’s intelligence derived from an underground community revealed a vulnerability pertaining to an upstream supplier of medical software used by over 100 U.S.-based hospitals and health care facilities. We were able to provide early warning to organizations relying on the software to manage sensitive patient data and communications, thus creating an opportunity to mitigate risk prior to an incident.
The second example addresses physical security, which is too often overlooked in the context of cyber threat intelligence. As the overlap between the cyber and physical threat landscapes expands, threat actors active in illicit online communities pose serious risks to organizations’ physical security. But, as most enterprise physical security teams lack visibility into the cyber threat landscape and vice versa, organizations often are not fully aware of relevant physical threats.
When this particular customer had a high-profile executive from a Fortune 100 company plan to attend a popular public event, the company’s physical security teams used our Business Risk Intelligence to identify and investigate previously-unknown threat actors located in the vicinity of the event. This visibility enabled security teams to leverage a threat-based approach by deploying resources in priority areas to protect their executive and reduce risks to physical security.
What is the difference between threat intelligence and business risk intelligence?
The reason we talk about Business Risk Intelligence, or BRI, is that it broadens the scope of cyber intelligence beyond threat detection to provide relevant context to business units not traditionally afforded the benefits of intelligence derived from the deep and dark web; BRI goes beyond the empty “data” of other claimed intelligence offerings we spoke about earlier. It also requires highly skilled deep and dark web teams with the ability to go far beyond automation in exploring the dark web to support our clients.
BRI was developed to better serve organizations’ diverse needs by addressing a gap in the cyber intelligence market. This gap emerged years ago after cyber intelligence’s role as a fundamental necessity was initially established within corporate America under the recognized label of Cyber Threat Intelligence (CTI). The CTI function facilitates a highly-reactive approach to security, as it is largely anchored across industry verticals by way of Indicators of Compromise (IoCs). It’s important to note that since CTI was developed solely to serve cybersecurity teams, it does little to support other business functions or foster cross-enterprise collaboration.
BRI’s widespread versatility enables organizations to not only bolster cybersecurity but also confront fraud, detect insider threats, enhance physical security, assess M&A opportunities, and address vendor risk and supply chain integrity. Organizations with robust BRI programs have successfully gained an increased understanding of the impact, relevancy and corresponding business risks from malicious insiders, hacktivist groups, nation state and cyber threat actors, and radical jihadists.
How can a security leader embrace and get ahead of this opportunity?
Many of our current customers are thought leaders in their own right, in how they have stepped up to implement BRI programs in their organizations. Some have used the intelligence and RFIs that we provide to them to create their own internal “fusion centers” for intelligence sharing, not only within their intelligence or cyber teams, but their physical security, legal, and other teams that could be privy to third-party risk. For our customers, some of this is driven by the community we have invited them into, which I discussed earlier, and they have based some of their internal sharing on our sharing model. Sometimes this includes an FYI on industry happenings they might’ve missed, or more often it includes very enriched intelligence reports. I’ve seen this also foster cross-company collaboration, where companies in similar sectors enter into discussions about our reports and share information that they have seen, in order to best protect their industries as a whole.
While business can be competitive, true security leaders understand that there’s no room for intelligence “hoarding” when it means a safer landscape for everyone potentially impacted by an actor or cyber threat.