Introduction
Intelligence is just starting to come into its own within the realm of cyber security, but intelligence as a discipline has a long history in the world of the military and government. In fact, intelligence has existed since before it was a formalized discipline. As discussed later in this chapter, leaders like Sun Tzu and Julius Caesar had very rigorous and well-documented intelligence processes that they followed. These processes contributed greatly to their success – and allowed other leaders to learn from them.
Likewise, today there are many security teams that, knowingly or unknowingly, engage in many of the best intelligence practices. But most of the time, intelligence practices are haphazardly implemented without an eye to the big picture.
The goal of this chapter is to help the reader understand some of the best intelligence practices outside of the realm of network security. By first understanding the fundamentals of intelligence, as a discipline, organizations can take the best practices and use those practices to improve the effectiveness of the network security teams.
A single chapter is not enough to cover all aspects of the intelligence discipline, or to dive deeply into any one topic. Instead, the hope is to start a discussion about changing the way network security is thought of within an organization and improve the ability of teams to effectively address the most important challenges facing their organization.
Defining intelligence
Despite the fact that the military and governments have engaged in intelligence activities for thousands of years, there is surprisingly little consensus about the definition of intelligence. A quick review of literature shows a range of definitions, none of which seems complete.
The CIA, for example, describes intelligence this way:
Reduced to its simplest terms, intelligence is knowledge and foreknowledge of the world around us — the prelude to decision and action by US policymakers.
On the other hand, the FBI uses the following definition (FBI, 2014):
Simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions – specifically, decisions about potential threats to our national security.
The Department of Defense (DOD) defines intelligence as (DOD, 2014):
The product resulting from the collection, processing, integration, evaluation, analysis, and interpretation of available information concerning foreign nations, hostile or potentially hostile forces or elements, or areas of actual or potential operations.
The FBI and DOD definitions view intelligence as either a product or a process, and there is no doubt those are important parts of the definition, but they are also limiting. The CIA definition is broad, maybe even too broad, but it takes into account that intelligence involves understanding the context of the data collected.
The definition of intelligence has been debated in scholarly journals for years. One problem in creating a more focused definition is that different groups have different uses for intelligence. A military commander in the field has different needs than a legislative body attempting to write policy based on intelligence.
No matter the role of the end user for intelligence, intelligence, at its core, is information. However, not all information is intelligence. As Michael Warner (2007) writes in Wanted: A Definition of “Intelligence”: Understanding Our Craft, “For producers of intelligence, however, the equation ‘intelligence = information’ is too vague to provide real guidance in their work.” After his review of the literature, Warner (2007) comes up with the following definition:
Intelligence is secret, state activity to understand or influence foreign entities.
This gets pretty close to a workable definition, but it ignores the fact that not all intelligence is secret. Especially in the age of Google, open source intelligence (OSINT) has become a critical tool in the arsenal of the intelligence analyst.
Gill and Phythian (2012) noticed the same deficiency in Warner’s definition and expanded on it in their book Intelligence in an Insecure World with the following:
Intelligence is the umbrella term referring to the range of activities – from planning and information collection to the analysis and dissemination – conducted in secret and aimed at maintaining or enhancing relative security by providing forewarning of threats or potential threats in a manner that allows for the timely implementation of a preventive policy or strategy, including, where deemed desirable, covert activities.
Although this definition is longer than Warner’s, it is more complete and it makes an important distinction: what data is being collected should be kept secret from the enemy, but the data itself does not necessarily have to be secret.
Even though Gill and Phythian’s proposed definition is among the most complete, there is still a nagging problem with all modern definitions of intelligence: the focus is only on the external. Stepping back from modern definitions for a second, Sun Tzu (2012a), who is often quoted by network security professionals, wrote the following in The Art of War:
Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles.
A well-run organization cannot have an effective intelligence program without a complete and honest assessment of its own strengths and weaknesses. Not only is that assessment critical, it should be performed on a regular basis – this allows leaders to make informed decisions as to the best preventive policy or strategy.
Without attempting to rewrite the definition of intelligence, keep in mind that knowing what is happening within an organization or even country can be just as important as what is happening outside.
The intelligence cycle
To create a successful intelligence program, an organization needs a framework within which it can operate. A framework helps to establish the ways in which intelligence will be gathered and delivered. It should be open enough to operate in multiple environments and timeframes, and be usable by different groups in the organization. At the same time, it should be restrictive enough to foster a professional environment with clearly defined roles.
Most organizations use a variation of the intelligence cycle outlined in Figure 2.1 as their framework for building and maintaining an intelligence organization.
Figure 2.1 The intelligence cycle.
The intelligence cycle in Figure 2.1 works because it has clearly defined roles built around a specific mission. The model is also portable enough to be used for both large-scale and small-scale missions, often simultaneously. On the one hand, the mission could be “Protect the United States”; it could also be “Determine al-Shabaab’s Weapons Capabilities.” Note that the two missions are not necessarily mutually exclusive: learning more about the weapons capabilities of the terrorist group al-Shabaab could increase the security of the United States. One intelligence cycle can inform other cycles.
Another important aspect of the intelligence cycle is that it is intentionally designed as a circle, because the cycle is continuous. Once the mission has been assigned, planning and direction are handled by the organization’s leaders. Data is collected, processed, and delivered to an analysis team for review, which then publishes the results to the required parties. The results of the intelligence analysis drive new intelligence requirements, which lead the leadership to task the collection team to begin gathering data, and the process continues.
In addition to being a continuous loop, there should also be feedback from different groups within the organization throughout the process. A well-run intelligence organization does not rely on leadership to facilitate communication between the various teams. For intelligence teams to operate effectively, there has to be open communication and information...