How Not To Define Threat Intelligence
At this year’s RSA Conference, there was a podcast recorded about threat intelligence. Weh-hey-hey, you say, that’s unique! Now, for reasons that escape explanation, HelpNet Security has transcribed an apparently pay-for-play infomercial featuring John Czupak, CEO at ThreatQuotient, and Jonathan Couch, Senior VP of Strategy at ThreatQuotient, talking about what’s important to know about the difference between threat intel versus threat intelligence platforms, how threat intelligence changed over the past few years, and much more.
I am a connoisseur of propaganda. The single best one-night stand in my life was with a gorgeous Israeli army lieutenant who stated proudly that propaganda was her job description (my God, you should have seen her).
Yet here is something special: propaganda that is notable for being both (a) utterly incapable of defining its own message and (b) confusing the marketplace.
On its face, “What is threat intelligence?” is a great question to handle in the world of propaganda, because lots of people actually are interested in the answer. So let’s just take the first question, which is not that (how one can begin a propaganda set-piece without defining what it is one is speaking about is beyond me, but there it is), but rather, “How do you differentiate all the threat intelligence programs out there?”
Actually, here is the question verbatim, as transcribed by HelpNet’s Mirko Zorz:
“Let’s get into this conversation. Couch, most people have heard of threat intelligence, but can you give us a quick overview of what’s important to know about the difference between threat intel versus threat intelligence platforms? Where does ThreatQuotient fall into this kind of market that we have here?”
Ladies and gentlemen, that is what we in the business refer to as, “a softball,” meaning that it is a question that is so easy to answer, so completely fundamental to what the person receiving the question does every day, that the person should be able to slam the answer like a big, fat, slow-pitched softball, right out of the ballpark. Instead, Couch’s answer is insufferable, jargon-packed, and manages to aggravate the problem our industry faces (namely, that few people can cogently explain what “threat intelligence” is and why one might want it).
Couch defines a word with the word, then uses the word again and again, to not answer the question:
Here is Couch’s answer, again, as transcribed by Zorz:
“Definitely. I think one of the key differences is really the fact that threat intelligence provides you a lot of information and intelligence about what the threats are to your network, and what you need to focus in on from a security perspective. But threat intelligence platforms are, really, that next step in the operational chain. It’s how you actually use, consume and utilize the threat intelligence that’s out there.”
Blink. Blink. How does one screw an unscrewable pooch?
To illustrate why I think this is so noteworthy, let me substitute some words:
Me: Oh, say, Couch, most people have heard of cancer treatment, but can you give us a quick overview of what’s important to know about the difference between cancer treatment versus cancer treatment centers? Where does Sloan Kettering fall into this kind of market that we have here?
Couch: “Definitely. I think one of the key differences is really the fact that cancer treatment provides you a lot of treatment about how the cancer affects your body, and what you need to focus in on from a medical perspective. But cancer treatment centers are, really, that next step in the operational chain. It’s how you actually use, consume and utilize the cancer treatment that’s out there.”
First, people must simply stop answering questions with the words, “definitely,” and “absolutely,” and also, they must stop beginning their answers with the word, “So…” When they do this, they sound like idiots.
Second, lest you think I am cherry-picking what Couch said, and taking his lead-in out of context (a lead-in! For a softball! On his own podcast!), this is the transcript of the next thing Couch said after the first perplexing pile of gobbledygook Couch ejaculated into the microphone:
“It’s not just the creation of threat intelligence, but it’s that consumption, it’s bringing it in, figuring out what the context is around all those threats that are out there, and figuring out the relevance. Does your business, does your organization care about it? And then, how do you utilize that within your network? How do you deploy it out to your sensor grid? How do you communicate with the executives in your company? How do you work with other business units in the company? So, threat intelligence platforms are there to really enable that consumption and use of threat intelligence within your environment.”
Anyone who knows what Couch is describing, and how it differentiates “threat intel” from a “threat intelligence platform,” raise your hand – and Couch…put your hand down.
To hear someone who makes sense in this area - that is, propaganda that’s actually useful to those trying to understand the topic - consider Eric Olson’s 2014 Cyveillance (now Looking Glass Cyber) presentation, Concrete Steps to Deploy an Effective Threat Intelligence Capability, which goes beyond jargon and into definitions of what threat intelligence is, and how one might conceivably use it to defend one’s business.