Tuesday, February 26, 2013

Lessons from Journalism in Threat Intelligence

Seth Godin has a great blog post that is relevant to information security professionals. He discusses the problem that the closer you are to an event, the more expensive and less reliable the information about it is. This problem directly correlates to issues we face in trying to get reliable information about threats, vulnerabilities or other news. That's because, as time goes on, the story gets shaped and influenced by multiple accounts, investigations and analysis.

Try this experiment. Find all of the Twitter messages about China and Hacking from the last 6 months and read them, as well as the linked articles. I'll wait. Ha - just kidding, that'd take you years to take in (if you did exactly what I said, I apologize - don't follow every instruction you read on the internet)! Now go take a look at a few articles on China and Hacking in a reputable business periodical like The Economist, Time, etc. In 45 minutes you're up to date on everything from 6 months of Twitter feeds. 45 minutes versus 1+ years. That's a huge difference in terms of cost.

And reliability also suffers. In going through the Twitter exercise (again, really sorry about that lost year) you probably found that lots of the info was bogus, misleading, duplicated, or built on bad conclusions. Acting on that bad information costs money too (unless you spend lots of money trying to eliminate the bad information, which is itself a cost).

Most companies have figured out that it's expensive to stay up to date on information. That's why there's a big business in Threat Intelligence services. Companies outsource that function. But it's still important to keep in mind that you'll never have a perfect picture of the news just after it's happened. Think of it like a Polaroid picture. No matter how much you blow on it or shake it, it still develops at the same speed.