Jon Watada is the Director for Cyber Solutions at Lockheed Martin's Information Systems & Global Solutions business serving the Federal, Commercial, Global, Defense & Intelligence communities.
Remember the last time that you went to an all-you-can-eat buffet and had a difficult time determining which food group to start with? (I often ask myself, should I start with a salad or head straight to the good stuff?) And do you remember that overstuffed feeling you had once you finished overeating and waddled your way out of the restaurant?
Cyber data is the same way. Almost every device in your IT enterprise produces some data that should be analyzed. Firewalls, routers, servers, antivirus devices, traffic analyzers, and mail scanners are all found in most larger IT enterprises. Additionally, scores of commercial companies have cropped up to offer everything from aggregated raw cyber data to finished cyber intelligence and everything in between. Understanding what cyber data to put on your plate, and how to consume this buffet of data, is a crucial step in protecting your enterprise.
For starters, your enterprise should be its own best source of cyber data. This is the only way to really understand the threats that your organization faces and what data your adversaries are after. Your cyber data should serve as the primary basis from which your analysts can create the cyber intelligence that is needed to take proactive steps to protect the enterprise. Ask yourself this question, "if I wanted to penetrate my network and steal my data, what information would I find valuable and what barriers would I have to cross to get at my prize?" Once you know that, you can determine what cyber data is important to protect this prized information and what is not. You can also determine what cyber data will provide you with the early indicators that the adversaries are getting too close to your prized data.
Today, many commercial companies offer cyber intelligence or cyber data for your analysts to use. This data may include lists of threat actors (people or groups known to have caused harm to computer networks), the techniques those actors use to access or harm systems, trends in cyberattacks, and forecasts of future attacks. Many organizations viewed these providers of cyber intelligence as the cure-all for their cyber woes and soon found themselves drowning in too much cyber intelligence and data. Externally produced cyber intelligence or data from commercial providers is best used to enhance the understanding of the cyber data that your enterprise produces. Sourcing external cyber intelligence without applying it to your own data will yield very little value to your analysts.
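The two points above (know which data is your prize, and apply external intelligence to your own data rather than consuming it on its own) can be shown in a few lines. The following is an added example, not code from the original post: it applies a constructed external indicator feed to constructed firewall log lines and ranks each indicator by how close it got to the assets identified as the prize. The feed, addresses, asset weights and log format are all assumptions for illustration.

```python
# Added example, not code from the original post: apply an external indicator
# feed to the enterprise's own firewall data and rank each indicator by how
# close it gets to the assets you identified as your "prize". Every address,
# indicator and log line below is constructed for illustration.
import re
from collections import defaultdict

# Assumed external feed: indicator -> what the provider says about it.
EXTERNAL_FEED = {
    "203.0.113.7": "actor-A / credential harvesting",
    "198.51.100.20": "actor-B / staging server",
    "192.0.2.99": "actor-C / mass scanning",
    "192.0.2.200": "actor-C / mass scanning",  # never seen in our own data
}

# Your own answer to "what would I steal?": asset -> criticality weight.
PRIZED_ASSETS = {"10.0.5.10": 10, "10.0.5.11": 10, "10.0.9.3": 3}

# Constructed firewall log lines (src, dst, action).
SAMPLE_LOGS = """\
src=203.0.113.7 dst=10.0.5.10 action=allow
src=203.0.113.7 dst=10.0.7.50 action=allow
src=198.51.100.20 dst=10.0.9.3 action=deny
src=192.0.2.99 dst=10.0.7.51 action=deny
src=10.0.7.50 dst=10.0.5.11 action=allow
"""

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) action=(\S+)")

def parse_logs(text):
    """Yield (src, dst, action) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def rank_indicators(log_text, feed=EXTERNAL_FEED, prized=PRIZED_ASSETS):
    """Return [(indicator, score, feed_note)] sorted by score, highest first.
    An allowed connection to a prized asset adds that asset's weight; any
    other observed connection adds 1; an indicator that never appears in your
    own data scores 0 and sinks to the bottom of the list."""
    scores = defaultdict(int)
    for src, dst, action in parse_logs(log_text):
        if src in feed:
            scores[src] += prized.get(dst, 1) if action == "allow" else 1
    ranked = [(ioc, scores[ioc], note) for ioc, note in feed.items()]
    return sorted(ranked, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for ioc, score, note in rank_indicators(SAMPLE_LOGS):
        print(f"{score:3d}  {ioc:15s} {note}")
```

The indicator that reached a prized asset rises to the top, while the feed entry never seen in your own data scores zero, which is the point: external intelligence earns its keep only once it is applied to your data.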
When you do turn to external cyber intelligence or cyber data, the most relevant and meaningful sources for your organization will come from organizations that hold data or information similar to yours. Cyber intelligence sharing that begins at the grassroots level, with organizations like yours, therefore gives your analysts the information to form a more complete picture of your adversaries, their patterns of behavior and their attack vectors.
So the next time your team is staring at a smorgasbord of cyber data, go for the good stuff first: your own data. Then selectively fill the rest of your plate with the sources of external cyber data or cyber intelligence that complement it. In the end, your cyber analysts will be full rather than bloated, and will have the relevant data to develop a more complete picture of the unique threats that face your enterprise.