Several years ago, I decided to take a course on Strategic Intelligence Systems in order to solidify my ever-growing interest for the topic. My affinity for James Bond and Jack Ryan movies since I was a kid and my interest in how information was used to take action by agencies has grabbed my attention and compelled me to learn how it was done. The best part about this training was that, as the lessons progressed, I started to notice that the concepts I was learning were mostly applicable to security, as the flow of information from the defined sources was analyzed and then disseminated to the entities in charge of taking decisions. Let's take a look at how understanding the cycle helps us make sense of Security Operations.
The cycle itself has been defined in several ways in the past, but the one definition I like includes the following steps which happen in sequence:
- Dissemination and Utilization
Let’s review them individually and analyze how they relate to security.
1. Planning: Assessing Security Vulnerabilities & Risks
This phase usually involves determining what the main objectives are, determination of main targets, assessment of vulnerabilities/risks and the determination of the attack surface, and the value of the most important assets.
This stage relates to the benchmarking we usually do in Security to assess or weaknesses, strengths and our most valuable assets in the organization. This phase helps us to understand what we are defending, how we defend ourselves and what are the main threats and/or risks.
2. Investigation/Collection: Gathering Information
This is the part most of us live for and the most exciting for all of us that grew up in operational areas where we learned how to get our hands dirty.
Investigation/collection is comprised of the techniques and tools that we use to gather the information that we have deemed as cruciual in the Planning phase.
This part is achieved through what is known as “tradecraft”, which is the practical application that operational security personnel carry out of those tools and techniques according to their criteria and experience. Good investigative techniques and tradecraft produce information with a high degree of reliability, which builds trust towards stakeholders – one of the objectives of a security program.
This phase also involves the selection of the sources of information that are relevant to our Security operation and the way we tap into them in order to extract what we need.
3. Analysis/Production: Analyzing Data to Extract Insights
We’ve reached the stage where we must make sense of the information we have collected in the previous phase. Analysis involves applying thought processes to the data we have collected in order to make it useful.
This stage requires that experienced personnel apply analysis tools and techniques that filter unnecessary or irrelevant information and also that assemble relationships between the data given a specific context (i.e. a possible scenario that may have different outcomes).
To me, the most interesting fact about Intelligence Analysis is that it is made up of techniques that have application in many professional disciplines like Security, Political Science, Business and even Sports, to name a few. One favorite text of mine that covers this topic extensively is “Structured Analytic Techniques for Intelligence Analysis”, by Richards J. Heuer and Randolph H. Pherson.
4. Dissemination: Delivering Information to the Relevant Individuals
Once we have analyzed information thoroughly and we consider that it’s ready to be consumed, we need to deliver it using a reliable method of dissemination. Nowadays, massive repositories like portals and collaboration sites provide format-agnostic platforms that effectively share information among groups of related individuals.
These tools make distribution of information reach groups of individuals that might have a common goal or that benefit from a collective (or specific) access to information. It seems like modern trends are leaning towards tools that provide Analysis and Dissemination capabilities bundled together.
5. Utilization: Solving Day-to-Day Operational Problems
The last step is the use of the actionable information we have disseminated in order to obtain results. While the Dissemination process establishes how we distribute the information, Utilization has to do with how the information is used and this is also related with who will use it.
This is where we determine if the information is suitable for operational/tactical teams whose goal is to solve problems that occur as a product of day-to-day operations or if it will aide line managers in setting medium or long-term goals that will shape the Strategic aspect of the Security practice. Think of who should have access to what kind of information, based in needs.
Understanding the Intelligence Cycle sheds a light on the logical and natural way information flows in Security. It also helps us understand, in very broad strokes, how Security Operations happen at the conceptual and procedural level.
It should also be understood that many other activities might be appended to the cycle itself as support actions, but the cycle serves as the conceptual model for InfoSec Ops.
Carlos F. Lerma, Senior Information Security Architect, Beam Suntory Inc, holds a bachelor’s degree in Accounting from Universidad Autónoma de Tamaulipas (Ciudad Victoria, Mexico) and a Master of Science in Telecommunications and Network Management from Syracuse University. His research interests are cyber intelligence systems, threat management, SIEM systems and the use of strategic intelligence in information security management.