What Exactly Makes Intelligence Actionable?

The term “actionable intelligence” is often bandied about. Why? Because data insight can palpably add to an enterprise’s business value.

Let’s say you’ve spotted an insider threat: an employee, on their way out the door, stealing some data from your company. Security protocols alerted you to this transgression. What then? How do you take action against this employee? How do you pinpoint everything they stole? How do you prevent this from happening again?

When considering security investments, the term “actionable intelligence” is often bandied about. And unlike other marketing tactics, these are not just buzzwords. Because, as Forbes recently pointed out, data insight can palpably add to an enterprise’s business value.

In recent years, there’s been a tendency to focus on information-management systems, such as SIEMs, which enable humans to monitor multiple logs of data at the same time. But in this post-Target, post-Home Depot, post-Yahoo breach world, enterprises are realizing that knowledge isn’t power if it can’t be acted upon immediately. The most efficient security platform is one that uses machine learning to detect breaches with enough speed and analytic detail to spare you a protracted (not to mention expensive) forensics process.

According to a Forrester study, only 29% of companies admit they are “good at connecting analytics to action.” Meanwhile, SC Magazine reports that “roughly 40 percent [of security employees] have far less than two years of experience with threat intelligence.” This means that not only is threat intelligence essential, the clarity of how that data presents itself is just as important. Their platform’s interface must be cogent enough to make sense to a security practitioner as well as the executives, board members, stockholders to whom that employee must answer.

Additionally, what makes intelligence actionable is that the platform automatically outlines the context of an attack—the all-important who, what, where, when details. This enables human resources and law enforcement alike to take action against employee. It also allows an enterprise to prove federal and state compliance. And these learnings can be used to cyber-hunt or prevent future attacks.

CSO recently polled security practitioners about threat intelligence. “Most of the complaints about what passes as threat intelligence these days,” they reported, “is that it’s flat data with a narrow focus.”