We’re increasingly using threat intelligence to move our organizations to a more proactive security posture, making them more resilient against cyberattacks. It’s a combination effort to make the SOC both efficient and effective.
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jason Steer, CISO, Recorded Future.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Recorded Future

Full Transcript
Intro
0:00.000
[David Spark] We’re increasingly using threat intelligence to move our organization to a more proactive security posture so it’s more resilient against cyber attacks. It’s not just getting the SOC to be more effective. It’s now how to be more efficient.
[Voiceover] You’re listening to Defense in Depth.
[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. And joining me for this very episode is Steve Zalewski. Steve, say hello to the audience.
[Steve Zalewski] Hello, audience.
[David Spark] And then Steve, do you want to tell the quick story that you just told me seconds ago from your experience at RSA?
[Steve Zalewski] Oh, sure. So, [Laughter] I was at a small conference of 40 CISOs just amongst my peers, and one of the CISOs I hadn’t met before came up to me and he goes, “Hello, Steve.”
[Laughter]
[David Spark] I love that. That’s awesome. We’re available at CISOseries.com. If you haven’t gone there, we have five shows on our network. And if you haven’t checked out our newest show, Security You Should Know, the fastest growing show ever on the CISO Series list of shows, go check it out. Our sponsor for today’s episode is Recorded Future – get ahead of present and future attacks with Recorded Future. We’re going to be talking about that actually all throughout this show, but we’re going to specifically talk about what Recorded Future is doing a little bit later in the show.
Now, Steve, let’s get to our topic at hand. You recently shared on LinkedIn how we’re shifting the way we see threat intelligence, increasingly using it to build resilience rather than just react to the latest threats. Now, you questioned the whole idea of making the SOC more efficient. Being effective is not enough anymore. Becoming efficient requires getting rid of waste and taking advantage of AI when possible. And by the way, there are a lot of players in this space. So, the great thing about these posts is you learn a lot from the community. So, I’m just going to ask you high level, what did you learn from the community?
[Steve Zalewski] When we were making this post, I was thinking you got to be better at stopping the attack. But what we clearly learned here is that while effectiveness at stopping the attack, being efficient at ingesting so much more information from a threat intelligence perspective that’s not just logs is kind of the more near-term issue that we have. And so, we’re having to double down on the efficiency component of being able to find the right needles by consuming magnitudes more information.
[David Spark] Very good point. And we’re going to delve into the detail of all of this with our guest, who I’m very excited is joining us. The CISO over at Recorded Future, our sponsor guest, none other than Jason Steer. Jason, thank you so much for joining us.
[Jason Steer] Well, thank you, David, for the opportunity and looking forward to the conversation.
What are the complaints?
2:55.059
[David Spark] Larry Whiteside of Confide said, “The challenge has always been how to correlate general threats to your specific business and utilize that to make your team more efficient.” And Ryan Franklin of Amazon said, “Threat intelligence is a sunk cost unless we use it to drive initiatives that reduce business risk.” I like that. “I don’t need more indicators or more updates on what random APT groups are doing.” It is cool, though, I will say that. “Instead, I need more white papers on the different ways the business operates that pose the greatest risk to our customers and profitability. Give me more data to drive the change we actually need to move the needle.” So, I like this point of like threat intelligence. We’re supposed to do it, but it’s a sunk cost unless you are actually connecting that to business risk. Where have you been able to do that, Steve, or where do you see others doing that?
[Steve Zalewski] So, between Larry and Ryan, they’re actually taking two different views here is what we were struggling with, which is Larry saying threat intelligence is bringing in other types of data to be able to understand how we become more efficient at stopping the important things, and Ryan saying, “I need the threat intelligence to be able to tell me what is important to the business to protect.” And therefore, how do I stop those important things for the business? One is efficiency, one is effectiveness. But when you pull back, what you’re seeing here is, but we need to ingest a lot more other types of data than just our traditional logs. And there are a couple of ways that we’re going to have to crack this nut for the SOC to be more efficient at stopping the key attacks [Phonetic 00:04:45].
[David Spark] Really, really good point, and I’m glad you sort of pointed the differences, but the value of both of them. What’s your take on this, Jason?
[Jason Steer] Oh, David, there’s definitely some strong opinions in those quotes there that I think we at Recorded Future hear regularly, every week, every month. And threat intelligence is so different to many other security tools in our technology stack, that it’s so contextual based on the organization and its appetite for risk. And I think this becomes the defining challenge of threat intelligence, which is where do we start our threat intelligence journey? Because the first quote about the SOC, you don’t have to do threat intelligence programs beginning in the SOC, for example.
Look at the media headlines right now, supply chain risk. Supply chain risk is something that threat intelligence does a great job of identifying risks and threats. The SOC, the vulnerability management team, there’s so many areas of scope for threat intelligence that are not just about more IOCs to make our job harder. If I’m talking to someone that I don’t know about threat intelligence, I distill it down to a very simple two words. Threat intelligence, when it’s well-defined, is about decision advantage. What decision can I make today that I wouldn’t be able to make without the context of threat intelligence on this vulnerability, on this product, on this company, on this employee that enables me to mitigate the downstream risk of me not doing something?
[David Spark] Let me get just to the correlation. What is sort of the business data that’s coming in and the threat intelligence that’s coming in that says, and there’s that crossover that alerts you, to this you have to pay attention to now? Can you give me an example? And I know that’s kind of a very grandiose question but give me one or two examples of that.
[Jason Steer] I can give you a personal example, David, of something we’ve been working on now for three years, specifically related to identities of contractors and employees. And this relates to a contractor who logged on to a non-corporate device with their Recorded Future credentials, and that device was infected with infostealer malware, and that identity was stolen and able to be accessed by criminals. The fact that we were able to identify that as soon as it was advertised on criminal markets enabled us to reset the account, lock out the account, do incident response, and mitigate that risk. There is just one really simple example of we work in different continents these days in different timeframes, and we don’t always have purview of employees, devices, assets, training, and how do we try and find these risks that do end up creating big problems for us?
Where does this effort fall flat?
7:26.210
[David Spark] Andrew Wilder of Vetcor said, “I have never been able to find a good business value in threat intelligence programs.” Oh, my God. “What I would like to get out of it is effective prioritization of vulnerabilities. AI hasn’t been able to do that yet.” Well, maybe you’ll be able to prove him wrong here, Jason. Hold on. Viresh Garg of TechDemocracy said, “Security tools create too much work for operations, too much data, noise, and manual effort to assess severity and response. Security AI must evolve from isolated visibility to automated contextualized response intelligence. We have enough data. Let’s not focus on getting more data but get the best out of existing data first.” Okay, I think Andrew needs to be convinced here, and Viresh also wants to know how this AI environment, that we just came from RSA and many vendors were telling us our AI is wonderful, you gave us a great example, what would you do to convince Andrew Wilder that there is good value in threat intelligence programs, and it can be connected to your business?
[Jason Steer] Yeah, I think the really important word in that statement, David, was “can” and how do you enable a vulnerability management program to be effective? I deal with this every single week as well, which is what does my technology stack look like today? Because that’s the bit that we’re dealing with is we’ve got new vulnerabilities, zero days emerging every single day, but they’re so dependent to software versions and hardware versions that it’s a very quick moving target for many organizations. And I think this becomes the hard part of is this vulnerability, is it something I have to deal with today or not? And this, I think, becomes one of the biggest challenges of threat intelligence programs for vulnerabilities, which is what are my assets on my devices touching the internet today? What do I need to patch and what do I not? And that is a real problem that creates a lot of noise and makes it really hard for vulnerability teams to determine what the path of action is. And the reality is, is that’s something we’re working really hard on to get those list of assets and version numbers in real time out of asset management tools to try and help cut that noise to actually give, “Here’s the things you need to care about today.”
[David Spark] So, as I understand, this is literally Recorded Future’s charge, to answer this call that everyone’s saying. All right, I’m going to go to you, Steve. The AI world is really kind of coming upon us now. Are we seeing better value in terms of AI creating some valuable signal better than we saw before, better than when you were a CISO?
[Steve Zalewski] I would say AI right now is like an eight-year-old. In a few cases, we’re able to demonstrate that the eight-year-old has some words of wisdom.
[David Spark] Happens every now and then.
[Steve Zalewski] Right. But we’re still far from making that reproducible wisdom that we believe. Now, having said that, I don’t want people yelling at me. What Andrew was saying is if I’m focusing on vulnerabilities, I need AI to be better at providing additional context. Take all this threat intelligence of a traditional perspective, augment it with all this new type of data that is now being considered threat intelligence compared to the traditional definition, and because of that, give me context on the vulnerabilities for me to do something. So, therefore, use AI as a context consolidator for certain needles. Whereas what you’re hearing Viresh say is, “I’m being overwhelmed with more and more data under the guise of threat intelligence.” So, now what I need is an AI that’s able to parse through all that and find me the needles that I should be interested in. Again, we have two different perspectives here as to what the definition of threat intelligence is and how AI is either being used to augment the human or how the human is being augmented by AI.
Sponsor – Recorded Future
11:47.795
[David Spark] Who’s our sponsor this week? Well, I mentioned it’s Recorded Future, and we’re thrilled to have them on board. So, in cybersecurity, your greatest fear isn’t the threats you see coming, it’s the critical signals lost in the noise, kind of what we’ve been talking about so far. So, ones that could have prevented damage to your reputation, business, and trust. Every day, security teams face an impossible challenge, sorting through millions of threats, each potentially critical, but somewhere in that noise are the signals you can’t afford to miss.
So, that’s why Recorded Future was built, to give you the power to outpace threats through precision intelligence tuned specifically to your needs. Advanced AI detects patterns human eyes might miss, while threat intelligence experts, veterans of military and intelligence services, provide context that machines alone cannot. So, with Recorded Future, you gain the confidence to know what matters most and the precision to act when it matters most. So, learn why more than 1,900 customers, including 45+ sovereign governments, trust Recorded Future to increase their ability to detect a new threat and get more than 350% ROI in a year. You just got to go to their website, recordedfuture.com.
What’s the optimal approach?
13:14.722
[David Spark] Antony Shebanov of SOC Jedi AI said, “From what I’ve seen, automating repetitive tasks and using AI for real-time analysis can drastically improve efficiency. The goals should be actionable intel that not only helps defend but also builds resilience. It’s about acting quickly, not just identifying a threat. One thing I’ve noticed is a gap between threat intel and the SOC. Bridging that gap could speed up response times and make decision making more efficient.” Both of you, I see, nodding your heads on that one. “AI also can help fine tune the value of threat intel, making it more focused and relevant. Efficiency isn’t just about saving time. It’s about making the right moves faster.” I think we all can get behind that.
Tony Gonzalez of Innervision Services said, “Effectiveness of threat intelligence programs measures how thoroughly threats were identified, prioritized, and appropriately mitigated or remediated. Efficiency of your program is a measure of how effortlessly you collect intelligence, assess impact and identify affected assets, and prioritize your actions to mitigate or remediate vulnerabilities and threats from them. So, effectiveness relies heavily on the process and resourcing sources you use to gather threat intelligence. Efficiency relies on a number of hygiene activities and processes.” All right. These are monster good quotes, both of them. I know that you were talking about effectiveness versus efficiency. Your take, Steve, do you think Tony gets it here?
[Steve Zalewski] I would say Tony represents what I would call the classic CISO, which is what he’s trying to say is, “I need this technology in order to be able to secure the company. Trust me. I need it. Give it to me. And these are the ways that I’m going to try to measure success.” Whereas what Antony’s doing is, “Here’s the metric that I want to be held accountable to, and I’m getting resiliency by looking at efficiency, but not just in getting more out of my people, but in being able to go faster to address a threat.” Okay? And that fundamentally is what threat intelligence has always been about, but we’ve limited its scope in how to do that, and now we’re having to integrate it deeper into our success criteria.
[David Spark] You were nodding your head through all of that practically on both quotes here, Jason. I’ll just keep it open to you. Which one do you want to tackle here first, between Antony’s or Tony’s?
[Jason Steer] Yeah. These are really good quotes, David. I’ve lived the world of both of these personas who want to do this. I actually want to strip it back to a simple problem statement about threat intelligence, which is that piece of information you provided to me, that piece of intelligence, can I do anything with it or not? If I can’t do anything with it, you’ve essentially made my job harder and just give me another email, another report to archive and not look at.
And I think that this comes to the heart of the whole problem of threat intelligence programs of what are the things I’m trying to monitor and look for that actually my team can make decisions on that impact our security posture day-to-day, hour-to-hour? Both of these statements from both individuals reflect that problem, which is now, are we clearly identifying the problems that our threat intelligence program is here to solve? Everything else is built upon those foundations, and if those foundations inside the SOC, inside the other teams, are not there, then we’re just setting up for failure, unfortunately. And I think this is where the establishment of the priority intelligence requirements becomes really, really critical. It’s really healthy to have that revisited regularly to make sure that we’re actually looking for the things that we need to make a decision on.
We talk about credentials, we talk about identities, we can talk about vulnerabilities, but in my experience of talking to clients around the world is they never get revisited. They start, someone changes roles, the team leaves, the CISO leaves, and those requirements never get revisited regularly enough. So, they’re always out of sync with what the business actually needs, and I think this is the biggest challenge we have to tackle, which is how do we get the threat intelligence program connected deep into the business inside all the functions of the security team?
[Steve Zalewski] Well, and I’m going to riff on that because there’s a point here we didn’t talk about, which was how many resources do I have to do it? The SOC teams are not growing. Okay? Security resources, human resources, are becoming scarce. So, part of this also is how do I do less with less? How do I black box this so that it tells me what I need to do to manage exposure, not strictly vulnerabilities, that it doesn’t demonstrate how my team is working hard, but how am I protecting the business? And I think that underlying theme is adding a lot of pressure to how we traditionally have tried to position the value of threat intelligence versus the need to black box it and have it actually own the problem rather than being here to help me with the problem.
Sometimes it’s really not that difficult.
18:27.698
[David Spark] Duane Gran of Converge Technology Solutions said, “For most organizations, threat intelligence should be impersonal. Just highlight the vulnerabilities that are actively being exploited. Few organizations have the target value or sophistication to concern themselves with threat actors or their motives, and if you want to be efficient, focus on what they are breaking, not who they are.” And Kristy Westphal of Spirent Communications said, “I think if organizations start with actually designing and supporting a program for threat intelligence, that’s half the battle.” So, it’s interesting. I like what Duane and Kristy say here.
And I’m going to start with you, Jason. It is true – a lot of companies don’t have the sophistication to take on threat intelligence nor the bandwidth. You were referencing the having staff, Steve, in the last segment. But Kristy also said you got to kind of set yourself up to use the threat intelligence. So, please address both of these, Jason. Like the organizations, I guess those who just can’t afford it or just don’t have the capability to, and what does it take to set yourself up? Like what is the perfect customer walking through your door like, “Oh, you’re going to kill it with threat intelligence because you’ve already got this set up”?
[Jason Steer] Such a good question to really dig into, I think, David. If we look at our not most mature clients, because there’s scales of maturity in terms of security programs, capabilities, and resource, but for our maturing clients, let’s say, just simple things like domains. What are the domains I care about? What are the email addresses that I care about? What are our executive team’s names [Phonetic 00:20:10]? What can I do to observe who’s talking about them? Because for those maturing organizations, understanding who’s talking about them, where, and why is a really good starting place to address some of the biggest gaps that they will get value from very quickly, and then you can work into the vulnerabilities and other bits. But just our brand footprint online. “Are criminals talking about me?” is a really big win.
Kristy’s point about designing and supporting the program, and I think we talked about that earlier, is what are our top three priorities? What are the biggest gaps that we think we could improve on that would be a good starting place? My personal observation of this being done is clients try, in that rush to get value from their product early, instead of going for 3 or 4 use cases that are done really elegantly from end to end, to do 20 use cases really quickly in three months and never actually get them fully baked. And to every client I meet, I always recommend: go slow, go steady, and make sure that your use cases are actually valuable to the business, and ensure you get that feedback from all your stakeholders to say, “Yeah, this is really helpful,” rather than 20 use cases that are firing noise and alerts over the fences to everyone else and actually causing more work and more harm to your intelligence program.
[David Spark] Steve, your take on being ready for an intelligence program and those people who believe they can’t do it because of their resources themselves.
[Steve Zalewski] So, this gets back to expectations. Threat intelligence wants to sound like it’s complicated, that it takes a lot of people. Traditional threat intelligence is, “Who’s attacking me? When are they attacking me? And why are they attacking me?” That is valuable, to Kristy’s point, which is if I’m trying to get in front of the board and just give them appreciation, is it script kiddies? Is it social hacktivists? Is it organized crime? In essence, who are my key threat actors that I’m trying to protect against? Because understanding that gives me the context to know what my security perimeter should look like. That is threat intelligence’s traditional value proposition. That does not have to be expensive. That does not have to take a lot of time. It’s just a periodic reevaluation of what’s hitting my shields. But a lot of the conversation today, where Duane is going, is that we’re trying to take threat intelligence to the next level. We’re realizing it provides context to the active attack surface, not just a view of who the attackers are. And I think that’s the transition around resiliency and being efficient at the speed with which we can take action versus just reporting what’s happening.
Closing
23:00.343
[David Spark] That brings us to the portion of the show where I’m going to ask both of you, which quote was your favorite and why? And Jason, I’m going to toss to you first. Could you tell me which quote was your favorite and why?
[Jason Steer] Thank you, David. I’m going to take Kristy with her quote because, and I think Steve’s point was really personal to me, which is tell me about the who, the what, the how, and the why. This is something I still do every single month for our business about the who, the what, the how, and the why. I’ll also add one more question to the end of that, which is, “So what? What am I going to do now for the business now that I know the who, the what, the how, and why? What can we do differently to be proactive and be ahead of what we anticipate to happen next?” And I think that’s the bit I want to add now. “So what?”
[David Spark] And by the way, that is literally the theme of this episode: it is one thing to get the intelligence, and in fact, it’s pretty much all over the place. There’s no shortage of it. It’s the “what the frigging hell am I going to do now that I know this?” It’s like, “Oh, my God, someone’s breaking in. I know they’re breaking in. What do I do?” [Laughter] Kind of a thing. All right, Steve, I throw it to you, your favorite quote and why.
[Steve Zalewski] A couple good ones today. I am going to go with Antony Shebanov and one particular part of his quote, which is, “Efficiency isn’t just about saving time. It’s about making the right moves faster.” And I think that is a great way of summarizing this efficiency versus effectiveness, contextual speed for resiliency, that that is where we’re taking the conversation going forward.
[David Spark] Well, that brings us to the very tail end of this show, and I do want to thank our guest, and that would be Jason Steer, the CISO of Recorded Future. And a huge thanks to Recorded Future for sponsoring this very episode – get ahead of present and future attacks with Recorded Future. As we said, this is something that Recorded Future does. So, if you would like help of what do I do with this threat intelligence and also get some really darn good threat intelligence, I suggest you go check out recordedfuture.com or even talk to Jason. Actually, Jason, do you have any last thoughts or offers or anything you’d like to say to our audience?
[Jason Steer] I would say, yeah, come to our website. We’ve just launched our new malware intelligence features to help our clients think about understanding malware. Or go and get our new identity report and see which identities from your organization have been exposed on the dark web, and get a sense of what’s out there.
[David Spark] Well, thank you very much, Jason. Thank you very much, Steve, as well. And thank you to our audience. We greatly appreciate your contributions. Seriously, as you can see, there would be no show without it. So, thank you very much for contributing. Thank you for your contributions and for listening to Defense in Depth.
[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at [email protected]. Thank you for listening to Defense in Depth.