October 02, 2024

00:39:34

Episode 279 Deep Dive: Mary D'Angelo | The Power of Dark Web Threat Intelligence

KBKAST

Show Notes

In this episode, we sit down with Mary D’Angelo, Cyber Threat Intelligence Solutions Lead from Filigran, to explore cyber threat intelligence. Mary dives into the challenges of decision-making fatigue and discusses the essential role of integrating threat intelligence across organizational silos. She emphasizes the importance of a top-down cultural shift, advocating to demonstrate threat intelligence’s ROI to C-level executives. Highlighting real-world examples, such as the LockBit ransomware attacks on US hospitals, Mary reinforces the urgent need to democratize and streamline intelligence sharing. She also discusses the potential of AI in improving threat intelligence processes while noting the necessity for human oversight in decision-making.

Mary D’Angelo is a Dark Web Threat Advisor dedicated to empowering organizations with the knowledge and tools needed to effectively combat cyber threats. With a strong focus on threat intelligence, Mary guides businesses in leveraging advanced security strategies to thwart malicious actors.

Her commitment to raising awareness about cybersecurity risks is evident through her extensive work, including insightful interviews and thought-provoking blog posts aimed at educating the public.

Mary holds a Bachelor’s degree from the University of Washington. Actively engaged in the InfoSec community, Mary is a familiar face at industry events, contributing her expertise and staying abreast of emerging trends.

Beyond her professional endeavors, Mary is deeply invested in nurturing the next generation of cybersecurity professionals. She dedicates time to mentoring university students, sharing invaluable insights and guiding them toward successful careers in the field.

Mary’s influence extends beyond traditional realms, as she actively participates in esteemed think tanks such as the Dagstuhl Seminar 2024 and the Tortora Brayda Institute. Through collaborative efforts with leading experts, Mary continues to shape the discourse and advance cybersecurity strategies on a global scale.

Episode Transcript

[00:00:00] Speaker A: If a company is truly, like, an intel-driven organization, they know the value of having intel permeate in every different aspect of that company, and that's how decisions are made and just enriches their cyber operations. And it helps reduce incident response times by having this intel.

[00:00:25] Speaker B: This is KBCS as a primary target.

[00:00:29] Speaker A: For ransomware campaigns and performance risk and compliance.

[00:00:34] Speaker C: We can actually automate that, take that.

[00:00:36] Speaker A: Data and use it.

[00:00:40] Speaker C: Joining me today is Mary D'Angelo, cyber threat intelligence solutions lead from Filigran. And today we're discussing democratizing cyber threat intelligence. So, Mary, thanks for joining and welcome.

[00:00:51] Speaker A: Yes, thank you so much. I'm excited to be here.

[00:00:53] Speaker C: Okay, so let's start right there. What do you mean by democratizing cyber threat intelligence? It's a term that I think you're talking about a lot on LinkedIn and some of your posts. So I'm keen to sort into a little bit more.

[00:01:05] Speaker A: Yeah, so democratizing cyber threat intelligence, it's a bit vague. Right? And so there's a ton of different meanings behind it. But really, how I see it is it refers to making cyber threat intelligence more accessible, more usable, more valuable to a broader range of audience. Because if you recall, like, historically, CTI was a very niche practice about, like, ten years or so ago. It was limited to just a few experts, and what they did was just produce very long, detailed reports and other cyber operations didn't find it to be as valuable.
And so, over time, as there's more, increasing the accessibility to different data, open sources, different feeds, that came out, that started the process of democratizing threat intelligence, and that also had to do with the standardization of it through STIX, which is a framework used to represent threat intelligence, just to make it easier to operationalize it, and then, as well as having it more bidirectional sharing. So not only would I be the one to receive the intelligence, but also I would, in turn, give the intelligence back to the appropriate folks in my experiences, my insights, my thoughts on how this would be useful. And so all of those parts play a huge component in the democratizing of cyber threat intelligence. I will say especially OpenCTI, the open source threat intelligence platform, played a very pivotal role in this, as it made threat intelligence easier. I guess it lowered the barrier for those who wanted access into threat intelligence. And so that not only you were like a large Fortune 500 company who had access to this type of intel, but even smaller organizations had the ability to start and then build their capabilities as they continue to learn.

[00:03:10] Speaker C: Okay, so you said before, more usable and more valuable, so what do you mean by that?

[00:03:15] Speaker A: Yeah, so there's different types of threat intelligence. Right. So we have the three main buckets. You have your strategic, your tactical, and your operational threat intelligence. Your strategic has to do with more high level what is done at the executive level. Tactical is usually responding to more on a daily basis. Things that are happening right then and there. So responding to certain alerts and then operational is just in between both of them. So what you're doing on a daily basis, and most of the time it's hard when you're getting intel because you can't really. Intel is only important when it's relevant, when it's actionable, and when it's timely.
And if it doesn't fit those three points, then it's not very useful. And so back in the day, they used to write just very long, detailed reports that didn't hit on any of those points. And so by the time it got to the right hands of the folks who needed it, the data might have been old, probably not relevant, and not something that they could use for the broader security operations team.

[00:04:23] Speaker C: Yeah, that makes sense because I was an analyst before, specializing in more the reporting side of it. And I guess from my point of view, it's like, well, if I've got all of this information on this data, but I can't do anything with it, it's kind of obsolete, it's redundant. So how do you think now it's sort of shaping. Is there more to your point? Is there more, is it more relevant? Is it more actionable? Is it more timely now with things that you're sort of seeing with your role?

[00:04:49] Speaker A: Yeah. So there's a few parts into it. I guess it's hard because there is an increase in the amount of intel that's out there. Just within the past few years or so, we've seen Mandiant, Recorded Future, all of these companies popping up, providing a ton of different intel, which is awesome. It's really, really great for the community, but then it's a matter now of how to synthesize it, how to break it down, and then how do we disseminate it into the right folks for them to offer action upon it. And so I think there is, and that's why we have, like, standardizations in place, which I do think some of them need to be a little bit more refined. But the standardization process really helps so that you can make, make the process of gathering this intel was more easily without having to create custom solutions for each different source of intel. It's great with all the intel that we have there, but now it's a matter of, okay, how can we make sure we're actioning upon it in the best way possible?

[00:05:55] Speaker C: So can I ask more of a rudimentary question?
Would you say historically with everything you've mentioned, would you say that companies in the past have like, yep, tick in the box, we've got threat intel, but then as a result did nothing with it because like you said before, maybe it wasn't relevant, it wasn't actionable, it wasn't timely. Would you say originally it was just we've got the thing, we've done our job. But to your point before, no one's really disseminating it properly or synthesizing it or making any insights derived from all of this intelligence. Would you say that was a thing?

[00:06:26] Speaker A: Yeah, it was kind of, it was like about ten years or so ago. It was very a practice that was done by a few number of experts or those in government. And beyond that really most organizations didn't see the value in it. And as it changed over time, then it became especially like with incident response teams that became something that they realized it was crucial to their operations. So it's definitely changed. It actually, it changed pretty quickly, I would say as well from what we've seen.

[00:07:02] Speaker C: So with your experience, you said before, synthesize, how would you go about synthesizing all of this intel, for example?

[00:07:09] Speaker A: Yeah, so there's usually pretty good solutions out there to do that. So like OpenCTI for example, the platform that was mentioning, the open source threat intelligence platform, they do an incredible job at synthesizing it. There are other tools and capabilities out there, but it just requires doing it manually, just requires a lot of effort, and it's probably not worth the amount of time spent in it. So if you have something that can follow all the stages that you know of the threat intelligence life cycle, then it could break it down for you. And then if there are, you know, duplicates of certain threat actors or terms, it'll, it'll, it'll break it down so that it won't have to, it won't be so redundant with doing your investigations.

[00:07:58] Speaker C: Okay, so walk us through the threat intelligence life cycle.

[00:08:02] Speaker A: Yes, so the threat intelligence life cycle. So it's made up of six stages. So you have your first your direction and planning, then your collection and compilation, your processing, analyzing and reviewing, and then your dissemination piece, and then finally is the feedback and then using that to continuously improve your process. So with a threat intelligence platform, you would have components where you would bring in the intel that would match up to each part of those stages, and then you can follow it along so that you're making sure when you get to the dissemination point, the intel is going to the right folks that need it.

[00:08:43] Speaker C: Okay. So from your experience, where would you say the main issue had sort of live? I know you've touched on before around the dissemination side of it, but what about the direction, even way at the beginning, do you think people are still a bit lost, perhaps even from the start of the life cycle?

[00:09:00] Speaker A: Yeah. So the start of the life cycle is probably where people that and the dissemination part, or I think where people struggle the most, just because, one, it requires gathering tons of different intelligence, and oftentimes there's too much intelligence you don't know which is where to begin. Right. And so that can be kind of overwhelming. And then with the dissemination piece of it, you have to know as you've narrowed it down, you have to know exactly. Okay, who, what team would best be able to respond to this information. And so that kind of trips people up as well.

[00:09:39] Speaker C: So how would you sort of navigate who's the best team?

[00:09:41] Speaker A: From your experience, organizations will know this themselves pretty well. So if you're dealing with, like, tactical intel.
So if you're dealing with IOCs, that would go mostly to security operations teams, if you're dealing more with strategic intelligence. So if you're looking at like, you know, the overall, let's say you're tracking a ransomware group within your sector and you're seeing their, their trends and you know, where, who they generally target, what geographical areas that would go more at a C-level so that they can build a plan for their security team to make sure that it is protecting against any of those points. So again, it kind of breaks it up into those different buckets of what would be strategic, what would be tactical, what would be operational, and then from there, you'd be able to disseminate it into the right folks.

[00:10:35] Speaker C: Okay, so that sort of leads me more to my next sort of question or point. Now, your view, Mary, is that threat intelligence should be available for everyone, as you've mentioned already, and to your point earlier around, if it's more strategic intel that we should be tracking, them should go the C-level. But I want you to walk us through perhaps that recent example of the LockBit targeting US hospitals. So maybe talk us through it.

[00:10:57] Speaker A: This is a really good example because this is how sort of the path that I came down into finding the company that I am right now about really the importance of democratizing cyber threat intelligence. So last year, it was around November October, timeline of 2023. This was when LockBit was going pretty crazy. You know, they were hitting hospitals hard. What's sad about hospitals is most of the time, you know, they are so overworked, over staff, understaffed, and they don't have the right security stack to respond to this, let alone intelligence. And so what we were seeing is an initial access broker was selling. It was like almost every single day was selling on the dark web, new credentials for a hospital within the US.
But they were very, you know, they're very smart about it. They make sure not to name the hospital. They just say where the hospital is generally located. And then the revenue sides of the organization, they do that on purpose because they don't want the hospital to get a notification like, hey, your credentials are being sold. Right? So it's a little bit sneaky, but there were so much of it happening that. And, you know, these hospitals don't have access into this intel. And if they did have access, it would. It wouldn't be through their own means. It would probably be something, you know, either working with law enforcement, with some government agency, or maybe with an ISAC. And at that point, by the time it reaches that hospital, it kind of. It might be too late. And so when I saw, and I guess I have more of a soft spot when it comes to hospitals because, you know, there's real lives on the table here. And so, you know, saw this, like, this information needs to be sent out to the hospitals ASAP. But they. We didn't have a system in place. And even if we did have a system in place, there's also, again, back to the standardization is how then do we feed them this intel and how do we help them action upon this intel? So it was a kind of. It was very eye opening for me to see that there was a major gap here because we had the intel, there was something we can do about it, and yet the hospitals weren't able to receive it. And that's also not to say that if they had this intel, it would have stopped a cyberattack. We don't know that for sure, but I think it would be more helpful if the hospitals were able to have this intel.

[00:13:31] Speaker C: Absolutely. So this is interesting. So from your point of view, and you obviously have explained it quite well around. They didn't use their name, they redacted the name, or else they would be an alert. It's a lot more, you know, obvious. Take that example.
So should people go hunting for this then in terms of, like, well, we don't know. And like you said, like, it's, you know, people's lives is very, very different, too. I mean, I worked in a bank in security. It's kind of different to, you know, the money side of things because you can always replace the money, but, you know, when it's people's health records and stuff, it's a bit more sensitive. So what would be your advice then for there's probably another hospital going through the exact same sort of situation again, their name being redacted. What's your thoughts, then on sort of countermeasuring this?

[00:14:15] Speaker A: Yeah, so that's. It's really difficult because at some point you want to say, like, okay, the hospital should invest in a robust cyber threat intelligence program, but, you know, after that costs a lot of money, and finding great CTI analysts is hard to find. And so in order to build a program up like that from the bottom up would cost a lot of time and money as well. And so that doesn't seem like a realistic solution here. I think that's where sharing the intel would kind of come into this space. And I don't want to say that we don't do enough sharing, because I think we do. I mean, much better than we have, you know, five to seven years ago. And especially with ISACs, you know, HS ISAC is an incredible job of giving these hospitals who wouldn't have access to any of this intel, access into some of these intels that are only available to very large organizations. But I do think that there's a gap, something that is being missed. There has to be a way of how we can streamline this intelligence to the right hospitals so that they receive it on a timely and actual relevant timeline. So I think from now, that's something we have to think about. And obviously, we'd have to work with certain private companies who specialize in this intel and then how they think would be best to feed it.

[00:15:40] Speaker C: Yeah, most definitely. So I think.
Okay, so you said before that's not the most, you know, cost effective solution. So do you think that companies out there are thinking, like, all of this process that you're discussing here with me today is, oh, it just costs too much. Like, it does make sense, but maybe if I don't know what's there, I won't have to deal with the problem. Do you think there's a little bit of that in there?

[00:16:01] Speaker A: I do think there's a lot of, I would say, like, perceived lack of value and that's kind of why a lot of people sort of gatekeep intelligence or they're not so on board with sharing their intel with other industry folks or even internally, you know, within their internal cyber ops is they think they can see it as being like, okay, cool, like, we have this piece of intel now what? Like, because they don't see any sort of immediate or clear benefits. And so with that, they might want to invest less time into CTI, where they feel like they could spend more time in different parts of cyber.

[00:16:40] Speaker C: Okay, going back to the sharing for a moment. Now, if you envision, just say you're a utilities company and you've got two of the largest competitors. Do you think they're really wanting to share with their competitor? Have you seen that? Now, I know that sounds like a, you know, as a security person, you want to think, you know, our goal is to combat, you know, the cybercriminals. That's the real adversary. Right. However, I have seen people saying, well, I don't want to share my threat intelligence with my competitor. That's their problem. How are we going to sort of, you know, close that gap?

[00:17:14] Speaker A: Yeah, so I see that point. But I also think within the cyber community there, they have. And just dealing with, you know, my clients and partners in the past is they have pretty good. Like, for example, oil and gas is who I work with very closely. Even though most of them are major competitors with each other.
They all seem to, you know, have either Slack channels or different ways to communicate with one another. So if something comes in, let's say they receive a notification from the dark web that an initial access broker is selling credentials for a large oil and gas firm. They immediately, it doesn't say the name of the oil and gas firm, but they immediately know it's someone was in their industry. And so whoever sees it first will then take the initiative and share it with each other because there is sort of no one, even though they're your competitors, no one really wants it hurts the industry as a whole if one of them gets. If one of them gets hit. I guess what's nice about the cyber community is they kind of look past the piece of being competitors, and they're very good. At least I can speak to oil and gas and maybe financial services as well as being able to share the intel.

[00:18:32] Speaker C: And look, I asked that question because I recently interviewed Jeetu Patel. So he was formerly the executive vice president of innovation in cybersecurity for Cisco. I think he's got a new title now, but he was talking all about this, on how we actually can work together to combat cybercriminals rather than each other. But just in my experience, I have seen a bit of that, of people like, well, I don't want to share because they're a competitor, but it's not a zero sum game. So what do you think in terms of how do we, how do we sort of move forward from that mindset? Now, I asked this question as well, because I'm in media. When people go and have breaches, I go and approach them, and I've had people say no. And I've actually said to them, well, your competitors or people in your sort of arena want to know, like, how they can potentially not go down the same mistake. And I've had people just say no, I don't want to comment on that.
So I know it's sort of different to threat intel, but when I'm on the other side of it, I'm trying to get a response from companies that have had a cybersecurity incident or being breached. I'm getting the no comment side of it as well. And that doesn't really help the industry.

[00:19:37] Speaker A: But see, it's funny because I feel like I have a totally different experience. I think there was recently a large gas room that was hit maybe a few months ago or so, but it was kind of kept on the DL, but everyone was in the sector knew about it. And then because of that, they were working on it because they were trying to figure out what were some of the TTPs the threat actor was using, how did they gain access into it? And then could they also replicate the same into our environment? And I guess it was nice to see that these companies, even though they're all competitors, they were doing a very, very good job of working with each other, sharing the intel, so that it could, if not help mitigate, but stop from happening to other oil and gas firms. Yeah.

[00:20:27] Speaker C: And maybe because you're in the other side of the world, it could be that. It could be that I'm in Australia, maybe things are different here. But you mentioned something before around people sort of, you know, they don't quite understand the value add of threat intelligence. Do you think that's changing, though, over time? I mean, having you talk on the show, obviously, is demonstrating the value add, et cetera. But will we start to see people understanding a little bit more fidelity, would you say?

[00:20:52] Speaker A: Definitely. I think it's shifted a lot within the past few years or so. I think mostly at the higher, larger organization level, they definitely see the value, especially when it comes to feeding the intel into other parts of an organization.
So if a company is truly an intel-driven organization, they know the value of having intel permeate in every different aspect of that company. And that's how, you know, decisions are made and how it just enriches their cyber operations and it helps reduce incident response times by having this intel. So I think right now it's more so on. Maybe the smaller, as I mentioned, like hospitals or smaller organizations that are coming around to, I think they see the value of it, but it's more so a costing, and if it's something they feel like they don't think they can justify just yet. And so that's hopefully, I think that will certainly change within the next couple of years.

[00:22:04] Speaker C: So your sort of view or philosophy is making it more accessible. Would that also mean then that cost is sort of reduced then a little bit more, like you said, if it's a cost thing for some of these companies, like hospitals, for example, I mean, costs can always be reduced. So do you start to see that now coming through a little bit more? So it is a little bit more ubiquitous? Moving forward, I like to look back.

[00:22:28] Speaker A: At that LockBit example with the initial access folk were selling all of those credentials at that point. I think that intel should have just been given to those hospitals for free, because that would have saved not only lives, but it would save these small hospitals, you know, so much money if they were hit with the cyber attack. But I do understand the importance, and I think ISACs do a really great job of being able to have the right, you know, being able to gather strong threat intelligence reports that might only be used for larger organizations, but then reducing the price on it so that there's like a lower barrier of entry so that smaller organizations can gain access into it as well.
So not necessarily having to be free, although I will say there are a ton of open source solutions out there, I mean, OpenCTI being one of them, where anyone can sign up and learn how to track their intelligence lifecycle and depending on what their maturity level is and how they want to grow and how they want to gather and use, use that intel. And there's also other places there with a lot of free intel feeds as well. And I do think that there's various government programs that you can reach out to that could help you with not only providing you with intel, but also showing you how to action upon it. There are resources there and not all are free, but I think it's. It's getting to that point where I think the community is really realizing truly the value of this intel. And intel is just like one piece of a puzzle. It's only effective if you can connect it with the whole puzzle itself. And so that's where the sharing component comes into it.

[00:24:22] Speaker C: Okay, so I want to maybe get into, you said before the threat intel report, talk me through it, what typically is covered in those reports, to get actionable insights that, you know, people can, you know, act upon.

[00:24:35] Speaker A: Yeah. So they, so they vary depending on who the audience is. I think for some, like for more strategic, high level, it would have to be usually ports or reports around various ransomware groups and threat actors in your sector. You know, what their TTPs are, who they generally go after, what they're, you know, sort of what their history looks like and where we see them heading towards. So that's one example of a threat intelligence reports. Others are just things that, and usually these come from ISACs or like common vulnerabilities that we might be seeing IOCs that we're seeing that you want to ingest into your platform so you're made aware of it, and that's more of on the tactical side.

[00:25:26] Speaker C: So in terms of moving forward, what are the things you'd like to sort of see happen? As you mentioned, I know it's more accessible. Like, what's realistic that we're going to start to see? So is it that people can't afford, you know, threat intelligence, so maybe they should head over to OpenCTI. But then with that comes its own challenges of time, you know, resource understanding, you know, upskilling themselves, et cetera. If they don't have that internal capability or the other way is, well, if you don't have all of that, you can just pay a company to do it. Right. So that's typically how it goes. But you sort of, you starting to see that sort of emerge more. But what other things can people sort of expect now? Because as you said with the hospital, it makes sense. We want to see a reduction in these types of things happening. We want to see more threat intelligence sharing. But talk me through more of your thoughts.

[00:26:13] Speaker A: I think this is more, more of a positive perspective on this. I think, and I know, you know, you've probably talked to a lot of people about the emergence of AI and how it's, it will play a role in various topics. But I think with this particular example, when it comes to sharing of threat intelligence or threat intelligence in general, I think AI will significantly transform and make the process so much better. Of course, there will be, there's always going to be some cons and some challenges and risks involved with it. Well, first of all, I do expect to see more of an increase volume of cyber threat data out there right now. We're already seeing so many players in the marketplace right now, and it's only expected for more to come. And so with AI being part of that, what I would imagine is AI being able to structure and process that intel more effectively.
And so now that we have all this influx of intelligence using AI to do the standardization for us, and then, you know, sometimes you might get data in all different types of formats if it's a PDF report or raw data streams. Right. Having the AI break it down and convert it for the end user so that they can actually operationalize on it, which I think is, is pretty exciting. Also helping with, you know, the decision making and the actionability when it comes to the threat intelligence. And that's a, that's a very difficult piece, especially for a CTI analyst, once the data has been processed. Okay, great. Now what to do? How can I action upon it? And so I think AI will definitely play a big role in that, identifying who some of these threats are, where they're coming from, and what would be the appropriate strategies to mitigate it. And then lastly, just again, the standardization, because I think my biggest issue right now within the industry is there's, you know, each vendor has their own name for these different threat actor groups. Like I was looking up earlier today, like, Muddled Libra, they were in Hacker News, and there was like a million different aliases for it. And that's so hard to track. Right. And so having something like AI, which will combine all of those aliases together, or just, or even just standardizing across the industry, like, this is the name we will be using for this threat actor, so that it could help with redundancies and definitely help push through some of these processing much quicker.

[00:28:57] Speaker C: Okay. There's a couple of interesting things in there that I want to just hear your thoughts on. So you said, I, with AI, you can break it down and then convert it. What do you mean by convert it?

[00:29:10] Speaker A: Yeah, so, like, I think of it as convert it into something actionable.
If, like, a piece of intelligence comes in and let's say, usually there's going to be at this point where I'm talking about, like, you know, in the future, there's been an influx of intelligence coming in. And so the AI would have to basically do a lot of deduplication, cross checking, making sure the intel that's in is relevant and also accurate. Right. We don't want a bunch of fake information out there. And then now that we have this, the next step would be, okay, how can I make this actionable for different stakeholders across the organization? And that's what it would do. It's a, this is something that would be, you know, incident response team would need to take a look at. This is something maybe more of a, you know, CISO would like to take a look at as it talks about the greater threat campaign landscape and so making it something that is, you can action upon. [00:30:11] Speaker C: Okay, so then I want to flip over to, you know, with AI is a tool to help, you know, increase decision making, etcetera. The only question I have around that is what about sort of like the hallucination side of things and then there, therefore it says you should take path a because the AI said that, or in actuality you should have taken path b. How do people sort of discern that information? [00:30:37] Speaker A: Yeah, that's always a tough thing to deal with. I think that's why it's important to have humans involved in this process as well. Even though AI will play a very critical role, especially with fast tracking, especially in the beginning, fast tracking the intel pieces. But when it actually comes to actioning upon it, that's something you would want a human to take a look at and, you know, confirm if that's the right thing to do. I would not ever suggest having AI run your entire CTI program, but I think it would be a very powerful tool, especially in the early stages of gathering that intel to help with it. 
[00:31:22] Speaker C: So effectively having AI in place collects all this information, puts it in a way and converts it, that makes sense, then creates a decision slash. But then people at that point would really need to intervene and assess whether that makes sense to do the thing.
[00:31:38] Speaker A: Yeah, yeah, definitely.
[00:31:40] Speaker C: The only thing I am worried about is because people are quite fatigued and everything like that. It might be something that's super small, like, oh, well, you know, it's not a big risk if I just go and do this, but it actually may be the wrong path. But, you know, I guess these things do happen. Even if there is a human that intervenes, it could just be perhaps they've overlooked something and it might not be the right thing to do. What are your sort of thoughts on that?
[00:32:03] Speaker A: I definitely do see something like that happening, although I will say at that point, once you're at the dissemination process of threat intelligence lifecycle, there's a few other stakeholders involved. So if someone gets this piece of intel, AI suggesting this is how you might action upon it. They might then send it to someone else on the team to do the actioning on it. And so you have a few more sets of eyes looking at it. It depends on how the gravity of the action might be. But at that point, I think by the time the real action takes place, there'll be more confidence behind it, given the amount of different people that had to sign off on it.
[00:32:53] Speaker C: No, that totally makes sense. So just going back to the decision making then for a moment, would you say historically or even now ish, people thought, okay, well, what do I do now with this? And then as a result of not knowing or feeling fatigued or unsure, perhaps, do you think some of these things went by the wayside? Perhaps it's like, well, I don't know what to do with the thing, so I'm just going to perhaps ignore the thing.
[00:33:16] Speaker A: I do think there is a struggle in that because threat intelligence is most effective when it permeates all aspects of an organization. And so if there are more people involved with the process of gathering the intel, evaluating the intel, use, actioning upon the intel, then I think it's way more successful. But if we're talking about working in silos, so if it's just, you know, we have a CTI team off in the corner, we are the one, you know, they're the ones that are supposed to work the role of intelligence and then pass it off to the right folks. I think that's kind of where more of that struggle might come in to and where I think it would be better if, again, you know, something I'm very big on is making it available, making it more a larger part of the organization and less of the siloed piece.
[00:34:17] Speaker C: What do you mean by larger part of the organization?
[00:34:19] Speaker A: Making it top of mind, making it more sharing of threat intelligence, more of a cultural thing. So from the very top of the organization to the bottom, cyber threat intelligence is of the most important. And that's just within the culture of the organization and not just something that is seen for a small department within security to be the ones that, you know, run. We have cyber threat intelligence. You know, they sit in the corner. They're the ones that are doing it. But more so it being part of every single part of the organization for, you know, risk management to incident response.
[00:34:58] Speaker C: So how would you go about engendering this threat intelligence, being larger part of the organization? Because I get it. I just think that, like I've spoken to so many cyber people on, like 40, 50, 60, 70 topics, etcetera. And every time someone speaks to me about something like, oh, that's so important, but then the next person I interview, like, but that's more important. So what would you do about that?
To encourage that sort of adoption towards threat intelligence with your experience?
[00:35:25] Speaker A: There has to be a little bit of a PR campaign around it, first of all. So you have to definitely demonstrate the value of how this intelligence can help your operation. This is how it could help your ROI. Basically, you'd have to start, I would say, top down, dealing with the C-level, showing how threat intelligence can help you help your team focus on what's important right now. So these are the main threat actors that are targeting our sector. These are their TTPs. This is, you know, these are some of our vulnerabilities because we have this intel, we now could have the team focused on responding to all of that. And then also it helps with budgeting as well. So then, you know, okay, so if these are some of my weaknesses, these are things I need to keep track of. Maybe if my biggest weakness is what you can see right now is, like, human error. And most of the threat actors that are coming for us specialize in social engineering. Okay, let me then devote resources and money to building out a more social engineering program for the folks at the organization. And so kind of starting it from that way, from the top down, showing what their pain points are, understanding their pain points, and then saying, this is how threat intelligence can play into it. And this is why you'll see an ROI on it, because it really, if done correctly, they really will see the ROI. I mean, some of the best organizations that I've worked with, they have, you know, the best. They are what I call a very threat intelligence driven organization. And you can see it across the whole organization. It's something that they really value and they listen to. But it definitely took time. You know, it took time to get leadership on board because that right away, it's not something you see. You don't see the immediate effects right away. It, you know, it has to take time.
So if you can start small, and especially a top down approach, I think that is how it would be most beneficial.
[00:37:39] Speaker C: So, Mary, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:37:44] Speaker A: I think for those who are on the path of kind of playing around with cyber threat intelligence, I really do encourage you. There's a ton of different open source platforms out there, different feeds out there and just really devoting some time into seeing how it could benefit you and your organization. I was just speaking with someone recently, a couple days ago, I think it was at Black Hat, and he was saying that he never really saw the value. He's working on the SOC team, and he didn't really see the value of threat intelligence until he attended a talk at Black Hat. And he was so inspired by it, he went online and downloaded all these open source platforms and these different feeds, and now he's totally, he's like, you know, he's started off very knowing nothing, and just after a couple of weeks, he feels like he's built out a stronger, more resilient cyber program for his company.
[00:38:54] Speaker B: This is KBKast, the voice of Cyber.
[00:38:58] Speaker C: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:39:06] Speaker B: This episode is brought to you by Mercsec, your smarter route to security talent. Mercsec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and midstream sized businesses scale faster and more efficiently.
