Watch On-Demand: How CTI and Risk Management Unite as Cyber Soulmates

Jerry:
Hey, everybody. We’re gonna get started in just a minute or two. We’re there’s been some problems with the the platform sql.io this morning, and so we’re just gonna give it a few minutes, um, for people to get in. We even had some hard time getting in and using it this morning. So hang with us. We’ll get started in just a minute or so. Okay. Alright. Well, thank you everybody for joining today. Apologies for the problems we’re having with, uh, SQL. It is not a query problem. I have no idea what the issue is here. It’s just one of those things where if it can go wrong, it does go wrong. Um, but I wanna thank you all for taking the time to join us on this join us on this webinar. Uh, we’re here to talk about we’re gonna have some fun. Joe, uh, Joe and I are gonna have some fun on this one where we talk about how CTI and risk, uh, find their match and switch cyber soulmates. And, yes, those are words you’ve probably never heard from a tech company before, but if you’re not having fun, I’d argue you’re doing something wrong. So I think well, they can let me go to slide two. It’s gonna be a really short presentation if it didn’t. Um, so I’m Jerry, by the way. I am a risk guy. I run our risk, uh, business here at ThreatConnect. So just to give a quick overview, ThreatConnect, um, is real is a is a company where our goal is, uh, threat informed, uh, threat informed risk defense. So in other words, we’re combining threat intelligence, risk quantification, and control effectiveness in order to help companies understand what the impact of a threat is, what they should do about it, and what are the right compensating controls. I do risk. I am a risky person. And in fact, I’m so risky that my colleague, Andy Pendergrass, who was supposed to join me, was not able to join. That’s why you’re looking and going, who is this guy? Who is this random person? Who is who is this random per he this that’s actually Joe Miller. Andy Pendergrass couldn’t join. Joe, why don’t you introduce yourself?

Joe:
So you’re me. Good to meet you, everybody. Uh, as Jerry said, my name is Joe Miller. Um, I run, uh, some of the product teams here at ThreatConnect on the polarity and the CAL side. So I’m a threat intel slash data guy more so than a risk guy. And I’m excited to talk about how we, you know, we fall in love between threat and risk.

Jerry:
Like I said, this is gonna be the most unique presentation I think that’s been done in cybersecurity. So when we when we started talking about this, uh, the question you might ask is why are we doing this? Like, why are we here together? And the reality is often we think about security and security terms. The business thinks about the business and risk terms and and the two do not meet. But the reality is they are meeting. They should meet and they have to meet. And they have to meet because in the impact of breaches is high. The ability of threat teams to get through all the threats and analyze them correctly is low. And we have to do something different. And that’s really what we’re here to talk about today. Okay. So this topic has been near and dear to our hearts for a while. So we we at ThreatConnect have been working on this problem for a while now. But I think what are the and you can actually see that in the bottom right hand corner. That is a presentation from, uh, RSA back in 2016 when Wade Baker, who’s now runs a company called Ciente Institute, uh, was at ThreatConnect that he talked about the marriage of threat intelligence and risk assessment. Now it’s been nine years. We haven’t been working on it, uh, continuously for nine years, but we were working on it for a long time. Um, and then a couple of years ago, a year or two ago, Mandy had, uh, put out a paper called Better Together. It talked about integrating cyber, uh, threat intelligence with risk management as well too. And the reason they did that, if you actually go through and read the white paper, it’s a decent paper. It’s a decent paper that talks about the theory of what can be done, not the practicality of what you should do. So it was it was great to kind of provide that guidance, but how do you actually do it and actually what that means is is a little bit harder. And so what we wanted to talk about today is actually guide you through, like, we we jokingly talk about it as, you know, cyber soulmates, but the reality is there are a lot of practical, tangible things you can and should be doing and we’re gonna talk about those, uh, today. Alright, Joe. So why does this matter? Because we’re a match, Joe. You know, we’re we’re a match here.

Joe:
We just don’t we just don’t fully know it yet. We are a match.

Jerry:
Um, I I don’t I don’t know about you, Joe. I’ll talk I’ll talk about my experience and I’ll ask you to kinda to answer the same question with the question being, do you see threat and risk teams work together? Now and I’ll say, I see a lot of our risk teams and threat teams, even when they are all under Cisco or in the security organization, they really don’t talk or work with each other. I don’t see a lot of cross pollination. I’m not sure if you see that.

Joe:
Um, not as much. I think we’re you’re starting to see it a little bit more, and people are starting to have those conversations and be a little bit more interested. Like, the, you know, the the profiles are popping, but there nobody’s swiping yet or anything. Yeah. No one’s swiping.

Jerry:
I’ve been married a long time, so, thankfully, I don’t know whether it’s right or left. I think right is good and left is bad, if I remember correctly.

Joe:
Uh, I should know this. I met my wife on a dating app, and I think that’s right.

Jerry:
Alright. So we’re not we’re not getting the CTI team and the risk teams to swipe right on talking to each other. And I think, um, part of the reason why is because, well, you know, there’s a book that says men are from Venus, women are from Mars, or the other way around. I think the problem is, you know, CTI teams and risk teams talk differently. Joe, how does CT you know, why don’t you take the first one and talk about the the the threat intelligence piece?

Joe:
Yeah. I mean, threat intelligence lives in the world of of a threat. Right? It’s like I have this doctor that is potentially trying to hack me. I have this vulnerability that I need to pay attention to or I need to patch. I have these IOCs or these incoming indicators that I need to triage and I need to pass down to my SIM to be alerted on, to block. So then we talk in the in the realm of these actionable things like IOCs and attack patterns and these actors that I have to pay attention to and develop reports around and things like that. It’s just not and then I don’t I don’t look at it in the term of, oh, is this is this actor a risk to me? I look at the term of, oh, this actor is I need to pay attention to it. I need to monitor it, and how can we stop the actor from getting in.

Jerry:
And risk teams look differently. Right? They’re thinking about, well, what would happen if our key system where we generate our revenue goes down for five days? Or what happens if all of our data gets stolen? Or what happens if our supplier from this foreign country gets impacted? Or if you happen to live on the East Coast, I think in the Southeast and you’re dealing with hurricane Aaron coming through. What happens if one of our What happens if power gets knocked out to our offices? How do our people work? They think about impacts to the business. And so what we end up with is different languages. We talk past each other. And I think that’s been a common challenge is how do you define a lingua franca? How do you define how do you create a way for the two organizations to talk to each other? Yeah. So I I love this this note about, um, I’ll I’ll talk about the the the the risk piece, and that’s is that doctor Phil in the middle? I think that’s is that doctor Phil? I’m

Joe:
pretty sure that’s doctor Phil.

Jerry:
Yeah. Okay. That’s doctor Phil. Sorry. But, uh, I think this is funny. Right? So if you think about it, when we when we think about risk, when we think about risk quantification, we were just talking about this this morning internally at ThreatConnect. You know, risk quantification is a function that is a is a feature that we use to basically say, does a threat that’s facing my organization actually matter based on the impact and the compensated controls I have in place. Um, and Joe, I know CTI is a little bit different. Like, you talked a little bit about this, but you you you kinda have a different view of of risk there as well too. Right?

Joe:
Yeah. Yeah. Right. We’re looking looking at risk from that angle of the the actor from the IOCs. Like, is this is there a risk in this person getting into my environment and accelerating or executing ransomware or sending a phishing email to somebody in the product team that they click on and they shouldn’t click on. Right? Like, we look at it from those types of risks, not a, like, overall risk perspective.

Jerry:
Yeah. And I think and I think that’s where we’re starting to see some of these things actually come in. And so whoops. And so the question is, now because we decided to have fun with this one, is how do we help risk and threat find love together? For those of you who don’t know, and I admit I read this book a couple years ago, the five love languages, and you can read them there. Acts of service, quality time, words of affirmation. Um, now physical touch and receiving gifts. And we’re not gonna talk about all of them. We’re just gonna pick on a couple of these.

Joe:
Because People are only two. Right? Not everybody is all, so. Really? Yeah. Yeah. Yeah. Most people have two main love languages.

Jerry:
Okay. See, you know what? You do this presentation and you think you’re gonna share knowledge and instead you gain it. I love that. Very cool. I mean, yeah. Okay. Now now Joe’s got me thinking, so anyway, I’m getting distraught here, but this is a good problem. Um, we’re not gonna talk about all of them. We’re gonna talk about three, not two. We’ll talk about three of them. That’s good, Joe. I like that. Uh, come on, machine. Alright. Um, so, Joe, why don’t you start with this one? Why don’t you start on the threat side? I’ll I’ll jump in.

Joe:
Right. So on on the threat side, like, I kinda alluded this before. Right? On a threat analyst, right, you spend time drilling into the data. Right? You’re reading Twitter. You’re reading a blog. You’re reading a new report that was put out by Mandiant or CrowdStrike. You’re taking that. And then if you’re a hunter, right, you’re hunting and you’re actively going through your data to see if there’s anything that might stand out or anything that’s anomalous. Um, you’re doing the research that’s there. You’re reverse engineering malware that’s come through. You’re doing the IOC correlation in the thing like like ThreatConnect. Right? You have a lot of IOCs coming in. You’re calling altogether, helping to prioritize it, and then push that down to other things to to catch it and block it or or things along those lines. You’re doing CVE research. Right? If there’s a new vulnerability like the SharePoint vulnerability that came out a few weeks ago. Right? It’s okay. Is this thing in our environment we have SharePoint? Do we need to patch it? How are we gonna patch it? What are we gonna do? And then you have to take all that, put it together, and you have to report out. Right? You have to know what is happening, what is here. If if SharePoint, we do have SharePoint, I need to come up with a report on how why we’re affected, if we’re not affected by it. Um, what are we doing about it. Right? You have to report that out to your stakeholders, whether that be a SOC team or your shareholders or the CISO or the board or whatever it is, you’re doing those different levels of reporting.

Jerry:
And it’s funny because the on the risk side, we think about the lot of things that are different. So SEC filings. Um, the SEC not that long ago, a year or two ago, basically said to companies that if they have a material breach and breach, they need to publish it. Or they need to publish a, uh, I think it’s a 10 k or an eight k, uh, or 10 q, I forget now, um, on it. And they also need to, as part of their annual reports, actually talk about their risk management processes. Riveting stuff. Kinda interesting. Some people put a lot in, some people don’t. Um, you know, we talk about enterprise risk meetings. We talk about impact versus likelihood calculations. Like, I can’t tell you, like, the those two words impact and likelihood are part of almost my calculations of my children on a regular basis as well too. I will admit lunch is one of my three favorite meals of the day. Um, so it’s it’s up there for me. Um, and then heat maps. We talk about heat maps and how much we hate them and how much we love them. Um, but really, you know, the whole goal of risk is to help organizations understand and create a strategy for accepting, transferring, and mitigating risks. That’s that’s really what it is. That risk mitigation planning is huge. And then you’ll notice at the bottom there we actually have stakeholder reporting because, shockingly, we actually do have to report to stakeholders about risk. And so you start to see there are ways to kinda link the two things together. So we do have commonality. Now what feeds into a stakeholder reporting for a threat analyst might be different, but the conversations are linked because the threats that Joe was mentioning are materialized as risks. And so the question then is, what might that look like? So this is the risk side. I’ll give Joe, and then in a minute that I think yours is the next slide where you can talk about what’s coming up there. Um, but in terms of stakeholder reporting for a risk analyst, heat maps and then risk register. So you can see a heat map there. And I’m I’m normally not a fan of heat maps only because most people treat heat maps as a thing that says, hey, take the dot and just move it a little to the left, or move it a little to the right, or move it down. When it’s backed by empirical data, I’m comfortable with the heat map. And so that’s how we we approach that problem. Um, and then on the risk register side, that is kind of the crux of what risk management really boils down to, which is and if you think about nothing more than a than a risk identified in a risk register, it’s what is the item I’m looking at? What’s the description? What’s the severity? What’s the impact? Likelihood. Um, and then some metrics and action plans so you can either choose to mitigate or accept that because not every risk has to be actually mitigated. So that’s what we think of in terms of stakeholder reporting. And, uh, there’s a question. I’m gonna kind of address it here. Uh, if you have questions, please feel free to to drop them in. And the question is, does Direct Connect have any capabilities to provide a geofocused heat map? Possibly. I mean, definitely reach out. I’m I’m not a 100% sure what you mean there. We have something that might help you. Um, I don’t know. But, uh, if you would like to reach out, we’re happy to walk you through kind of how we approach that problem. Maybe we do. Maybe we don’t. I’m I’m not sure.

Joe:
We don’t have built in we don’t have built in maps. We do have a heat map that you can build in the platform. So and I do believe we work with GeoData. You can define your own attributes. So there might be something we can do to to take a look at that. I guess it would just depend on what type of heat map you’re referring to. If you’re looking at a globe where certain, um, countries are highlighted in different colors, we don’t currently have that capability today. But we do have native heat map stuff built in, which we can talk through.

Jerry:
Yeah. So, Joe, you wanna talk about reporting for a threat analyst?

Joe:
Yeah. Yeah. Right. So if you’re looking at a threat analyst, right, and how stakeholder reporting works here is threat analyst now have spend a lot of their time in the the TTP world. Right? You’re looking at your the micro attacks and mapping adversaries to what you have, um, what you have covered in the the attack space. So I can say, hey. We’re really, really good at phishing controls. We really have this down. So we know we know this is this is good here. Right? But, um, so when something comes through and I’m reporting on it and writing a report for that stakeholder, for example, I can say, hey. Our phishing our phishing controls are very good here. We know that this we have we’re covered here, for example. But on the other side, right, if something comes through from a a ransomware or anything along those lines, we we aren’t covered here. And we know that we have gaps from the security standpoint and what that can mean. So we try to, um, essentially write a write reports and tailor that around these attack techniques.

Jerry:
Yeah. And so this can be to Joe’s point, this can be anything from CTI, detection, engineering, threat hunting. Like, there this I think the number of times I think I think MITRE is kinda becoming, Joe, if if I said it, the the lingua franca for for this kind of It is. For threat

Joe:
analysts. For sure. Yeah. We’re seeing a lot of customers and prospects and and folks start to start to look at threat from this this space. Right? How do how do my threats map into this attack space from the MITRE standpoint? And then you’re also seeing folks take that a little bit further now with the MITRE defend frameworks and the attack as well. MITRE MITRE MITRE.

Jerry:
Sorry. My computer decides that it doesn’t wanna work together. So do the two look good together? Now we have to throw in a Harry Potter thing because, you know, this is, uh, two tech guys talking at the end of the day. Even though Joe and I don’t get to write code anymore, we both grew up writing code. Um, because we’re still speaking different languages. Right? We’re still speaking different languages. But there is there is potential here. We we can start to to link these things. So in terms of words of affirmation, I’ll go first with this one. You know, one of the things we love to hear on the risk side is that the board is pleased with how we’re reporting and managing arrests. Right? That’s really important because at the end of the day, boards typically are have a not only a fiduciary responsibility, they have a liability when it comes to risk as well too. So it’s important that they feel like that’s being done well for them as an organization. Um, you know, metrics. So you think there’s no metrics in risk, cautious metrics in risk. Like, hey, we closed out 10% more, uh, risk than we did last year. But I think I think the biggest one that every risk analyst wants to do, nobody wants to just be good at reporting or closing tasks. They wanna provide tangible value to the business. And so when an analyst when a risk analyst can say, you know, I identified a risk. It’s gonna cost them money this much, but we put a mitigation plan in place and it’s and it’s gone. That’s what that’s the goal. Right? The goal is not just to report on or talk about. The goal is to mitigate risks. Now, again, we can talk about mitigation or transfer, acceptance. At the end of the day, we wanna we wanna get risks out of the organization. And so that last one is huge for us. And so, Joe, I know you’ve got some different a different view on this one.

Joe:
Yeah. And then for us, right, as a threat analyst, what you wanna hear is, hey. From your SOC team, hey. The article you published really helped. We’re able to find something in triage based on the new report that you put out. That that feels great to us. Um, were you, uh, we were able to automate and remediate x number of IOCs. Right? So as a threat analyst, you’re coming up with, hey. These are the new IOCs to pay attention to. This is the priority. And on the the other teams, right, they’re taking that and automating that and remediating things. So those IOCs can’t hit our environment and they’re blocked and things along those lines. And then finally, right, it’s it’s a, hey. We’ve we found a threat in the system that hadn’t been detonated and we sent it. Right? Like, that’s the that’s a great thing for us. Right? It’s, hey. We know there’s this threat exists that’s out there. We found it from a threat hunting perspective. Right? And we stopped it. We know that they just got in yesterday. We’re able to identify it very quickly based on a report that you put out, and we stopped it. We blocked them from going through. We shut it off on the systems. We stopped them before they got anything or did anything that could have been devastating to us, which we we I mean, that’s those are those are ideals for us.

Jerry:
Right. And then again, we are getting into potential matches. So we’re starting to find through these two different love languages while there’s some differences, there’s actually similarities in in how we approach, um, how we approach these these problems. And so then the question is, how do you link them? Right? And and the very first first thing you have to do is build that shared language. We kind of alluded to it. Right? I mean, Joe, we talked about this. This is, I think, where MITRE is a is a way up. Yep. I mean, you you mentioned you see this. How often is how often are you seeing MITRE in in kind of the SecOps slash ThreadOps world?

Joe:
Oh, it’s it’s constant. It’s the it’s the way people are starting to communicate now. It’s everything is TTPs. Everything is mapping actors to TTPs and mapping IOCs to those, and it it’s it’s the way forward. It’s it’s definitely that that middled that language that’s been adopted across a lot of companies. And then some companies that are less mature, right, they might not be there, but they’re trying to get to that space.

Jerry:
So what’s interesting is, um, I spent a lot of my days working with risk teams, and I’m finding the risk teams fully understand MITRE as well too, which is which really surprised me at first when I first started hearing that. So they’re talking about risk using MITRE as well too. And part of the reason is they’re worried about different kinds of attacks and different kinds of things happening. And so but even still within organizations, we don’t see them linking up together. And so but I do think we’re starting to find that that common, um, that common language. Um, and so being able to then link the inputs with the reporting through some workflows lets the Pacmans meet in the middle. I like the Pacman. You can tell, uh, we have some fun building this slide deck. Next slide. So, now we talked about common language in terms of MITRE, but I think there’s more than this as well too. So what what you’re looking at today is is is a risk, period. That’s a risk, right? It’s a threat end of times of vulnerability equals the risk. So the threat is, as an example, a known ransomware group is targeting companies like us at a decreased frequency, the vulnerability, maybe our EDR controls are weak, we actually have a literal CVE, we don’t train our people well for phishing emails, by the way. I’ll give ThreatConnect credit for this one. We do. Because yester apparently, my I didn’t even realize this. I celebrated a five year anniversary here, and I got an email from my boss. Well, no. Here’s a gift card. I’m like, that’s not right. That’s just not right. And he talked to me later. He goes, no. That’s legit. I’m like, no. It’s not. He goes, yes. It is. I’m like, no. I can’t click it. He goes, you can click it. It’s okay. I sent it. Like, we do train well, and even people like me can learn. So if people like me can learn, vulnerabilities can be reduced. But then those cost those those create a risk. And so this this common language this is by the way, if you’re if you’re in security, this is the CISSP formula for for for, uh, risk. This is not like super special sauce. This is three bullets in a PowerPoint. But the point is, yeah, there is a common language. This can be done today, and it is relatively simple. But how would CTI support, uh, CRQ, Joe?

Joe:
I mean, it’s kind of along the lines of what you said. Right? Like, having that prioritized actor and profiles. Hey. Here is our industry. Here is the the biggest threats to our industry. And then, hey. We’ve seen these things from an external, from internal perspective. We have all this vulnerability intelligence that’s out there. How can we take that intelligence and map that to what we currently have from a risk perspective and and send that over to the risk team to communicate there? Um, and then again, you can even get more granular on, like, the detection engineering side if you’re looking at malware and detections and and how we can help make that and send that over to you to become more resilient. Right? Because, hey, we have this we have this new detection engineering team now that helps to fill the gap for us because maybe maybe now ransomware is not gonna get detonated anywhere because we’re able to catch it and that helps to mitigate mitigate those risks for your team.

Jerry:
Love it. Um, I I will say what doing risk, I do see I am starting to see some of this come in. Like, um, you know, we we get asked all the time, hey. Can we take a an actor that we’ve seen only in our SOC? Right? We’re we’re not publishing it. This is not publicly known. This is unique and custom to us. Can we see what that risk would be if that actually attack works? It’s seen we can and and so we are sitting starting to see that internal threat sightings be a big deal, um, that companies wanna know what it really means to them. Because it’s, I guess, the way I’ll say it’s it’s your bespoke threat intelligence instead of kind of the off the shelf, um, threat intelligence.

Joe:
It’s a big space now, especially from an insider perspective, because that’s been a tough topic over the past year or two. Right? It’s like, hey, what are my internal threats as well?

Jerry:
Yeah. Um, and of course, you know, we’re finding, um, great ways for risk to support CTI. Um, you know, I’ll back up a second here. I’m not like I said, I’m not necessarily a TI guy, but I’ve been with ThreatConnect long enough to know how to spell TI. And one of the things that I’ve I’ve heard often is TI teams, CTI teams struggle with showing the value they bring and the why or the how does this matter to the business? And so I think one of the things that risk can provide them is business context for prioritizing threat intelligence. You know, if you’re worried about so I’ll give you a really specific example. Uh, we’re working with one of our customers on the TI side, he’s a TI customer. And he said he came to us and he said, look, I I report to the board, and I was a little surprised at this, pleasantly surprised. He said, I report, um, I have a list of the top 25 threat actors we face, uh, we’re worried about as an organization. I said, cool. He goes, look, I call those, I analyze this, I create the top 10, and I and I send it to the board. He goes, but it’s not it’s not really data driven enough. It’s not catching the board’s attention. They want it, but they don’t do anything with it. I said, what if we can help you show the impact of a successful attack by those threats and and where you’re missing those controls? And that’s exactly what we need. And so he’s using that to help operationalize his threat intelligence, turn it into action. Right? I mean, at the end of the day, knowing something is good, acting on that knowledge though is what we’re in security really all about. And I think that’s how CRQ can and does and will support CTI in the future. Yeah. That’s me not cursing, um, on a webinar that’s being recorded. So it’s interesting. When you think about it Joe, I don’t know the intelligence life cycle. Well, do you wanna explain that that’s I I’m not that guy.

Joe:
Yeah. Yeah. I mean, it’s it’s it’s a life cycle. Right? There’s different ways in this different life cycles that are start to pop up now, but it’s essentially planning and detection. Right? Planning planning and direction. Sorry. Not detection. The text engineering side of me is coming out. Um, planning and and direction. Right? So taking intelligence, how can we plan? How can we gather what we need based on that plan? How can we process it? Take the intelligence and information we have. Right? Process it and then help to prioritize or analyze that production, and then disseminate that information out to the stakeholders that we that we talked about before. Right? So it’s that constant that constant cycle of, I have this information. I’ve disseminated it. Okay. Cool. There’s this new thing. How can I plan? What can I do? I gotta get the information. I have to analyze it and process it, and then we disseminate that out.

Jerry:
And then on the risk management side, you end up with similar you end up with similar concepts where you have to have both identify, analyze, assess, treat, and then continually, um, monitor it. But we do see that linkage in the analysis. Right? Because you’re analyzing risk, you’re analyzing intelligence, linking the two together enables you to do something that says, well, alright. So what if for example Joe’s team comes up and goes, look, here’s a threat actor I’m worried about. This is their motivation. We see them using 23 techniques and four exploited vulnerabilities. That alone doesn’t tell me much as a business. It’s nice to know, but it’s not something I can go act on. Whereas if you can add the risk piece to that and go, well, actually, turns out that CLOP is actually coming after these two systems. Turns out we have some control deficiencies here. We know that there’s a billion dollars in revenue at risk, and it’s got a lot of sensitive data. Oh, okay. That made the informative risk something I have to deal with, and then b, it gave me ways where I can actually go fix it because I know what my control deficiencies are. Is there anything I missed on this one, Joe, because that you need to add to this?

Joe:
No. I mean, it just being able to give that context and then that feeds back into the the CTI teams and then the other teams on the security side to go be able to get the money or whatever it is for the business to support them to control those risks and reduce to control the to implement the controls and reduce those risks. It kinda makes that makes it in and of itself a nice cycle.

Jerry:
Yep. Love it. And then reporting. What does that look like? There’s there’s lots of ways to think about this from a reporting perspective. Um, again, the way we like to think about it, one of my one of my, uh, soapbox items, and I have a handful, But one of my soapbox items is when you’re communicating threat and risk, because I do believe the two go together, like a double helix DNA. But when you’re communicating them, you’re gonna want you should talk about them linked or or at least with a traceable view, uh, all the way from the board down to the bite. Right? And so what a board thinks about, uh, is things like, what are the business assets? Where’s my revenue? Where’s my records? Like, where’s my business data that I as a board member, I as a profit and loss center manager, somebody managing a line of business worry about? What do I worry about? By the way, I don’t know if it looks like it, but the lines in my slides are straight. I don’t know what is going on with SQL, but they don’t look right. Do they?

Joe:
No. They look they look straight, to me at least. I don’t know. By anybody else.

Jerry:
I remember my monitor’s crooked. Sorry. I got two monitors. One’s level. One’s not level. Sarah, this is I blame our our our events coordinator, Sarah. I mean, he’s a threat we have to deal with here. That is just something we normally, um, move past, and now I’m gonna get in a lot of trouble for that one. I will pay for that later. Um, so what is what is the so, again, if you think about linking the risk all the way down, um, from the board down, it’s what is the risk? Well, I could lose a $150,000,000 because my system got hit because I’m bad at detection controls, for example. And then Joe Joe can come in with the CTI or the SecOps perspective, and he can talk about kind of what that means as as an example.

Joe:
Yeah. So right. So you have this this threat that’s there. You have a group, whether it’s pop or player or whatever that’s out there. Right? They have these these particular CDs they use to exploit, and they tend to go after these types of crown jewels, whether it’s a a database server for credit cards or whatever it is. And then there’s these seven ways or seven methods, the TTPs, that they use to execute and go and and attack that system. And by having that context, right, feeds back into the risk side to say, hey. There is this cycle here now. So now we can now we can know from the threat perspective and provide that context to risk. It says, hey. Yeah. Here’s the things that are tracking us. Here’s how they work. And then, oh, by the way, based on what you said, we don’t have that control in place or we do have that control.

Jerry:
And then it gets us so this has been so if you notice in this reporting section here both on this slide and on this one, um, if you’re a risk person, you’re starting to see the value, you’re starting to see, yeah, I get this. Um, if you’re, um, um, running a line of business, this is great. You you get these kinds of stuff. On the threat side, it makes a lot of sense, but you’re probably like, man, there’s gotta be some more meat to it. But the reality is there there is more meat to this as well too. You can tie down to vulnerabilities and specific endpoints. Right? You can get literally as granular as you want to go here’s what I’m dealing with, here’s that revenue, here’s the data, here’s the crown jewels, CVE1234Technique1059, and I don’t know what those two are. And then what, uh, on what endpoint. Like linking that asset down all the way to the endpoint I think is incredibly unique. And then when you look at it like this, you can see, well, alright, so as an organization I’ve got threats that hit my business assets, I got threats that hit my IT system, I got threats that beat controls, I got threats that beat vulnerabilities, or that that, uh, use vulnerabilities, I got threats that exist on endpoints. Threat intelligence and risk are completely intertwined. I just think most people haven’t linked them together. I don’t know if I’m missing anything on this, um, Joe. No. That’s exactly right. And then finally, we get to the fun part. Right? Which is report why don’t you tackle this one? Because this is, I think, the where we get into some combination of risk feeding TI.

Joe:
Yeah. So this is in in all caveat caveat. This this is available today. Right? You can do this today in the platforms like Jerry’s kinda mentioned to you before. But from that threat perspective, right, you’re living in the world of MITRE, you’re living in the world of TTPs and mapping these threats to TTPs and indicators to threats and and so on and so forth. But now with the combination of that risk, I can have an a complete understanding and say, hey. We know that based on our industry, if this particular control or this particular TTP not control, uh, would have been executed or something would have happened here, it’s gonna cost us x amount of money. Right? And you can tailor that based around your your company, based around scenarios you’re running, and really kinda get granular to say, hey. We have these controls in place, and it’s gonna cost this much money if this thing fails or anything happens here. So as a threat team, you can now have that risk perspective or that financial aspect and say, hey. Okay. We need to prioritize and monitor the threat actors and IOCs and and everything else that’s exploiting this particular attack technique or this particular attack technique so we can help to mitigate that risk and lower that exposure. The combination of two is very powerful from a prioritization perspective, from a threat team.

Jerry:
And so this is an example we took from a customer. Um, so we got asked by one of our customers, and again, I think I got asked this question by one of my customers, one of the CISOs we work with. Um, they said, uh, they’re worried about a group called RipperSAT that’s attacking universities. Not a TI guy. First thing I did did was, am I being told the truth? Is that a real name? Who is Ripper Sec? I’m sorry?

Joe:
I said, who is Ripper Sec?

Jerry:
That was my first question, Joe. Yes. You might know better than I do. I had no idea who that was. Um, but I looked it up, and it’s a legit threat group. I was like, okay. That’s kinda interesting. So as, you know, a a non threat person, leadership in the university had no idea who this was or what this group was. And and the challenge is we knew what the TTPs that the group is using, but the university by almost definition or mission is wide open. Right? It’s open to visitors, students, and faculty with very limited interest purposefully. Like, universities are built for collaboration. And so the the struggle they were having was how do you communicate again, you heard me say it’s I didn’t know who the 3% people were or what it was. But how do you communicate to leadership that they have to change something when it, a, is against their culture and mission, but b, that the threat is real. And so what the CTI teams did was they went and actually looked at the exploitation trends, they looked at the behavior, they looked at similar groups who who who have done these kinds of things. Um, they’ve looked at the attack vectors, and and they’ve said, how is this how does this all fit into our overall threat profile? What the risk team did was the risk team went in and said, okay, you know what? Let’s go in and let’s see what happens if we were to get hit with something like this, or what the operational impact was. And And by that I mean, even if you don’t lose money or they don’t steal data, like, you still have to clean these things up. Right? You’ve gotta go in and refresh machines, put in your Like, it costs money to clean these things up. Mhmm. And so, at the end, the outcome similar to the output, something similar like this, not the exact numbers, were was an analysis that said, hey, you know what? If you were to, you know, your impact is about $10,000,000, you know, 25 to 50% likely. We we kept it really, really simple. And and what you needed to put in place was some anti DDoS controls. Um, and then your ROI on any investment, if you were to do this, would be about 25%. So it really became very easy for the organization to have to understand what not understand necessarily all the details about the the actor, but understand that this is a threat that’s facing us and here’s the impact and oh, by the way, we have a way to fix this. Like, and I think that’s the piece that’s been missing when it comes to threat intelligence which is what do I like, how do you say till you talk about it? Am I affected? Is that is that how you you talk about it?

Joe:
Does this matter to me? Am I affected by this? Do I do I need to care about this as a threat analyst? Right? You look at you look at data all the time constantly. And how can I know that I need to care about this? How can I prioritize it?

Jerry:
Yeah. And I think that’s I think that’s just incredibly important. Go ahead. I’m sorry.

Joe:
Oh, no. No. Yeah. Go ahead.

Jerry:
K. Alright. Final thoughts. I think we’re wrapping up. I think this is our last slide or maybe we have one. I think this might be our last slide. Um, so if you have questions, feel free to ask. Otherwise, uh, we’ll we’ll kinda hear our last slides and final thoughts. And then, you know, one of the best things we can do for you is always give you time back in your day. Like, you’re technically in a meeting till 01:00, I think. Right, Sarah? Is that how long this is on the calendar for? So people are seeing meetings in their calendar till one and they’re going finish fast so I can have time back. Um, she she didn’t tell me yes or no. Uh, see I told you I’d get in trouble for making that joke from before. Oh, yes. So here’s, we’re gonna flip the roles. Joe and I are gonna flip our roles right now, Cause I’m gonna read and talk about the first one and he’s gonna talk about the second bullet. I believe, this is a belief, that for threat intelligence not just to evolve, but to be really, really useful for an organization, it needs to show business value. Period. Otherwise, it’s a nice to have, not a need to have. I think threat intelligence has to be tied to business value, personally.

Joe:
Joe, what do you think about risk? Yeah. I mean, I think risk is the the the missing piece in a lot of the security world in in in my opinion. Right? There’s you have all of these and and by risk, I mean, business risk. Right? It’s we we have risks. That cyber has risks, the threat actors are risk. This but after using this IOC is is a potential risk, and it’s just a different risk appetite. But that business risk is necessary for an analyst to say, hey. This this matters to the business in in me. Right? It’s not just this actor I need to pay attention to, but, hey. There is this value associated with this. We know that this is something we need to pay attention to from a business perspective just helps that that prioritization that much better. And it’s it’s key, and it’s a it’s a big missing piece. Yeah.

Jerry:
Um, we do see them coming together. Right? We do see them coming together. MITRE attack, I think it’s gonna be the big one. Like, we’re seeing more and more organizations use MITRE to link the two together and then communicate up. I think that’s one of the very concrete ways we’re gonna see that up. Um, and then finally, one of the I still I I still think it’s critical. I’m not, you know, kinda watching this one. I’m, again, with Joe, I’m not an expert, so if I say this incorrectly, please feel free to jump in and correct it. But, you know, it’s the threat profiles, um, when they’re prioritized with threat and risk intelligence together. I think that’s critical. But anyway, so my final thoughts are, I’ll I’ll give you my parting words, I’ll I’ll ask Joe to kinda give you his parting thoughts, and if there’s no questions, we’re gonna give you at least eighteen minutes back. Um, I think risk and threat go together sorta like peanut butter and jelly. If you think if you’re running, if you’re a threat analyst or you’re working in a threat or vulnerability world, I think you need to talk to your risk team. Um, I do, because I think that I think they can help you tremendously. And I think vice versa, I I encourage all my risk customers and and folks I talk to to work with your threat teams because you guys are you guys compliment each other. You really do. And so please continue to do that.

Joe:
Yeah. And and on my end, just tie it all back into the the initial dating app. Right? Like, we need to we we have profiles. We need to start swiping right as as Jerry alluded to.

Jerry:
We need

Joe:
to we need to start, um, figuring out that common language and how we can talk to each other more and get the business risk integrated into the the threat intelligence space and into SecOps as an analyst, um, might be a tier one analyst. But if I know that this is risky to me, I can prioritize it that much more for myself, and it allows me to take more ownership of things. So, again, like, we need to we need to start updating our profiles and swiping right more.

Jerry:
That’s good. I like that one. Alright. So we’re gonna that’s the takeaway, swipe right more. Um, I don’t think I have anything else for anybody. Uh, I wanna say thank you for the time. If you guys have any questions, feel free to reach out to us. We’re always here. Um, it’s been a pleasure. Sarah, I think this means I could probably hit the big red button that says end session. Um, you but you can’t see, but I can see Sarah in the background. She’s she’s either she’s giving me a thumbs up. So thank you all for joining. If you have any questions, please don’t hesitate to reach out. We’re always here. And thank you for your time. Yeah.

Joe:
See you, buddy. Have a good one.