Looking at the Past, and to the Future, with Recorded Future

Posted: 10th February 2015

A Chasm Crossing Superstar

Recently, Randall Cronk, at the request of the MIT Enterprise Forum of Cambridge, sat down with Recorded Future’s CEO, Christopher Ahlberg, to learn about the company’s five-year history and to discuss the future of threat intelligence, what it means to the enterprise market, and how Recorded Future plans to address the needs of companies looking to improve intelligence gathering. The podcast of their conversation (January 14, 2015) can be found here.

Focusing on a Very Specific Problem

“The Web is becoming the place for cyber threat information,” says Ahlberg. While intelligence gathering is not new—governments have been employing intelligence staff for centuries (think: The First Punic War)—enterprises have been watching as peers get hacked, have their data stolen, and suffer the consequences. In many of these cyber attacks, the warning signals were there, if only someone had been looking and acting upon those signals. Ahlberg explained to Cronk that companies are becoming more and more aware of cyber threats, analyzing where they are coming from, what tactics and techniques the attackers are using, and trying to apply lessons learned to their information security programs.

“If you’re a bank,” says Ahlberg, “you might be worried about hacktivists taking down your Web banking infrastructure, like what happened with the al-Qassam Cyber Fighters back in 2012.” To understand the true risk posture of the bank, he continues, the bank’s security and risk staff might look at Russian or Ukrainian forums to see what’s being written. They may scour Pastebin to find the stolen credentials that allowed hackers to penetrate the bank’s network and gain access to vital infrastructure. Cyber criminals are using “ingenious ways” not to signal their plans, but digital data leaves a trail, one that can be found with the right technology, time, and people.

The Perfect Storm

Cronk asked why Ahlberg decided to found the company back in 2010, and why he chose to focus on cyber threat intelligence. What made the market attractive, and what has allowed Recorded Future to be successful?

“With threat intelligence, under the larger umbrella of cyber security,” shares Ahlberg, “there is a ‘perfect storm’ brewing.” What he’s referring to is the spate of cyber attacks on companies like Sony, Target, Home Depot, the government, etc. that ratcheted up the need for better, more timely, and actionable information on cyber threats.

Back in 2010, Ahlberg saw that larger companies, the ones most in need of this information at the time, were looking for new ways to arm their analysts with tools to assist in data collection. With cyber signals scattered all over the Web, in different formats and languages, analysts needed some way to collect this information and make heads or tails of it. But with “95% of [large companies’] budgets allocated to maintenance of things they already own,” he had to come up with a solution to a problem that was very specific, very urgent, and could provide value to a team already dedicated to finding threat information.

That solution was to introduce the idea of using machine data to help find, collect, sort, and present the data so that patterns can be found, analyzed, and acted upon. “Companies are so used to dealing with data and patterns,” Ahlberg says, that education wasn’t a barrier to adoption for Recorded Future’s future customers. The company was able to penetrate commercial markets by identifying a specific problem—how to more efficiently and effectively find cyber threat intelligence—and offering a unique solution.

Crossing the Chasm

Recorded Future now serves four out of five of the largest US companies. It has been successful because it enables customers to receive important threat insights quickly and easily.

Recorded Future mines the open Web to automatically collect and organize over 600,000 sources in real time, in seven languages. This allows customers’ analysts to research emerging threats, forecast cyber events, and scan the horizon for future events—a very specific need.

Crossing the Chasm, a book published by Geoffrey Moore in 1991, was the inspiration for Ahlberg’s growth plans for Recorded Future. He initially started selling to large government entities that had the need and track record of working with threat intelligence. After demonstrating value in the government market, the company began targeting large enterprises, those emulating government techniques of intelligence gathering.

Recorded Future has been successful because it has been able to cross the chasm by solving a specific problem in a unique fashion. Ahlberg is quick to point out the current infrastructure market allows all of this to happen relatively easily, whereas 10 years ago, they would have had to build their own massive infrastructure. Because they don’t, the company can focus on what it does best: turning the Web into analytical data that can be used for intelligence. “We’re not trying to reinvent threat intelligence,” concludes Ahlberg, “we’re just trying to help threat intelligence analysts do it more effectively.”