How TIAA Uses Threat Intelligence to Enhance Security Awareness

Posted: 8th September 2016
How TIAA Uses Threat Intelligence to Enhance Security Awareness

Security awareness and strategic threat intelligence are mandatory elements of any organization’s ability to ward off cyber events. The threat landscape can appear vast and unwieldy, putting additional barriers in the way of creating a successful threat intelligence program.

During a recent webinar, Joe Walbert and Mike Kirk, senior information security analysts with TIAA, explained how they and their team use Recorded Future as part of a holistic threat intelligence program to promote security awareness while giving the organization the tools to proactively, effectively, and efficiently identify threats.

TIAA is the leading provider of financial services in the academic, research, medical, cultural, and government fields, with $854 billion in assets under management.

Enhancing Security Awareness

Walbert began the webinar by explaining that threat intelligence teams can assist security teams with awareness campaigns by providing information about threats that resonate with multiple audiences inside the organization, both technical and non-technical. He said that sharing relevant security stories with cyber contacts at TIAA pays large dividends.

External reference monitoring, he continued, helps them identify information that might pose a threat to the business. Technical indicators, sensitive information such as leaked passwords or usernames, and reference publish times can all be analyzed and correlated within Recorded Future to alert on potentially impactful future threat actor activity.

Kirk next shared how, through Recorded Future, organizations can monitor external references from social media, news stories, forums, etc. related to domains.




Recorded Future empowers users to monitor the open, deep, and dark web for credential leaks.

This search returned a rather large pool of results, but Kirk continued to demonstrate how Recorded Future provides the ability to further refine results. The number of references for a given URL then begins to bubble certain stories to the top of the list, helping threat analysts focus on what really matters to the organization. These “relevant contextual news stories,” said Walbert, “whether they’re technical or non-technical, will promote security awareness and let your organization’s employees get a sense of the threats and trends within a global context.”

Bringing Imminent Threats to the Forefront

The pair then demonstrated the Recorded Future API and how TIAA uses it to automate the application of threat intelligence. Using the API, analysts will “begin to see patterns emerge that may be included in strategic planning efforts."



TIAA uses real-time threat intelligence from the web for proactive event alerting.

Kirk also reviewed an approach to identifying all new vulnerability events reported within a given time period. The ability to focus in on a specific timeframe can offer up a clearer picture to threat analysts, and help them warn the organization about imminent threats.

Again, showing a query in Recorded Future, Kirk selected an event against a vulnerability and identified CVE to search within a source set for the NVD. This provided an authoritative list of vulnerabilities published within a certain period which could be exported and used to develop a threat framework and tracking mechanism for all related CVEs that a threat analyst could review, process, and rate.


Intelligence Cards™ for IP addresses, hashes, and vulnerabilities have risk scores.


Intelligence Cards™ include the latest information about a CVE published by NIST NVD.


This section summarizes other entities reported together with the primary entity for the Intelligence Card™.


Intelligence Cards™ include a timeline(s) of entity reporting for the last 60 days.

Additionally, Walbert showed Recorded Future’s alerting feature, which helps with “a programmatic approach” for vulnerability intelligence.

Turning Data Into Threat Intelligence

Kirk and Walbert wrapped up with a demonstration of how TIAA uses the Recorded Future Intelligence Cards™ and partner integrations to cross-correlate events and find additional situational awareness and context for threat indicators.


Intelligence Cards™ supply an on-demand summary of essential information related to a specific IP address or CIDR.


Intelligence Card™ Extensions provide complementary threat intelligence from other security providers.

The key, said the analysts, is to understand how an organization can operationalize and integrate threat information “to work smoother, faster, better, smarter, etc.” They continued to say that, by integrating with the Intelligence Cards™ and applying different available data sets, an organization’s analyst or incident responder is “better armed.”

To learn more about how Recorded Future is helping TIAA with situational and security awareness, watch the full presentation.