Challenge Your Threat Intelligence Assumptions: An Interview With Gavin Reid

January 11, 2018 • Amanda McKeon

Gavin Reid

We interviewed Gavin Reid, who recently joined Recorded Future as the chief security architect, focusing on next-generation threats and the role that threat intelligence can play in identifying and combating them.

He serves as a subject matter expert on information security architecture, threat intelligence analysis, and associated compliance initiatives. Reid also works with cybersecurity groups to ensure Recorded Future has the needed sources of data and relationships to be the premier provider of threat intelligence. Previously, Reid served as vice president of threat intelligence at Lancope, Inc., a network visibility and security intelligence company.

With over 25 years of experience in threat intelligence, he was a driving force behind the development of big data analytics and threat identification. This experience is exemplified in his role at Cisco Systems as director of threat research for security intelligence operations, where he led a team that developed new data analytics technologies to detect and remediate advanced cybersecurity threats. Reid also created and led Cisco’s Computer Security Incident Response Team (CSIRT), a global organization of information security professionals responsible for monitoring, investigating, and responding to cybersecurity incidents.

In addition to his time at Cisco, Reid also served as the vice president of the cyber threat intelligence group at Fidelity Investments and oversaw IT security at NASA’s Johnson Space Center.

Recorded Future (RF): Tell us a bit about your background in security. What inspired you to enter the cybersecurity world?

Gavin Reid (GR): I came to Recorded Future from Lancope (acquired by Cisco) where I was their VP of threat intelligence. At Lancope I looked into threats, how they were detected, and how could we make the product better based off those detections.

Previous to Lancope, I worked at Fidelity where I led their audit and pentest teams and created and led their first threat intelligence function.

Before that, I spent 15 years at Cisco. The last two years I created and led Cisco’s threat research and big-data teams, called TRAC (threat research analysis and communications). That team ended up combining with Source Fires VRT (vulnerability research team) to form the much larger team now known as Talos.

And for the decade before that, I created and lead Cisco’s CSIRT. That team started with me, grew to four in the first year, then steady growth over the decade until the team had 80 plus employees when I was pulled into starting TRAC.

And back in 1999, I came to Cisco from NASA at the Johnson Space Center. At NASA I started doing IT architecture, and eventually, took a role in charge of IT security for the site. I had a server that got hacked in the early 90s, while I was an admin at NASA — and my response to that event ended up with me getting all the security projects, and later, a full-time job in security, long before most organizations were even thinking about cybersecurity.

RF: Given the many career paths within IT security, how did you become a leader in threat intelligence?

GR: Being in charge of a large enterprise computer security incident response team, I quickly found that our incident detection tools were only as good as the intelligence we put into them. At the same time, other teams were coming to similar conclusions across the globe. With very little common research to go on, threat intelligence was one of the fastest-moving and highest-growth areas of security. That nexus of new capabilities to design and learn alongside huge growth is exactly what I find fun and interesting, so it was hard to keep me away.

RF: What can an aspiring security practitioner learn from your own career path that might inspire them?

GR: I believe that having IT operational experience as a base to build security expertise is an important step. I would recommend that people wanting to get into cybersecurity start with understanding how to plan, design, build, and operate large IT infrastructures. I have found that employees with strong operational IT experience have a much deeper understanding of security issues and potential impacts than someone who has spent a career fuzzing applications. Layering security abilities on top of existing IT skill is much easier than teaching a security “expert” enterprise IT management.

RF: Let’s talk about you joining Recorded Future. Can you describe your role at Recorded Future?

GR: As chief security architect, my focus is on next-generation threats and the role that threat intelligence can play in identifying and combating them. I work with large customers on how they mature their SOC, CSIRT, and threat intelligence teams. I help Recorded Future understand what these teams need and how to meet those needs within the product. I also work with marketing, public relations, and sales to help grow Recorded Future’s reputation in the security marketplace.

RF: What motivated you to join Recorded Future, and why now?

GR: I was a customer first. We used Recorded Future at Cisco and at Fidelity as a source for external threat intelligence. While leading Fidelity’s threat intelligence program, I visited Recorded Future’s Boston campus and was impressed with both the culture of the company and its direction. Recorded Future is positioned at the right time and place to become the source for how organizations consume massive amounts of external threat intelligence data curated to their business needs.

So I liked the company, I believe in the capabilities Recorded Future provides CSIRT and security teams, but even more importantly, it is a fun place to work with tons of smart, energetic people to work with. I am intrigued at the prospect of working with big data and analytics and believe that this study will be a part of the next stage of human development. Lastly, I really enjoy the founder, Christopher — if I had my own company I would run it just like he does with Recorded Future.

RF: Having used Recorded Future, how would you explain its value for customers and CISOs?

GR: Mature organizations have become very astute at understanding and responding to incidents within their corporate domain. Deployments of full packet capture and other security detection capabilities have provided in-depth understanding of events inside their organization.

Recent large-scale hacking incidents, however, have shown us that looking insularly is not enough. Mature organizations need a way to access external threat intelligence that is complete, curated, and easy to use. Doing large-scale collections of data from say, just one source of social media, then being able to process that data into something that is expertly categorized, deduplicated, and usable is hard and resource intensive. Multiply that across hundreds of other high-volume sources, and then add criminal forums and dark web sites — it becomes apparent that while an organization needs the output of such collections, the design, care, and feeding of such efforts is well out of scope. The work itself is not core to the business and a great opportunity to outsource.

Recorded Future does the work of all the collection, analysis, and presentation, so an organization doesn’t have to and can focus on what it should be paying attention to — the data itself.

RF: What cyber threats should companies be most worried about?

GR: Organizations only need to start with focusing on one. You will get breached — most likely through email, and after that hackers will command and control your organization over the web and spread latterly. Once you have good capabilities for detecting and interrupting that, you can work out from there.

RF: What should companies use to defend against threats?

GR: Start with having a complete inventory of everything that makes up your IT infrastructure. Make sure you pay particular attention to third-party dependencies. Understanding equals verification. Make sure that you have verified what you think you know by validating what you think makes up your network. For all large companies I have worked with, what they thought they had network and application-wise was wildly different than what was found by discovery/audit. Make sure you do that regularly. Once you know what you have, ensure you have the correct abilities to see/detect security issues appropriately applied across the board. This will be a mix of technologies, people, and process. Make sure you test all three of those on a regular basis.

Again, challenge your assumptions. I guarantee it will be worthwhile. Concentrate your efforts and prioritize your resources based on actual attacks that are commonplace — tactics, techniques, and procedures (TTPs) like phishing, active directory compromise, and vulnerabilities with external exposure — and then use threat intelligence to keep on top of actual vs. theoretical attacks.

Lastly, work out what your crown jewels are and make sure you have additional security controls, authentication, separation, and amazing visibility into events.

RF: What do CISOs need to understand about threat intelligence?

GR: Good intelligence is a force multiplier across all of your incident response capabilities. One of the big problems, or myths, of the security industry is that we can get data, add magic, and find the bad guy. This works to detect automated attacks but fails miserably at hard, human-lead compromises. The fact is that often, to find the problem, you have to do it just like law enforcement — start with a clue. Threat intelligence is that clue. When you give your deep packet inspection, netflow, advanced malware, DNS, and host/network intrusion detection good, well-curated lists of IOCs and TTPs to look for, the value is realized.