Security Intelligence in the Digital Transformation

November 11, 2019 • Monica Todros

As organizations become increasingly complex in their push for digital transformation, the need for actionable, automated threat intelligence for everyone has never been greater. On this week’s show, we tackle that very topic with Recorded Future’s chief of intelligence solutions, Stuart Solomon.

We caught up with Stuart at Recorded Future’s RFUN: Predict 2019 conference in Washington, D.C. to discuss threat intelligence, the notion of security intelligence, and some practical considerations for integrating these kinds of tools.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 133 of the Recorded Future Podcast. I’m Dave Bittner from the CyberWire.

As organizations become increasingly complex in their push for digital transformation, the need for actionable, automated threat intelligence for everyone has never been greater. On this week’s show, we tackle that very topic with Recorded Future’s Stuart Solomon.

We discuss threat intelligence, but also the notion of security intelligence, as well as some of the practical considerations for integrating these kinds of tools. I caught up with Stuart at Recorded Future’s RFUN: Predict Conference in Washington, D.C. Stay with us.

Stuart Solomon:

I’ve had two parallel career paths that both converged to be the perfect fit here at Recorded Future. I started off as an officer in the U.S. Air Force many years ago. In fact, I just had my 20-year class reunion a couple of weeks ago. I left active duty in the early 2000s and found my way to Bank of America. At Bank of America I was responsible for a number of different components of their internal cybersecurity components. I started out in the insider threat arena, worked my way into identity and access management, crisis management, and a number of other areas. Along the way, the Air Force looked at that while I was still in the reserve at the time and said, “hey, this is a terrific concept that we like as well.” As the two paths cross, I’ve moved into what was the beginning of U.S. Cyber Command and did a number of activities there.

I’m still active as a senior officer in the Air Force Reserve, specifically in the Air National Guard and running in parallel with that, obviously my career path here led me to Recorded Future.

Dave Bittner:

What were some of the things that, having the time that you had in the Air Force as an officer there, what are some of the things that you take from that and bring to your private sector experience?

Stuart Solomon:

Obviously the intangible skills, but the one that I like to talk about the most is dealing with the ambiguity. Understanding the dynamic nature of the adversary, whether it’s in a physical battle space or in a logical battle space and being able to think ahead a little bit and being able to adjust to scenarios that you didn’t otherwise prepare for, falling back on, most importantly the people around you and trusting in the knowledge and experiences that you have. Those skills translate day in and day out. The more logical ones that you would expect around organization, around focus. But really at the end of the day it’s dealing with the ambiguity that I learned the hard way.

Dave Bittner:

Is there a difference in how you approach things like resources, the tools that you need to do your job, is there a major difference there?

Stuart Solomon:

There isn’t a major difference there. In fact, one of the things that being an officer taught me early is my primary responsibility was getting the job done and taking care of my people to get them there. Giving them the tools, resources, and training they needed to be able to accomplish whatever mission was laid out in front of them. That’s exactly the same responsibility that I have today in leading functions within Recorded Future is to make sure that everybody doing the work has the tools to be able to do it, to satisfy the client’s needs. It’s a remarkable parallel actually.

Dave Bittner:

What is your day-to-day like these days at Recorded Future?

Stuart Solomon:

Chaotic.

Dave Bittner:

Okay. But you’re smiling, so I guess it’s a good chaotic?

Stuart Solomon:

It’s the best kind of chaotic. I am the luckiest man alive that I get to show up every day and do a job that I love and that I believe in and be surrounded by the people who really are truly experts in their fields, which is not something to take lightly. My day-to-day is really organized around trying to help be a strong advocate and a unifying force for moving our product forward and enabling the people that are doing the work day in day out with our clients to be able to satisfy their needs either through direct interaction and consultation or in actually making our product better. Adding new features, new capabilities, new data sources to be able to solve for the client needs.

Dave Bittner:

How much of what you do is serving as a translator between, I don’t know, I’m thinking a client comes to you and then says, wouldn’t it be great if the product could do this?

Stuart Solomon:

Absolutely.

Dave Bittner:

You have to bring that back to your team and you’re selling in a different direction there. Right?

Stuart Solomon:

It’s always selling. Actually, I like to think of myself as client number one. To your point, the first thing is every client always wants something, but that doesn’t always make good business sense and it may not actually be what they need. They might have a requirement that doesn’t necessarily translate to an action. Part of my job is being able to prioritize. The second component of my job is being able to appropriately create that balancing act. Then the third piece is the translation layer, as you just mentioned. All of that has to come together in a feasible way that makes sense for our product roadmap and our priorities and/or to influence the way that we put our few resources that we have against the biggest problems.

Dave Bittner:

How would you describe your own leadership style?

Stuart Solomon:

Involved. I like to be involved, but at the same time I like to very much set a tone and an expectation and then allow the really smart people to solve the really difficult problems.

Dave Bittner:

We’re here at RFUN, which is Recorded Future’s annual conference, and you have some interesting developments to share, new flavors of threat intelligence that you’re introducing today. Can you share with us what that’s all about?

Stuart Solomon:

Absolutely. At Recorded Future, at our very core, what are we good at? Our core element is our ability to go out and identify sources, collect, index, correlate, and represent back disparate components or bits and bytes of information through a threat intelligence lens.

In the process of doing that, things that have a digital presence or a digital footprint married with all kinds of enriching data points from technical information, from human-based actions, from analytical capabilities, come together to formulate structured, unstructured queries into these data that makes sense.

Well that process, that very being and the things that we’re already collecting and touching and correlating, have applications far beyond traditional threat intelligence use cases. While we will continue to always stay very, very focused on our core intelligence user, the questions that intelligence users or intelligence analysts in our client environment are being asked to answer, are far broader than perhaps the industry has focused on historically.

The broader nature then, takes the form of things like brand protection and digital risk components like third-party risk. More importantly, always asking that very basic question of now that I know this, what do I do with it? Answering that question of what do I do with it starts to have greater implications inside of workflows, inside of security operations, inside of operational risk reduction scenarios, inside of reputational and brand scenarios, and inside of the more traditional threat intelligence realm.

What we’re really focused on is understanding all of these different use cases that the application of the intelligence is being applied to and that the consumption of our intelligence is being used for. We’re focused very much on the onward use and the onward consumption. Therefore, thinking through all the different ways and flavors that the intelligence should be structured for either human-based consumption or machine-to-machine-based conveyance and onward use. Which in turn actually goes back and starts to influence the different sources that we’re pulling from in the first place so that we can create this holistic view that solves for many different problems using the same underpinnings and platform.

Dave Bittner:

It loops back on itself? What comes out goes back to the beginning …

Stuart Solomon:

Absolutely correct. Following a traditional intelligence life cycle of understanding the questions we’re trying to answer, thus identifying the sourcing plan and the sources necessary to do so, the collection of that intelligence and then looking back to make sure that what we’re representing is useful to ultimately answer those actionable questions in the first place. In so doing, we’re following a traditional intelligence life cycle, but really what that’s opening up is the opportunity to plug into additional users and use cases as I was just articulating a moment ago.

Dave Bittner:

Can you walk me through an example? From a real-world practical point of view, I’ve been a traditional user of Recorded Future’s products and now there’s some new opportunities for me to have some enhanced tools. How’s that going to play out for me?

Stuart Solomon:

Yeah, a number of different ways. I think that the first and most important way is that we recognize that you are not actually the ultimate consumer of our intelligence. You’re likely preparing a work product, whether it be a written work product that’s consumable by an individual or that you’re passing on indicators in bulk or indicators with context into your security operation center. We recognize that you’re not actually probably the end user. You have a client.

As a threat intelligence analyst, your client is most likely going to be in some security operations function, or inside of the third-party risk function, or inside of a vulnerability management function. We want to help you to structure your questions, ask those questions and get answers with relevant actionable data as quickly as possible so that you can move further up your value stream in satisfying the requirements that have been levied on you. That’s a tangible way that this is happening today. But also recognizing that even in so doing the next person you pass it on to probably has a client as well.

We actually have to think a step further and begin to anticipate what that next question is going to be by the next individual or function within that workflow. All of our product strategy right now is very focused on creating actionable data that is conveyed in ways, via integrations in particular or via upgrades and continuous improvement in our user interface to be able to plug into those workflows.

Dave Bittner:

It sounds like there are time savings opportunities built in there as well, but customization as well I suppose?

Stuart Solomon:

That’s an interesting component of the dynamic. Absolutely time savings is a critical part of this. The ability to customize is essential, but it’s also our responsibility to be able to create enough of a scenario where we’re solving for 60 to 70 percent of the answer upfront and then helping you to apply it in the last mile in the environment. We don’t want to be too custom, we don’t want to be too cookie cutter. It’s finding that right balance but ultimately creating efficiencies in the process by anticipating the needs.

Dave Bittner:

I often hear when I speak to people about threat intelligence in particular that there is a notion that perhaps not every organization is ready for threat intelligence. That you need to have a … You could be at a certain maturity in your security operations before it’s time to plug in threat intelligence, time to engage with threat intelligence. First of all, do you think that’s an accurate description?

Stuart Solomon:

I used to. I used to as the threat intelligence world started. As the sub segment of our market really got underway. That was absolutely the case. Human curated intelligence really needed a very thoughtful analyst on the other end of it, almost a pitcher and catcher scenario of equal skill, of equal knowledge to be able to effectively distill the intelligence into an actionable format.

Frankly, what attracted me to Recorded Future in the first place, and the reason why I came here, was because they solved for that unsolvable problem that I’ve been trying to deal with for so many years. It’s the idea that … It’s almost this notion of the democratization of intelligence in that the same product can be used by the most analytically advanced capability, where they’re really doing really unique deep dives and custom research, as well as those that have a little more of a nascent capability. That they’re still working to mature their processes and they may not be able to have the right analysts on staff yet, they may not have the right resources we plan to bring them on, they can still use the product extremely effectively to be able to create an intelligence outcome.

I think part of the reason why is twofold. One, the user interface itself and the API, which conveys the data points from the user interface in a rather simple fashion, it’s very easy to have a rudimentary interaction with. If you can go in and type, put together a search query, you can certainly go in and create some element of intelligence from our product. It’s a very useful element of that. We’ve taken it a step further with the introduction of things like the intelligence goals library. We’ve basically looked at the most common queries that our clients use or those that are the most relevant to a particular segment of our client base and we’ve pre-programmed it, pre-prepared basic queries that make the most sense for our clients to use. They’ve got a starting point. Even if they’re not advanced users or have deep analytical skill coming out of the intelligence community or the military, our platform is absolutely able to service their needs. It’s the same platform that an advanced user can also use with far fewer constraints put upon them to go ahead and use their analytical prowess.

Dave Bittner:

Right. For that new user, they’ve got some guardrails on them. Reminds me of when my young son goes to a birthday party at the bowling alley and they put those little bumpers up on the side so you stay out of the gutters, you can keep those new users, to begin with, right down the center of the lane.

Stuart Solomon:

There’s an element of that, to your point, which is also a conundrum that intelligence professionals have always faced, which is actually access to too much intelligence can sometimes be a bad thing. You can get lost in the detail, you can be looking for that needle in the haystack and go off kilter a little bit from where you want to focus your effort.

I’d rather not look at it in that negative light though. I look at it in a positive light. Which is very similar to this notion of learning a little bit more from the community that you’re now a part of. If you get to a Y in the road, and 80 percent of our clients have probably made a right hand turn, you’re looking to make a left hand turn, it’s good to baseline a little bit against those that have been successful and dealt with the same problems that you’re dealing with and thought about the way to prosecute the intelligence, to be able to create the right outcome.

I look at it in a positive way, which is to say that those very guardrails are in fact time savings efforts because we’ve pre thought of and preconceived ways that you can be most successful in prosecuting the intelligence in the first place.

Dave Bittner:

Yeah. You’re not on your own. You’re benefiting from the knowledge of all those other users out there. From their combined wisdom.

Stuart Solomon:

Combined wisdom and our collective wisdom as subject matter experts as well, to help give you that guiding foundation. That’s correct.

Dave Bittner:

How do consumers of threat intelligence measure the return on their investment?

Stuart Solomon:

ROI is a really difficult component of the threat intelligence space and it’s definitely been an area that’s been a high focus for a long time. You referred earlier to time savings. I think time savings is one of the most critical and primary ways in which threat intelligence ROI is derived.

If you think about it, anything that has a digital footprint in some form or fashion will find its way into our product. Just the ability to go out and scrape or find or locate that information in the first place, no less to pull it back, no less to deal with language and nuances, colloquialisms, the nuts and bolts of taking this information, of indexing and correlating and bringing it together to make it useful, even if you were able to find it, even if you were able to collect it at scale. All of those things take time. They take expertise, they take knowledge. That’s number one.

Number two, then being able to prosecute that information once you have it in one place and being able to make decisions based upon it through correlation efforts, through enrichment efforts and just through basic knowledge of research. That’s a second time saving.

The third time savings that you can think about is then the onward convenience, so building an intelligence report or pushing a list of indicators that have been put together for you from thousands and thousands and thousands of data points to be able to enable an onward automated or orchestrated action or even to enrich a single event or an incident that’s underway in your environment. All those things take time and take expertise. We’re helping to shrink the world.

One analogy I like to use in a scenario like this, we always talk about things in terms of finding the needle in the haystack in the threat intelligence space. I actually take that a step further back. I look at an unplowed field and I say I’m going to harvest everything and I’m going to organize it into logical haystacks in the first place. Organizing into those haystacks is actually much harder and foundational before you can even go and find that needle in the haystack in the first place.

What are we helping to do? We’re helping to shrink things down into manageable chunks and then allow you to prosecute effectively into that chunk. I think that’s one area to derive ROI, but ultimately the real ROI indicator from my perspective is, are we giving you anything that’s actionable? Are we giving you things that are actionable, that aren’t just interesting, but actually allow for the ability to create a decision? That, for me, is the ultimate ROI. Sometimes the decision can be to do nothing because now you’re more educated on a particular threat. Sometimes it may be to create a decision that will ramp up efforts or will allow you to at least have a deeper understanding of what you’re looking at. In all of those scenarios, our ultimate responsibility, the ultimate ROI is are we driving action that allows for you to take a decision that you wouldn’t have otherwise taken?

Dave Bittner:

What do you find people experience in terms of unexpected delight? Of, I came to my experience with threat intelligence expecting something, expecting one thing. Are there aha moments there that you find commonly occur where people say, “I didn’t expect to be able to do this” or “I didn’t expect to get this from this information”?

Stuart Solomon:

Yeah, that’s a great question actually. I think that there are two aha moments and I’ve alluded to both through the conversation. The first one is that you don’t have to be a true classically trained intelligence expert to get intelligence value out of Recorded Future. That’s pretty exciting when you realize that. When you can turn it on, start working, sit down, interact with the product, interact with our expert consultants to help you derive value right away. That’s not trivial.

The second part is, as I was speaking to a moment ago, the notion of taking the intelligence and plugging into so many other workflows at scale that you weren’t necessarily able to do before. Taking the same intelligence and stripping it down and making it relevant and logical to somebody who’s working through a huge queue of alerts inside of the SOC is just as important as building a strategic intelligence product that goes up to executive management. Also then looking at the same thing that’s going to go over to your operational management team or operational risk team to help them better understand the proliferation of a particular threat against business decisions that they’re making. All derived from the same platform, all utilizing the same core intelligence capabilities and data sources and allows you to basically go as deep as you want or as high as you need to, to be able to service multiple different users and onward workflows with the same product. That’s actually really an exciting component. In other words, I don’t need to go look in lots of places to be able to solve lots of problems.

Dave Bittner:

Yeah, and I suppose also the same bit of information, that same piece of actionable intelligence may have different meaning and value to different people throughout my organization.

Stuart Solomon:

Exactly. I think that’s exactly the concept. And our strong desire. As we spoke of earlier as we look at the different applications of intelligence, as we look at the different technical integrations that we want to do, it’s all predicated on the same fundamental principles that make our platform today and are the same data sources that we pulled today. It’s the onward conveyance and usage of those in structured ways that we preconceive with you, or that we help to build an integration for, or that we can via our API that you program on your own, are all different ways that we can satisfy the client need.

Dave Bittner:

Our thanks to Recorded Future’s Stuart Solomon for joining us. We sat down at Recorded Future’s 2019 RFUN: Predict Conference in Washington, D.C.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Monica Todros, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.
