Broadening Your View With Security Intelligence

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 162 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Alex Noga is a solutions engineering manager at Recorded Future, and on this week’s show, he joins us to share his insights on enhancing organizations’ ability to make the most of the information they’re gathering by adopting security intelligence. He explains how this approach helps analysts connect the dots and empowers them to focus on the signals that matter — all while blocking out the noise.

Alex Noga:

I knew I was going to be in IT from an early age. Back in high school, early high school, I had family that was in tech. And from there, I always heard about the latest and greatest devices that were coming out at the time. And from there, I had a lot of computer equipment at home that I would just start tinkering with, and rebuilding computers and tearing them down, and then seeing what I could make out of them.

Dave Bittner:

What era are we talking about in terms of computers here?

Alex Noga:

Ah, so more so in the early 2000s. From there, it was mainly we had just gone from dial-up internet to a dedicated line. And from there, just continuing to tinker a bit. For me, there was an “aha” moment of this that is pretty cool. At least from the hardware side, I really got good at it, mixing and matching and building computers, and getting more into that.

Probably another year or so later, I happened to be browsing online, looking for cheat codes for the game I can't remember right now, but —

Dave Bittner:

As you do, right?

Alex Noga:

And so I found this cheat code. It was great. I had a great time with the game. And shortly after, the computer started doing some wonky things and the telltale signs for a virus or any kind of malware that you might see today. And so that intrigued me and I was like, "Well, I got to fix this." I can't have a computer at the house with popups flailing across the screen and everything else.

I started researching that — the different error messages that were coming up. At the time, I was looking a lot into Symantec, and they happened to have an article on how to manually remove this virus and get your computer back to normal. I followed that. And after that whole process, I was like, "I've got to stick with this. This is really cool." I want to —

Dave Bittner:

You were hooked.

Alex Noga:

Exactly. And then family and friends from there, it was helping them out and going through it. At that point, I had an idea that not only was I going to be in IT or in tech itself, but I was going to do more of something in the security realm, and cybersecurity wasn't a thing yet.

Dave Bittner:

Right. And so at this point are you still a teen?

Alex Noga:

I'm still in high school. From there, I hadn't even started looking for college, where I wanted to go to school yet. I ended up being able to tailor all of my interested schools and colleges that I wanted to look at around IT, and specifically around any kind of IT security that may have been available.

Dave Bittner:

And so did you then head off to school?

Alex Noga:

I did, yeah. Right after high school, I went right into undergrad. From there, I was able to find a school with a program that had a bachelor's in IT with a concentration in network security, and I was able to minor in computer forensics. That allowed me to go down a little bit more of the security rabbit hole and grow the skill set in that area.

Dave Bittner:

And then what was the pathway to lead you to where you are today at Recorded Future?

Alex Noga:

After undergrad, I decided to go straight into grad school. I got my master's in computer information systems with a concentration in security again, to then level up once more. And while I was doing that in grad school, at night I was able to work fulltime for the same institution starting out as help desk. I started from the ground up, if you will, and ended up working there. I ended up doing patch management and any kind of malware triage that happened to those desktops while I was in that role.

And from there, I moved into the security team at the same university and was able to do a little bit more security level work, more security operations and identity and access management. Working with permissions and a little bit of auditing of not only the user permissions, but then the network traffic that you might see — like a network status for the day of the organization.

And then from there, after I finished grad school, I had an itch that I needed to scratch and I wanted to work in a SOC, get that experience, that exposure. I ended up working for an FFRDC — a federally funded research and development facility — that was spinning up a 24/7 security operation center. I was the second person onto that team, helped them build their policies and their procedures that everyone in the SOC was going to follow. And that was a great experience to learn from the ground up and start triaging security alerts that might be coming in.

From there, I moved into more of a security operations role, an engineering role where I was managing and maintaining different security tools that the organization had and needed maintained. And during that time, I was reached out to by Recorded Future and had the opportunity to go in a more customer-facing role and work with the clients that are here at Recorded Future, and pull that threat intelligence data that's provided down into different tools and the workflows that organizations are using today.

Dave Bittner:

Well, I want to dig in with you and go through some of the ways that threat intelligence is being used. I know there's a real focus there at Recorded Future on this notion that you're calling security intelligence. Let's start with that. I mean, how do you define that?

Alex Noga:

For me, in some of the things that I do within the threat intelligence space and the notion of security intelligence encompasses a bit more than just what we traditionally think of as threat intelligence. It's a bit more of a broader view within the intelligence space of not just focusing on maybe the reactive piece of threat intelligence, where you're going back and you're looking at indicators or something that has already happened. But security intelligence doing a bit more of a proactive approach, where it's giving organizations the ability to use threat intelligence or security intelligence as something to help their organization build that wall and help make sure that nothing gets in.

Dave Bittner:

Well, let's walk through together. I want to start by reviewing some of the tools in use today, the ways that threat intelligence is integrated into today's tools. Let's start with things like SIEMs and incident response. How is it being applied there?

Alex Noga:

In those two aspects, we think of those as maybe traditional use cases or reactive use cases. From a SIEM, which stands for the security incident and event management tool, in that case, we're doing a lot of enrichment and correlation that you're seeing in the industry today. Those use cases will be, you have maybe IPs coming in from your firewall that are being stored in a SIEM. And then from there, you want to see maybe how malicious those IPs are that are being allowed through the firewall, so you can get an idea of the riskiness of the traffic that's coming into your network. That is some of the enrichment capabilities that can happen.

And from a correlation standpoint, you can certainly take a lot of those different logs that you might have in a SIEM environment, and then pair that with the threat intelligence data to give you much more detail and context around maybe where that traffic is coming from, where else in the world that's been seen using.

Dave Bittner:

And that's really the trick I suppose is turning that a stream of data into actionable intelligence.

Alex Noga:

Absolutely. And being able to know or have any sense of what that data or where it's been right then and there without having to do any research is the biggest value point with having intelligence at all within the system.

Dave Bittner:

Now, it's my understanding that there are some emerging use cases for threat intelligence, things we're hearing about in the industry like SOAR and use in firewalls and things like that. Can you take us through some of those things that are on the leading edge?

Alex Noga:

Yeah, absolutely. If we take a look at some of the things that are starting to emerge, as you mentioned, EDR — so endpoint detection and response — you're starting to see a lot more data being pulled into those tools. So that, depending upon where organizations are in their current workflows, is taking their analysts to go ahead and make decisions. We're going in and threat intelligence as a whole is being brought into those different workflows. If an organization's workflow and their analysts are working out of an EDR solution, then threat intelligence is starting to be funneled into there to be actionable — so providing any kind of enrichment on indicators that might be in there already.

And that's the same with a SOAR tool as well. Security, orchestration, automation, and response tools where you're automating maybe a workflow that an analyst may be doing manually. What threat intelligence or security intelligence is allowing organizations to go ahead and provide enrichment or context to make a decision and continue the automated workflow without somebody. And some of those other tools include ticketing systems. If organizations mainly might be seen in SOCs where they're working a lot of out of different ticketing solutions, having that enrichment and that intelligence within the tickets themselves saves a lot of time because maybe someone is just looking at a different tab within a ticket and they're able to then quickly make a decision on if this ticket needs to go to the next level.

Dave Bittner:

What's the real-world implications of this, the benefits of having this, I guess, contextual information along with the data I'm receiving? If I'm someone operating in one of these environments, what's the advantage it gives me?

Alex Noga:

The advantages will include being able to take action faster without having to take that time to go and do the research on the indicator that might be within that tool. Being able for resources, an analyst, to work on other bigger projects versus having to triage alerts or investigate incidents that may have happened that it may take you a prolonged period of time to take care of those actions or those processes and procedures. Where this intelligence is then allowing you to quickly go ahead and take that action forward.

The intelligence will be able to allow organizations to save time because the intelligence in that context they need to make a decision will happen a lot faster than if they had to do the research themselves. And then it will also allow that team to spend time on maybe other higher priority tasks that may be important to the organization because the different incidents that have to be triaged, we'll be able to remediate faster.

Dave Bittner:

What are your recommendations for an organization who's starting out this journey, who's thinking about integrating this sort of thing into their systems? What's the best way to get started?

Alex Noga:

Take a look at your current workflows that you're working on now, the different tools that you're working in. Where does that path begin from start to finish? What tools are you stepping through? What are you doing in each tool? And then get an idea of where you think that that intelligence would best serve you and what kind of intelligence. From there, you can get an idea of what some of the capabilities are and then start exploring different options for how that intelligence can serve you best in those tools.

Dave Bittner:

Is this a walk before you run sort of thing? Are most organizations better off starting with a smaller integration in part of their system to, I don't know, ease in and see how it really works with the way they do things? Is that a valid way to go at it?

Alex Noga:

Yeah, and every organization's going to be different depending upon the maturity of their team itself, as their security team or their threat hunting team, whatever it may be, depending upon how much maybe they've had exposure to intelligence before or used it in the past will certainly help determine maybe how many tools or what tool to start with.

In a lot of the different use cases that have been seen over time, a SIEM tool is always the best place to start because that's where a lot of an organization's data, their logs from whether it's firewalls or endpoints are all funneling into that one location, and having the enrichment and the correlation done within that tool is certainly some of the best and most useful places and rewarding out of that tool.

And then it goes back to, that's the best place to get the data out of, but where does your workflow take you? If you're spending ... And it also depends on the team as well. If you're working with a threat hunting team, for the most part, maybe they're working out of an incident response tool most of the time, or a SIEM. But maybe if you're working a team that is more so on the security operations side or maybe the network operations side, they may be working more out of a ticketing system depending upon different changes they have to make or monitoring of different aspects of the network. Maybe having that intelligence within a ticketing system would be more helpful to them.

I think one of the other aspects that would be great to touch on is the notion going forward of using intelligence to do proactive blocking. Within firewalls, intrusion detection systems, and intrusion prevention systems, you're starting to see intelligence walk down the path of being used within those tools — almost thinking of these as IOCs or indicators that should be used on a blocking level. You might add these into your block list within your firewall or IDS or IPS. You're starting to see that come down the pipeline, and we'll see more of that as time progresses.

Dave Bittner:

Our thanks to Recorded Future's Alex Noga for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly, Executive Producer Greg Barrette. The show is produced by the CyberWire, with Editor John Petrik, Executive Producer Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.