The Highest Security Intelligence in the Shortest Time

Posted: 7th September 2020
By: CAITLIN MATTINGLY
Craig Adams is the chief product and engineering officer at Recorded Future. He joins us with insights from his decades of experience in the industry, including valuable lessons learned while developing security and business strategies at Akamai.

He shares his thoughts on organizations choosing the best mix of security services to meet their needs, the importance of modularity and extensibility, and how to best optimize their investments through security intelligence.

This podcast was produced in partnership with the CyberWire.

For those of you who’d prefer to read, here’s the transcript:

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 174 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Craig Adams is the chief product and engineering officer at Recorded Future. He joins us with insights from his decades of experience in the industry, including valuable lessons learned while developing security and business strategies at Akamai.

He shares his thoughts on organizations choosing the best mix of security services to meet their needs, the importance of modularity and extensibility, and how to best optimize their investments through security intelligence. Stay with us.

Craig Adams:

I started, like many folks of a certain age, in the ERP world, where we were looking at how software solves some of the most complex problems that big companies are facing. After a time in ERP though, this internet thing was certainly going to last for a bit. So I pivoted over and then spent 20 years at Akamai Technologies in a variety of different roles, frankly, helping to build that business to what it is today.

Dave Bittner:

And then did that take you directly to where you are now at Recorded Future?

Craig Adams:

It did. And in fact, one of the interesting things about my journey at Akamai that helped make Recorded Future such a natural extension is that Akamai is primarily known as a content delivery provider, a CDN for short. But one of the trends we started to notice is that the security perimeter was changing. And as organizations went from, essentially at that time, self-hosted to looking for distribution, it started expanding the attack factor. And so, as we know, and your listeners all know, the threat landscape is just radically changing as technology has gotten more and more complex.

What we found at Akamai is that as threat mitigation techniques were moving from, what am I doing at my origin environment, whether that's my cloud-hosted or something on-prem, to how do I move it to the edge? What became very, very clear is the real threats you need to worry about aren't the ones that you see at whatever your edge is. It's the things lurking behind the corner that your sensors, your indicators or systems don't give you visibility into. That's where I came across Recorded Future and couldn't be more excited with both what I found as well as what we're going to do next.

Dave Bittner:

So what is your day to day like these days? What things are under your responsibility at Recorded Future?

Craig Adams:

Sure. So I'm fortunate to work with a brilliant team of scientists and engineers who are really focused on how we help customers protect against the threats that they both don't see today, as well as they're starting to register in their environment. So specifically it's looking at how we extend our security intelligence graph and our data science work. It's continuing to expand both the intelligence we have, as well as how customers consume it, whether it's through a UI, a native app, or through a browser extension, as well as focusing on the fundamental use case. Because this world of security intelligence is expanding so significantly in terms of what customers are looking to solve, how do we have a streamlined solution to solve it?

Dave Bittner:

Something that I know a lot of folks at Recorded Future have been talking about is this shift, this evolution, even, from the notion of just threat intelligence toward something that you all refer to as security intelligence. Can you explain what exactly does that mean? And what's the impact of that?

Craig Adams:

Yeah, so threat in my mind is a classical definition of an adversarial relationship: there's a threat that you need to address. As security becomes woven into the fabric of just fundamentally how companies operate across so many different areas, it's beyond an aspect of what is the adversarial threat I need to worry about? And now it's, simply put, how do I have the intelligence that is going to help me identify where the biggest security risk is coming from? As an example, if I have a SOC that I'm using and alerts are constantly coming in, as anyone that's spent time in a SOC knows, helping me better address those individual security threats that are coming in or security incidents that are coming in and give me intelligence that complements it, that is historically different than what you'd consider threat intelligence by itself.

Dave Bittner:

Can you take us through some examples of organizations of different sizes? Obviously all different types of businesses need different amounts of these services and they can afford different amounts of these services. How do you calibrate what works with a different size organization?

Craig Adams:

Yeah. So first, unfortunately, as many of our listeners know, the threat organizations and security organizations have to worry about a multitude of different things. And regardless of if they're big or a small enterprise, just the only question on the table is how many hats is that one security professional wearing?

If I look back at Akamai, my former employer, they have physical security concerns of how they protect the buildings and executives that I have. There is an extensive vulnerability management program of how we look to constantly keep our software and systems protected. Akamai runs security operation centers where they monitor their systems. They need to constantly and rapidly address each of the threats that are coming in. There's focus on, as SaaSification has occurred, even their own technology increasingly became third parties. They needed more sophisticated ways of managing those third parties, as well as understanding the risk. And finally, Akamai was no different in terms of looking for brand risks that would exist in the organization. Whether it's fake accounts or fake websites that could represent an entirely different paradigm.

So that's an example of a company that has different departments focused on different things. But if I speak to many of our customers today and I ask, which one of those things do they care about? Unfortunately, they care about all of them. And so what we're finding is these use cases of security professionals are spread throughout. Different organizations may have different priorities, but the key comes down to how do you design something in a way that allows them to get the highest intelligence for the use case they're trying to solve in the shortest amount of time. Because every security professional knows that time is truthfully the most precious and in demand thing we have when evaluating risks to our organizations.

Dave Bittner:

So how do you do that? How do you turn those dials and adjust those levers to fit an organization's needs?

Craig Adams:

First, it starts out with designing from the beginning. So if I'm designing a solution to meet one of our customers that operates a SOC, then I know that I'm probably going to be integrating into one of their natural systems that they have, as well as I'm going to look at what specific type of enrichment that I can provide is going to enable more rapid alert triage and mitigation.

I also know if I'm dealing with organizations managing vulnerability risk, some of these organizations may be less technical, they may not view themselves as security professionals. But having insight into what's being exploited in the wild may radically change their prioritization process. So how do I have a custom designed experience for those end users?

So I think the direct answer to your question is you need to ensure that you have something purpose built for the problem you're trying to solve. That gets the most efficient and effective utilization of insight you can provide.

Dave Bittner:

How can a company know when they're ready for this sort of thing? When they've hit a level of maturity or size, or whatever the measurements that we take to know that it's time to take this next step to implement these types of services?

Craig Adams:

I think the answer to this one is simply answered through two different questions. Number one, if you're focused on the efficiency of your own teams, you're ready to look at how you make your own teams more efficient through the enrichment intelligence we provide. And number two is if you're worried about the things you can't see and wherever your own end points are, or your own systems that you have, then you're ready for the additional intelligence solutions that we would provide.

Dave Bittner:

Can we talk some about modularity about the ability to scale up and scale down as a company grows and evolves, changes? Companies get bigger, but we've seen a lot of companies these days have had to get smaller.

Craig Adams:

Yeah. And I think this is where if you think of modularity from a customer perspective, what every customer cares about is how things elegantly operate together. We want, maybe using a Google link example, that if I send a link to someone that doesn't have permission, it prompts me in the tool that I'm in that I need to change my permissions and I can do so inside of that tool itself. That's a great example of interconnected modularity. What it allows is different entry points to solve the problem that a customer has at the exact moment, while elegantly allowing you to expand out if your needs change in the future. The inverse side of that modularity is when you have concrete doors. When you need to leave one door to get into the kitchen and close the door behind you, and then come out of that door to go into the living room, that then provides the rigidity that, frankly, can slow down operational effectiveness.

Dave Bittner:

Do most organizations recognize when they're in that situation when things start to bog down?

Craig Adams:

What I say is that most organizations look at solutions when there's a specific problem they want to solve. And so typically we see organizations looking at, I have a use case, I have a problem, there's a threat or a security incident I'm concerned about. And then from that point, what they want to look at is the extensibility of that across the horizon.

And so the example I would describe is, if you're buying a computer or a piece of hardware, you're probably buying it for a specific purpose. You absolutely know you want to be able to use that beyond the purpose if you would so choose. If you look at the intelligence and security space, it absolutely has that same parallel where customers are going to start with the thing that they know about, the thing that presents the immediate ROI, but then they have the ability to extend out as additional threat vectors appear or security concerns appear, or frankly, their own business evolves and forces a different dynamic change.

Dave Bittner:

And I suppose that speaks to being able to engage with various providers, not just for threat intelligence but for all kinds of security tools, to make sure that they're going to be able to grow with you.

Craig Adams:

I think that's right. I think that's right. And I think one of the things that I've always encouraged customers I've been working with, throughout my career, is how do you have something that, best-of-breed, solves your problem today, as well as provides you the ability to grow if you so choose. And in this case grow means solve the problem that may not be an immediate concern. Inside of the security space, it's a prime example. My primary focus could be, I have a SOC suffering from alert fatigue, how do I make them more efficient? Well, the tools that I'm using inside of my SOC may change. So even if I have an integration or a system I want to connect to in place, I may want the flexibility as my own organization changes to know that I've made a durable decision so that my processes, my expertise, my knowledge can become ramping up over the horizon.

Dave Bittner:

I think about it as just an example of if I am a business that relies on internet connectivity to do my business. In other words, I have to have internet for my employees, for me to do our business and if that goes down, then we're losing money. Well, chances are, I'm going to have more than one provider coming into my building, or I'm going to have a backup plan. If my primary internet connection goes down, there's going to be some way that I'm going to be able to throw a switch or do something to quickly keep everybody up and working. And I bring that up to ask this question, which is how valuable is it for organizations to have more than one supplier for the things that they deem to be critical to their security? Is there true value in that? Or does it ... Can you get in a situation where you're increasing complexity and the downside outweighs the potential upside?

Craig Adams:

I think the unfortunate answer is it depends. And let me explain more. Which is, we all know that one of the most common security risks is interconnectivity between systems. In a perfect world we have consistent policies that immediately flow between the tools and perhaps vendors that I'm working with. But in the real world, we know that inconsistencies are incredibly common. Endpoint protection on an individual user's computer. The facilities that I may operate, and the technology or routers that are upstream of those. And so I think the answer is it has to be evaluated on a case-by-case basis.

There's absolutely a case for reliability if I have unlimited budget, unlimited staff, but then most of our customers are faced with the challenge of trying to constantly do more with less, or constantly be pressed with, to do more, but not have enough funding to accomplish all of their missions. And so that means they have to look very carefully at when they can consolidate the number of different organizations they're working with, looking at removing the dependency of connectivity between systems, and then as a result, get better economies of scale.

Dave Bittner:

How much of these sorts of things is a pay-me-now-or-pay-me-later type situation? Where I could imagine organizations saying, "Gosh, this stuff is expensive." Something like threat intelligence or security intelligence. If I can put that off for a while, I'm going to save some money here. But again, I suspect, boy, it doesn't take more than one breach or one incident to make you take a second look at the value proposition there.

Craig Adams:

Yeah. I think the case that we often find in security is that there are security officers that worry about the threat of the day, but most of them are worried about the unknown unknowns. They're worried about what might come next. And I'll share a favorite anonymized example that I've heard of. And I picked this example because it may resonate with many of our listeners. There were a bunch of customers I was speaking to that uncovered inside of our platform a physical threat to one of their facilities. And specifically it was a proposed drone strike that we found in a code repository. If I had gone and said, are you worried about physical threats to your facility? You would have gotten this abstract answer, which is yes, of course, but that is approximately number 82 on my list of priorities.

But the flip side is the notion of the impact, both of life, limb, and property, of a physical attack on a facility outweighs any preventive measure that one could have. And so the rule that I typically operate under is, if you're concerned about an outcome and you're investing in the outcome, in this case physical security by itself, my goodness, the intelligence to make that outcome more effective tends to be a fraction of your spend overall. And that's where security intelligence comes in. If you look at the challenges that our CISOs have everywhere, how do they make their existing spend more effective? Often spending a little more can save an incredible amount downstream.

Dave Bittner:

Yeah, that's funny. It reminds me of a colleague of mine who was a commercial insurance salesman and he often referred to asking his clients to visualize what he described as a Wile E. Coyote smoking hole in the ground.

Craig Adams:

I think that's a vivid analogy. And unfortunately, that's probably an analogy that most chief security officers can relate to. Because the day-to-day life probably feels like Wile E. Coyote with a giant smoking hole in the ground. That probably is what we call Tuesday for many years.

Dave Bittner:

Right. So what are your recommendations for folks to get started with this? As people are shopping around and they're checking out different vendors trying to decide what is the best fit for them? What are the types of things that they need to keep top of mind?

Craig Adams:

Sure. The first thing is, always find a partner that has purpose-designed a solution for your needs. All of us know the old hammer statement, which is when you have a hammer, everything looks like a nail. If you've got a specific problem or a specific opportunity that you can see to capture, find something purpose-designed and built for it. It will save you an incredible amount of heartache and hassle downstream.

The second is look for things that are extendable. Look for the partners that can meet needs, perhaps, that aren't your top priority of today. That means as you're integrating into systems, it's just a matter of extending out how to utilize it as opposed to something radically different, both a process of integration or a process of training people at the end. Those two pieces, look for something purpose-built and look for something extendable, those are pretty good counsels no matter the problem you're looking to solve.

One of the biggest challenges we tend to see is integration between systems. And let me spend an extra second on this one. So in the world of security, there is no such thing as the singular tool vendor that solves every single problem imaginable. I would love to say that's Recorded Future, but of course, let's be honest, we know that we exist in an ecosystem. Each of our environments is a collection of tools and things. Now I would encourage all of our listeners to be thoughtful around choosing things that integrate into their existing technology stack. Because, as we find, one of the things we talked about earlier is this big concern about the silos that exist between systems and the security risk those pose. Things that have native integrations, or can integrate in a way that brings enhanced visibility to what you're already using, tend to deliver significant ROIs.

Dave Bittner:

Our thanks to Recorded Future's Craig Adams, for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.