Curating Your Personal Security Intelligence Feed

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 176 of the Recorded Future podcast. I'm Dave Bittner from the CyberWire.

Our guest is Sal Aurigema, associate professor of computer information systems at the University of Tulsa. He shares his experience in nuclear engineering and serving aboard submarines in the U.S. Navy, his shift to the intelligence community, and his pivot to teaching in higher education.

We’ll learn about Sal's approach to inspiring his students and why he emphasizes the importance of curating their own personal security intelligence feed. He also explains why he believes there’s a place in cybersecurity for people from all walks of life, and not just those with an interest in computer science and technology.

Sal Aurigema:

My undergraduate degree was actually in nuclear engineering, and I went straight into the Navy, into the submarine force. About seven years in the submarine force I transferred over to the intelligence field and when I finally left active duty, I went into the IT profession supporting the department of the Navy, an organization called SPAWAR. And I did a lot of IT, and that eventually became security-related duties for command centers, primarily out of the Island of Oahu for the Navy and for some joint commands. And then eventually decided to stop working a real job, went and got my PhD. And now I'm a college professor teaching some of the things, basically teaching students how not to make all the mistakes I made in real life.

Dave Bittner:

What kind of mistakes are you thinking of there?

Sal Aurigema:

It's interesting you say that because last night I had my introductory online masters cybersecurity class, and I was trying to tell the students that I didn't go out there looking to become a cybersecurity professional. I actually didn't even like cybersecurity that much because at the time when I was doing IT, security was bubbling up in the department of defense, but it wasn't really fully embraced in all areas.

Some people would come in and put down security rules and restrictions that would prevent you from fulfilling your mission. So you had to fight these folks to get them to go back and forth and get to the point where you have both security and operational success. So that was one of the challenges. And after a while, I found that, "Hey, that's actually kind of fun," getting to the point where you can do your job while still preventing bad things happening to you. It just took me a while to get there. And I mean, I'll admit almost everything I teach in fundamentals of security classes, I will have violated by accident or on purpose because at some point or another there was a security rule or mechanism in place that stopped me from doing something that I was required to accomplish.

And I see that happening every day still. And people still wonder how come phishing is so prevalent. Well, because people have to do their jobs. And it seems like no amount of phishing training is going to overcome someone's basic need to accomplish tasks. So I definitely make sure that when I talk about cybersecurity, I talk about, first and foremost, we know it's important, but we also understand that sometimes there's cost, but there's always benefits. If you don't mix those benefits and costs the right way and be able to articulate them, there'll be problems. And then I'll give some examples on how I either purposely or accidentally violated some rules in the past. But of course I would never do that now.

Dave Bittner:

Having the experience and background that you have, having been in the military, having served in national defense and intelligence and those areas, how does that intersect with you being a professor now in the world of academia? Are you a bit of an odd duck there among your fellow folks in that educational world?

Sal Aurigema:

Well, that's one of the interesting things that I think you know quite well from all of the interviews you do on the CyberWire and on Recorded Future. There's such a breadth of experience in the cybersecurity field. And that goes back to the fact that cybersecurity, it's two words, but it covers just a tremendous environment of different tasks and information and requirements and things that people need to do. So when someone says, "Oh, I do IT," or, "I do cybersecurity." I'm like, "You need to be a lot more precise on what that means, because I really don't know yet."

And so in education and security, yes, we have some traditional, incredibly smart, brilliant people that come through and they'll go and get their PhD and go straight in and they'll do some amazing technical or behavioral or psychological research that helps with cybersecurity. And then fortunately, we do have a lot of folks now coming back into academia that are bringing with them five, 10, 20, 30 years of real-world technical and procedural experience to bring that common sense focus to not only the research that's being done nowadays, but also bringing it to the classroom.

So our goal, especially the University of Tulsa with the diversity of instructors we have, is to try to have our students when they walk into that first job doing cybersecurity-related tasks, that they have a good grounding of what reality is, as opposed to what a theory a textbook says. I am seeing a greater variety of people getting involved in formal cybersecurity education. And I do hope that continues and it doesn't just have to be IT people or CS backgrounds. We do a lot of interdisciplinary work, organizational psychology, folks that are in finance, all these great disciplines that have learned a lot of things in different areas can really help out the fundamental need we have to improve in all ways when it comes to cybersecurity at a personal and organizational level.

Dave Bittner:

What about the students themselves, are you seeing a similar breadth of experiences as they come to you?

Sal Aurigema:

Well, yeah. So at the undergraduate level, we are getting a lot of folks that are coming straight out of high school, traditional college students. For our master's students, we are definitely seeing a wide range of people that are interested in cybersecurity. I will say that a lot of those folks do have an IT background, but we are getting more and more folks coming in, and we're really glad about this, that aren't necessarily developers or network engineers. They're folks that have said, "Okay, I do policy, I do tech policy writing, and I can't really think I can do a good job at tech policy writing if I don't understand the fundamental security and privacy issues that are related to the cloud or cross country data sharing and GDPR and CCPA and all these other things that go into it."

And in our interdisciplinary group, we have lawyers that are getting more engaged. And so the students that are coming in are usually like, "Hey, I know this person who teaches law here. I'm really interested in cybersecurity law." And so we're getting this wide range of folks in, and it is a little challenging at times to process that you have such a diverse audience of participants. But I do believe that while cybersecurity is hard as a whole, I think if you chop it into pieces that are small enough and work at it, you can understand just about everything that there is to do. It's just like a loaf of bread. You don't try to eat the whole thing at once. And the same thing goes to cybersecurity.

Dave Bittner:

Do you feel like we're doing a better job at getting the word out there, that there is something for everyone within cybersecurity?

Sal Aurigema:

I think we have a ways to go with that. Part of the problem is, folks immediately, at least the ones I interact with whether I'm doing presentations to parents or to companies that need a speaker, they think cybersecurity is mysterious computer programming and they really stop there. They think it's just technical and too hard to understand. And therefore we only have to let engineers worry about it. And of course, all of us in cybersecurity want to say, "Well, no. The engineers make great products and manage stuff, but all of the policy and the work that goes beyond that, it requires everybody to participate." So I do think that we need to have more emphasis on that, you don't have to necessarily just be a computer scientist or an IT person to be involved in cybersecurity.

Matter of fact, we know we need more people on the human side of cybersecurity, but getting folks interested is always a challenge. So yeah, I'll say we have a ways to go. And part of that is when you hear about the shortage of people for the cybersecurity job market, you're hearing about, everyone looks for that unicorn who's got 30 years of experience in Kubernetes or something like that, which of course hasn't been around that long, but everyone wants that. And they would also like them to have all the knowledge and all the experience, and if they wouldn't mind working for a reasonable wage, that'd be great too.

I think what we really need to do is to normalize cybersecurity outside of super brainiac tech jobs and make it more attainable and understandable for all the other fields that we have really smart, hardworking people in. And I think we have a ways to go in our field to get to that point.

Dave Bittner:

Now, in your own teaching, you have some pretty interesting and unique programs that you put your own students through that have to do with threat intelligence. Can you share with us, what do you do there?

Sal Aurigema:

Well, I teach undergraduate introductory information security classes in a business school, and I also teach some more advanced courses as part of our online master's in cybersecurity degree program that's housed in our computer science. And one of the things that I find that's most humbling about studying, researching, teaching, and nowadays working in cybersecurity, it's just the breadth and velocity of information that's available. I mean, there are so many long established specialty areas of security, like network, software security, applied cryptography, social engineering, policy compliance, and auditing, and all the things we talked about previously, the list goes on and on. And each of those areas is deep and can be quite complex.

And for many of us in the field, when they say, "Hey, you're a cybersecurity professional," you're expected to know a lot about all of these things, as well as keep up with the latest trends, the products, future predictions. And we only have so much capacity to understand these topics. We then have to translate that to some of these deeply technical and theoretical concepts into something that non-security professionals not only will understand, but will be able to act upon.

So given the fact that the field is broad and things are changing so fast, we need help from organizations and individuals that are out there that are finding the data, analyzing it, processing it, making information, and then making it available to us in a way that really focuses our effort on what information we're looking for and how we can use it. So one of the things I do in not only my undergraduate introductory courses, but also at the graduate level, is I implore my students to create their own dedicated pipeline of resources to stay current on information security-related news, as well as to start identifying trustworthy sources to use when, when not if, they're eventually tasked to investigate some new or maybe even old topic related to security.

So I call this process developing their personal threat intelligence feeds, and what it really boils down to is developing and using a reliable list of security-related media that does the hard work for you in terms of the background research and the analysis and packages in a way that helps you stay aware and is trustworthy enough that you won't feel foolish if you go, "Hey, Buzzfeed just said that there's a new vulnerability out there on my car." I'm like, "Well, maybe we should try to find something a little more focused on automobile security before you go there." So these personal threat intelligence feeds, it's very early in the semester. Matter of fact, my first class, that was pretty much the first major topic I talked about with my master's students. I went through what I considered a short list of different media and I said, "Here are the things I really recommend you start with just to get a taste and then build up more and do some more research and develop your own threat intelligence feeds."

Dave Bittner:

And how do they respond to that? Do you find that different students bring their own preferences to that?

Sal Aurigema:

Well, let me tell you how they start and how they end. So I can tell you that I survey the students before we even get to the first class. And I ask them, how do you get your cybersecurity news? You're interested enough to take this course. For the master's students, you're working full time most likely, or if you're not, you've decided not to work so you can study cybersecurity. How are you keeping current and finding out what is important? And especially for those folks that are going to be going into research, how are you identifying the gaps out there that you want to help fill in the knowledge of cybersecurity? And it's really interesting, my number one answer I get every semester for probably a past several years is, “I really have my Google newsfeed tuned in.”

And I'm like, “Yeah, you, don't.” Not that Google news feeds aren't great. I mean, I have mine on my phone and the articles I like to get are there. But what about all the things that aren't in your feed that you don't even know to tag? And they're like, “Well, those things might not be important to me.” I'm like, “Well, how do you know if they're important?”

So that's why I try to introduce them to things like the CyberWire podcast and Recorded Future’s Cyber Daily, things that give them what's going on currently. Here's the information. And, oh by the way, here's some analysis to help you to try to understand why this matters, because until I get to the section on vulnerabilities and I say there's a hundred thousand CVEs, not all of them are going to be important to you, but the ones that are important to you could take you down if you're not paying attention to it and taking the right actions. But how do you know? Well, you can wait for things to get published with CVSS scores and wait until your vulnerability scanner is updated with a good signature. And you're going to do those things anyway. But if you're not keeping track on what the breaking news is, if you have a piece of critical information or a system out there, well, then you could be on the wrong end of a Krebs on Security article, and none of us really wants that.

Dave Bittner:

Well, and so then what happens throughout the semester when you revisit it at the end, what's changed?

Sal Aurigema:

So what I do throughout the semester is I prove the value of having good variety and reliability of sources throughout the semester. So when we get together, if it's an online course, if we're doing weekly get togethers or in person for undergraduates, at least weekly I will bring up a current cybersecurity topic, and I'll just say, “Hey, did y'all hear about this?” And it doesn't necessarily have to be breaking news. It could be something that has happened in the past, but it's coming back up. And I find out if students care about it and if anyone has read about it and have the students talk about it.

And the folks that listen to the security podcasts and read the newsletters and sign up for them, they start getting more and more into learning about the topics. So that by the end of the semester, I may not even have to bring up a topic. My job may have to be, we don't have time to talk about 10 of these today. Let's vote on three and who's going to take the lead on this and start talking about it. And what I find by the end of the semester is you'll see the influence of these curated resources really having an impact on students.

When they hear about something, they go beyond just the title they're looking at, there's a vulnerability. Here's why it matters. Here's what organizations can do about it. And here's what you should be looking for. And beyond just vulnerabilities, it's like, wow, we have this new regulation coming out. How could this impact us? So one of the topics I'm going to talk about this semester is TLS version 1.3 and ESNI. And those are easy things to look up, but it's harder when you start talking about are there ethical considerations in terms of turning on TLS version 1.3 and ESNI? Maybe there are, and you might have to influence people on those decisions so let's find out about it.

And to be honest with you, if you don't have a personal threat intelligence feed system, as a cybersecurity professional you're always going to be chasing stories or tasks that your organization comes to you to ask about. I prefer to be at least more aware than my supervisors on cybersecurity for my organization, at the very least more aware and definitely prepared to answer do we have to worry about X thing that was just reported on CNN?

Dave Bittner:

It strikes me too, that there's a time management component here as well. Who has the time to dig through all these things? And the answer is, some folks at the CyberWire and Recorded Future Cyber Daily have the time to do it, but they're paid to do that. But most people don't.

Sal Aurigema:

Yeah. That is really the key thing. And that's the number one thing I focus on, I mean, I'm not saying I'm tricking my students or anything like that, but I'll come in the first few weeks and I'll start spouting out things like I know everything about cybersecurity and really I'm probably talking about the things I heard on my daily CyberWire podcast in the last two or three days that make me sound much smarter than I am.

And I'm not doing that to impress upon them that I am smarter than they are. I'm trying to impress upon them that, well, if I could get that in the 20 minutes it takes me to get from door to door, in my car, or when I'm taking my dog for a walk, or when I'm pretending to exercise, getting information from people that are doing the hard work for you, distilling it down to the key points that may be of interest to you, that is super valuable.

And the fact that the CyberWire and Recorded Future daily, those resources are out there and either free or very affordable, it's a cybersecurity gift. And like the CyberWire Pro, you and I talked about this in the past, I did not appreciate the depth of the material and just the great resources that are available for very little money in terms of the value I get.

I do a lot of research, not just for my academic research, but companies will come up and say, “We want someone to talk about this new policy or disinformation,” or something like that, that I'm not an expert in. Well, if you have those personal threat intelligence feeds built up, you'll probably be able to find a good resource to get you where you need to go and places like CyberWire Pro and Recorded Future, they do a lot of that work for me. I am very happy to let someone else do a lot of hard work and me take credit for it. Of course, I'll cite them. But I prefer to do less work. The military has taught me that if you can get to the destination by doing less work than more, it's not bad.

Dave Bittner:

Yeah. What sort of advice do you have for those students who might be considering a career in cybersecurity, or maybe someone who's thinking of switching careers, going down a new path? Do you have any words of wisdom?

Sal Aurigema:

Two things, if you are in a career that is in cybersecurity now, awesome. You are bringing domain knowledge that people that are in cybersecurity already may not have. I have a woman in one of our classes, she said, "I'm not very technical. I've been working more on the finance and the human resources side," Fantastic. You know what cybercriminals want? They want our money and who do they go after? Our HR professionals. And she understands those fields so much better than I ever will because she has a decade or two experience. So what I'll say is, if you are outside of cybersecurity and you're thinking about coming in, you're not at a disadvantage just because you don't know the technical side yet. You'll learn that. You're at an advantage because you have domain knowledge and the things that you learn in cybersecurity, you will be able to relate to your experiences in your job or in your previous education.

So please join us. There's room. We really need the extra help, and we need to not be in an echo chamber of saying the same things to ourselves. We need new ideas and people coming in to tell us, "You can tell me not to click on a link, but how bout you just don't give me the link to click on if it's bad?" Things like that really can impact how we build our tools in the future.

For students coming in, don't be overwhelmed by the amount of things that are called cybersecurity. It takes time, it takes experience. You have to get some hands-on knowledge. You have to go out and do stuff, but build a good foundation, be humble, be willing to learn. And most importantly, I'll say, once you learn something teach it to other people, help the field grow. And even if folks aren't going to go in cybersecurity, raising the bar so that those cybercriminals don't have easy pickings on us, that's a contribution to society. And I think everyone in cybersecurity should be doing their part to educate the masses.

Dave Bittner:

Our thanks to Sal Aurigema from the University of Tulsa for joining us.

Don't forget to sign up for the Recorded Future Cyber Daily email, where every day you'll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes Coordinating Producer Caitlin Mattingly. The show is produced by the CyberWire, with Executive Editor Peter Kilpe, and I'm Dave Bittner.

Thanks for listening.