The What? So What? And the Why? Why? Why?
November 19, 2018 • Amanda McKeon
Today we welcome Maggie McDaniel, senior director of Insikt Group at Recorded Future. She’s had leadership positions in the U.S. government intelligence community, as well as the financial services sector.
We’ll be discussing her recent blog post, “Communicating Threat Intelligence Relevance.” In it, she describes a framework that helps get to the core of what matters, helps explain what it means for your organization, and provides justification to the powers that be, all while improving communications throughout the company.
This podcast was produced in partnership with the CyberWire.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and welcome to episode 83 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.
Today we welcome Maggie McDaniel, senior director of Insikt Group at Recorded Future. She’s spent time working in the U.S. government intelligence community, as well as the financial sector.
We’ll be discussing her recent blog post, “Communicating Threat Intelligence Relevance.” In it, she describes a framework that helps get to the core of what matters, helps explain what it means for your organization, and provides justification to the powers that be, all while improving communications throughout the company. Stay with us.
I was a strategic weapons analyst for a large portion of my career before getting into cyber threat intelligence about four years ago. I was in a financial services firm at that time, and my role was taking the technical analysis that was being done by the analysts there and translating it into executive-level communications. It’s relevant to the topic that we’ll be talking about today in that, basically … Being able to serve as someone who can communicate that type of information to the masses, more or less. I served in that role for a couple of years and felt that serving a company was extremely rewarding, but that perhaps I could be doing more.
I had some contacts at Recorded Future. I was also a customer of Recorded Future before coming here, and super impressed with the product that they provided and the type of talent that they have on board. I thought I could make a broader difference across the industry in this, just, rapidly evolving space. It’s been an amazing journey for me. This is the first startup I’ve been in, and I guess I’m relatively new to the space, and as a mid-career professional, it’s been amazingly rewarding.
Now, when you were with Fidelity Investments, can you take us through … Give us some insights? What was the role of intelligence in that sort of environment?
Absolutely. A lot of different enterprises. They’re going to be organized in different ways and everyone’s going to have their own use cases, whether it’s for intelligence to inform vulnerability remediation or third-party vendor and service provider selection. And then, of course, try to be anticipatory in the type of cyber defenses that an enterprise employs. For a lot of organizations, from my experience, it has been when we were mapped to, more or less, a NIST framework, that threat intelligence informed each of those different verticals. So whether it was recovery and remediation, detection and response, or in some cases, feeding into high-level risk under governance and audit. That’s where my experiences lay in terms of basically informing all of those verticals to better position the enterprise to minimize risk.
Now, what was your experience in terms of communicating the things that you were responsible for to the higher-level folks at an organization like that?
Being plugged in and able to work across multiple verticals is essential in any threat intelligence function because without the appetite, the consumer of it, it’s just information that might sit pretty in a PDF, more or less, and thinking in terms of being successful at that, it’s important to be able to communicate in different ways. One of the ways that you can do that is through the written word. My experience has been producing a daily product. We would do a more technical, biweekly breakfast where we could engage with the operators and practitioners and the people who are putting the threat intelligence to work. Then of course, feeding into more strategic landscape communications, where we’re looking at it on a quarterly or annual basis.
Were there any surprises for you along the way? Any adjustments you had to make, things that made you go, “Oh, okay, well, I thought I had to approach this communication methodology this way, but it works better if I come at it this way with this particular group of people.” Any stories to share about that sort of thing?
Absolutely. I think if you’re coming at it just trying to communicate something, you’re more often than not going to miss the mark. It is important to do the legwork up front and understand what’s needed where, and not just that, but how it should be communicated to the largest effect. Constantly being plugged into that, because that changes and evolves over time as the enterprise or company maturity evolves over time. So, having to check in with that regularly is important, and one of the things that I found is sometimes when you start off, it’s like, okay, it’s important to understand what the threat is. Once you have a handle on that, you might find yourself in the position of, “Well, okay, it’s great to know what the threat is, but what I’m concerned with is, how does that threat impact our ecosystem?”
It’s not just, “Is the threat out there? Are we vulnerable to this threat?” In some cases, there might have been a cost benefit discussion on, “Yes, we understand that this is the risk and this is a level of risk we’re willing to accept.” So then, that conversation changes from not only, “Is this the threat and are we vulnerable to it?” but also, “Are we seeing activity around this threat along our perimeter?” That threshold for risk can evolve over time. It can be influenced by leadership. It can be influenced by security posture, so staying plugged into those conversations is hugely important.
At all levels — not just what’s being employed along the perimeter but strategically — what’s the direction that the enterprise wants to go in that might be utilizing technologies that we need to be able to anticipate? What could that threat be in the long term to help influence strategic decision making? I think being plugged into that conversation is important and there’s actually the government equivalent to that, too. It’s like, we can, as analysts … When you follow an issue for a certain period of time or your particular enterprise for a certain period of time, you get into it, what it is you see on a day-to-day basis. You almost have that invented natural instinct of, “This is important. This isn’t important. This is important.”
At the same time, as you present that information, you should be able to show your work as a calculus problem, right? You have to be able to show your work to where you came up with the answer that this is important, and that gets into the content of the blog post. It’s being able to take that step back and show your work so that as you’re talking about threats in an evolving landscape, what you’re saying is being heard.
I think it’s an interesting point that you make, the communications side of things. I think it’s particularly relevant for folks who are coming up either through school or who are considering a career choice, a shift in their career, something like that, that I hear over and over again, that yes, you have to know all of the technical things, but don’t underestimate the importance of being able to communicate, to be able to write, to be able to do a presentation.
Absolutely. I agree with that 100 percent. It gets back to, knowing amazingly awesome things is fantastic. You have to be able to communicate those things in a way that’s as accessible as it can be to the masses, depending on what it is, of course, that you’re writing about. I think it’s important to be able to communicate those things in various ways. This is a perfect example. I wrote a blog post, and now we’re going to talk about it. A lot of the things that we consider when we’re trying to communicate about threat intelligence is, are we doing it in ways that assist other people’s learning?
Some people are great at it. They’re like, “Read this, or hear this, or show me this.” I think being able to maximize the number of outlets that you have available to you to communicate is important in understanding how other people learn best about threats and how to defend against them. It’s important to be able to communicate, but it’s also important to be able to communicate in a lot of different venues or media.
Well, let’s go ahead and dig into the blog post, here. It’s titled, “Communicating Threat Intelligence Relevance.” What prompted you to take on this topic?
This is a huge passion of mine — and has been — and one of the things that got me into this field, starting out as a technical writer, is that a lot of us hear that it’s important to know the “what.” That’s great. A lot of times, I say, “Okay, so what’s the ‘what’ and what’s the ‘so what?’” Anyone coming out of the U.S. government national security field will recognize that. What’s the “what” and what’s the “so what?” But a lot of times, we’ll talk about the “what,” and we’ll immediately make the leap to something that’s the bottom line, and sometimes that’s not a clear enough distinction between how you got there for it to resonate, let’s say, with an executive-level individual who’s trying to make a decision.
Other times, we don’t take it far enough. One of the things that I started embracing after a couple of intel lessons learned in the government was, it’s not just the “what” and the “so what.” It’s the “so what” of the “so what.” So, try to get it closer to concepts that are going to resonate most with the people that you’re speaking with, and then, coming into cyber threat intelligence, which was new to me. It was a new field, and working with individuals who did a lot with malware and incident responders in very technical … Talking them through what they were finding, such that I could write about it on their behalf, I found myself saying a lot, “Okay. Well, why is this important? Hey, tell me more about this. Why?”
Just one of the new … It’s like channeling your inner three-year-old. You just “why” to death to get to that nugget of, “Okay, that’s it. That’s it. That’s what we’re going to start with. That’s why we’re talking about this,” and being able to formulate and lay out the logic, taking a threat to its … Getting to the relevance of what that threat is within an enterprise was key for me. I typically immediately gravitate to the “so what” of the “so what” as the starting point now, and then take it those next steps as we need to, to make it as relevant as possible to the reader.
Well, let’s go in and explore all of that, because I think it’s worth taking some time to explain what you mean by the “what” and the “so what.” In the blog post, you’ve got some examples. So could we start with some of the basics here? What are we talking about when we say the “what” and the “so what?”
A lot of times, what we’ll talk about is, “Well, what’s in it for me? Why is this important? Why should I care?” The “what” itself is the threat, and the example I used is the Chinese [National Vulnerability Database (CNNVD)]. We had just published a piece on this around the time I was starting to formulate this blog post. The “what” of that piece was basically that the organizations responsible for running the CNNVD altered the original publication dates for a couple hundred of the vulnerabilities that were within that database, and we later identified them as statistical outliers in some research.
That’s the “what.” The data that’s in the CNNVD has been altered. Well, the “so what” to that is that any manipulation around that data undermines not just the process, but the individuals that rely on it for threat information. So, if you’re doing business in China, or you’re thinking about partnering with a third-party vendor in China, and you’re using that data, it can’t be trusted. That’s the “so what” of the “so what,” right? It’s that you can’t trust that and you need to be utilizing other sources.
So, let’s go down the path, then. We’ve got the “so what,” and then we go further down, which is the “so what” of the “so what.” What are we talking about here?
That takes it the step further, when you basically say, “The ‘so what’ is that the data in the CNNVD can’t be trusted.” Well, so what? The “so what” is that we need to find another source of information that we can trust to prioritize any sort of vulnerability or patch management within the company. Now, in some cases, this might seem pretty explicit or naïve, but when you look at more complicated problem sets, this is where folks can get hung up in terms of, if you’re talking about a particular malware. Even if it’s something more managerial in terms of trying to acquire resources, right?
We need this. Why? Well, why do you need that? Well, because … And so, it just takes you down this logic train of being able to be explicit and lay out your work. That’s the “so what” of the “so what,” is that we need to be utilizing other resources than what we currently are, when we’re talking about this particular example.
And then, we continue down the path with the “why, why, why?” Take us down that path.
This works particularly well with complex issues, but even in the example that we’re talking about here, which is pretty discrete, it’s going back and revisiting the publication dates in the CNNVD that have been altered. The “so what” is that we can’t trust the data in this dataset anymore. It’s important because we should be utilizing other datasets. Why is this important? Well, we’re currently not doing it. Why are we currently not doing it? Because it costs this amount of money, and let’s just say, for example, it costs this amount of money. We don’t have it in our budget. It’s already been allocated, and at that point, you can say, “Well, what are some of the things that we could do to leverage this?”
In the example I give, it’s like, well, there’s a budget meeting coming up. Well, why is that important? Because if we can present this in this way, there is an opportunity for another ask. So, that’s really more inside baseball within an enterprise, but there are still important questions to ask, particularly if you’re in a position of security leadership. So, whether that’s as a manager, or as a principal engineer, or a principal analyst following particular issues, it basically positions you to be able to communicate with executive leadership in a way that’s going to resonate with them.
I think earlier on in the piece, I say if you jump from the “what” to the 70th degree of “why” as the default, oftentimes that can be seen through, right? It’s like, well, they know that you’re automatically tying it to the bottom line, but does it warrant being tied to the bottom line? When you actually take this and you walk it through each step, it’s a little bit clearer with how you got there and there’s more confidence in why you make the decisions that you make based on threat information that you’ve presented.
Yeah, it also strikes me that going through this process to prepare for that sort of meeting, if you’re presenting to other folks, this will help prepare you for any possible questions that might come at you.
Exactly, and that’s one of the reasons why I like using it, just as a manager. When you’re talking about the next year’s budget cycle, it’s like, why am I asking for the resources that I’m asking for? Why do I want the tools that I need to do the job? I think a lot of times, what you can see in this space is tools for the sake of tools. Why are we buying the tools that we’re buying? How do they all fit together? This type of model works not only for analysis, but it also works in the management framework, in how you’re positioning your teams for success and being able to articulate what it is you need and why.
Do you have any recommendations, any words of wisdom, for folks who want to incorporate this sort of framework in the work that they do?
I think that the key is not being afraid to ask questions. Not being afraid to ask a lot of questions, and I would ask those that are being asked the questions, be open to answering them. Don’t necessarily look at them as a challenge or to put you on the defensive by any means. For the most part, I know I’m asking them to seek clarification and understanding, and I think the more that we’re able to do that, the less opaque a lot of the work that we have to do on a day-to-day basis will be.
When you have folks that are looking at this data day in and day out, it becomes ingrained behavior, and they are able to intuit what’s important and what’s not important. Taking the time to take the step back and understand why and being able to communicate that is so key for making individuals effective in their day-to-day jobs.
Our thanks to Maggie McDaniel for joining us. You can find her blog post “Communicating Threat Intelligence Relevance” on the Recorded Future website. It’s in the blog section.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.