- Welcome to the Cyber5, where security experts and leaders answer five burning questions on one hot topic in the actual intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a Managed Intelligence company. In this 50th episode of the Cyber5, I talk with cybersecurity advisor for the public sector at Splunk, and Nisos board member, Paul Kurtz. We talk about aspects of intelligence management within Biden's executive order for cybersecurity, and how it impacts the public and private sector. We also talk about an inside-out network approach and how critical cloud migration is for detecting cyber threats at scale. Finally, we talk about the value of threat intelligence and the importance of integration into different enterprise systems. Stay with us. Paul, welcome to the show, sir. Would you mind sharing a little bit about your background for our listeners, please?
- Yeah, great, thank you for having me, pleasure to be here. Yeah, quick background on me: I spent 15 years or so in the federal government in various capacities, at the State Department working on intel analysis on Iraq, and North Korea, Iran, other countries. Spent some time working on policy issues associated with weapons of mass destruction, and that brought me out into the field a few times in Iraq, and places like North Korea. But then I changed it up a bit to get involved in the counter-terrorism world down at the White House and the National Security Council. I ended up serving at the White House for close to five years, doing both counter-terrorism and then eventually critical infrastructure protection and cybersecurity. And really for the past 20 years I have done cybersecurity and went on to ultimately found a company focused on cybersecurity intelligence management.
A company called TruSTAR that was recently acquired by Splunk. I joined Nisos' board in April of this year and love being a part of the board, basically because of Nisos' mission to manage intelligence and bring it to customers who have really interesting problems, and your bespoke way of addressing their issues is just ... It's great to be a part of the board and helping Nisos move forward.
- Appreciate it, and again, that's a pretty diverse experience and we'll probably be diving into that quite a bit. Today we'll be talking about really translating the recent executive order from the Biden administration and how it relates to enterprise and cybersecurity. And we were chatting a little bit in our pre-discussion; it was really how a lot of this order is almost intelligence management at its core. And I think that certainly your deep background and experience will speak a lot to how the enterprise can really use this. To kind of lay the groundwork a little bit, what are the major provisions of the executive order, and what are some often overlooked aspects of that order?
- Yeah, I think there are two or three major areas in the executive order. The first one, which I take it a lot of people gloss over pretty quickly, is the emphasis on going to the cloud. There is a clear push within the executive order to get the public sector to move more efficiently and expeditiously into the cloud. The second issue that is highlighted is information sharing: information sharing within government agencies, and between government agencies, and also with the private sector. And then the third issue, which candidly I don't think is really getting enough attention and perhaps is maybe one of the most important developments out there, is the declaration within the executive order about collecting and preserving event-related data.
And we can talk more about why I think that's more important, but when I think about it, it's the cloud, it's information sharing, it's the collection and preservation of data. There's a lot of other provisions that look at adjusting the federal acquisition regs, NIST guidance that needs to be put together here and there. All of which are important, but the takeaway here is really how do we accelerate the government's move into the cloud and get more cloud-based operations, which I'm a huge advocate for, because I think from a security perspective, from an intelligence management perspective, it's gonna make us far more efficient and lead to much greater security.
- Let's kind of dive into that, right? And let's set a little bit of context. Let's take a ransomware event. I've talked to a lot of customers, certainly of Nisos, and these are major people that spend hundreds of millions of dollars on security. They'll be looking at when a vulnerability is released for a certain device that's in their network, and of course the threat hunters are almost sitting there with the guns, and the guards, and the gates, almost looking at when bad guys are starting to exploit those devices. And they say that no less than 12 hours after something is released publicly, they start seeing opportunities to exploit those kinds of devices. Understanding that the critical aspects of this threat, well, throughout ransomware, are around the mean time to alert, mean time to respond, mean time to remediate. Those are the critical metrics that probably need to really come about. And then again, taking the state of collection issue that you kind of just touched on, what does business have to do better from that inside-the-network to outside-their-perimeter approach? What do they have to do better?
- Great question.
I think that when I look back at the road where we've been, we went through the age of building better mousetraps and really focusing on the output from those mousetraps: new firewalls, new antivirus capabilities, new means of protecting ourselves, thinking that that would protect ourselves. Then we evolved to, oh yeah, we gotta do that, but then we think that we need to look at this external threat environment. We focused a lot on that, and that really kinda took off from the 2014, 2015 context. And we kinda muddled through for five years or so. And then we've arrived at this place where, oh, gee, these worlds of internal information and external information need to be brought together, and we can't do that via humans. Humans play an important role, but if we're gonna really drive down MTTR and MTTD, we have to integrate and automate the data from internal security applications and tools and external reporting. And that sounds really easy, but it's a very big lift in terms of transforming and normalizing the data and putting it all together in a very rapid manner, and teeing it up so it can be automatic and used to automatically update defense systems, or passed on and prioritized to an operator to review. And so I do think, Landon, we are maturing in this space, but we're pretty late to our understanding. So when you come to the question of ransomware, I think one of the things ransomware has highlighted for us is, oh, by the way, there are these other IT monitoring tools that are out there, capabilities like SolarWinds or others, that are actually being exploited by adversaries. And you can probably relate to this given your past. I think we've been trained to look under the lamppost in our analysis of whatever the security tools are telling us, and whatever the external intelligence is bringing to us. And we're not looking more broadly and deeply to understand how adversaries might be coming in the side door, so to speak, through tools that we normally didn't focus on.
And they're being used to create opportunity for the introduction of things like ransomware. And so that broader and deeper capability is so important now, and frankly, coming back to the discussion we had in the beginning, the imperative of using the cloud to bring all this data together and to have that rapid look-back capability: how do we understand what's happened to us? Not only what's happening to us today on a transactional basis, but what happened two months ago? What happened six months ago? And how do we maintain that history, that intellectual history, of what happened inside of an organization? I think all those pieces are starting to come together now. Despite how bad it is right now, I actually think the industry is on the cusp of doing something pretty transformative, of doing intelligence management on the cloud.
- Okay, I'm kinda curious from an example perspective. Just take a medium-sized business: from inside their network, where are those critical automation pieces and that data that needs to be collected? I mean, are there any more important choke points at certain levels than other places? If we're talking about cloud data, is it really that an alert just needs to go fire into the inbox and get into their ticketing system from an automated perspective? Does something need to be happening from the endpoint to the email alerts that needs to be automated? I guess, if you're a medium-sized business, kind of like, where do you even start?
- Yeah, from a medium-sized business, I think the good news is that the capabilities are now there to take that alert that comes in from, say, a SIEM and correlate that alert with other relevant intelligence automatically, and upload that, so to speak, or feed that into a ticket, a case management ticket, so that that ticket can be automatically created or, more importantly, a ticket can be automatically updated with the most recent intel. That can all happen today.
That's happening in big companies, that's happening in smaller companies, medium-sized companies. I think one of the things that I don't know if we'll necessarily dwell on here today is what roles do the MSPs have in this space? And I think with the more recent ransomware attacks around Kaseya, which did affect the MSPs, I think once again we're kind of like getting that knock, oh, okay, right, we've gotta think about the MSP universe as well, because they're supporting so many medium and smaller industries.
- Understanding that internal network protection is only one strategy, what has to be done from an outside-in approach? We were kinda talking about inside-out, basically inside our network facing externally. How about from an outside-in, so external-facing toward your network? What does that approach look like in terms of gaining the necessary data and the telemetry on what actors are doing? Kinda where does that need to fall in the prioritization stack? And are we there yet? Are we there yet?
- Yeah, I think it's really important, but I think the order in which you do things helps make this a less daunting problem. So say, for example, if I go out there and I procure a bunch of threat intel, then the next question is, alright, how do I put that intel to work? In the 2014, '15, '16, '17 context, I would argue that there were threat analysts that were out there that would look at that intel, they would do awesome analysis, and they would do their best to throw that analysis over the wall and hope that the SOC would be able to use it. And unfortunately, many times the SOC didn't have the time on their hands in order to digest it and to use it effectively. It's not to say that it was all lost, because there was some exceptional work done.
But the way you flip this around and make it much easier is that you take your events coming from your internal security tool set, your SIEM, your EDR for example, and you correlate against those, versus kind of searching for the threat that relates to a problem. You basically bring that problem to the threat, and you're able to put together a picture. It's like, oh, okay, I've got this notable event that's occurred. What relates to that externally, and can that be automatically brought together? And in the case of high-priority intel, because most of the vendors that are out there in some way, shape, or form prioritize the severity of the data, when we had TruSTAR, when we ran TruSTAR, all that data was normalized, the scores were normalized, and you could put it up against whatever the internal events were. And basically that was all done automatically. And then you could go so far as to take the prioritized events and automatically update your defenses. Well, not everything is gonna work like that, so you gotta be able to have the analysts involved. But there the SOC analyst has basically got everything at his or her fingertips in order to begin to bring the pieces together. And not only are they not doing the data wrangling between different systems, they can look at it, say for example, in ServiceNow, or in a Splunk application, or a QRadar application, or whatever it's gonna be. That was a critical development that, going back to the MTTR, MTTD perspective, has really helped. And so the one question I would say is, how do you select the best threat intel? And I think we can both relate to this: there's really good intel out there, but a lot of intel, its value is ephemeral. It's really good today and may not be so helpful three weeks from now for a variety of reasons, and so we need to be able to create systems that allow us to pull from lots of different threat feeds and correlate it against what's relevant to our systems.
Realizing that our own internal systems, the infrastructure we're running, and the tools we're running, they're changing over time, and you gotta be able to make sure you can automatically mesh those internal events with the external sources. Does that make sense?
- It does make sense. So I guess kind of what you're saying is, with intelligence and intelligence services, and this goes way beyond just cyber threat intelligence as well, there has to be an integration mechanism at some point with something within the internal network, right? I mean, so I guess the question then would be, what is that critical integration point that needs to happen? Should it be just with the ticketing system? Does it need to be necessarily with the threat intelligence platform or the security management system like Splunk? I guess I'm kinda curious what that key integration kinda looks like, 'cause I think in the end, right, I think we would all agree that IOCs to a SIEM is not intelligence, right? That's good information, but that's really just a point in time; an actor can switch their IP or their domain literally in seconds. So, what are the key integrations that you think are important?
- Well, I don't wanna be too cute here, but I do think it works in this case. I think it has to be data to everything. And the reason I said I'm really not trying to be cute is that that is Splunk's phrase. And I'm speaking, really speaking here as myself, but it is data to everything. What does that mean in the context of your question? If you wanna bring that to a ticketing system, you ought to be able to bring it to the ticketing system. If you wanna integrate it with your SIEM, you ought to be able to integrate it with your SIEM. If you wanna bring the data over to a threat analyst, you ought to be able to do that. And the other piece that you touched on there is IOCs, and IOCs have limited utility.
The context is often very important, but I think another piece that is certainly getting a lot of attention now is not just the context, but it's also behavior. And this is where I think collection and preservation becomes really, really important, because we're gonna be better able to discern behavior when we start collecting and storing data over time in order to understand patterns of behavior, rather than just being transactional, like, oh, I have a notable event, here are some IOCs that go with that, let's check the box in whatever case management system and move on. And that's a transaction. That's not looking at something in depth to see, okay, so what? What else is going on here? And that's where I think behavioral observations of the data are gonna be really, really important.
- Yeah, that's certainly a part that I'm excited to see, how even all enterprises start to ultimately detect behavior, and where things like red team exercises that really get to the behavior, and threat intel, ultimately can get into and work with systems like Splunk, and really start to detect things very quickly, reducing those mean times to alert, respond, and remediate. Which I guess leads into the next question: how can this be done at scale, and what can be done for medium and small business that can't be done for large enterprise, and vice versa?
- What's interesting is this is where the cloud is exceptionally important. I don't think you can do this in an on-prem world and successfully gain the appropriate insights of what's happening and understand behavior on a silo-by-silo basis. We have to start to see data retrospectively over time, and we have to be able to share data with each other. Both that retrospective, that look-back capability, as well as the sharing, are enormous, and the capabilities to look across the data via the cloud are mammoth. They're huge. And I would argue if we don't move to the cloud for security operations, we're gonna continue to get hammered.
That's my personal view. I just don't see us succeeding in an on-prem world. I think they offer us way too much opportunity for adversaries to get in, do mischief, and then move on to the next party and pull the same party trick, so to speak. And we have to evolve to the cloud, and in the cloud especially, as we start collecting and preserving data over time, we're gonna see patterns that we've never seen before. In terms of scale, it can be done. And we've taken a close look at our capabilities, at least within TruSTAR, in terms of scale, in terms of being able to hold data, and search the data, and find relationships within the data, in what we call Enclaves. It's there. And scalability is not a challenge for us. And it's pretty cool to see the capabilities that the cloud can offer.
- Leading into the final question, just based on that answer: what can be done at the government policy level, and how does that trickle down to enterprise? I mean, does the government need to be more prescriptive in terms of navigating to the cloud so these things can be detected at greater scale? Or does the current executive order start to address some of that?
- Well, the current executive order is really, is very much focused on the public sector, and more particularly the federal government. It is really not meant to force the private sector to the cloud. I think the private sector in many ways is evolving to the cloud and moving from an on-prem world to a cloud-based world. But I do think there's an opportunity under the executive order for the government to begin to set an example of what information sharing, and data collection and preservation, can look like, and to underscore the benefits of that. I don't think that is a sure thing in terms of being achievable, because, as you know, the federal government is not a monolith where the president can sign an executive order and they all answer it. Parts of the executive order will be fulfilled to a tee, and then there'll be other elements that will languish.
I hope that, just because of the severity of the events that continue to occur, people will take this, government agencies will take this seriously, and they will say, "Yeah, we've gotta figure this out." It's not because we're being told to figure this out; it's because we gotta figure this out. Otherwise we're gonna continue to get slammed. And it seems like the drumbeat is getting more intense and more frequent, and so I do think that there's a willingness in the public sector to entertain going into the cloud. But frankly, I think they need a roadmap. I think they need... There's some work that needs to be done to say this is what the path looks like. This is how you migrate from an on-prem security capability to a cloud-based security operational capability. These are the steps you go through. This is what it looks like in one year, this is what it looks like in three years. And I'm bullish that that is possible, especially when you look at certain intelligence agencies that have been able to migrate fully to the cloud. They've done it, and they've been there for a while. So it's kind of in the rear-view mirror, and now they're starting to improve capabilities, whereas a lot of federal agencies are still languishing.
- So, what I think I heard you say is, if the US Intelligence Community can go to the cloud, so can Fortune 500 America. Is that fair to say?
- Well, not exactly. Yes, certainly Fortune 500 America can go to a cloud, but I'm talking about what about all those civilian agencies?
- Mm-hmm.
- There's the civilian federal agencies. What about all those other national security agencies that are not intelligence agencies? The DOD space, DHS, they ought to be going to the cloud quickly, and the president can't necessarily direct Fortune 500 companies to go to the cloud, but he does have the means at his disposal to push the public sector toward the cloud.
- I see. Yeah, certainly valuable insights.
Thank you very much for your time, thank you very much for what you do for Nisos, and congratulations on your exit with TruSTAR to Splunk.
- Yeah, thank you, and it's great being a part of your board.
- For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to tackle some of the world's most challenging security problems on the digital plane and conduct high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.