- Welcome to "CYBER5" where security experts and leaders answer five burning questions on one hot topic in actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host, Landon Winkelvoss, co-founder of Nisos, a managed intelligence company. In this episode, guest moderator and Nisos teammate Alex Eggleston is joined by Head of Global Threat Intelligence at Morgan Stanley, Valentina Soria. They discuss an overview of leading a large scale threat intelligence program in the financial institution space, and how to make intelligence absorbed by multiple consumers. We also talk about how intelligence teams can build processes and technology at scale, to increase the cost of investment to criminals. Finally, we touch on large enterprise being a value-add to small and medium-sized business. Stay with us.

- Thank you so much for joining us, Valentina, really looking forward to the conversation today. Would you mind introducing yourself, giving us a little bit about your background?

- Yeah, absolutely, Alex, my pleasure being with you today. So I'm Valentina Soria, I'm the Head of the Global Threat Intelligence team here at Morgan Stanley. So I've been at the firm now for five years, and I kind of am responsible for managing and supervising this global intelligence capability for the firm. So pretty, pretty big responsibility. And what my team does is really look across a full spectrum of potential risks and threats to the organization, and anything that could disrupt our business from an operational perspective. These are my opinions, and they don't necessarily reflect the opinions of my employer.

- Awesome, yeah, obviously you have a very wide ranging responsibility, with a lot of visibility across the enterprise. So really interested to get your take on some of this, from your perspective.
So today we'd love to focus the conversation on how you use intelligence and not just information across numerous stakeholders and consumers in an enterprise. You'll have a great perspective on this. So I guess, just to get started, would you mind providing sort of an overview of how intelligence can be used across the enterprise with different stakeholders?

- Yeah, absolutely. Really, really tough question. I think, Alex, it's interesting to think about the evolution of the intelligence field, right? From a pretty niche discipline focused on really just threats, right? So you think about malicious actors, somebody with intent and capability to strike at your organization, to a field that now really serves the business across a spectrum of potentially disrupting events or incidents that could impact an organization's assets, people and operations, maybe. So in my view, you can really prove the value of intelligence wherever, really, you can find a valid business case to fill a critical information gap, right? And help stakeholders contextualize the risk facing them and the business. So essentially you need to learn how to leverage that full spectrum intelligence capability to connect the dots and convey the value-add that it will bring to your stakeholders. And what do I mean by this? Well, you must think of intelligence at the various layers of applicability, so from tactical to operational to strategic. Really, at the tactical level, intelligence allows you to respond. The operational level allows you to prepare, and the strategic level allows you to anticipate and really plan alternative courses of action, in my view. What does that mean in practice? Well, I think that in addition to tracking and alerting on current threats, organizations should really use intelligence to challenge conventional wisdom, if you want, about what senior leadership should be concerned about.
I always say this, and people sometimes freak out, but intelligence teams should really make senior leadership and business stakeholders feel uncomfortable about how they think about certain scenarios, or the state of the organization's risk posture. In some more, maybe, mature organizations, they should ensure that intelligence teams are heavily involved, for example, in scenario planning or exercise programs. So really making sure that they can help the business imagine what the potential spectrum of threats and risks, the most dangerous and most likely scenario, could be really. And so thinking of intelligence as those three different layers allows you to identify, and also categorize, the stakeholders across your enterprise, and really no matter what the size of your intel team is, you should aim to serve a wide range of stakeholders by delivering a variety of products or intel outputs that really help drive actions, generally speaking. Clearly you need to scale that based on your resources, and you might need to be a little bit more selective. Frankly, that rule always applies. Intelligence is really not about quantity. It's about quality. And so it's about that unique value-add that you can bring to your stakeholders. And you can only achieve that if you really understand their information needs and their requirements.

- Yeah, absolutely. I think that makes a lot of sense as far as a framework for thinking about intelligence, especially as it spans across stakeholders on an enterprise level. I would imagine this is particularly relevant, as we're getting into the current events of the time, just ripped from the headlines. I'm sure that there's been some legwork on your end required to sort of make sense of everything and inform the right departments in the way that is most relevant to them, with everything happening right now.

- Yes, absolutely.
It's so important really, just to make sure that again, the intel function is not sort of misunderstood and mistaken for an information hub or a news hub. It's really that kind of additional analytical insight or enrichment that you can bring to your stakeholders to really allow them to appreciate the so-what of specific events for your organization. So it's really about making sure that you, yes, you deliver timely information, accurate, because in the world we live in today, that's also a really, really big challenge, make sure that what you're feeding is actually accurate and corroborated information, and again, it's enriched with the kind of insight that can help them navigate the complexity of some world events.

- Sure, absolutely, not just the what, but the why. I guess thinking about that on a more detailed level, who are, in your experience, the different consumers of intelligence inside and outside of a large enterprise, and how do you go about tailoring that differently than for stakeholders?

- Yeah, it's an interesting question. I think in the most traditional sense of the word, consumers of intelligence are those who kind of simply receive an intelligence assessment and, more likely than not, use that for situational awareness and to be kept informed on a specific issue or threat, or on the latest trends across the intelligence landscape. And you still have some of those in large enterprises today, right? So you think of your average employee who is just really maybe getting your daily, weekly intelligence digest that gets produced by your team. In some organizations, intelligence teams may also be asked to help produce some newsletters or other situational awareness products for individual corporate clients, for example, but frankly you have fewer and fewer recipients of those products who you would simply identify as passive consumers today, right? Because intelligence teams, really, given also the challenge of having relatively finite resources, need to write with a specific stakeholder in mind, and while you may still have written products that are purely informational, the bulk of an intelligence production portfolio tends to be tailored to the requirements of the given stakeholders. So it's really important to remember that in order to be called such, intelligence really needs to be, to my previous point, timely, accurate and actionable. So if it doesn't inform or drive action for one or more of your stakeholders, that threat assessment loses that unique value, and then it is similar to research. Not that I want to sort of belittle research by any means, but it's just a different type of analytical expertise that you have to work with.

- Sure. Yeah. That distinction there might be a little nuanced, but is super important when you're thinking about how intelligence gets delivered. I'm sure, diving a level deeper into your expertise within financial institutions specifically, I'd love to hear a little bit about different stakeholder departments, SOC, KYC departments, wealth management, sort of how you divide those when you're thinking about intelligence as stakeholders, if there is nuance in the way that that is packaged and delivered, or how you approach that specifically within a financial institution.

- Well, I don't think there is necessarily anything different, right? What we do here, the way that you can apply the intelligence discipline, it really goes across different domains and different sectors, really. Clearly, for my stakeholders specifically, and for organizations like mine, again, it's important to be really on top of things in a way that the context is very easily digestible, because everybody's super busy. And so to my earlier point about the difference between intelligence and research, I love it. I come from a much more traditional security background. I've done research for many years in the past, in my previous career life.
And to be honest with you, I love to be able to write like pages and pages on a subject that I really like, and I love to dig into, but it's just not the type of output that I know is going to really help drive some of the decision making in my organization, right? That is not how you would deliver that kind of very punchy and concise intelligence assessment that can really bring up the so-what, that unique value-add that your stakeholders need to work with, right? So I don't think there is anything specifically different that we do in the financial sector here, but it's definitely understanding and knowing your audience that I think is universally valued across the board.

- Yeah, absolutely. That makes sense. And to further your point about the difference between research and intelligence and actually making it actionable for the enterprise and different stakeholders, we understand that criminals have sort of their own scale and return on investment criteria for their business. How do you think, or how can an enterprise think about using intelligence to derive its own risk based approach to defending profitable assets?

- Very interesting question here. Well, I've been very lucky in my career as an intelligence professional, really, to have worked for organizations that are really, really big and serious about the critical value of threat intel in enhancing the overall security posture of the organization and mitigating cyber risks and any sort of operational risk. And that is really a game changer because it allows you to be proactive most of the time, at least, rather than wait to find out that you've been breached or impacted by an incident or an attack. Having an intelligence led risk framework means that you make a deliberate effort to understand the threat environment that your organization has to contend with, it means knowing what to focus on and how to better prioritize resources, because that operational risk environment is very crowded these days.
And so you just mentioned that kind of criminal business model. Threat actors are continuously shrinking that time window from vulnerability disclosure to exploitation, from initial compromise to malware deployment or actions on objectives. So it's really important to also reduce the time window between threat identification, threat detection and response and remediation efforts, right? And intelligence allows you to really embrace a forward leaning approach to managing risks. So this is how enterprises should think of threat intel these days, no longer as a technical niche function that sits in the back of a room and passively collects indicators of compromise and other raw data. You can, and you should, automate all of that today to really free up your analytical resources, to really leverage the technology, to build automation into processes that were once really heavily manual, and don't require that kind of interpretation, assessment and critical thinking. And those analytical resources should rather be focused on driving risk mitigation efforts that go beyond just detecting and blocking the latest mass phishing campaign. And maybe one good example is how more and more teams today are, for example, using the MITRE framework, right? So to map tactics, techniques, and procedures of advanced actors, right? Of those that they prioritize because they may have a history of targeting their organizations or their sectors, and how they can leverage that mapping to identify coverage gaps in their prevention and detection tools or identify analytics that could be built to sort of enhance their perimeter, so to speak, and their detective controls across the environment. And this is an example of proactive use of threat intel, for example, to mitigate risk against your most critical assets and really one that allows an organization to prioritize resources, to ensure appropriate coverage against the most relevant, and I think impactful, threats.

- Yeah, absolutely.
I feel like that is a sentiment that we'll continue to hear more and more about, automating where you can and conserving those resources for where it matters. Taking that step further, understanding that resources are so scarce, how can this model scale, understanding that it is still a risk mitigation function?

- Well, you need to start small and build incrementally from there by securing more resources for what your leadership will start to view really, as an essential component of the risk management framework. Cyber threat intel maturity is a journey, right? Organizations need to go through a journey of, I call it conscious growth, in order to really realize the real return on investment when it comes to intelligence capabilities. And to be honest, this won't show straight away, right? You have to be realistic about it. You have to take time to truly understand and evaluate your organization. And really don't be afraid to be in listening mode for the first few months of your journey. So find the key coverage gaps, but also understand what hasn't worked before, and really build the right capability and complement existing ones rather than build something that is redundant and not really necessary. It would be much easier at that point to justify that regular investment in your intelligence function and get more resources for the kind of work that they would want you to do. And it's important to determine where the intelligence function can add more value and really identify meaningful metrics to track the success and relate that return on investment to the leadership. And believe me, metrics can be tricky. I'm not a big fan of metrics. Unfortunately, I'm not a numbers person, but I understand how important they can be, how useful they can be for exactly this kind of discussion. And for years, the value of intelligence tended to be intangible or somehow hard to quantify.
You can't compare intelligence, for instance, to the metrics that your SOC or your CERT team can turn around every month about the number of incidents and old issues remediated, or how many vulnerabilities your vulnerability management team has been able to patch, but in organizations where intelligence teams are strongly integrated with response and recovery functions, intelligence inevitably drives some of those metrics. It really all begins, as we said earlier, with mapping your stakeholders and really, whatever intelligence input you provide to them. So closing the loop on any and every engagement that you have is really key, and that infamous feedback loop. So that's the only way you can truly understand whether what you are doing is adding value and how, critically. When you get a request for input from your intelligence team, make sure that you are clear about, very crystal clear I would say, about the use case, the business justification. This way, if something is not quantitatively measurable, you're still able to tell your leadership a good story of success, provide them a measure of performance or effectiveness, which will eventually help you justify the sustained investment in your intelligence function. So how are you enabling or contributing to enhance certain processes or enhancing certain controls, how are you informing your risk management practices and things like that. So, crucially, I think in my view, your intelligence metrics should also reflect the information sharing partnerships that your team participates in. This is something that it's clearly unique to intelligence teams by default. In most cases, at least, intelligence teams are the gatekeepers of those relationships with industry partners, government partners and so on. So they really understand and know how to leverage those sorts of relationships to be proactive about the threat environment. And it's not just a tick-the-box exercise where you say, yes, I'm part of my ISACA, and I'm fine.
You actually need to make sure that your team pushes to the rest of the organization that sort of unique information, early warning and such that really gets shared in those forums before it becomes public knowledge. And then everybody can read about it in the newspaper.

- Yeah, absolutely. I guess I am interested, unfortunately, about the way you think about metrics and how that's not an easy thing to apply to an intelligence function, right? In your experience, what are rational metrics to apply? Is it just measured in controls or how do you think about that?

- As I say, the best ones I think are the combination of what you can measure quantitatively, but also those qualitative contributions, 'cause a lot of what the intelligence teams in general do, again, it's hard to just sort of measure in a hard number in a way. So what I mean is like, yes, what I said before about if you are really well integrated in your response with other response functions, in other defense, the sort of defensive team capability, you can actually demonstrate how some of the intelligence that you can provide, be that some raw data that you gather from feeds, from partners, from the sector or whatever, or just from your analysis, how much of that is contributing to maybe an earlier, quicker, more effective detection of malicious events in our network or expediting the patching of critical vulnerabilities because you've provided evidence and information that points to that specific vulnerability being exploited in the wild and how, and by whom. These are some of, again, the more competitive examples that you can put down. If you support a fraud function, of course, that also goes with the number of fraud events or fraud attempts that you have helped block or prevent somehow, but also things that you have discovered through your intelligence sort of monitoring capability that you've handed to those teams. And on the qualitative side, it's really about how the analysis of your team has helped.
Maybe the leadership at that point understand better, or better navigate, the complexity of, again, the threat environment; that could be related to a specific geographical location and some of the challenges of operating there, it could be about a specific understanding of what getting into a business in a certain type of industry or vertical could mean, and what the organization should think about as mitigating measures to sort of reduce the risk exposure or the risk or the attack surface when it comes to that.

- Sure, yeah, certainly not a one size fits all answer there, but I think that's a really good breakdown, and really helpful in thinking about that. Obviously in a lot of cases, large enterprises, especially in the financial sector, sort of pave the way and bear the brunt of a lot of the way we think about intelligence and how to be proactive using an intelligence function. I'm curious to hear how this model that you've sort of laid out for us can be helpful for small and medium sized businesses that need help further down the supply chain.

- Again, to my earlier point, it's tough. It's not easy, it's a journey, right? And not everybody can have an infinite number of resources. So it's really, though, about the mindset and the framework to how you think about intelligence, right? So you need to embrace a holistic view of intelligence and project that view to the whole organization as management of business risk. It's not just an information gathering function; it's informing really your risk mitigation strategies. And that, I think, is the most effective way of putting that across. It doesn't necessarily mean that you need to cover 10 different domains.
This principle applies even to really meet intelligence functions that are focused just on cyber or physical or fraud or whatever; it is the idea of informing the business at a tactical, operational and strategic level and really connecting the dots so that leadership can understand the threat environment and think about it practically. To my earlier point, if your resources are limited, be smart about it, try to automate as much as you can at the tactical level and leverage your analysts to provide context, to convey that so-what of a certain threat or an incident or vulnerability to your upper management and to the other teams that are expected to act on that intel to mitigate the threat, and most importantly, make sure that you are connected and plugged into relevant information sharing communities, especially when your resources are really limited. Those partnerships are really a true force multiplier, giving you access to what drove of information and resources and outputs that you may otherwise miss or not be able really to produce yourself because your coverage is limited or stretched pretty thin. So you have to really develop and embrace that multidimensional strategy to make your intelligence function truly critical for your organization, to the point where they can't really make it without it anymore.

- Yeah. Yeah, absolutely. I think that makes a lot of sense. It's a really helpful way to sort of apply the larger concepts that you've been talking about throughout this time to the smaller and medium sized businesses that obviously still bear the brunt of the same problems with different resource balances. I'd be curious. Do you have an example, or can you think of an example, of the way any of the tactics that you just laid out can exist in real life for these businesses, either on an information sharing basis or how to remain savvy with more limited resources?
- Yeah, and as I say, you know, when you really have only two, three or four analysts or whatever, again, it's tough to be able to cover everything, to cover all of your bases. There are though, as I said, a lot of sector specific partnerships and information sharing forums, of course, in the US, there are a lot of resources that are pushed by government partners, CSUN and others, that really you should be plugged into, you should sort of be subscribed to. I mean, it goes without saying, that may sound obvious for most of your listeners here, but it's something that for the small organizations can make the difference. You can't necessarily have eyes on glass on everything and anything, but that's why, what I said earlier about making sure that you're plugged into those communities can be the force multiplier, because they essentially expand the scope and the reach of your team that can only deal with so much information at the same time, right? But again, also be smart about how you leverage a lot of the analytical OCI capabilities that are out there, right? You don't necessarily have to reinvent the wheel when sort of explaining a fact or an event or an incident, you can kind of reuse most of the information that a lot of research companies and intelligence companies out there push out on their blogs and similar; what is going to make the difference is applying that layer of analysis that makes it relevant to your own organization. So if anything, make sure that your team spends a little bit more time truly understanding your environment, right? Because that is going to make the difference to the information that comes from the outside. Everybody can read websites these days, and everybody does that, probably sometimes more quickly than your team can process that, but they may not necessarily have the knowledge and the ability to sort of then relay the significance of that to your organization, right?
And so I think that that's the right balance to find in between leveraging what's available out there, not reinventing the wheel, and if anything, putting effort on truly understanding what is going to be meaningful and significant for your organization.

- Yeah. I think that makes a lot of sense. That's a great breakdown of how to balance those functions, I think. Thank you. Well, thank you overall, Valentina, for joining the show. I think this was such an insightful conversation. I really appreciate your perspective. Thank you for taking the time.

- For the latest subject matter expertise around Managed Intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane and high-stakes security investigations. Without the value the team provides day in, day out, this podcast would not be possible. Thank you for listening.