Not all threat intelligence is created equal
In this podcast recorded at RSA Conference 2017, John Czupak, CEO at ThreatQuotient, and Jonathan Couch, Senior VP of Strategy at ThreatQuotient, talk about what’s important to know about the difference between threat intel and threat intelligence platforms, how threat intelligence has changed over the past few years, and much more.
Here’s a transcript of the podcast for your convenience.
Let’s get into this conversation. Couch, most people have heard of threat intelligence, but can you give us a quick overview of what’s important to know about the difference between threat intel versus threat intelligence platforms? Where does ThreatQuotient fall into this kind of market that we have here?
Jonathan Couch: Definitely. I think one of the key differences is really the fact that threat intelligence provides you a lot of information and intelligence about what the threats are to your network, and what you need to focus in on from a security perspective. But threat intelligence platforms are, really, that next step in the operational chain. It’s how you actually use, consume and utilize the threat intelligence that’s out there.
It’s not just the creation of threat intelligence, but it’s that consumption, it’s bringing it in, figuring out what the context is around all those threats that are out there, and figuring out the relevance. Does your business, does your organization care about it? And then, how do you utilize that within your network? How do you deploy it out to your sensor grid? How do you communicate with the executives in your company? How do you work with other business units in the company? So, threat intelligence platforms are there to really enable that consumption and use of threat intelligence within your environment.
John, I understand you celebrated one year with ThreatQuotient back in October. What has it been like working with this company since very early on, especially in this emerging market?
John Czupak: It’s been a real whirlwind, and it’s interesting. When I joined the company, we were in an incubator space, here on the East Coast, at America Online. And there’s a thesis that we could build a big, relevant business in an emerging marketplace. It would take a lot of work, but it really starts with the people. So I embarked on bringing a world-class executive team into the company. And yeah, I would stack our team up against anybody. We have folks with experience, deep product experience in the industry, from companies like Sourcefire and Cisco. We’ve augmented that with folks that have deep threat intelligence experience from companies like iSIGHT, which was one of the early innovators in this particular space. And our founders, of course, came from deep domain experience, coming out of General Dynamics. So it’s an interesting mix of executives we’ve brought to the table.
And the plan was to build a company around this. ‘Let’s raise great money in this emerging market, let’s build this company out, let’s advance the product in the areas that we think that it is relevant and differentiated, and matters for the marketplace.’ And I couldn’t be more proud of the accomplishments that we’ve made over the past year. As I’ve stated before, we’ve built an executive team, we’ve filled the team out, we’ve created a go-to-market machine that includes folks in Europe and North America. And most significantly, we’ve done a complete recasting and a rebuild of the technology, the product. We architected it from the ground up. And we’re doing some amazing things with the technology today. So, we’re in a great place, and this is going to be a big year for the company.
Great. Couch, you’ve been involved with threat intelligence for longer than most. How has the industry changed over the past few years? And what is still missing in this market?
Jonathan Couch: I would say threat intelligence really started out… Even in the middle/late ‘90s there was, really, threat data. People started moving beyond their networks. So a lot of organizations, from a security standpoint, started just looking at what they could see on their networks, and blocking it – firewalls, IDS, IPS, all the technologies that are out there. And they slowly started to expand beyond the networks, to look over the horizon a little bit. And that’s where a lot of threat data came out. Here are different indicators, different technical information, IP addresses, domain names for command and control servers, and data exfiltration servers, and all these things that weren’t inside of corporate networks, but were the last mile coming in. But there was very little context to it.
And so, over the years, I think what developed was just a lot of noise. There was so much data, it was an overflow of data. And it’s been interesting, because I think the commercial world has started to feel a lot of what the government has seen for years and years and decades, to where you have so much data, but you need to make sense of the data. And so, over the past few years, really, the importance of context and the importance of relevance has really come into the market. It’s not just that you have a ton of data. I can hand you a hundred thousand IP addresses, and tell you they’re bad, and it doesn’t mean anything to you; but if I hand you a hundred thousand IP addresses and I say, ‘But these five are actually targeting your industry, and are going after something that your business cares about that increases shareholder value, that increases revenue generation for your company’, well, that’s something now that you can focus in on. And you can apply your resources against it.
Another key thing that’s popped up over the years has been the discussion at all levels of government, as well as in the commercial industry of sharing, to where I think a lot of threat intelligence groups are focusing in more on sharing than they are necessarily on consumption and use, on the operation side of threat intelligence. And while sharing, I think, is a core component of what needs to occur out there in the market, you need to go about it the right way, you need to make sure you’re sharing the right information in the right way so that it is consumable and usable.
But at the end of the day, it isn’t all just about sharing. I can share with everybody here all day long different tidbits and facts of little interesting things, but it doesn’t do anybody any good unless it’s something that actually applies to them, to their environment, that has the relevance, and that it’s information that they can do something with. So, I think, over the past few years, the market has started to focus in to figure out, ‘All right, we have this whole threat intelligence thing; it’s still being defined.’ I think every day presents new challenges for what people are looking at, but then they’re moving on from that definition of threat intelligence to really, ‘How do I utilize it in an effective and efficient manner?’ Especially within commercial organizations where ROI matters. So you can’t just buy a ton of data and be overwhelmed by it; you’ve got to do something with it, and then communicate that to your executives to get support.
Something I hear you saying is that not all threat intelligence is created equal. So do you want to talk about that a little more?
Jonathan Couch: Yeah, definitely. And I am somewhat biased. I come from a threat intelligence provider in my background, but we always used to say, ‘Context is king.’ And I think that really is a key point. It’s the fact that you don’t want to just have a ton of data that doesn’t necessarily mean anything to you, you have to have the context around it. And that’s where attribution, and adversaries, and a lot of these concepts around threat intelligence have come into play over the years. But for me to be able to talk to you, rather than just saying, ‘Knives are bad’, to be able to say, ‘Well, there’s this guy, Joe. And he lives in this state, in this city. And he’s utilizing knives to lock-pick doors to get into your home. And he focuses in on stealing TVs.’ Having that context around the problem is a lot better. You can’t protect against all the knives in the world, but you can protect against how one specific individual is utilizing a knife. And especially if there are tens of thousands of those people, all utilizing knives in the same way. You can figure out where along that path you can best stop them, where your countermeasures fit, and be able to work with that.
I truly do believe that not all threat intelligence is created equal, that you have to have the context around it. And for those feeds and providers that don’t provide that context, you have to have platforms that can add that context to the data that you’re bringing into your environment. A lot of times, through government feeds, through open source feeds, you’re not going to get a lot of that context. But by integration with other commercial tools that are out there, you can add that context into your knowledge base. And you have to have that library to be able to store it, and then leverage it.
And back to you, John, what else can you say about your team at ThreatQuotient? And where do you see the company going in 2017 and beyond, related to the context that Couch just provided?
John Czupak: Thank you. It’s a really exciting time for our company. I think for the industry, there’s a lot of change going on, but from the viewpoint of my desk, the change is right in the fairway or in the wheelhouse of what we do and what our vision is for this marketplace.
As a company, we’re organized and we have capacity to advance this market this year. So we’re expecting big things out of our business. But from an industry standpoint, one of the things that I’ve noticed, which won’t be controversial, is that there’s a tremendous amount of energy and activity in our space. There’s a recent survey that was published by BTIG, by a gentleman by the name of Joel Fishbein, who identified that amongst the top three priorities for spending this year and in future years are things described as threat intelligence and analytics, and, secondarily, this area or notion called security automation and orchestration. And if you think about those two areas, the provision of threat intelligence in a way that’s meaningful and useful to the users or operators is extremely valuable. So, we believe that we’re well positioned for a market that’s at an inflection point and a market that’s going to rapidly increase over the coming years. It’s an exciting time to be here.
Couch, to wrap things up, do you have any advice for companies that are looking to get started with threat intelligence or take better advantage of it?
Jonathan Couch: Definitely. I’ve worked with many organizations over the years, and I’m a firm believer in planning. Organizations, you can’t just jump into threat intelligence. I talked earlier about the overwhelming data that they can face sometimes. And organizations need to go into this knowingly, like they do with any other major program that they may start up at the company.
My advice to organizations is to set up that strategic plan. Know where you want to be in three years. Understand who your internal stakeholders are. If you’re going to have to communicate to your executives and your board of directors, you want to set up an intelligence program that has that goal in mind, so that your outputs and what your team is working on can be communicated to them. Board directors don’t necessarily care that you blocked eight million things this month; what they care about is that you stopped something that could have decreased shareholder value.
And so, it’s making sure that you set up a program with those definitive goals in mind – tactical, operational, and strategic goals – and that you’re able to communicate the successes that you’ve had in growing your programs, because at the end of the day, security is an overhead function, it’s not generating revenue for the companies for the most part. And so, you need to look at it with that in mind as far as being able to show value to the company through something that the business really cares about.