Redefining CyberSecurity

Beyond the Silos: The Evolution of Threat Intelligence | Taking an Intelligence-Driven Approach to Security Operations | A Brand Story Conversation from Black Hat USA 2023 | A Cyware Story with Willy Leichter

Episode Summary

Dive into the world of threat intelligence as Willy Leichter and Sean Martin discuss its evolving landscape, sharing insights on how businesses can get ahead of potential cyber threats, understand data, and enhance proactive security measures.

Episode Notes

In this Brand Story podcast episode, as part of our Black Hat USA conference coverage, host Sean Martin connects with Willy Leichter as he sheds light on his extensive experience spanning over 24 years in the security realm. With a keen focus on cyclical patterns of security, he underscores the unique position of Cyware, a brand that has worked assiduously to bridge silos across industries. While discussing the broader vision of threat intelligence, he underscores its potential in predicting and mitigating attacks proactively.

Join Willy and Sean as they dig into the complexities of threat intelligence, highlighting the importance of clear notifications and the stories behind them. Sean recalls his experiences as a product manager building an enterprise SIEM solution, shedding light on the challenges of orchestrating bidirectional data exchanges due to the diversity of data formats. This reflection underscores the need for a more streamlined and scalable approach.

Willy discusses Cyware's role in addressing these challenges. He explains how Cyware assists teams and systems in understanding and acting upon various threats. The conversation also touches on the role of Artificial Intelligence (AI) in improving integrations and managing threats. A significant portion of the discussion focuses on the potential of bidirectional threat intelligence sharing, emphasizing its advantage over the typical one-way sharing that's more common.

As the episode progresses, the concept of threat intelligence as a service is introduced. In a digital age where cyber threats are continually evolving, Sean and Willy stress the need for a united front in defense. They advocate for a collaborative approach, emphasizing the benefits of collective defense in an industry where real-time sharing and coordination are paramount.

Note: This story contains promotional content. Learn more: https://www.itspmagazine.com/their-infosec-story

Guest: Willy Leichter, VP of Marketing at Cyware [@CywareCo]

On LinkedIn | https://www.linkedin.com/in/willyleichter/

Resources

Learn more about Cyware and their offering: https://itspm.ag/cywaremja9

For more Black Hat USA 2023 coverage: https://itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________
 

[00:00:00] Sean Martin: Hello everybody, this is Sean Martin, host of Redefining Cybersecurity podcast here on ITSPmagazine. We are virtually on the road, and at Black Hat USA 2023, where a lot of cool things happen and all the cool kids hang out. And, uh, today's no different with this episode. I'm thrilled and honored to have Willy Leichter on the show from Cyware.

Willy, thanks for joining me.

[00:00:28] Willy Leichter: Thanks, Sean. Always, always a pleasure to talk to you and glad to be here.  
 

[00:00:33] Sean Martin: We've been, uh, we've been connected for many years, touching on different topics. And, uh, you have... what I imagine is the pleasure of, uh, working in a space that's really hot, threat intelligence, and, uh, it's evolved over time, you know, which we're going to get into, which I presume leads organizations to try to figure out, are they making the most out of their threat intel programs or not, assuming they have one. So we're gonna get into all of that, but before we do that, really a quick peek into your journey leading up to Cyware, and what makes you happy about being there?

[00:01:16] Willy Leichter: Yeah, so I've been in many companies in the security space in the last 24 years, and seeing a lot, seeing a lot of things come back again, but, um, seems like security is kind of cyclical. But, uh, I've been in a lot of different domains, in cloud security and authentication, in, uh, SOAR, MDR. Um, Cyware is unique and I'm very happy to be here, I think partly because there's a broader vision of threat intelligence connecting to, uh, what you do about it, connecting to automation, connecting to collaboration, and really trying to not just talk about, we've got to get out of the silos, but actually develop tools that help people work across silos, work across enterprises, share threat intel across whole industries.

So that's what's exciting to me. And there's, like you said, there's a lot happening here. Um, I think there's also a lot happening at the government level that is also, I think, giving some impetus, you know, strong shove to companies to start taking threat intel more seriously. And, you know, the promise of threat intelligence is you get ahead of the attacks. 
 

You're predicting in some way. You're being proactive as opposed to always being on your heels. Now, nothing's perfect, but that is, that is the potential of threat intelligence if you apply it properly.

[00:02:37] Sean Martin: Yeah, and then maybe that's a good place to start. Well, there's two parts I want to cover and we should probably keep them separate. 
 

So there's sort of the history of threat intelligence in terms of what it was, what it is, what's inside, how we source it. Um, and then we kind of flip over to, well, how, how have companies traditionally picked it up and used it and ingested it and applied it? So we can come to that second, but maybe a quick view of, of kind of the, the history of threat intelligence, um, from your perspective.

[00:03:17] Willy Leichter: Yeah. And I'll, I'll sort of give you the, the brief history in my view, 'cause it goes way back and there's all kinds of, you know, incredible experts involved, but you know, the bottom line is companies are not, not nearly enough companies are actually leveraging threat intelligence. It's viewed apart, maybe because of its legacy, that it's kind of a ninja warrior thing: you need the smartest people in the world who've, you know, worked at the NSA and can see through all this noise and, and have these superhuman powers to detect and predict. And it's related also to threat hunting, which is often separate, but it's certainly related.

But the bottom line, um, there's been a generation of TIP products, Threat Intelligence Platforms. They really were only sold to large organizations that have, have the wherewithal to specialize teams to kind of do this. But it's frustrating to me that it's always been a step apart. That it's, it's something another team does, maybe you get in an incident, maybe you send it off to them to be enriched, or you do threat hunting. 
 

If you are, you know, the top enterprises that can afford a specialist threat hunting team. Um, so to me, it's a bit of a victim of its own legacy of, you know, this, this mystique that we've got these incredibly smart people who can, who can do amazing things, but unfortunately, 70, 80% of companies can't afford those superheroes.

So they end up putting it on their wishlist, but not doing anything about it. And that's what I think really needs to needs to change.  
 

[00:04:52] Sean Martin: Yeah, and I think you touch on an interesting point, and I don't want to bash the industry, but I think we were kind of born under the guise of, we're, we're special. We know stuff that others don't.

Yeah, we can decipher things that others can't, and, and therefore you have to rely on us, and if you can't, then you're kind of stuck. And certainly a lot has changed in the 30 years that I've been part of this space, and we see a lot of interfaces, we see a lot of analysis, we see the injection of artificial intelligence and other models of data analysis coming to bear to help.

Uh, those who don't have, quote unquote, a degree or decades of experience in, in security to make sense of this stuff. And it certainly, the landscape isn't lessening. It's growing. Uh, the speed is growing, the scale is growing, and, uh, the exposure of the organization is growing. So, you described two scenarios briefly. 
 

One, one is, uh, threat hunting, and the other is... post-breach or, or some, some level of attack and enrichment. Um, describe those two a little more for me. Sure. And are there other scenarios that have surfaced beyond those?

[00:06:21] Willy Leichter: I think that's, I mean, there's lots of variations and I think that's a good way to think about it. 
 

And, and really the difference between incidents and potential threats. Now, one of the challenges, of course, is it's a, a scale problem. You know, if you get, uh, let's say a hundred incidents, you know, maybe there's a lot of noise, maybe, but it's something you can get your head around. Um, the world of potential threats is, seems almost infinite.

So it's, you know, hundreds, thousands of times more data points potentially that you need to manage. So it's, it's hard to, it's less of a human-scale problem. You know, incidents also are becoming not human scale, but I think it's certainly more straightforward. If you have an incident, if something weird is happening, you see some indicators of compromise, and then you go send it to the threat team and they go compare it to whatever their threat feeds are, their database.

And TIP platforms have been used for this. There's other ways to do that, you know, bits and pieces. Um, but I think, you know, that's, so enrichment is certainly important. It's something that needs to happen in an automated way. So it's, you know, it needs to be, you need to connect these systems. And I think there's been kind of a gap between, say, SIEM products, with your incidents coming in, with your alerts.

Um, enrichment is sort of a, you know, a secondary step typically with a SIEM or with a SOAR product, that you need to go call some other tool and, you know, find out, is this a bad IP? Is this something that's known? So that's an important step. But I think more broadly, given AI techniques and the ability to overcome the scale problem now, it's not that impractical to look for potential threats with a certain profile that could be targeting a particular industry or could be targeting a particular kind of infrastructure.

You know, you need to narrow down the whole world of potential threats, but there's a lot of ways to slice it and dice it. And there's a lot of good tools now that can aggregate it, de-duplicate it, figure out the context, compare things across many different channels. That's really the, and I think AI, you know, the explosion of AI is, is waking people up maybe to the fact that these things are more practical and you can consume a lot more data.

But you can also, you don't have to wait for some indicator of compromise, for some bad behavior to start being, being noticed, because reaction times are just too slow. You know, best-case reaction times are, you know, take minutes, hours to days when you have a live incident, and they can be worse. So anything you can do proactively to, you know, set yourself up in a better position, more defensively, maybe start building some detection rules based on threat intelligence, all those things can, you know, save huge amounts of time and grief if they're applied properly.

[00:09:24] Sean Martin: Yeah. Yeah. And I was chatting with, uh, Eric Parizo from Omdia, and they have the, the Omdia Analyst Summit, uh, there at Black Hat this week.

And we spent a bit of time talking about proactive security, which is fueled in my, in my view, by, by what you just described. So understanding the threats and the exposure, how it maps to your organization and proactively creating controls and, and rules to look for indicators of... In other words... to try to get ahead of it, as you're describing. 
 

Yeah. Where do organizations kind of sit in that regard then? Um, are there many? I mean, we can talk about the large enterprise that have been using this stuff for decades. Are they in a mature space? What about as you move down the stack to smaller organizations?  
 

[00:10:17] Willy Leichter: So, one of the things that's emerging is that we've seen quite a few partners doing this is Threat Intelligence as a Service. 
 

And I think just like with MDR, it makes perfect sense. You know, it still does require more expertise, or maybe more experience, and putting together the right tools. Um, you know, we are, we're trying to make it as accessible to the mid-market as possible. Um, so there's simpler versions of, of our products and others, but I think threat intel as a service as a starting point is, is, we're seeing a lot of interest in that, and we've got some big partners that are starting to really push that out.

Um, the, you know, one of the challenges is there's too much data like everywhere else and not just too much threat data. There's lots and lots of availability of threat feeds. There's, um, from commercial vendors, from open source tools, um, the ISACs play an important role. In fact, we work with most of the ISACs in, in powering what they do. 
 

So there's lots of available information, but, um, I think it's as much about managing that information and making it useful, making it contextual, um, contextualizing it for your business. Um, that makes it, makes it useful at the end of the day. And then the other part that, that doesn't get much talked about, I think, and really been pioneered by the ISACs, frankly, is sharing threat intelligence across communities. 
 

And we're very much proponents of that, and the ISACs do a good job of bringing in different feeds, curating it, and sending it out to different people based on, you know, on the TLP threat level. Um, I think, That's a really good model that we're starting to see replicated in all kinds of hub and spoke organizations. 
 

Um, we've just sold to two of the, two of the major sports leagues in the U.S., where they have, you know, hub and spoke. They have their teams. They're all trying to centralize threat intelligence, um, and lots of other organizations where they really want to disseminate it quickly. And I look at it as, it's, it's never, when you talk about automating these things, you know, people get carried away with talking about AI.

To me, it's not either the humans being involved or the machines. It's how quickly can you alert the right people with the right context so they can take action. And if you take action in a few minutes, that's probably fine. As long as it hasn't taken a week for the information to get to you. You can, you can act and you can use your intuition and you can say, no, that was actually some testing we're doing. 
 

This other one is irrelevant, but here's the one that we really got to, we've got to worry about and take some proactive action. So, you know, getting the right humans connected to this and making it actionable for both humans and, you know, an automated action.  
 

[00:13:13] Sean Martin: So that, that leads me to two different things. 
 

One is, I mean, when you start talking about massive amounts of data, uh, that the dependability of that information, um, are, are you going to start to see what we've seen in, in vulnerability assessment, vulnerability management in terms of false positives or false, false detection, things like that come to mind. 
 

But then you, you mentioned the people as well that are relying on this data to make. So hence the dependability, but who, who should have this data, who typically doesn't get it now so that the team as a group can actually make, make the right decisions at the right time, like you described.  
 

[00:13:55] Willy Leichter: Yeah. And this is where silos are, you know, a huge problem and it's understandable because different teams use different tools and they're looking for different things. 
 

But trying to, and what happens a lot, unfortunately, you may have very smart, you know, people who detect new threats. They detect something, they put them in a spreadsheet, maybe at the end of the day they email it to someone, you know, maybe that person doesn't understand the context, and things can literally, you know, this, all the best technology in the world is suddenly bottlenecked by these conventional communication tools, and things get missed, things get forgotten. And you've got to be able to translate the data, you know, physically translate it into the right formats, but also then get the right context for the right people.

And that's, that's, I think, the biggest challenge. Um, we look at it as both, um, you know, an integration and an orchestration challenge. That you have to be able to orchestrate anything to anything. And by orchestration, that means, of course, you've got to be able to connect the tools, speak their language, but then you can create workflows, you can create playbooks, you can create things that are less complicated than they sound to get, you know, a particular type of, of threat alert that comes in that maybe someone in your SOC needs to know about, or maybe the CISO needs to know about.

Um, these things have to be, um, thought through and any workflow, if you come in and people don't have any kind of workflow, even if it's manual and slow, it's very hard to automate that. But typically there are processes, there's things that people do. They're being diligent. But there's bottlenecks at just where it breaks down. 
 

Or they're just sending, you know, reams and reams of data that no one else can understand. So, getting it into, uh, you know, contextualized, uh, consolidated, so people see what they need to see. And this doesn't happen overnight. This is an iterative process. But machine learning tools can be great here, in terms of, you know, just getting the feedback from the recipient. 
 

Is this useful? Is this what you needed? Is this too much? And fine tuning it. And that's, I think that's an area where a lot of progress is being made. And people are often surprised by how much context you can build into the information. But at the end of the day, the silos aren't there because people don't want to cooperate. 
 

They're there because people are focusing on different things. And it's hard to be a, you know, it's hard to be a generalist and do everything. So as your team grows, you need some specialized teams. But we, we like this term of cyber fusion, and it actually comes from the military, where the NSA, where they have fusion centers, where they get everybody in a room, you know, all of these people looking at all these different elements and looking over each other's shoulders, you know, virtually or, or physically.

And connecting the dots across things because, you know, because people are close physically. And that's been one of our goals, is to try to, try to replicate that as much as possible by making it easy to orchestrate across any tool. And then adding the context as much as possible, enriching things. And then also the communication part of it is often overlooked. Like, how are you going to tell people? So, you know, we have tools that, you know, we have a kind of a purpose-built, um, communication tool for threats. This is what we've built for the ISACs and now it's, it's spreading. But that's, you know, that's as important, because if it sits there and someone doesn't notice it, doesn't get the right alert, then, you know, then you're waiting days.

[00:17:38] Sean Martin: Yep. Notifications and the story that goes with it are both important. I, I want to touch on the, the orchestration bit if we can, 'cause that, that middle piece, and, and when I say middle, because you, yeah, Cyware are doing bidirectional exchanges. Yeah. Here, and I, I can harken back to my early days at, at Symantec building the SIEM there, and the, the, the, we had to ingest a ton of information, and what we did.

Mm-hmm. Sadly, was enforce a structure and a framework that all the providers of the data had to follow so we could ingest it and understand it. Uh, there's no way that scales well. And, um, so different data sources, different formats, some with metadata, some without, some with context, some without, some with your interaction with humans, some without.

Um, it's all over the place. So getting that part right. But then allowing systems and, and people to interact with it on the other side to inform teams and then inform others, uh, is a whole nother thing. So, if I'm not mistaken, this is kind of where you at Cyware sit, as a platform to help manage all of that at scale.

[00:18:58] Willy Leichter: Yeah, very, very much so. And we have, you know, we, we touch on sort of each of those parts, you know, interestingly. Um, orchestrating and connecting and understanding protocols and, and APIs. AI is a great tool for that. You know, that's some of the most mundane stuff that's a, you know, a pain for everybody.

You know, you get your integration working and then something changes in the API and then you've gotta go back to square one. So we're actually, um, very happy applying AI on the integration side. You know, people talk about, in, in our space, in the SOAR space, you know, we have 300 integrations, we have 400.

Really you want to have, you need all the integrations you need. It's, it's, it's a numbers game where really you need to start automating that process of connecting things. And then there's a lot of, um, playbooks, runbooks for orchestration that are pretty repetitive. They all have different twists, but, you know, that's also an area where AI can just help, you know, chatbot can just help to, you know, find the most common use case, start with that, tell, ask you what's different, get, gather the data, let you select it and, you know, save 90% of the time it requires to do this stuff. 
 

Um, and it's, it's more mundane than it is, you know, kind of cool AI stuff, but it's where it's really, really important. But yeah, you mentioned, so orchestration, it's still, it's not trivial and it's, it can get easier and it is, but it's still, you know, we've built all this complexity. So now we have to deal with it. 
 

But the other thing you mentioned, and this is really important. You know, the model of sharing, uh, threat intelligence by the ISACs, by other communities, ISAOs, private enterprises, um, sharing one way is good. If you can start doing that bidirectionally, then it's really powerful. And the technology exists.

Um, with some of the ISACs, we have ISAC members that are now sharing back automatically or even sharing some detection rules and things. And there you have to overcome some, uh, almost corporate obstacles that, you know, Oh, should we really share? Is this sensitive? Is this legal? And we've got to overcome that because the promise of, say, one enterprise in the pharmaceutical industry gets hit and all of them are alerted within a few minutes, that's collective defense, and that's what we've really got to get to. 
 

And it's not a technical hurdle. We already do this, but we're finding 10 to 15% of ISAC members in some cases are starting to share bidirectionally, so we're really proposing, really proponents of that. It's, it's not just a sort of feel-good thing. It's, you know, it, it will benefit you if you're a part of an industry and everyone in the industry has that frontline information. That's, you know, that's really exciting to us.

[00:21:58] Sean Martin: Yeah, no question about that. 
 

So as we um, as we begin to come to a close, sadly, I could talk about this for hours, I'm sure. Me too. Uh, I want to paint two pictures. One for organizations that have some form of threat intelligence as part of their program. And the other for teams that don't have this information at, at hand yet. How, how can they fit in what you do with Cyware? 
 

So existing companies, how do you fit in? And maybe the first step for a company who has no threat intelligence program, uh, to take the first steps.  
 

[00:22:41] Willy Leichter: Yeah, and that's a great question. And, um, you know, I, I, I mean, there's a product answer we have. We try to make it as easy as possible. We have offerings for the mid-market and we're, we're working in that direction. 
 

But I'd also say threat intelligence as a service, people should, should look at, um, because that's evolving pretty quickly. We work with some major GSIs, some of the big, um, channel partners that are, that are finding a lot of takers for this. Um, and, you know, you work with experts that can give you the context, give you the right information.

Just like MDRs. There's some, you know, there's some good ones and some ones that aren't as good. But I think it's emerging quickly because people are realizing we've got to get ahead of this. Um, you know, it's not a, if you're always reactive, I mean, look at the classic case of ransomware. You have a very short window from when you, when you notice what's happening to when you get to react before damage is done. 
 

And that window is missed so often. So we've got to figure out ways to, you know, detect the precursors, understand what's happening out there, understand what these threat actor groups are doing, and, you know, using all of this great threat information from, from dozens of vendors in the space that are, that are finding these very valuable, you know, gems. But that's got to be manageable.

It's got to be consolidated. So, you know, the end of the day, you need a good threat intelligence management platform, whether you take it on yourself or you use a service for it. And that needs to integrate with everything else you do. So I think if you think of it as, well, we're not big enough to have a threat intel team. 
 

That's the wrong mindset. It's more that your SOC team, however big or small, should be thinking where can we get good threat intel. Maybe just start with your ISAC. ISACs, we're big proponents of that. You know, a lot of valuable stuff you can get there. Um, some of our, you know, we're kind of in a way the conduit for a lot of this stuff. 
 

A lot of the technology partners we work with are interested in getting their threat feeds into this ISAC community. So a lot of good information available there. Um, so it's, it's really how do you start, um, incorporating this into your practice and looking ahead, um, and not just waiting for the threats, um, and, you know, maybe doing enrichment, maybe not. 
 

Um, you know, again, enrichment's good, good thing to do. You want to do it, but if you can, if you can get those precursors, it's, you're just in a much better situation. So, you know, I'm a little bit, you know, preaching, obviously, what, what we do, but I think. I think probably my advice is organizations need to not think this isn't for them. 
 

This isn't something they can, they can tackle. There are, it's becoming easier, it's becoming better. AI is going to push it along quickly. But at the end of the day, and this idea of collective defense, if you join an organization that is sharing information and sharing bidirectionally eventually, that offers the promise of, you know, we're all a team here, literally.

And you can get the best threat intel because you're a part of whatever it is. You're part of a manufacturing ISAC, or you're part of the automotive ISAC, or aviation, that all these, um, you know, I think that's, that's a path that's really maturing quickly and really advancing and letting, you know, letting midsize and smaller organizations have access to this critical information.

[00:26:16] Sean Martin: Yeah. And I know a lot of, uh, CISOs and security leaders lean on the, uh, their fellow executives and leaders in the industry for information. That's, uh, that's a great way to hear about a new threat that's coming or a compromise that occurred. And I'm not saying don't do that, but, that, that can't scale. So the, the bidirectional collective defense, uh, I mean, sounds like a dream to me if I was to see. So,

[00:26:49] Willy Leichter: Yeah, it's going to take, it's going to take a while for it to really spread, but we believe in it firmly. And you know, the, you know, the bad guys are collaborating, right? They're selling tools to each other. They're sharing information. They're doing this at scale. So we've got to figure out a way to, you know, to collaborate and to get to collective defense. And I think that's a, it's, it's absolutely possible. And we're starting to see it in, in real life in pockets. Now we need to kind of expand on this idea.

[00:27:19] Sean Martin: Collective offense, uh,

[00:27:22] Willy Leichter: Collective defense. Maybe, yeah, maybe defense is, is too, um, too much of a reactive word. So proactive, collective offense. Yeah.

[00:27:33] Sean Martin: Well, I'll think on that one. Nice one. Nice one. Well, Willy, it's, uh, it's great to, great to connect with you again. Uh, glad to catch, catch up and, and to get this story and, and an update on, uh, the world of threat intel and, and, uh, the work you're doing at Cyware to help, uh, organization, organizations succeed with their programs.

Um, I know you're in Las Vegas, uh, for a few days for, for Black Hat, so if, if folks want to, uh, they're listening to this in time and they want to come visit you. You have a booth there?

[00:28:06] Willy Leichter: Uh, we have a lounge with coffee and food and at the House of Blues in Mandalay Bay. So stop by and we'd be, we'd love to talk to more people about that. 
 

[00:28:16] Sean Martin: Nice one. All right. Well, we'll, uh, we'll include a link to, uh, your profile so people can connect with you and a link to your website so they can find you and hopefully find you at the show. Of course, uh, after the show, you're always there too. So, um, absolutely. So thanks everybody for listening to this, uh, the story from Willy and the Cyware team.

Uh, hope you enjoy this. Stay tuned. There's still more coming from, uh, Black Hat and, uh, we'll catch you on the next one. Thanks again, Willy.

[00:28:50] Willy Leichter: Thank you, Sean. Really enjoyed it.