EPISODE 16
Threat Intelligence


About this episode

January 23, 2019

Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and CyberSecurity Practice Lead at Newman DuWors LLP, about how executives should think about threat intelligence: What it is, where to get it, how to use it, and how to get started. They also discuss how artificial intelligence and machine learning can help make threat intelligence more useful.


Episode Transcript

Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts. I'm Kip Boyle, CEO of Cyber Risk Opportunities.

Jake Bernstein: And I'm Jake Bernstein, cyber security counsel at the law firm of Newman Du Wors.

Kip Boyle: And this is the show where we help you become a better cyber risk manager.

Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cyber security related legal responsibilities...

Kip Boyle: And if you want to manage your cyber risks just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable, and order fulfillment, then you should become a member of our Cyber Risk Managed Program, which you can do for a fraction of the cost of hiring a single cyber security expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. So, Jake, what are we going to talk about today?

Jake Bernstein: Today, Kip, we're going to talk about threat intelligence and how that differs from technical cybersecurity and why it is important for reasonable cyber risk management.

Kip Boyle: Okay. So sounds like we're going to dive deeply here. But I'm interested. So okay. So let's start by telling me, what is threat intelligence?

Jake Bernstein: So threat intelligence is a lot more than just a vulnerability feed. Right now, when you see threat intelligence, it's a kind of sexy phrase. Lots of people like to use it. And a lot of the time what they really mean is a threat intelligence feed. In other words, just a drip or sometimes a fire hose of data that's really automated and-

Kip Boyle: Is that like an RSS feed kind of?

Jake Bernstein: I was actually thinking of an RSS feed. Almost like an RSS feed. But that is not threat intelligence. That is a technical and useful component and it can tie into a SIEM or a SOC. And we should probably define what we mean by those.

Kip Boyle: Definitely. Yeah. I'm thinking about all the CEOs out in the world that are listening to our podcast that are like, "But what now?"

Jake Bernstein: Yes. So a SIEM is an S-I-E-M, which stands for security information event management. And a SOC is S-O-C for security operations center. They're not identical, but-

Kip Boyle: Well, they go together, right?

Jake Bernstein: They go together.

Kip Boyle: So a security operations center needs to have a way to know what's happening. They need kind of a radar screen, like what's going on? And a SIEM is a way to do that. It's aggregating data feeds from routers, and switches, and firewalls, and intrusion detection systems, endpoint monitoring systems. So in very well done SIEMs that are driving the intelligence of security operations center, that's kind of what's going on. But I mean, a company that is, say, less than a billion dollars of revenue a year, if you're under that threshold, it's not likely you have these things, right?

Jake Bernstein: Right. And it's not necessarily clear that you should have them or that if you did have them, that they would be helpful to you. And so, conveniently, that ties directly into what threat intelligence really means, which is understanding the world of possible threats to inform your overall risk management strategy. It is much more of an intelligence analysis in the CIA sense, in the spy world, than it is about a technical operational plan. And technical cybersecurity, what we mean is the SIEMs, and the SOCs, and the firewall rules, and the IDS, and the IPS, and all of these different network engineering-type things, which are really important. The problem is, how do I know what to tell my fancy intrusion detection system or intrusion prevention system to look for? Or, how do I know what to set my firewall to reject or block? I don't know what the threats are.

Kip Boyle: Right. Okay. So good. So it's kind of like saying... I get a patch notification. Okay, so Microsoft says, "This patch is top of the heap. Deploy it right away." But how do I know that that severity rating applies to me? It's generic.

Jake Bernstein: It's generic. And where it gets even more important and interesting is, so threat intelligence is knowing what the threats are, how they operate, where they come from, whether you are likely to be a target and kind of everything surrounding that human-based intelligence analysis. And the reason it's so important is that it's very easy to get caught up in news stories or vulnerability announcements. But if you don't have the organizational ability to intelligently assess and analyze those reports, you could end up spending millions of dollars defending yourself against something that is unlikely to ever happen to you.

Kip Boyle: Right. Yeah. So a good example of that is in the news recently I saw a warning that the FBI put out that said, "Hey, in the next few days, this weekend coming up possibly, we know there's going to be an attack against some banks. And the attackers are going to try to hijack the ATMs and have them spit money onto the ground so that their money mules will be able to scoop up all that cash and make their getaway." And so that was a really interesting alert, because if I'm not a bank, if I don't have automated teller machines, I don't have to really worry about that. And so that's a good example of a highly-targeted piece of information, where it's very clear whether that particular threat affects you or not. But most of the stuff we hear about, it's not that targeted.

Jake Bernstein: It's not. And you bring up a very interesting point, which is one, what's the difference between information and intelligence? The term intelligence has military connotations. It's from the spy world. I think what's really interesting is that as cyber security becomes an industry-level concern, not just military, not just government, not just critical infrastructure, these terms and the training that people get from spy agencies are trickling down into industry. And it becomes necessary to have people who can do this type of threat intelligence analysis.

Kip Boyle: Right. Another way of saying that is it's becoming relevant to know who's after who. Because on the internet, we're all targets. But we're not all targets to the same attackers. Some attackers are going to specialize in certain types of targets. And so, for example, if we know that the Chinese are looking for information related to certain technologies and you're a company that possesses those technologies, then okay, great. Now, you've got some intelligence that says that you could become a target for Chinese hackers. But if you don't possess that kind of intellectual property, then you probably don't have to worry so much about the Chinese this year.

Jake Bernstein: Exactly. Exactly. And that is the essence of threat intelligence, as opposed to what people have called the threat intelligence feeds. Really, that's just a pipe of information.

Kip Boyle: Yeah. And you have to sift through it and figure out, what's applicable to me?

Jake Bernstein: And one of the real challenges here is that automation, and particularly with the buzzwords of machine learning and artificial intelligence, are all the rage right now. The problem is that the term, the term of art intelligence, it must have a component of analysis from a thinking being. And for all the talk about artificial intelligence, it's really nowhere close. Correct?

Kip Boyle: No. I mean, artificial intelligence can do some really interesting things. Maybe you don't realize it, but if you use Gmail, and you've got the Gmail app on your phone, and you get a message from somebody, you can see there are some suggested responses that are starting to show up now. If somebody says, "Well, hey, I just want to let you know X, Y, Z." And you could tap, "Oh, okay, thanks very much," and just respond with that. And that's artificial intelligence. That's Google's algorithms searching the message you just received and then saying, "Hmm, I wonder if I can serve up three canned responses that the Gmail user could choose from." And sometimes they're right. And sometimes they're not. And I've got to make a decision as the receiver of the email, are any of these appropriate or not? And if they're not, then I have to disregard them and actually sit there and type out my own response.

But that's kind of an example of how artificial intelligence is showing up right now. But the point that I want to make is that just they don't always get it right on what the responses are that I really want to send. And so there still needs to be a human being looking at, what is the artificial intelligence suggesting? And a human being needs to be able to say, "Yes, that's right," or, "Nope, that's way off. And I'm not going to follow that."

Jake Bernstein: Exactly. And I think one of the pitfalls that an organization with strong technical cybersecurity can easily fall into is this notion of, well, if all of my blinky lights are working and all of my rules are set up, then I'm doing really well. And they don't necessarily pause to apply their own human intelligence to the problems. And I think that really what we're talking about here is learning how to create actionable intelligence. What do I do with this? You've given me information. There's so much information. There's an unlimited deluge of information that you can-

Kip Boyle: And the AI machine learning people think this is great, because artificial intelligence and machine learning feeds off of large quantities [crosstalk].

Jake Bernstein: It does. It totally does. So it's helpful in sifting. But in order to make actionable intelligence, you have to have properly trained personnel. And that's where it really comes down to. And I think that there's components of threat intelligence. Understanding and identifying risks, having an adversarial focus and then learning how to apply that knowledge to make critical decisions is very, very important. And a good example of that is to understand and fight against your own biases. And here's a fun example. Talking about the WannaCry virus, it only targeted Windows 95 with a certain flaw.

Kip Boyle: Windows 95?

Jake Bernstein: WannaCry, not Petya or some of those later ones, but the WannaCry virus was... Because Windows 95 is still used by a lot of people around the world.

Kip Boyle: Well, I know it's used a lot in the medical industry, as the computer that drives the MRI.

Jake Bernstein: It's also used in a lot of countries that never paid for it. So the user base of Windows 95, despite the fact that it is over, gosh, 20, it's over 20 years old, it's still being used a lot. So this WannaCry virus spread and did all this damage. Well, maybe Microsoft did that to force an upgrade.

Kip Boyle: Maybe they did. But I think where you're going with this, because if you didn't run Windows 95 in your company, and you knew that, then WannaCry isn't really a threat to you.

Jake Bernstein: Well, I have two points. That's one of them. The other point is nobody thought that, because nobody assumes that Microsoft, or any legitimate company, would ever do that. But isn't that a little bit like saying, "Well, the British are our friends, so they'd never hack us either." You see where I'm going with this, is that true threat intelligence training helps you learn about these biases and to fight against them. A more realistic example, and by the way, just to be clear, I'm not suggesting that Microsoft did WannaCry. Whoever is listening, that was meant to be an instruction point.

Here's a much more realistic example, though. Let's say I'm a company in the U.S. And I have some intellectual property. But it doesn't seem realistic that the Chinese government or the Chinese military would be interested in that. Well, that's your bias. You're potentially misjudging your threat landscape, because of your own bias of your own value judgment. The fact is, is that you shouldn't assume that anyone's not going to be interested in your IP. And, in fact, I would probably argue, and I'm curious if you agree, if you have any kind of valuable IP, you should probably think of yourself as a target to more than just the random hacker gang.

Kip Boyle: Well, yeah. So this goes back to a conversation we have all the time with people, which is, movies and TV shows are completely misinforming you as to the true nature of the threat on the internet. It's not the lone hacker sitting in the basement of their parents' house looking for targets of opportunity. I mean, the real issue here is you've got nation states and you've got cyber criminal gangs. They're operating at scale and they want money. Or they want information that they can turn into money. Or they just want the information, because they want to advance their national agendas. And so people are biased to not think about that stuff, because the popular media that they're consuming, the advisors that are talking to them, are generally not mentioning this stuff, at least not in the middle market, in the small business space.

I mean, I imagine that the very, very large enterprises in the nation, very large banks, large aerospace manufacturers, automobile manufacturers, that sort of thing, they're probably pretty well tuned in on this. But I'd say most of the market is not. And so that's part of our mission here with this podcast, is to help people recognize what's really going on out there. But just to circle back to your point, Jake, yes, there's a bias. And artificial intelligence, and machine learning, and threat intelligence, that can all do good stuff in terms of informing you of where your bias is and to sort of counteract for it.

When I was in the Air Force we talked about intent. I'm sorry, we looked at intent, but we also looked at capability. So we would say, "Well, the British are our allies or the Australians are our allies." or whatever. But what capabilities do they have? If they decided that they didn't want to be our buddies one day, what could they do to us? And so we had to develop playbooks to anticipate, what if a current friendly nation becomes a hostile nation to us? What can we expect? And that helped us think about this.

Jake Bernstein: And that is exactly the same mindset that's necessary for threat intelligence. I mean, it is threat intelligence. And what you just said is so funny, because there's not that big of a difference between thinking, "Well, what if Microsoft did this on purpose?" versus, "Well, what if the British or Australians suddenly become an enemy?" Both of those seem, to the average person, equally implausible and silly. But yet, the military still spends time and energy coming up with contingency plans for those what ifs.

Kip Boyle: Yeah. Well, and I think you also have to be careful with these what ifs too, because if you run amok with this stuff, if you let your imagination run wild with you and you actually start telling everybody, "Hey, we better be careful, because the instant that so-and-so turns on us, they're going to do all this stuff to us." I mean, I think you have to be really careful with this stuff.

Jake Bernstein: You can get overly paranoid and that becomes-

Kip Boyle: You can get wildly paranoid. You can become a Cassandra. You could be saying things to the point, where people are stuffing their fingers in their ears and saying, "Stop! You're spouting nonsense. You've gone too far. I can't rely on you as an advisor, because you are in some la-la land." You have to have a lot of discretion.

Jake Bernstein: And that is why threat intelligence training is so important, because either, you cannot do it at all, which is a big mistake. Or you can go wildly too far off the rails. And that is equally big a mistake. You have to do this stuff. For example, our Internet Age of Criminals presentation that we've given, that actually is a threat intelligence training. And it's important to learn that stuff. And the funny thing is that this isn't an impossible thing. You don't need to go to CIA school to learn how to do this.

Kip Boyle: And you don't even have to get very sophisticated. You don't have to buy a service that's giving you artificial intelligence and machine learning. You don't need that. No, all you really need is you need to get a reliable feed of intelligence. And you just have to think critically. I mean, if you can just do some negative visualization. When you read about a threat, ask yourself, "Well, could that happen to me? And if it did, what would that be like?" And just doing that very simple exercise each day for five minutes or something like that, or sit down once a week for half an hour, can do wonders for you as compared to doing nothing.

Jake Bernstein: It is. I stopped picking on Microsoft for a minute, because I think they're just a great company and is totally fine. But an example of where that type of thinking is actually probably very important is insider threats, because there's a lot of potential risk there. How do you quantify that? Or qualify it? How do you even begin to know? And a trained threat intelligence analyst, that's one of the things they can help with.

Kip Boyle: Right. I mean, we talk about on the geopolitical stage, this idea of what if our ally becomes our enemy? Are we prepared for that? Have we thought about that? Well, the insider threat is conceptually the exact same thing. I've hired somebody. They're an ally. They're helping this company move its agenda forward, this organization move its agenda forward. But what if one day they become disgruntled? They were gruntled and now they're disgruntled. What could they do to me if they just start acting contrary to what I thought was somebody who was going to push my agenda forward? And so tremendous damage can be done. And there's many case studies of insiders going rogue. So yeah, that's a great point of how to use threat intelligence as a way to think about insider threats. That's great.

Jake Bernstein: Yeah. I mean, that's one of its key uses, is to be able to defend yourself against those types of threats. I mean, threat intelligence, it's a way of critical thinking. It's something that I recently discovered we lawyers do all the time without ever having labeled it threat intelligence. When I review a contract, what am I really doing? But I'm actually thinking through all the different ways that things could go sideways and how the other side might use this language to argue against me and for their position. That is a form of threat intelligence. It just so happens that the threats are legal threats as opposed to cybersecurity threats. But it's the same mindset. It's that same kind of critical analysis that goes into it in asking yourself what if and having that adversarial focus.

Kip Boyle: Yeah. Okay. One of the things that I want to also point out for our listeners is something that you mentioned earlier in our conversation, which is that artificial intelligence and machine learning is all the rage now in terms of products and services that you can purchase to deal with your cyber risk. And I think it's important to take a moment and really focus on that, because there are always trends in the cyber security space. And I've seen this over, and over, and over again, when intrusion detection was an emergent thing, all of a sudden everybody had intrusion detection capabilities, even though yesterday, they didn't. All of a sudden, today, their product does. And everybody tries to position to be able to say, "Yeah, we do that, too." They're all hopping on the bandwagon and trying to reposition themselves to be able to say, "We've got that."

And the truth is that from my perspective, there are very few products and services out there that you can buy that are offering genuine threat intelligence capabilities, or genuine artificial intelligence, or genuine machine learning differences. And I would encourage our listeners, if you're considering a product or service that's offering any of this trendy stuff, really dig into it and ask the sellers, "Come on, really walk me through this and show me. Give me the ground truth on this. How exactly does this work? How exactly does it help me," because these buzzwords are really doing a disservice to the few organizations out there that are probably offering something genuinely useful.

But this really goes back to something I studied when I was in college, which was, I was interested in artificial intelligence. And at the time the current thinking was that artificial intelligence would actually provide, once it became feasible, a decision support system. So in other words, it wasn't really thought of as, well, machines will make decisions. It was really thought of as a human being will have a machine assistant. And the machine will make suggestions or will provide insights that the human being wasn't as quick at gleaning for themselves, or perhaps would never be able to devise those insights, because the data sets were just too huge for a human brain to comprehend and to sift and to sort. And I still think that really is the ideal model. That's what we've been talking about here, this idea that it takes a human being, but with the assistance of some kind of a machine learning capability.

Jake Bernstein: And that's actually in the marketplace. They have names. Cortana, Siri, Google Now, Alexa, all of those personal artificially intelligent assistants do exactly that. Yes, they have voice recognition capabilities. But if you dig, particularly with Google and Cortana, a lot of what it's about is anticipating what you might want to see next. And doing that based off a lot of data and number crunching. And they're useful in doing that right now. A good example is Siri or Google Now surfacing a card for you about the traffic conditions at the time that you usually leave for work. That is practical, and it might seem mundane, but it's only mundane in the context of 2018. The idea that a phone could automatically learn when you leave for work and timely give you a traffic report just in time for you to leave in 2010, even, would've been mind blowing.

Kip Boyle: Yeah. And that's super helpful. I mean, it's a machine saying to a human being, "Hey, I'm going to surface some information for you that you probably weren't aware of and I'm going to help you make a decision." And maybe the decision is, "Oh crap, I got to skip my second cup of coffee at home, because the traffic is horrible and now I've got to hit the road earlier than I thought."

Jake Bernstein: Or maybe it's, "I take the back roads instead of the highway." I mean, that's exactly the point. And that's totally correct. And so there probably are products out there that can do something similar for threat intelligence to bring it full circle to our [crosstalk].

Kip Boyle: Yeah. What I would like is a nudge from a machine that says, "Hey, I noticed that on your network you have this kind of computer. And I also noticed that this morning the maker of that computer just released a firmware update that is cybersecurity relevant. You should check on that."

Jake Bernstein: That would be ideal. And then I want to make sure that we mentioned for our listeners, remember that true threat intelligence is a training issue. It is the application of a human brain to a problem. And that no matter how much artificial intelligence and machine learning, you throw at it, the best that you can hope for, at least in the foreseeable future, is this assistant-type of component. You still need to have someone who's been trained. And I want to mention this, because I think it's really important, let's talk about what reasonable cybersecurity is. We've talked about it a lot. What is reasonable with respect to threat intelligence? It's not expensive. It's getting some extra training or reading a book or-

Kip Boyle: And there's a lot of free data [crosstalk].

Jake Bernstein: There's a lot of free data feeds. So to me, that indicates that if you haven't thought about this, if you're not making use of threat intelligence, you probably need to start doing that, because-

Kip Boyle: Yeah. And I think a simple way to do that is if you could just get your vulnerability notifications tailored for the systems and software you use, so that you don't have to look at vulnerability notifications for systems and software you don't use, that would be a great first step.

Jake Bernstein: That would be a great first step. I totally agree.

Kip Boyle: It would be very easy to then get that in place. See how useful it is. And then just kind of build on that. Iteration, that's really a lot of, what we recommend to our customers is don't try to big bang any of this stuff. Whether it's artificial intelligence or any of the other things we've talked about, you want to start modestly. You want to build something that works. And then you want to iterate and you want to build on it from that. Well, I think that about wraps it up, Jake. Any last thoughts that does?

Jake Bernstein: It does. No. I think that we had a really important conversation helping people understand the difference between technical cybersecurity and threat intelligence as a training, a form of thinking and I-

Kip Boyle: And how those ideas relate to reasonable cyber risk management, which is a big theme for us. We always want to try to bring it back to that. Well, great. Thanks, Jake. See you next time.

Jake Bernstein: See you next time.

Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.

Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR and IT for full effectiveness.

Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our Cyber Risk Managed Program.

Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein

Newman DuWors LLP

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.