CISO Series Defense in Depth: Proactive Security

<p>How do you keep your organization secure from threats and attacks? Every day adversaries are not only increasing in quantity but getting smarter and better at cyberattacks. Most companies are in a reactive state or even worse remain intentionally ignorant. AJ Nash, Director of Cyber Intelligence Strategy at Anomali, sits down with David Spark, creator of CISO Series, and Allan Alford, Delivery CISO at NTT Data Services, to discuss how a threat intelligence platform is the key to breaking the reactive cycle and enables an organization to have a proactive cybersecurity strategy.</p><p>You’ll learn:​</p><ul><li>How your threat intelligence effort is only as good as your understanding of your internal threat landscape and business mission.</li><li>It’s best to invest in threat intelligence once you are aware of your assets, and you know what adversaries are after, so you can adjust your defenses accordingly.</li><li>If you don’t have intelligence you’re doing reactive security, which nobody wants, yet that’s what many often end up doing.</li></ul>


DAVID SPARK: How proactive should we be about security?

What's the value of threat intelligence versus just having security programs in place with no knowledge of what attackers are trying to do?

WOMAN: You're listening to Defense In Depth.

DAVID SPARK: Welcome to Defense In Depth.

My name is David Spark.

I am the producer of the CISO Series.

Joining me, as always, is Allan Alford.

Our sponsor for today is Anomali.

And you're going to actually hear a little bit about what they do because our guest is from Anomali.

But before I introduce him, Allan, what is our topic today?

ALLAN ALFORD: So I challenge the idea of proactive cybersecurity.

We use that term a lot.

Let's be proactive, let's be proactive.

I challenge the community with it.

What does "proactive" really mean?

How often is it really required?

And when can we get away with not being proactive?

And more importantly, when should we properly apply proactivity?

And I brought up the idea that threat intelligence could be one of the ways we are proactive with our toolsets.

In other words, don't just go buying all the latest tools.

Maybe we can stick with the tools we have and feed them better intel, and maybe that's where we can come in as proactive players.

And we got a lot of good response from the community.

DAVID SPARK: I will say I'm very excited about this episode, because the community response truly was phenomenal.

And joining us and helping us with this conversation is our sponsored guest AJ Nash, director of cyber intelligence strategy for Anomali.

AJ, thank you so much for joining us.

AJ NASH: Oh, and thanks for having me.

Happy to be here.

[MUSIC PLAYING] WOMAN: How would you handle this situation?

DAVID SPARK: Christophe Foulon of ConQuest Federal said, "it's all about understanding your mission.

Once you understand your assets and how your services are reliant on these assets, you can start to proactively design controls to limit, mitigate, prevent negatively impacting actions.

From there, threat intelligence makes sense." And I also want to point out something that Adrian Taylor of BlueCap Solutions said.

He asked, you know, what about internal intelligence versus threat intelligence?

He said, quote, "organizations strive for juicy threat intel but nearly always overlook the value of good business intel like that from a solid ITSM foundation." So let me start with you, Allan.

I'm assuming you can't begin threat intelligence until you know what your internal systems are.

ALLAN ALFORD: No, I would agree.

I think Chris and Adrian are both on a very strong note here of business alignment.


This is one of the mantras that I always preach-- is you have to have security aligned with the business.

And I think both of them are, in their own way, saying understanding your business, understanding your internal landscape, understanding your internal threat landscape is all critical to being successful as a security practitioner.

DAVID SPARK: And AJ, have you had a situation where you were working with a client that didn't have their own internal systems in place, and you're like, I don't recommend starting threat intelligence until you figure out what you've got internally, because is that like just throwing continued bad money?

Because good threat intelligence with a bad sort of internal systems becomes a waste.

AJ NASH: Well, we've certainly run into that quite a bit.

It's a pretty common problem industry-wide.

Pick an industry, it's the same issue.

We have lots of organizations that complain about all this intelligence they're paying for, but they don't know how to apply any of it and they can't get value out of it.

And then when you start to ask them, well, you know, where are you on your crown jewels assessment, and how are you on your management of your assets and knowing where everything is?

And nobody that I've run into yet has a really solid answer for those questions.

So it creates a huge problem when you're trying to get to the point where you can have actionable intelligence and have intelligence relevant to your needs-- is making sure you understand your own environment.

DAVID SPARK: So what's your bare minimum recommendation before anyone starts threat intelligence?

Like, this is a base you have to start with?

AJ NASH: Well, that's a really interesting question.

I think you can do these things in conjunction with one another.

I think you can do them in parallel.

It's just about understanding and being realistic about the expectations of what you'll get.

I've worked with organizations who have built both of these simultaneously.

And I don't think you have to necessarily have one to have the other.

You just have to understand the value of get out of intel.

You can start understanding the external environment, know your threats, know your adversaries, know what matters to you, and then be in a position to say, well, how does this affect us?

And if you don't have the answer, that's a place you need to start working internally to get those answers.

So I don't think you have to do one or the other, but I don't think you're going to get incredible value out of your intelligence until you understand your own environment.

DAVID SPARK: Is there something about your environment, Allan, that, once this happens, threat intelligence kind of makes a huge leap in sort of value?

ALLAN ALFORD: Oh, absolutely.

I think he's totally right here that we need to coordinate the two.

You need to have a deep understanding of what the impacts to your world are, you need to have a deep understanding of what your assets are in the first place, you need to essentially have a threat model in your mind.

And once the threat intelligence comes along, if you have an appropriate threat model and you have an impact assessment in the back of your mind as well, then all this threat intel is-- the threat in intel is just going to flow through and it's going to be a magnificent little bit of harmony there.

And if you don't have all three of those, I think it's kind of a three-legged stool that's a little wobbly.

[MUSIC PLAYING] WOMAN: Who's saving money here?

DAVID SPARK: Peter Schawacker of Agio said, quote, "'proactive' is supposed to mean investing in something before the cost goes up." And Joe Pride of NextEra Energy Transmission says, quote, "'proactive' is anything that helps you find and control risk." And John Gilda of Revolutionary Security also said, quote, "it is simply a statement that it says 'we aspire to not be surprised and to just react when surprises occur.'" So I want to talk about sort of the economics of proactive security here and what they're saying.

How do you make an economic argument for doing this, AJ?

AJ NASH: Yeah, it's a really good question.

And I think all three of these comments hit on different points that are valid to it.

We have a lot of folks who ask, you know, where's the ROI on this?

And the challenge-- DAVID SPARK: Which, by the way, that comes up with everything.

AJ NASH: [LAUGHS] DAVID SPARK: You're not-- AJ NASH: No, we're not alone, I'm sure.

DAVID SPARK: You're not immune to that question that comes up all the time.

AJ NASH: And the challenge with intelligence is that it can be very difficult to gauge value early on, right?

So a lot of times I've talked to organizations and said, we really need to reconsider how we're judging the value of intelligence.

I look at it much like I look at health insurance or that I look at physical security.

You know, if I run a bank, I've got all these guards and all this equipment, and I do all this physical security to prevent an attack.

If I don't have an attack for a couple years, I don't let my accountant tell me I'm wasting money, and shut down my physical security operation.

Because it's inevitable we're going to be robbed if we do that.

And with health care, it's the same story.

I don't get sick for a few years, I don't decide I don't need health insurance because clearly I'm never going to get sick.

It's an inevitability that I'm going to.

And I think that's the same thing with cyber intelligence-- is it's an inevitability at this point.

In an interconnected world, bad things are going to happen.

DAVID SPARK: Wait, hold on.

I'm going to throw in the argument because someone has a different argument in just a second I'll bring up.

But why specifically cyber intelligence?

Like, yes, we all agree bad things are going to happen, but why am I spending-- like, I have locks on my doors, and I have a security system at home and a camera, but I'm not spending my time figuring out who may actually attack my house.

So why is that an economic benefit-- to know who might attack you?

AJ NASH: That's a really good question.

And the piece there is there are others who are doing that for you when you talk about your own home.

That's where the police department comes in and things like that.

But in our world, we have to be our own defense.

So where you have to understand where intelligence fits in is it's about understanding adversaries, understanding the threat landscape and the environment external to you.

I often talk to people about a threat being on a left-to-right scale.

In the kinetic world, we used to talk about trying to be left of boom.

The boom is a terrorist attack or a bomb.

And if you're to the right, obviously, it's a very bad day.

So you want to stay left.

And it's the same thing in cyber.

So the goal here is to stay left of boom, because everything right of boom is much harder to fix.

It's much more expensive in terms of what it takes really to take care of it, but even beyond that, the brand problems you run into, and customer satisfaction issues, and things of that nature, especially now with regulators and things like GDPR, for instance.

It's far more expensive to wait until something bad happens.

We've seen cases where this has happened where large companies-- I'm not going to name names-- have had large breaches and then spend tens of millions of dollars on intel after the fact.

DAVID SPARK: But I'm still pushing this one thing of I think we still agree on this, but how would knowing who's going to attack me make my security system better?

It's just a really kind of basic question.

AJ NASH: Yeah.

And it's a good question.

If you understand who's interested in you, then you can dig deeper and understand what they're most likely interested in within your systems, what their most common tactics, techniques, and procedures are, and therefore, you can adjust your defenses proactively before they arrive.

DAVID SPARK: That's the answer I was looking for.



ALLAN ALFORD: And that goes back to Joe.

It goes exactly back to what Joe was saying where he says proactive is anything that helps you find and control risk.

You can go off the PTR model, which is a purely economic model, really, that he's discussing in terms of investment of proactivity.

But at the end of the day, what we're invested in here is risk.

This is the currency and the commodity of our job.

It's risk.

And if you can get proactive security to the point where you can identify a potential risk and thwart that potential risk before it even comes in the door, then you've done your job.

And that's where threat intel should be ahead of the pack in doing what it needs to be doing for us.

DAVID SPARK: I want to bring up something that Douglas Edwards said, of Integration Architect.

He said, "the balance has shifted way too far into detection and less to hardening, including the best hardened architecture." So he argues that-- and this is essentially this basic theory of, well, what if I just create a hard architecture, not know who's doing what, and just create the most hardened architecture I could do?

So why is that sort of inappropriate thinking or that's not going to make you more secure?

ALLAN ALFORD: So it ties back for me to that silly meme of the excited person holding up their arms and screaming, whatever it is, all the things.

You know, in this case, secure all the things.

If your goal is to harden against all possible threats, good luck with that.

You're going to be a really, really busy fellow, and you're still going to get hacked out the back door while you're closing the front door.

Someone's going to come in the bathroom window while you're locking up the kitchen window.

You have to have some predictive capability there.

DAVID SPARK: So it's just not economically and humanly feasible.

This goes into this whole 100% security philosophy we were talking about, which is essentially not attainable.

Is this essentially where we're going, AJ?

AJ NASH: I absolutely agree.

We have to accept some level of risk, as he was saying.

So the goal here is to be able to minimize risk, to maximize our level of intelligence knowledge so that we can attack the most appropriate things.

But there is no perfectly hardened system.

I just don't think that's feasible.

[MUSIC PLAYING] WOMAN: What's the motivation to fix this problem?

DAVID SPARK: Jason Clark, CISO of Netskope, points out that proactive security's always trying to improve, like an athlete or a team training to win the world championship.

And [?

Ian ?] [?

Murphy ?] of [?

Lemon ?] [?

Tricks ?] said, quote, "I think it's incumbent on professionals to keep pushing for improvement on all fronts by asking, how can we get better?" So I kind of like these theories on threat modeling and development-- is that you're really just sort of training to be a better cybersecurity professional, yes?

AJ NASH: Yeah, absolutely.

No doubt about it.

Every day the adversaries are getting smarter, they're getting better, and there's a ton of them out there, right?

So we're all fighting this constant war with the adversaries, and they're not stopping.

They never do.

They're always changing their TTPs, just slightly modifying things.

They're always getting a little bit ahead of the defenses, to be honest with you.

We do a lot of chasing.

So I think both comments are valid in speaking to what we're trying to accomplish, which is getting better all the time.

DAVID SPARK: How does this training sort of manifest itself, Allan?

ALLAN ALFORD: So in terms of actual daily practice, I think it manifests in a lot of ways.

I think threat intel is one good way to bring it in.

I mean, let's say that you've started with a sock and let's say that you've got threat hunters.

And they want to do better at what they do.

So today they're doing Level X and tomorrow they want to do Level X plus 5.

Threat intel is one good way to bring new information into them, into their processes, into their daily jobs, and to refine and fine-tune how they do those jobs so they waste less time and get closer to the reality more quickly.

Threat modeling is another great example of a way to improve day-over-day run rate.

And there's plenty of other things we can be doing as well.

Back to the fella who said we could harden the systems, spend more time doing that, he's not wrong.

That's not something that shouldn't be done.

That's something that can also be done.

But again, hardening those systems in an informed manner is going to get you way more bang for the buck.

DAVID SPARK: What's your advice when you're sort of working with a client and you're trying to kind of train them to be better at what they're doing?

I guess it would be like hiring a physical trainer.

Do you come in in kind of the same-- you're like, oh, my god, you're all flabby, we're going to have to get you all toned up in terms of your threat knowledge?

What's sort of the program you start them on?

AJ NASH: Yeah, that's a great question.

So for us, we have a very consultative approach.

Ideally, if we can work with a client-- first of all, we want to make sure that they understand this is a partnership.

To us, this is a relationship.

This isn't some transactional situation where we're trying to sell you something and move on.

My goal and the team's goal is to help people get better long term.

So we like to come in and really just assess the situation.

We'll do NDAs, let's do open kimono.

Talk to us.

Where are you right now?

Where do you feel like you're doing well?

Where do you feel like you're struggling?

Let's really work through that.

And then from there, we can start figuring out where we think you might fit on a maturity model.

And then we could start talking about steps from there.

All right, we see you great here and needing some work here.

How do you feel about that?

Are we on the same page?

And then we start working on filling in those gaps.

So much like a coach or a trainer, as you said, it's about figuring out where your strengths and weaknesses are.

If you have great abs, I'm not going to tell you to do sit-ups.

But if your cardio's terrible, let's talk about working on cardio.

Let's figure out what's good.

DAVID SPARK: Is there a common thing everyone's bad at in terms of threat-- AJ NASH: Yeah.

[LAUGHTER] DAVID SPARK: So what is it?

AJ NASH: Well, first of all, it's certainly the internal environment.

I know we talked about that.

I have yet to run into an organization that's really confident in their CMDB or their crown jewels assessment, which is a huge hamstring.

DAVID SPARK: So even before threat detection, just knowing what's-- Absolutely.

DAVID SPARK: And by the way, that's a whole different department of just sort of discovery that there's great need.

But OK, after that level, in terms of understanding who's coming after them, if you're going to say "start here," where should they all start?

AJ NASH: Well, this will sound self-serving, but I'm a big believer, obviously, in a threat intelligence platform, which happens to be what we do.


And that's what I'm asking.

Yeah, and I'm agreeing with that.

DAVID SPARK: But it's something within doing that.

Actually, let me not put words in your mouth.

Go, explain.

AJ NASH: Yeah.

So the way we talk about building programs is there's a series of things you're going to need to build an intelligence picture, right?

So obviously, I'm a big believer in a threat intelligence platform.

I was as a consumer and as somebody building programs.

Because as you bring in all this different data, and information, and intelligence, you're going to need to bring this together in a sense-making matter.

And therefore, you need to come across a really strong open-source program because there's this massive amount of information out there.

So being able to separate truth from fiction and rumor from speculation from fact, get all these things together.

So open source is massive.

So we need something to do that.

You definitely some deep and dark web capabilities, which normally are separate functions.

And then some external telemetry, so you have data to work with beyond your own data.

Obviously, then tying that back to whatever your internal sim is, whatever system you have working there, so you can start getting some context to work with.

I think from an access standpoint, that's a minimum.

I often talk about building programs based on talent, access, and then you have to have some time to do the work.

The biggest challenge I see with organizations isn't the access.

It isn't about buying feeds, or tools, or any of the things I just mentioned.

Frankly, it's talent.

There's a huge talent gap in the industry, and a lot of folks are misidentifying talent.

It's not uncommon for somebody to build an intel program, and the first thing they do is look around the room and go, OK, we need a new director of intel.

Bob's been doing a great job in IR and he's due for a promotion.

Bob, you're the new director of cyber intelligence, and Bob's going to build a cyber intelligence team, which is really an IR team.

DAVID SPARK: And Bob becomes overwhelmed pretty fast.

AJ NASH: Or he just builds an IR team.

He buys three more people that are just like Bob.

Bob's really good at what he did and he builds a good team that just does IR, but they don't do intel.

It's important to really make sure you're manning the team properly.

And that's a hard skill set to find.

So a lot of times, I've been known to help people do some of that too.

DAVID SPARK: Did you want to add something?

ALLAN ALFORD: I was going to say full agreement, but I would also add there's something you missed, which is when you're talking about the talent deficit, there's also automation to help bridge that gap.

And there's APIs, and there's calls, and there's getting that threat intel fed into the environment in as clean a way that requires the least amount of human overhead possible.

So I think there's that factor too.

But otherwise, full agreement.

The talent piece is really its own critical failing in a lot of shops.

It really is.

And I think your example is spot on.

Forensics guy's doing IR, IR guy's doing threat intel, threat intel guy's doing threat hunting.

You know, these are not the same thing.

[MUSIC PLAYING] WOMAN: What aspects haven't been considered?

DAVID SPARK: I love this quote from Nigel Hedges.

He brings up a very good point.

He's CPA Australia.

He says, quote, "given in the current landscape of cybersecurity management, on the flip side, has anyone tried to position reactive cybersecurity in their strategies?

Pretty much no." I mean, we're arguing, should you do proactive?

But no one's saying, oh, reactive would be the best way to do it.

I don't think anyone's advising that, yet a lot of people do it.

ALLAN ALFORD: Right of the boom.

DAVID SPARK: Essentially, this is a right-of-boom problem that we're talking about.

ALLAN ALFORD: Right of the boom.

AJ NASH: Yeah, this is how everybody actually does it [INAUDIBLE] have any plans to do it as a reactive intelligence or a reactive cybersecurity.

I just think that's where it lands a lot of times.

If you don't have intel and you don't understand what's coming out, then it's all whack-a-mole.

You're on the wire just playing this game of trying to stop things as they happen, and there's millions of things coming in, and you're overloaded with these alerts.

A lot of times you just can't figure out which alerts I care about and which ones I shouldn't.

It's just an overwhelming amount of data coming at you.

But I'd say most organizations of the world really are still working on a reactive cybersecurity model.

They're just overwhelmed.

ALLAN ALFORD: I would agree.

Even from the big picture, if you look at the strategic perspective, you've got your frameworks and everything else going on.

There's plenty of people out there that are doing the frameworks as a checkbox exercise, have no idea how that actually ties to a strategic program and whatever they may actually be trying to form.

And I think this goes back to what AJ was saying too about crown jewels and assets.

There's a reason CSC are asset inventory, right?

Hardware and software are asset inventory.

You have to know what you have, you have to have a plan for what you have, and then you start rolling out that plan.

And you need to do it in an informed manner.

You have to.

Otherwise, you are trapped in that reactive cycle.

DAVID SPARK: I want to add something that Thomas W.

also said.

He said, quote, "proactive cybersecurity is all about critical security control number one, visibility." Exactly what you just said.

"Real-time time monitoring." Quoting a colleague, he said, "sure, we need to build our castle walls high--" and this is actually extending beyond what you said-- "build them high and we need a moat around that castle, but we also need sharks in that moat who are always hungry and always looking." So the idea being, eventually, if you didn't have the sharks in the moat, eventually someone's going to figure out how to get over that wall.

But if you got sharks, essentially, like we say on the show, Defense In Depth, that's an extra level of security.

ALLAN ALFORD: Oh, absolutely.

The sharks are the threat hunters, right?

So you build the walls, you build all this security that he mentioned here, which a lot of that is done through technology.

And then you've got your intel that's feeding that technology and also feeding your hunters, who are those sharks in the water.

So if something does sneak through, the sharks are always chasing that down to pick up the pieces.

But they've got to know what they're looking for, and that's where intel really feeds those organizations so well-- excusing the pun-- is being able to be in a position to say, here's what you should be looking for, these are the behaviors you're going to see, if you see this behavior, you need to look in this place next, because it's more likely that that's where they're headed next.

Trying to get ahead of adversaries as they're in that kill chain or whatever cycle you're choosing to use.

DAVID SPARK: Have you seen any-- this can be an anecdotal story.

AJ NASH: Sure.

DAVID SPARK: But one of the fears of running a threat detection program is, oh, this is going to add another layer of problems and, oh, this is going to make my life so much more difficult.

Oh, my god.

But my feeling is it probably is going to also have the reverse effect if you tune your controls correctly.

So maybe you can tell me a story of a client that was literally underwater, and they developed a threat detection program, and they essentially had better control.

AJ NASH: Yeah, I've certainly seen that.

It's interesting.

I've seen both sides of this.

So when you talk about being in this position where if you learn too much, you have too much to do.

I've definitely seen organizations who choose intentional ignorance.

If I don't know about it, I don't have to worry about it, I'm not responsible for it, and my life's a little bit easier if I just live in the dark.

And that's great.

If you want to live in an apartment full of cockroaches under the carpet, and you just don't want to reach up and look under the carpet and see what's crawling around, and you're comfortable with that, that's your life, that's not going to be mine.

So I've certainly seen that.

DAVID SPARK: Everyone got a good picture of that in their head right now?

AJ NASH: Yeah.

If that carpet's crawling around, you know it's bad even if you choose to ignore it.

DAVID SPARK: I'm going to look under the carpet in this room in just a second.

By the way, I didn't point out that we're actually in a hotel room at the Cosmopolitan in Las Vegas as we are recording this very episode.

And your colleague is taking a photo of us right now.

AJ NASH: Yeah.

DAVID SPARK: By the way, if I have a nightmare about cockroaches in the carpet, I'm calling you and waking you up at 2:00 in the morning.

AJ NASH: But the flip side of that is we've definitely seen organizations who have been in a position, if you get to a point of maturity-- and this isn't easy.

This is not an instant problem.

You're not going to buy three tools and a couple of feeds, and turn on a switch, and everything's just fixed.

There's no magic to this.

There's a lot of work that goes into this.

But we've definitely seen organizations who get themselves into a position where alert fatigue goes down.

All of these alerts they have, now you're tying intel directly to what you're seeing in your sim and you're being able to validate which alerts matter and moving them up further on the ladder.

So you start being in a position where you're mitigating things that actually matter to your organization as your top priorities, and you can document that.

So that gets you back to the discussion with leadership about, where's the value?

Well, we had 10 million alerts, but we were able to get it down to 1,500.

And out of those 1,500, we've now taken care of 800 so far.

million, but 800 out of 1,500 is a much better statistic to work with.

And we know all 800 of those matter to us.

So we've seen organizations work in that fashion.

ALLAN ALFORD: Yeah, this is the Windex approach, I call it, right?

You've heard me talk about before the dirty pane of glass, Everybody sold us on the single pane, the single pane, the single pane.

You feed everything you have into this single pane of glass, and oh, my god, you're overwhelmed with noise, and trying to ascertain a signal becomes impossible.

Anything you can do to spray a little Windex on that glass and clean it up some more is of benefit.

And I think threat intel is one of those bottles of Windex.

DAVID SPARK: And working with teams, have you found, with the threat intel program, has lives become easier or more complicated, and why either way?

ALLAN ALFORD: I've found them get easier, not more complicated.

DAVID SPARK: And in what way?

ALLAN ALFORD: So at the end of the day, you've got your analysts, right?

You've got Tier 1 through 3.

And 3 may be the hunters.

You may even have a fourth tier of hunters.

But you've got people who are riding the sim.

They're living on that console.

That's what they do all day.

And they'll see an event, and they'll see an incident.

They'll see an activity.

They'll look at the activity to determine if it's really an event, if the event is really an incident.

And sometimes you'll spend a whole day, as an analyst, drilling down, and drilling down, and drilling down, and getting absolutely nowhere on something that turned out to be nothing in the first place.

If someone can filter that, and triage that, and steer you in a better direction so you waste fewer days just mindlessly going down rabbit holes that have no rabbits, your life is going to be so much better.

AJ NASH: Yeah.

I absolutely agree with that.

That's exactly what we see, right?

Now, another piece to this, just to turn it a little bit, is beyond what we've-- we've been talking about this the whole time, right?

Very tactical, very tactical, very SOC-oriented.

So again, with that proactive approach, what a lot of folks don't talk about with intelligence is where it goes beyond that, where cyber intelligence can help you with your physical security.

There's a lot of physical security threats that manifest in cyberspace and can be a real engagement point for the physical security team to get ahead of the curve.

Or, huh, let's talk about M&A.

A lot of organizations want to buy something.

And when they do due diligence, all they talk about is, well, is the bottom line good with the company, do they have any lawsuits coming?

But they don't bother to go through the details an intel organization could do to tell you, well, this company actually farms out a third of their work to this area of the world that may be unsafe for us to be doing business in.

So you can get into M&A, you can get into procurement.

A lot of organizations have issues-- well, we procure this software, we put it throughout our systems, and it turns out there's a huge risk we didn't know anything about, because the procurement discussion was really about cost and effectiveness of use, not some of the risks that go with it, or it was just kind of a cursory risk assessment.

So there's a lot of areas-- again, as we talk about value of intelligence, one of the areas I try to push with organizations is, think beyond just your SOC because this will help develop your value proposition as well.

Intel is not a cheap game.

It's effective, and it's useful, and we can prove there's value in it, and it's worth doing, but you've got to look beyond just your SOC and some of those value cases.

DAVID SPARK: All right, quick comment to wrap this up.

ALLAN ALFORD: Yeah, tying this into one of our earlier podcasts from just a few weeks ago, remember when we had Perry on the show and we were talking about cyber harassment.

What was her number one recommended trick to find out if you're going to be the subject of a cyber harassment?

Go google yourself.

DAVID SPARK: Google yourself.

ALLAN ALFORD: She's basically exhibiting an instance there of threat intel for physical security.

DAVID SPARK: Excellent point.

Well, by the way, all those topics good topics for future episodes.

I want to thank you, AJ-- and I'm going to let you speak in just a moment-- for being on the show.

And I also want to thank Anomali for sponsoring this episode and, in general, being a great sponsor of the CISO Series and Defense In Depth.

Allan, any comments you'd like to say?

ALLAN ALFORD: Hey, I just wanted to thank AJ for coming out.

This was a fun one.

I also wanted to say hey to the Black Hat community.

We'll be working the floor over the next couple of days.

Dave and I will be there, and come say hello.

DAVID SPARK: Well, this is going to drop after Black Hat, so-- ALLAN ALFORD: Oh, that's right.

DAVID SPARK: --they're not going to hear it.

ALLAN ALFORD: That's right.

This is all after that.

So in that case, it was great to have met you all.

[LAUGHTER] DAVID SPARK: AJ, any last comment?

And please, plug Anomali, anything you'd like to say.

AJ NASH: Yeah, absolutely.

Well, first, thanks for having me.

I really appreciate this.

This was a lot of fun.

I'm hoping we can do some more of these conversations, because I think they're really valuable to the community.

And frankly, I learn something every time I do something like this.

But as far as Anomali, a lot of folks I think are familiar with who we are and what we do.

Just in brief, we have a couple of really important products I think we've put out there to the community.

We have a great threat intelligence platform helping bring in all of the data, and information, and intelligence you have coming, whether it's internal to the company or external, and helping make sense of that, providing machine learning on top of that, so that you can have a force multiplier for your intelligence scheme.

And then we also have a product called Anomali Enterprise that can connect what's going on in your sim, what's going on in your environment with intelligence to give you something-- that cleaner, Windexed picture we talked about, right?

Being in a position where, instead of having a million alerts and just going, what do I work on first, being in a position where intelligence is tied to those.

You could say, well, these alerts matter to you more, this [INAUDIBLE] more interested in you, you have these specific threats and vulnerabilities to worry about.

So we bring that all together into a complete picture.

And then the last piece, which is the part I'm most excited about, to be honest with you, is the consultative approach that we have, where we can come on site and work with organizations.

If you have a team and you want to see where you stand, great, let's have that chat.

If you have nothing and you're just thinking, maybe I want to do intel someday, great, let's have that discussion as well.

I really enjoy working with organizations around the world, any industry to just have that discussion.

I got a long background in intel.

It's my passion.

It's our team's passion as a whole.

It certainly isn't just me.

And we really enjoy getting out there and just helping people.

As I said, this is a war.

I don't want to overstate it.

People aren't dying, thankfully, in cyber, but this is going on constantly all the time.

This is the silent, hidden war.

And I want to help people and our team wants to help people get smarter and safer, because this isn't going away.

We have these problems and we have these issues to resolve because our clients, my clients personally and our clients clients, expect us to keep them safe.

DAVID SPARK: Well, thank you.

An excellent closing note.

And I want to thank our audience and especially all these awesome contributors.

I want to just comment that, really, like, this episode was slammed with some of the best, most insightful comments.

You've had, like, close to ALLAN ALFORD: Yeah, I think we capped on 100 comments.

I think we capped 100.


So kudos to everyone who contributed.

So thank you again, and I will tag them all respectively on the show.

If you have not left a review of Defense In Depth, which I know there are a lot of you, because we have far more listeners than we do have reviews, please go to either Stitcher or Apple Podcasts or wherever you listen to your podcasts and leave a review of the show.

Thank you again for listening to Defense In Depth.

WOMAN: We've reached the end of Defense In Depth.

Make sure to subscribe so you don't miss yet another hot topic in cybersecurity.

This show thrives on your contributions.

Please write a review, leave a comment on LinkedIn or on our site, CISOSeries.com, where you'll also see plenty of ways to participate, including recording a question or a comment for the show.

If you're interested in sponsoring the podcast, contact David Spark directly at David@CISOSeries.com.

Thank you for listening to Defense In Depth.