
Uh my name is Pedro Kurtzman. Um hopefully after this talk uh the idea of this talk actually was to bring some uh of the knowledge we have across our panelists uh from a CTI standpoint. How can that be used um on environments on your day-to-day work to make things uh more secure for your either employers or whatever kind of environment you're protecting. Uh I also have a CTI podcast. So you might think I you know like the topic a little bit. Uh but I'll have the panelists also introducing themselves and then talking on their perspective. What's the importance they think CTI can bring to security teams um in general? >> Okay. So intro >> um and then you can go to the next one.
>> Uh just my name is uh Chris Sketchings. I am the team lead of cyber security operations at the city of Calgary. >> My name is Alyssa Hartford. I'm an information security officer by title but a CTI analyst for the government of Alberta under Cyber Alberta. >> My name is Pashant. I'm a senior cyber security adviser with Enbridge and I'm a geek at heart. >> Awesome. Thanks everybody. So, uh, Chris, um, I think we're going to go run through the panelists, but important to to mention that after we do this quick kind of a warm-up, we're going to open up to the public. So, get your CTI questions ready. Um, it's MIA, so you can ask anything related to CTI. We're
going to try our best to to uh get you the best possible answer. So Chris, you want to share um you know your thoughts around the value of CTI for your organization? >> Yeah, for sure. Um so I took over the team about um it's three four years now and we didn't really have a formalized threat intelligence program in place. Of course, our tools and stuff got um threat intelligence feeds and stuff like that, but really we wanted to mature that program. So we stepped back and looked at what problems we want to solve. And the first ones we wanted to really look at were just first start externally facing I don't whoever has a
boss here and you get that good old hey it's 2:00 in the afternoon hey I heard this on the news are we actually impacted and of course you have to go to go into the team they have to drop everything that they're doing now and suddenly let's like doing task switching and then trying to build this report to provide up to our leadership uh to go hey yes we're impacted or no we're not impacted and actually the vast majority. No, this doesn't even impact us at all. It doesn't matter make any sense. So, we started off by actually eliminating increasing capacity in the sense of um we started collecting news feeds and building reports and getting them up to
our leaders before these they ever even came to us. That really um freed up a time for my team to actually focus on the more critical things like that. And that was because the leaders started to trust that we're actually looking at things and being able to uh trust that we're our organization has um trying to do the best to protect us from a from a more tactical level. How many times is we actually running a program you actually spend a lot of effort on things that may not ever impact you? Your team is like putting in indicators of compromise into system systems. they're looking at threats that are just sort of more generic and actually
they won't actually ever impact you. So being able to understand the threats that you are facing also allows your team to be much more focused on the threats that you could face. A good example, a lot of threats that are coming out today are things like crypto stealers. Well, the city of Calgary doesn't produce, store, or do anything with crypto. So yes, we may want our tools to protect from the general techniques that are being used by them, but we're not really worried about the actual impact from a crypto stealer because we have no crypto assets. So again, that's like really spending time to focus on that. So really it's both again I look at it from both a strategic
level going up to the our leaders and stuff like that for that they're informed they're trusting us as well as enforcing it down internally uh from a tactical level to allow our teams to be much more effective at the technical level. So that's really what our team has been focused on recently. >> Awesome >> Alyssa. >> Perfect. So I will have a slightly different story to tell uh for my first thing. Um because I come from a slightly unique different way into this position. I started with the government as part of their work experience program uh which is a two-year program where you rotate through every team in the division. Meaning that during my two years I did
everything from policy to vulnerability management to incident response and of course the CTI team. uh which at the time kind of transitioned from being something that was more reporting because we had the word reporting at the end of our team name and then is now a little bit more into the CTI stuff. But throughout that experience, I actually got to work on the teams that ingest the CTI uh reports uh indicators um the prioritization items and then I ended up getting to work on the team well on the CTI team that is making those items. So I got to see it from both ends which was a very unique perspective to see how that process worked in the government um
as well as just within the teams themselves. And then it got me really interested in the area of CTI threat intelligence just even just knowing what's out there in the news. And then as I got hired on full or not full-time but permanently that's the area that I decided I wanted to work in and now I work in CTI but also awareness and training. So because CTI in the government of Alberta is very external facing. It's under Cyber Alberta. We create reports and we give it to the greater community of interest. I then take any kind of indicators that we found internally and turn that into internal awareness for the uh like actual government employees. There's a
phishing campaign um and we find some novel IOCs. That report gets sent out to the community of interest. But then also we have a hey don't click on this uh alert that comes from me for for the other uh employees because we found that uh we bring in uh we create all this intelligence requirements but are we actually telling our own employees what to not do and just kind of instead of falling back on the the typical cyber security training um actually showing them with proper examples of what it can look like on what not to do. Um, and we found it incredibly valuable to kind of do it this way. Um, our CTI team is uh
relatively new in its current state. Um, again, it used to be more reporting and now we're trying to get into more actual intelligence gathering and sharing, especially using Cyber Alberta, um, to collect that from the wider, uh, like audience within Alberta and all the different organizations and and collected and actually give something of value not only that's shared internally in the government, but also to all other organizations uh, in Alberta. So, we found it incredibly valuable. I found it valuable and I've only been really working with this team for the last five monthsish officially but of course with the government for the last two and a half. >> Awesome. Thank you Pashant. >> Okay. Uh that made me some time to think
about my answer. So um we always stand on the shoulders of giants is what I believe in. uh there have always been people andmemes who have came past us to a point where we have this field what we call cyber threat intelligence. I'm a bit of a philosophical and a strategic person. So I look at look look at the word cyber threat intelligence. What does it mean? It means intelligence related to cyber security. We always had spycraft in our world. We always had intelligence in our armies and our defense across the board. we are bringing that understanding that concept into uh into the world of cyber security. Uh one other thing as I mentioned you know if knowledge does not
make you humble but makes you proudful that knowledge is wasted. Information is power knowledge is power wisdom is power. Hopefully knowledge information makes you knowledgeable which ultimately makes you wiser. If it doesn't make you wiser then it's rost. Now you'd be like why is he ranting about wisdom related to cyber intelligence? Because intelligence at the end of the day is about understanding what's important to you as an organization. I look at the word intelligence or threat from a perspective of risk management 101. Just a plug to Michael, I could see him on the in the in the audience there. What a great keynote today around risk, right? You know, you need to understand, we always look around risk. A very wise
person once told me when why cyber security is important. So, you know, I g I gave him an analogy the way I understand like you're running a vehicle. Why do you have brakes in a vehicle? so that you can avoid accidents. Having a brake in a vehicle would make you run faster or make you run smaller, slower. It'll give you the confidence to run faster and accelerate because you have a brake. That's why cyber security is in our industry because it gives the organizations the confidence to take risks down the road for their business, you know, uh benefit for that matter. Now on the risk portion, risk is what? threat impact vulnerability likelihood of those vulnerabilities
being exposed. The word threat is being focused in the term cyber threat intelligence. If we know what our threats are in our industry or in our sector, then we can focus on security controls on our cyber postures related to those threats. A threat one may not be applicable to business two. Threat one may be applicable to business one. Let me give a context related to work me working in Enbridge in the oil and gas sector. 33% of oil and gas flows through Alberta. I don't know how many of you know that at least actually from Edmonton in the pipeline alley. 33% of oil and gas of North America one-third of it flows through Edmonton a city which I
have been living for 18 years and I thought it nobody knows in the geographical map this city even exists for many people in the in the world. With that context now you can see at least in the critical in infrastructure space where I come from we attend many DNG ISAC FBI DHS you know ingga HA there are various organizations CISA updates etc. End of the day it's about understanding what your threats are how they can impact your business outcomes and ultimately to uh to my fellow panelists point of view the leaders and give them the assurance that we are doing the right things. Another vice leader of once told me if you have $1, you need to spend it on two priorities.
What are you going to do? Make your choice. We have limited resources. those limited cyber resources have to put to secure our businesses and hence threat intelligence helps you identify and prioritize your cyber security towards the goals which are important because now you know your threats for good or for bad which are impacting your sector and your industry and then you can take actions accordingly. So that's how I feel it more from a strategic and a tactical perspective at the operational level. We can go on and on around IoCs and IOAs and you know and all that stuff. So, thank you. >> Awesome. Thanks, Pashant. Um, so anybody has any CTI related question? Michael, you want to take a
Okay, microphone. It's coming. >> I hope he's not ticked off by me calling him up. >> Oh, no, no, no, no. This is good. Um, I'll be honest. I was planning to troll you guys, but um, I went to ChatGPT and I asked it, "What kind of questions would stump a cyber threat intelligence panel?" And Liam, Liam, and I here scrolled through all of them. We were like, these are actually really good. So, I want to ask you one that I think this is a great question. What's the one class of threat actor you're pretty sure exists, but you have no visibility into? And I don't take credit for that. The computer came up with that. But I
thought that was a really good question. >> So, I can take that on, Michael. So, first of all, hopefully your chubby didn't give you those kittens. You showed it in your presentation in the they actually gave you good questions to ask. So, I'll just go with it. I work in critical infrastructure. I am always worried about nation state actors. I can go and on and on. But you do not know many things you don't know about what they know about your systems. Uh in critical infrastructure, there's a methodology which I subscribe to called consequence-driven cyber-informed engineering which basically goes around the term. You can Google it. It's an Idaho National Lab U artifact. It goes
by the way that consequences are important on the ground and your adversary would know enough or even more about the technology you use in your own systems because they can mimic those technologies in their own environments in their own lab environments. Nation state actors right they have enough money resources powers uh you know financial wherewithal to create the exact same conditions of technology. How many of us could be you know hey I'm using Windows 10 nobody knows that I'm using Windows 10 right it's very easy to understand that the what where comes the defenders advantage is another concept which says that but I know how I use my technology to bring those outcomes that is probably unique to me for a
university for an oil and gas company for a any other business I'm using it probably differently for a different business purpose somebody could be using the same technology for a same different purpose that's where my defender's advantage come where I could find ways how can how I can safeguard my systems through a threat adversary but nation state actors uh they're always a step ahead and we are always a step behind it it's a cat it's a cat and mouse game and we continue to follow that so that'll be my question answer I look at this I'm going to change it a little bit not threat actor but like a threat place is like actually when you
think about third party risk it's not the third party itself it's actually the technology behind the third party that a lot of us do not know anything about so for example recently in the news there's like lots of uh impact on npm packages. Well, like how many of those of your SaaS solutions are using those packages and we just do not know and we do not know also how well that they are tracking these risks and threats as well. And so I it's I think big blind spot like and you hear about SBOMs and the things like how many of us actually ask for bill of materials for our vendors. So uh my my my perspective my two cents
here I think that's uh one of the key things we don't know u the dependencies of the dependencies and then the attack surface goes just insane right and we don't know what the other guys have on their uh studies or they know how to do something they're just waiting for the right time and I think that's the overwhelming part from a defense standpoint awesome I actually have a uh quite literal answer to uh Michael's question. Which threat actors do we not know were in the environment? Uh to me that's espionage. How would you know? They're there to sneak to espionage. Uh so of course we wouldn't know if they're in there or not until it's too late.
>> Thank you. Any next questions? Uh Adam. Oh, sorry. Yep. You you go. It's okay. You go next. >> Thank you. Uh I didn't ask ChatGPT to help me frame this question. >> Uh my question is about um threats related to AI. Um specifically uh privacy. I've it seems to me this this is keeping me up at night. It seems to me that a lot of people are giving away their uh personal information and uh I'm wondering what kind of threats uh um do you see uh specifically as it regards the how we feeding a AI with our pictures to create uh these um figurines and stuff. H what is the threats that you see and what would be
the impact for individuals? I know like the uh younger generation they would say like I don't care but so what can we tell them uh to that what is the impact from those uh threats? >> Anybody want to take this one? >> Yeah I can take it. Uh first of all I mean AI is proliferating and there was a very good uh uh talk today by Safazwar. I don't know if he's in the audience today. He talked about responsible AI and topics around prompt engineering. We can go on and on. Topics around privacy. I know it can be proliferated. You can look AI models. You can say hey can I manipulate the model or can I look at
the output prompt? Can I do that? So you can go technical into it. End of the day I think I come from a school of thought around privacy that you know unfortunately whatever you do you cannot remain private. So for for very long. There have been so many systems out there, so many things we have already put on the internet that it is hard to claim privacy on everything. Don't be take me wrong that we shouldn't do or we shouldn't put guardrails around our private information. But I am of the school of thought if you ever heard of Bruce Schneier um he is a very good expert in cyber security. He has a blog on uh privacy schmivacy get over it you
know and he'll give you his argument around why privacy is dead but AI will proliferate it much further end of the day I still belong to the school of thought that it is too far down that we'll have terminators we are still out here where we'll have metrics and we'll have control over it and as humans we should always have human in the loop and uh so that they can validate otherwise we are definitely going into the human are meodenic and that'd be great. >> One thing I would add is I think it's actually an old problem that's been across even before AI is really data security and data privacy. AI has made it maybe uh impact faster but in reality
you've had to protect data for a long time. How many people have sent an email to the wrong spot or and there's no controls in place to stop that? that's release of information into a place that's not. So most company the problem is is actually most companies haven't solved that problem let alone try to solve it with AI now. So that's actually going to be a big a big issue moving forward. So I'll give you one very simple example and then I'll stop. I like speaking a lot but anyway the AI incident database go check it out in that you check out deep fakes and check out the 2023 March incident of Pentagon being bombed. It was a deep fake which
went in. There are many other incidents on that database. It'll blow your mind how AI is being used these days. But that one literally caught my eye when I was doing a presentation. Pentagon got bombed. Deep fake video went online. Stock markets did a crash in 20 minutes. People did a put and you know those who do calls and puts who know how options trading work they made enough money they went out of the market. Literally in 20 minutes you become millionaires and billionaires because AI is now becoming such a prolifer prolific efficient technology and we can't validate what we don't know. So you saw, hey, Pentagon got bombed. Hey, things are going down fast right?
>> I'll just take it to say that I don't have anything to add to um what Pashant and Chris um have said. I I was going to say the same thing as Chris. It's the same problem we've always had, what we still have. It's just AI is just another method of putting in your data um and should be thought of that way. you know, it may enhance it, but in the end, it's it's the same problem of data security. What's the risk? Fraud. What's the risk? Fraud. Um, your identity being stolen, um, passwords being cracked, um, your security questions being known because you put in that your home address is whatever, that you went to whatever
school, that your favorite animal is a dog. It's the same same problem. It's just another method in which it's being added into. I'll uh I'll I'll break it down into for for me at least uh two parts. Uh online privacy is just I don't believe in it. It's if it's online if you really want private don't put it online. Uh the second one is I think from a CTI standpoint um AI will become as a big of a um either eyeopener or problem from an attack standpoint that down the line and you can quote me I can be wrong but you can quote me on that we're going to have a MITRE ATT&CK for AI like we have the
one for you know regular operating systems u OT now RCS mobile we're going to have one for for AI not Um, too many years. It's going to be something in the next few years. >> Any any other ones? >> Yes. >> The microphone is >> aha. Not going to stand because Chris told me I wasn't allowed to talk. >> Fair enough. >> Put a muzzle on me. Uh, the consumer's caveat. Good, fast, and cheap. You could only pick two of the three. Okay. Which leaves us, you know, CTI is intended to allow us to get somebody to do something that reduces our risk, our probability or impact. So then it leaves a choice. Do we be fast
with the recommendations we're making from CTI or do we be right? How does that work in any of your organizations? Would you rather be fast or would you rather be right if you could only pick one of the two? >> I've always been on the side of right. >> So for me right would mean again I I I can give the lens Adam from the from a perspective of working for a critical infrastructure organization. uh safety is paramount and critical from a human perspective when we run our pipelines or when we run our refineries and whatnot and human life unfortunately does not have a probability either you are alive or you are not alive so if you
are taking steps whether from a CTI perspective or cyber in general it's very important at least in my sector to be right rather than to be fast we could put brakes take our time and do the right thing according when I say right it may not mean 100% do our due diligence to the extent possible to not let those outcomes come out when human lives are at stake. So that's my take on being right. >> I agree with that because definitely being fast can actually cause more problems to your organization. A good example, say we get an IoC, oh they're using Cloudflare to attack us. Oh, let's block Cloudflare. Well, guess imagine how much impact you could have on your
entire organization. Like it's really about getting it right. I've actually one of the things I talk to my team a lot about is quality over quantity and it really to get the quality and then actually then frees up time even to look at things if you do it wrong it actually maybe even cause more harm than the threat actors themselves. We also try to be more right. Um especially as Cyber Alberta, you know, creating intelligence reports that get sent out to the broader Alberta audience. Um getting them right is is quite important. Um but, you know, we also try to get it fast. Obviously, intelligence that we create for uh other Alberta organizations isn't always uh
relevant to everyone. Um but that's up to the each organization on how they ingest it. But if we are wrong in the information that we put out there um doesn't exactly fare well to the government of course. Um, next, where's the microphone
looking at uh CTI from a traditional intelligence lens, um, the source of most CTI today is ELINT or electronics intelligence-based. I'm wondering if uh the panel has any thoughts on whether there's a place for a reemergence of the human or human intelligence sources um in the generation of cyber intelligence going forward. >> Go ahead. um alone just the human element um maybe not and then it will be more on the like military side or things that are you don't need necessarily the the the technology element to it. Um we I think we still as an industry we still rely or use a lot undercovered personnel trying to uncover what uh so it's like the modern
um I don't know 7 kind of person going after threat actors and monitoring if they get like their trust first we still use that uh quite a bit uh hard sometimes for uh government entities And the threat actors know that they for example they charge uh like a sign up fee for example. So with that alone they cut like government entities uh out of that loop. But there from a like a overall industry standpoint we still use uh that espionage approach to to go after the guys that are going after us down the line. That's >> I think at a corporate level we don't have the resources or the time to do a human element side. I do think hopefully
like governments like federal government definitely take that into consideration and and hopefully through their programs can able to send that information down to us right versus me having to do human side of it. It would be very tough. >> Yeah, I'll add on to that. I mean there's a problem of attribution and intelligence, right? who or where did that thing come from? And obviously cyber means cannot be perfect because of reasons that you are sitting in Canada. You could be hacked by somebody in Russia, China, wherever. So there is an element there to Chris's point that we could have at the government level have some spy intelligence to try to pinpoint where some of those threat actors might
be coming from. Um you may have all heard of botnet takedowns by Microsoft, the big likes. They do do a bit of, you know, sharing of knowledge and information among law enforcement agencies across the Five Eyes spectrum to try to nail down where some of those botnets might be coming from and nail down the actual actors out there. In fact, APD21 report which came out which was a long time back by I believe it was Mandiant if I'm not mistaken um did identify actual cyber actors from the PLA unit 42 or 41 which was impacting uh um um I think um one of the news medias at that time that's how I understand some of these threat intelligence
reports but they do pinpoint actual individuals from where they come from but it needs a lot of wherewithal for people in company and at the nation state levels to do that for normal corporations I think we'll always be at the defensive posture. I also subscribe to the thought you know whether offense would ever be a best defense but we don't have the wherewithal in at least in in the corporate sector to do that governments might have that resources and the in the end it's also prioritization is it actually going to give you value um or not and if the answer is no um lower on your on your priority side um because in the end uh
you know we're talking cyber security and prioritizing what is going to give you the highest value and that you can get should be on your highest priority for corporates.
>> Hi, I just wanted to piggyback off the previous question. I think there was a statement around um leveraging CTI to motivate teams to do something. Um maybe I'm interested to learn how you can share best practices across how you take CTI and work with the extended teams within your organizations to actually take that human element and look at you know vulnerability management, incident response, remediation. What are some best practices you've seen in your organization to make sure that that response time is fast but everyone involved within the whole team is taking action? >> I'll start. So our organization we've looked at exposure management. So really dealing with uh vulnerability management but actually using threat intelligence
to help drive what uh priorities to deal with. Right. So in the space you're actually starting to see a lot of things like vulnerability data tied to MITRE ATT&CK technique. We can then uh so we so to step back we can we can get threat intelligence. We can then take that data, give it to like our vulnerability management team to fix, but also we can give that to our like detection engineering team to make sure that we have um detection logic in place to actually det uh respond to those threats. And then we can actually even test it across the organization to provide like really strong um proof to our leaders like going hey this threat
came in. We've validated that hey yes we have a vulnerability but we also have this control that's designed to protect that threat and we have detection logic in place to detect if that threat becomes realized. That is a good story to you tell your leaders to say hey we are actually protected and it allows you also then not from a vulnerability management perspective or even a detection logic perspective is you're not actually wasting time on maybe the ones that are actually not going to provide any risk to your organization. uh at the government we or the cyber uh intelligence team has something we call the triage board and we basically take in news um that we see um I spend like
an hour 30 minutes of my day kind of reading the news okay is it something that we have in our uh environment if it's yes we kind of go through a little checklist of things okay how where do we put that in priority and we put a card on our triage board and then re assign it a team. So if it's a vulnerability, we assign it to the vulnerability team and then they have their own process to um like check the triage board and deal with uh the cards that we add in. Um and then aside from that, we also have bi-weekly sharing meetings with all the teams in cyber. Um and the threat intel
team talks about um intelligence that we've seen or maybe some triage cards that have not yet been dealt with and we just have a conversation with those teams on where they see the priority, where we see the priority and then uh discuss it with within so that you know that gets resolved if we saw it as a high priority but they didn't and just have a better understanding of what each team requires and adapt. Um it's all about kind of adapting for us, adapting to what each team needs, adapting to their new processes if they have changed their processes and providing intelligence that matches their well intelligence requirements. Um so there's a lot of work that we do to working with those
teams determining what their intelligence requirements are, what their priority intelligence requirements are, and providing them uh their triage cards with uh items that they can actually action. um in the time that we deem uh you know high low medium low uh for priority. So that's something that has been working for us and we will kind of continue to do so but again as different teams change we will also change with them. Can I just build off that? One thing that we haven't fully implemented yet, but we're good. Is it the idea of taking external threat intelligence, but also internal threat intelligence that would then funnel over to our GRC teams, which allowed to go, hey, are these controls aim being are we
putting the right controls for these applications and stuff like that? Really getting them more effective as well. So, it's just not even external, again, internal threat intelligence as well. >> Yeah, I'll just make it quick. So, I see it. You know people could be in different levels of maturity in their CTI program. I see it more from a people process technology perspective. Right. So first is you have to give safe space to people who would like to come into this field of threat intelligence. SOC analyst IR analysts are bit separate from threat intelligence. They can leverage those skills to come into this field. So you have to create a bit of that safe space for them to play to
experiment to do what's called threat hunting as one of the c one of the ways to look at things. Use open source to the extent possible like don't just focus every time on using closed source systems. You have to pay hefty amount of money. You can learn skill sets using open source technologies in safe labs whether personally in their own homes or in your work environment if you could pull that through. Uh so that's the people aspect making sure that they have the skills or are you give them that safe space and time and attention and effort to you know bring that talent up. Then comes the technology. Technology as I said could be open source depending on
your budgetary constraints and whatnot or you could buy closed source technologies or even threat feeds from many angles. There are many things. Information is sharing. Information is power. There are many organizations who would provide you the capability and the platforms to ingest and learn information uh threat feeds. Public safety Canada they have sector-wise information ISACs which you can subscribe to. US has many CISAI and others DNG ISAC ISAC these are ISAC cyber threat intelligence feed. So those are some uh platforms you could subscribe to from a technology perspective to get an idea internal intelligence or external. And then the process is important. You have technology. You know there's a reason why I call it PPT. It's people process
technology. It's not PowerPoint by the way. It's people first, process next, technology last. A fool with a technology is still a fool, right? It's important that technology can only augment you but it's the people their skill set and if you can build processes around SOC, around threat feeds intelligence so it takes a time it takes a village to make this feel but you can always start somewhere, start small you know take the first baby step and I'm sure you will go past >> uh and maybe shameful plug here uh for the podcast I think it's fair to say the vast majority of the interviews I did everybody's concerned about how we offer value upstream. So, it's uh CTI teams in
general will tend to be like the nerds kind of thing. So, it's not the most comfortable zone to really like sell the value of your uh team upstream. Uh but if you don't do that, at some point when they need to cut costs top down, uh it might be impacted. So, it's a really important topic within most of the people I was interviewing for the podcast. Thank you. Um, where's the microphone? Okay, >> we have a question here. Um, I think too much I'll start that from the and I've been in cyber security for 30 years of my life. Um, it seems to me that we're at the infancy of cyber threat intelligence and that
we're really looking at it from a systems perspective and a systematic approach. Um, industry uh I'm an industry 4.0 expert. industry is really going towards digitization of absolutely everything and moving from analog processes to digital processes and as we digitize this do you think that there's an opportunity for cyber threat intelligence along with vulnerability management to be tied to business outcome processes so being able to tie uh standard operating procedures and SOPs digitally so that when an analyst is looking at something from a technical perspective at a system level that they understand the outcome to the business impact, right? What is going to impact the business because of a potential vulnerability to the
machine. The other side of this question is that vulnerability management is only really effective if we inventory all of our assets. We understand the criticality of those assets. And so if we can tie the criticality to business processes is this do you guys see this as a direction in CTI? >> I'll take it if you don't mind. So great question Michelle by the way I think you have hit in my opinion the North Star of where CTI should go. We are probably not there. I mean I made a comment when I started the CTI panel risk is you know threats versus vulnerabilities exposure as you just mentioned. So you have expanded that equation not just based on
threats which is what CTI is but into whether those CTI analysts need to understand the business impact the exposure of those assets and the exposure of those vulnerabilities. And it's a great point because CTI analysts in my opinion should understand their actions or the actions of the threat actors could have impact of the business to which they are serving. You can't just sit in a silo and figure out hey these actors are doing what? So it has to expand down. I'll take it a step further from a CTI to doing a risk assessment of sorts. Use that as an input having a concept of those assets or impacts and an overall risk assessment. If and not just CTI
analysts I would say cyber in general if you could use those CTI concepts but ingest it into doing that risk assessment that would be great. I mean are we there that in my opinion probably we have work to do there. >> Yeah just great comments again. Um, I'll just add that that's probably an area that I hope it goes to as well. Um, coming from a business background, uh, business student, um, that's definitely kind of sometimes what I think about, but of course, you're kind of stuck in processes. And, you know, I think Michael Spalling said it this morning, you got to take risks to kind of push that change. And perhaps it is a change
because in the end, what gets things done? The business side. Who makes the decisions? The business side. and you have to appease and show the value to the business side. So kind of transforming it to that side is definitely a way to uh evolve um CTI as a whole. >> One thing I'll think just to add to that is like it really allows your business to maybe to make business decisions if we have good threat intelligence uh that can go up to the board the business leaders to allow them to make that. We try to keep threat intelligence typically like, oh, we're only providing it to our staff or our leader, our direct leaders. But what
about like the business leaders across the entire organization that are making risks? Um, especially maybe if you're in a corporate world where you're doing like mergers and acquisitions and stuff like that that can really help you make a proper business decision uh to and get a good outcome. And that's where I don't think we're even seeing much of that yet from a cyber perspective actually. But it is actually also impacting one thing also from a business impact. I've had the opportunity to sit earlier this year with our finance department and because we were doing meeting out with the credit agencies and we're talking about like cyber security and the impact to our credit rating.
Well, if we have good intelligence that allows us to maintain a good credit rating allows our business to be much more effective as well. So really linking that up into those processes, I actually do see where we can see the next step. And um how do we get there? I think we have to figure that out. Uh and so we'll see where that goes. >> Uh do we have time for one last question? >> I have a microphone and they gave it to me. Um unfortunately uh so I was wondering so internal threat intelligence was spoken about earlier. I was just wondering if you all could comment on your processes for data collection threat
intelligence internally in order to make that actionable. in addition to all the external threat feeds uh external threat intelligence sources that you're collecting etc. >> Oh, sorry. Uh, one of the big uh, things that we've been working on is really around our data pipeline. A lot of things is actually more than threat intelligence. This is sort of like AI analytics and stuff like that is really being able to collect data and then store. We're actually looking about building a bit like a data lake and then being able to analyze across that actually leads to a bit of skills that I think in the threat intelligence space that we're looking for. We're actually looking for people with data
science and data analytical skills to join our team to then be able to analyze that data to look at all the incidents or things that have happened within our organization. Put that together and go, hey, maybe this is a threat or maybe we can actually combine incident that happened like 6 months ago, a month ago, two days ago that hey, we're actually now being targeted by a single target. and then being able to report that up to drive a lot of the decisions. So really it both starts at the beginning of Maya though is actually building a proper pipeline to get all the data that we do need to be able to do that work.
>> We're trying. Um um I the uh in intelligence team for the government is new for its current state. Um and we are we have it in our maturity level to try to build that up because right now everything that's come from internal has been by chance. I've come across from this phishing email and chance by chance and it evolved into this big phishing campaign um that we discovered. Um, do we have a proper process right now? No. But we're trying to set that up right. We've been trying different things, Excel, GitHub. Um, but it's something that we are trying to mature right now because it is incredibly important. >> I've been told to stop. >> Stop.
>> Yeah. >> Oh, okay. That's it. Thanks everybody. Thank you all.