
Abstract and Chris Camacho: Threat intelligence - the next evolution

Abstract Team
SIEM
August 1, 2024

In this episode, Ryan had the pleasure of welcoming Chris to Abstract Security and discussing the importance of threat intelligence in the cybersecurity field. Chris and Ryan, both with operational roots in the financial services space, shared insights on how customers are utilizing threat intelligence in their Security Operations Centers (SOCs). We highlighted the shift towards more efficient and automated processes, with many organizations integrating threat intelligence into their Security Information and Event Management (SIEM) systems for proactive threat hunting.

We covered the evolution of threat intelligence use cases, from basic indicator investigation to advanced analytics and event enrichment. Chris emphasized the need for scalable solutions like Abstract Security to help organizations of all sizes effectively manage and leverage threat intelligence data. We also touched on the challenges of prioritizing and integrating threat intelligence feeds into detection and prevention tools, underscoring the importance of a platform that can handle large volumes of data.

A key highlight of the episode is the announcement of the Abstract Intelligence Gallery, a platform designed to streamline the management and correlation of intelligence data from various vendors. This new offering aims to empower organizations to make their threat intelligence actionable, enabling them to proactively identify and mitigate potential security threats.

Show Transcript

Ryan:

Welcome Chris, glad to have you at Abstract Security here. I noticed you're getting into things your first couple of months, and we just announced you at the company. So I want to give you an official welcome. Wanted to talk to you today about some of the threat intelligence work we have going on here and some of the news we have going on and kind of how we see customers using threat intelligence and really getting value out of their threat intelligence. Yeah, in the real world. So, welcome.

Chris:

Thanks Ryan. Excited to be part of the Abstract family and talk about this thing with you because I know that you and I have operational roots in this space from way back in the financial space.

Ryan:

Yes, yes, that's definitely helped inform kind of how I view our customers' challenges, you know, working in the kind of big financial space. I know you have many years there as well. Definitely helped give me some perspective on kind of the scale really that a lot of customers are seeing in their environment, right? The scale in terms of the kind of threat intelligence they have coming in and just the amount of data that they need to collect and analyze as part of their security stack. So yeah, you're obviously coming from the Intel vendor side as a kind of Intel provider. You know, how have you seen customers using threat intelligence from a SOC perspective? Like what's some of the most interesting use cases or ways they've been applying it in the real world?

Chris:

Yeah, so I think not much has changed from probably when you and I were in a seat doing threat intelligence, meaning people still have a provider or a feed or something from an ISAC and they see an interesting indicator or something, a hash, right? Some type of value that they then have to go investigate on their network. And still to this day, many are literally just cutting and pasting and then pushing it to their SIEM to investigate, right? I don't think that's changed. Some have become a little more sophisticated maybe of taking a, as you said, so I come from a threat Intel company, Flashpoint, just recently, and I've seen what others are doing, which is, all right, I'm going to integrate into my SIEM, easy, or I have a threat Intel provider, a TIP in the middle, to do that work for me. Lo and behold, as budgets are starting to get decreased and people are looking for more efficiency and automation, I think you're starting to see a lot of people try to do it themselves, again, meaning how can I just take my intel, whether it's commercial or proprietary, and do my hunting in a SIEM-like environment? And I think that's honestly where the future of all this is headed, like adding efficiency and the ability for more SOC members to do threat intel per se, operational. In the past, I think when you and I were in a threat intel operational space, threat intel really owned everything and then would pass it on to the SOC to investigate. I think more and more, even when I was at my previous company, I was like, why? Why is there a middleman slowing things down? Especially in this day and age where events are happening 24-7 and you have 24 by 7 SOCs or MSSPs that can be doing that work. Why wait for someone to do it in the middle?
So you're starting to see, if I'm able to take a feed or look at indicators and hunt within my own SIEM, I can at least do analysis, I'm not gonna break anything, and then turn that into a possible incident event or get a lot of head start on the findings and then push it to a threat Intel team to maybe do some attribution or what group is this, have others seen it, et cetera.

Ryan:

The threat Intel function or the SOC, right? Shouldn't need to be managing lists of indicators like that's what they're paying the security vendors for. You should just be able to take whatever threat intelligence that you want as a security team and apply that against your events and let an analytic product like Abstract Security do that correlation for you. And one of the things I've seen is, like, there's this overwhelming sense of where do I start with threat intelligence, right? There's all these feeds out there. There's actually been, it seems to be, some consolidation in feeds, you know, for me, like 10 years ago, when I got into this space, there was all kinds of open source threat Intel out there. And a lot of that seems to have gone away. And it seems like a lot of customers are picking kind of a handful of Intel vendors that are delivering, you know, the right intelligence for their use case. Right, for their kind of industry sector. If they're a bank, maybe focus on the banking malware Intel, right? Yeah, cybercrime rings. Yep, bring that in. Do the correlation against your events and go from there.

Chris:

So yeah, cool, and then, right, action on that. That's exactly what appealed to me, you know, starting Abstract with you right back in the day and then obviously joining now, is, you know, day in day out, as the most mature enterprises were building large teams, I could see that not scaling to, let's say, the mid-tier, the regional banks. They're never going to hire an army's worth of folks to be able to operationalize threat intel. So how does a solution like Abstract help those folks scale? And it's easy. It's just taking, like I said, your home-baked threat intel or things you're getting from an ISAC or your peers, or a commercial solution, and quickly being able to hunt on a platform, investigate, query, run searches and then bring that back so that you can actually start taking action on all that Intel.

Ryan:

Yes, that's really what I would consider, I'll call it the analytics use case, right? Like, taking my Intel, doing the correlation against my events and doing the analytics on that. The other kind of high-level use case I've seen come up is this idea of using threat intelligence to enrich my events, right? So I have, let's say, for example, some authentication events flowing into my analytics tool. Those have a source IP address associated with them. And I actually want to not just alert if there is a match to a known bad IP, but I actually want to add context to that event, because later on when I'm just doing searches or reporting, I might want to use that threat intelligence as part of my report or as part of my queries. Yeah, this is something I've seen come up more often, and there's a whole suite of pipeline and observability products out there trying to tackle this space coming online as well. I don't know if you've seen that at all, Chris, or heard some of those conversations.

Chris:

Yes. I mean, to me, the threat intel space was always hard to define. And what I mean is, if I were to take 10 customers, 10 enterprises, some of the largest to mid-tier to small ones, to even technology companies, and ask them, what does threat intel mean to you? Everybody would have a different answer. Some are very geopolitically focused, some are very focused on identity access management, DDoS, malware, nation state malware, physical security, fraud, et cetera. So it's very hard to, you know, have a solution that is applicable to all from one vendor per se, including the use cases that you just described. I think those discussing or thinking about those use cases are thinking ahead, as folks should be, right? You still have some that are in the traditional, hey, I need, oh, a phishing campaign. Just tell me who the senders are and I'll do that query. All right, pretty easy. But those that are kind of evolving in the threat Intel space and moving above and beyond, which have similar use cases to the ones you described, are the ones that are probably more sophisticated, that will continue maturing and continue looking at innovative vendors in this space or applying innovative solutions. And then the others, nothing wrong with not having those capabilities, but it's, you know, you're probably, your threat landscape is much smaller, right? You're probably, you know, your brand isn't as well-known or your footprint just isn't as large as some of those others, which is fine. I mean, that's where we can come in as well. It's just we apply to small use cases, medium use cases. And, of course, the heavy, large, you know, Splunk type of deployments that are out there as well, that scale and absorbing all those logs, bringing them in and searching on them.

Ryan:

Yeah, so when you were in your Flashpoint days, I know one of the big use cases, I'm sure for you, was customers wanting to ingest some of the observables that you were providing into either their detection tools or into their networking tools, right? One of the things I saw on the Threat Intel management side, as someone who's aggregating all these feeds, was I have all of this intel that I want to put into these products to do detection, but like I'm getting hit by limitations all the time, right? And certain products are better and worse than others in terms of the limits they can handle. But oftentimes, you know, we're talking about, you know, on a scale of thousands of indicators that you can send in for either detection or prevention into these networking and detection tools. That was a challenge that I saw coming up again and again: customers paying a premium for intelligence from a vendor like Flashpoint, and they're only able to leverage really a small sliver of that in their tooling. Then that made the story all about, well, how do we prioritize the right intelligence into the right systems? Something that we're focused on here at Abstract is making sure you don't have to make as many of those prioritization decisions. We're really building our platform at scale and, you know, can handle up to, you know, millions of pieces of threat intelligence that you want to do from the correlation or from the kind of enrichment and data pipeline perspective. That's something I saw consistently, and I'm sure you're relating to as well.

Chris:

You know, Ryan, that reminds me. So back in our day, I believe that we were one of the two financial institutions that had Palantir as a solution. And I think back in those days we had it because it was really the only one that would scale and absorb so many logs, right? But what was the end use case? It was taking stuff like threat Intel and then searching across all that data set. At the end of the day, that's what it was, right? And of course, other use cases in fraud and whatever, but that was our strongest use case. And we've come a long way, where with companies like us, Abstract, you no longer need that forward deployed engineer and very sophisticated and heavy engineering. You know, you can deploy us in our cloud environment, your cloud environment, more importantly, and start doing those queries. I think that's definitely a big differentiator in this day and age from back then. And also one thing I didn't like about the Palantir model was we, at my last institution, had to buy all these feeds because where else would we get the feeds from, right? And, you know, I always wondered why don't these SIEM vendors and the Palantirs of the world just have a data feed? I know that at your previous TIP company, I think you had a data feed and I think that was a strong use case for how to sell it and people were using it. So this is why instead of us building a feed, we're partnering with your own feed or we're letting you use, you know, as we mature this Abstract Intel Gallery, your own Intel and process all those millions of indicators across the data sets.

Ryan:

Yeah. So that brings me to, I wanted to get a quick shout out in to what we're going to be announcing here in a few days, which is our Abstract Intelligence Gallery. Basically, it's a way to bring in your key intelligence vendors right into a common platform that can manage that intelligence correlated against your events at scale, use it for enrichment against your events from a data pipelining perspective, do keyword alerting on that intelligence. So that's something that we're launching here in a few days. We've been working on it for the past several months and super excited to get that out into the field and in our customers' hands. And you and I are going to be, along with some other folks, in Vegas this coming week as well. Right. So we'll be around and definitely looking to meet with anyone interested in learning more about our product and our company and, you know, meeting all the Intel partners that we have out there and getting a chance to touch base.

Chris:

So I'm personally excited about this because I think it finally answers what me and my last company and many of our friends in the Intel space were also trying to answer. So what? Time and time again, both from current and current customers and prospects, everyone's like, yeah, we understand you have a bunch of Intel and data, but so what? I think we're helping answer that finally. Right? Well, here's what you can do with all this data and make it actionable and query on it and hopefully find something that you didn't know about. And then that starts an event and prevents an incident.

Ryan:

Exactly. That's a great way to put your threat intelligence to work and actually, in a single platform, really operationalize that data and really get some value out of it. Right. So, great. Well, appreciate the conversation, Chris. I look forward to seeing you in Vegas, and great talk. Talk to you next time.

Chris:

See you in Vegas.
