Scott Jarkoff, Director of Intelligence Strategy for APJ & META of CrowdStrike, explores threat intelligence development, emerging technologies’ challenges, and balancing data privacy in cybersecurity’s evolving landscape.
In the rapidly changing field of cybersecurity, understanding the nuances of threat intelligence and integrating new technologies is crucial for organizations. To shed light on these topics, tech journalist Nisha Sharma recently sat down with Scott Jarkoff, Director of Intelligence Strategy for APJ & META at CrowdStrike. Their conversation touched on critical issues such as the development of threat intelligence capabilities, the impact of emerging technologies like Generative AI, and the importance of balancing data privacy with comprehensive security measures. Jarkoff, with his expertise in the field, offered insights and practical advice, highlighting the challenges and considerations for organizations navigating the complex landscape of cybersecurity.
Scott Jarkoff, Director of Intelligence Strategy for APJ & META, CrowdStrike
CIO&Leader: What are the essential elements of a robust threat intelligence program in today’s dynamic cyber threat environment?
A robust threat intelligence program is anchored on several vital components in today’s dynamic cyber threat environment. First and foremost, it’s essential to understand the program’s objectives clearly. This may involve identifying potential threat actors, understanding their methods, or gathering specific intel-like credentials from the deep and dark web. The program’s backbone is the threat intelligence lifecycle, which encompasses planning and directing, data collection, processing, analyzing, and prioritizing information.
A critical step is identifying what you already know and, more importantly, what you don’t know to pinpoint gaps in your intelligence. This informs the selection of appropriate sources, ranging from vendors specializing in dark web monitoring to government intelligence sources, depending on your needs. After subscribing to these intelligence services, the focus shifts to collecting and analyzing the intelligence and integrating this information into your security strategy. The utilization of this intelligence is pivotal; it should not be confined to just the intelligence team but should be leveraged across various departments, including the security operations center (SOC) and at the executive level, ensuring a holistic approach to security.
Lastly, disseminating intelligence products to relevant stakeholders and the subsequent feedback loop is vital for continuous improvement. The core challenge lies in determining which elements are most critical for your specific situation, ensuring that the program remains focused and effective.
CIO&Leader: In your experience, where do you feel organizations need to implement and utilize their threat intelligence?
Two primary issues commonly arise when considering the implementation of threat intelligence in organizations.
Firstly, many organizations need to be more committed. They subscribe to various intelligence feeds or capabilities without having the requisite capacity to process and utilize this information effectively. This challenge is twofold: they often need more specific expertise and face constraints regarding available time and resources due to competing priorities and projects. This results in an inability to fully leverage the intelligence they acquire, leading to inefficiencies and potential underutilization of valuable data.
Conversely, another issue I’ve observed is a need for a more comprehensive understanding of the value that threat intelligence can offer. In some cases, organizations, particularly in the Financial Services Industry (FSI), opt into threat intelligence services merely to comply with regulatory requirements, treating it as a checkbox exercise. This approach frequently involves selecting the least expensive option without thoroughly evaluating its effectiveness or relevance to their specific needs. Consequently, these organizations fail to extract meaningful value from these services, fulfilling a regulatory formality rather than enhancing their security posture.
In summary, the challenges lie in attempting to assimilate too much information too quickly without the necessary infrastructure or undervaluing and underutilizing the intelligence capabilities due to a compliance-driven mindset. A more balanced approach, focused on gradual integration and a clear understanding of the strategic value of threat intelligence, is essential for effective implementation.
CIO&Leader: What best practices would you recommend for developing threat intelligence capabilities, and what pitfalls should organizations avoid?
In developing threat intelligence capabilities, starting slowly and focusing on manageable steps is crucial, rather than diving into overly complex solutions from the beginning. The aim should be to ensure that any intelligence services subscribed to are used and provide tangible value to the organization. A key strategy is gradually building internal capacity, starting with essential tools and progressing to more sophisticated systems as understanding and expertise grow. Integrating intelligence effectively, such as enhancing SOC visibility, is important to augment operational capabilities truly.
On the other hand, there are some common pitfalls to avoiding financial waste and inefficiency. Investing in intelligence services that could be more effectively utilized can lead to unnecessary expenditure. Additionally, ensuring that the team’s time is spent on activities that genuinely contribute to the organization’s security posture and operational efficiency is vital. Overcomplicating the threat intelligence strategy with tools or data that the organization isn’t prepared to handle can create confusion and lead to inefficiencies, detracting from the overall objective of strengthening the security infrastructure.
CIO&Leader: How can organizations effectively address the talent gap by adopting advanced technologies and threat intelligence, considering the challenges faced by different generations in the workforce?
Regarding the talent gap in technology adoption and threat intelligence, the fundamental solution lies in education and training. With the rapid evolution of technology, there’s a noticeable divide: the older generation may not be as familiar with newer technologies, while the younger generation, though more tech-savvy, lacks experience and depth of understanding. To bridge this gap, organizations should invest in educating their workforce.
If an employee, regardless of their role, shows an interest in intelligence but lacks experience, consider enrolling them in specialized training courses. For instance, despite being expensive, SANS courses are highly valuable for their comprehensive and practical insights into various aspects of cybersecurity, including threat intelligence. This investment in education upskills your staff and helps build a team capable of effectively leveraging intelligence tools.
Another critical factor is securing executive buy-in. Often, initiatives like subscribing to threat intelligence services start at the middle management level without involving higher executives. However, executives must understand and support these programs to be successful and sustainable. They need to see the relevance of threat intelligence in the broader context of business risk and security strategy. Without this top-level endorsement, such initiatives may struggle to make a significant impact.
Organizations can effectively navigate the talent gap by adopting and utilizing advanced technology and intelligence systems, focusing on education and training, and ensuring executive buy-in. This approach enhances the current workforce’s capabilities and aligns the strategic goals of intelligence programs with the overall business objectives.
CIO&Leader: How do you anticipate the integration of generative AI (GenAI) will transform the efficacy of threat intelligence programs in cybersecurity?
With the rising prominence of generative AI (GenAI) in various industries, its impact on the efficacy of threat intelligence programs is expected to be significant. One of the key benefits of GenAI in this context is its ability to function like a virtual Chief Information Security Officer (CISO). This AI-driven approach can rapidly provide comprehensive insights into potential threat actors, their methodologies, and the vulnerabilities they might exploit.
Generative AI simplifies the process of gathering, processing, and understanding complex security data. It enables security professionals to ask direct questions and instantly receive detailed, actionable answers. This capability is transformative compared to traditional methods, which are more time-consuming and labor-intensive. For instance, with GenAI, a security team could quickly identify specific adversaries targeting their organization, along with the particular vulnerabilities these adversaries exploit. This immediate access to critical information can significantly streamline tasks for teams, such as vulnerability management, by providing them with focused, prioritized areas for patching and defense.
Integrating Generative AI into threat intelligence is not just about making CISOs’ jobs easier, although that is a significant benefit. It’s also about enhancing their capabilities, allowing them to make more informed decisions faster. While the role of a CISO is inherently challenging, with the responsibility often falling on them when security incidents occur, GenAI can provide a powerful tool to bolster their effectiveness.
Considering the trajectory of security technology since 2017 and the rapid advancements in AI, the potential of generative AI over the next five years is vast and somewhat unpredictable. As industries and companies increasingly adopt Gen AI and users demand more AI-driven solutions, threat intelligence and the cybersecurity landscape are poised for substantial evolution. The current state of GenAI can be seen as just the beginning, with its full potential yet to be realized in cybersecurity and beyond.
CIO&Leader: If not GenAI or AI, what other technologies will come in for the next five years?
Looking beyond GenAI and AI, predicting the exact technological advancements over the next five years can be challenging. However, it’s expected that there will be significant developments in artificial intelligence, particularly in GenAI. The rapid pace of change in this field, much like what we’ve seen with ChatGPT and similar technologies, suggests that AI will continue to be a significant focus.
One notable trend is the increasing speed and sophistication of cyber attackers. We’ve observed adversaries executing initial access and lateral movements within extremely short timeframes, sometimes in minutes. This trend is likely to continue, accelerated by advancements in AI technologies. As attackers become faster and more efficient, defensive technologies must evolve at a similar pace to counter these threats effectively.
Another emerging concern is adversaries’ potential misuse of generative AI, including the possibility of poisoning large language models to output incorrect or misleading data. This could lead to false security postures, where organizations might focus on irrelevant or incorrect threats, leaving them vulnerable to actual risks. This scenario underscores the importance of robust, adaptive security measures that distinguish between accurate and manipulated intelligence.
The future might see less reliance on traditional, manual cybersecurity methods and an increased emphasis on automated, AI-driven processes. While it’s hard to pinpoint an exact metaphor – be it the Matrix or Terminator – the shift will likely be towards more autonomous systems making decisions and taking action. This evolution suggests a need for bold and innovative approaches in cybersecurity, where staying ahead of technological advancements and potential threats becomes paramount.
CIO&Leader: Considering that technological advancements are as accessible to hackers as they are to legitimate users and companies, what strategies should organizations adopt to secure their data and protect their customers’ information against sophisticated cyber threats?
In the context of technology being as accessible to hackers as it is to users and companies, the key lies in using the right technology to ensure data security and protect customer information. The reliance on legacy technology is a significant vulnerability that many organizations face. While it’s understandable due to the complexities involved in transitioning to more advanced solutions, the risks associated with sticking to outdated systems, particularly in the face of modern threats like ransomware, are high. Investing in next-generation technologies is crucial. These advanced solutions are essential in combating sophisticated cyber adversaries who often exploit weaknesses in older systems, mainly through tactics like ‘living off the land’ attacks that use native operating system tools.
Even next-gen technologies aren’t infallible and must be complemented by skilled human oversight. For example, distinguishing between legitimate administrative activities and malicious actions on a network can be challenging. This highlights the need for a balanced approach that combines technology with human expertise.
Moreover, a unified platform approach is recommended. Adopting a unified platform simplifies operations instead of using multiple disparate systems, which can create complexity and require extensive training across different technologies. This streamlines the process of managing security tools and enhances the ability to respond effectively to threats. Layered defenses remain important, even with the shift towards cloud-based solutions. Moving away from legacy systems to integrated, advanced cybersecurity technologies while ensuring a combination of automated defenses and human expertise is crucial for modern organizations to protect their data and customers’ information.
CIO&Leader: How can organizations effectively balance the need for comprehensive threat intelligence with ensuring data privacy?
Balancing comprehensive threat intelligence with data privacy is a nuanced area, but it may not be as problematic as it initially seems. Threat intelligence is largely a consumption-based model, where organizations consume information such as indicators of compromise (IOCs) or threat reports without necessarily sharing sensitive data with vendors or government entities. Therefore, the issue of data privacy in the context of threat intelligence is limited.
The primary concern around data privacy in threat intelligence involves ensuring that appropriate security controls are in place when intelligence is fed into cloud-based environments. This is particularly crucial in sectors like the Financial Services Industry (FSI) or healthcare, where the leakage of personally identifiable information (PII) or health data can have serious consequences.
In most cases, about 95% based on experience, threat intelligence involves consuming rather than sharing data. When sharing is necessary, such as sending tools left by threat actors on a network for analysis, it generally doesn’t involve private, sensitive data. Data privacy focuses on protecting the core, sensitive data of the organization, which typically isn’t implicated in the consumption of threat intelligence. Thus, while it’s important to be vigilant about data privacy, especially in certain sectors, in threat intelligence, it’s not a predominant issue for most organizations.