In this Spotlight episode of the Security Ledger podcast, I interview David Monnier, the CIO and Chief Evangelist at the firm Team Cymru (pron. kum–ree) about the evolution of the threat intelligence space and the growing need for what Team Cymru calls “Threat Reconnaissance,” a process for leveraging organization-specific threat intel to help root out and neutralize malicious campaigns targeting an organization.
“Cyber threat intelligence” is a phrase that refers to data compiled on the activities, tools and capabilities of malicious cyber actors. And it’s a big business. By one estimate, the global threat intelligence market was valued at USD $4.24 billion in 2022 and is projected to grow to $18.11 billion by 2030.
These days, most security teams consume multiple threat intelligence feeds to help them make sense of the threat landscape and spot risks to their organization – IT assets, networks, data. But making threat intelligence actionable is another matter. After all, knowing that a ransomware group or state sponsored actor is targeting your industry is different from knowing that they’re targeting your company specifically. And, absent specific information about threats to your organization and the ability to act on that information, threat intelligence feeds can simply add noise to an already noisy SOC.
A better approach is what our next guest calls “threat reconnaissance” – the application of threat intelligence to hunt down and neutralize looming or active threats that target your organization. But how does a security team move from simply consuming threat intelligence, to operationalizing it and conducting threat reconnaissance?
In this Spotlight Edition of the podcast, I’m joined by David Monnier, the CIO and Chief Evangelist at the firm Team Cymru to talk about his company’s work to evolve threat intelligence from merely curated feeds relevant to a specific industry or sector, to tailored feeds that highlight active or evolving threats specific to an organization.
The key, Monnier explained, is to gather threat intelligence that is actionable and then leverage it to expose the workings of cyber adversaries targeting your organization – the command and control (C2) infrastructure they rely on, the employees they target, and so on.
“A hotel chain doesn’t have the same adversaries pursuing it as someone at home nor as say a defense contractor. They all have different adversaries. And really, you need to have intelligence that’s catered,” Monnier told me.
In this conversation, David and I talk about the drive towards threat reconnaissance and the evolution in threats and threat actors – in particular the economics driving an explosion in cyber crime and what Monnier calls “miscreancy” over the past three decades.
To start off our conversation, I asked David to fill us in on his long tenure in the cyber security community, which stretches back to the mid 1990s and the more recent work he’s focused on at Team Cymru.
Paul Roberts (Security Ledger): [00:00:00] Okay, and we’re back. And welcome back to the Security Ledger podcast. We are here today speaking with David Monnier, who is the chief information officer and chief evangelist at Team Cymru. And David, you’ve written for us at Security Ledger before, but I think it’s the first time that we’ve had you on the podcast.
David Monnier (Team Cymru): Thank you very much. Thanks for having us, Paul.
Paul Roberts (Security Ledger): It’s great to have you. So I guess first place to start off, Dave, for our listeners, is maybe just tell us a little bit about yourself and the role that you play at Team Cymru, and for listeners who aren’t familiar with Team Cymru, tell us what they do.
David Monnier (Team Cymru): Sure, absolutely. Team Cymru, we are an intelligence provider. That’s our primary focus, largely around threat intelligence specifically. We do a lot of B2B enrichment. So we provide a lot of the intelligence [00:01:00] insights that go into security products in the world, whether it be your firewall needing to know what to block or whether it be your antivirus needing to know what files are malicious, those types of things.
In addition to that, we make our insights directly available to threat hunters, allowing people to do what we call threat hunting or threat reconnaissance, and it allows our partners to create what you would call a proactive threat intelligence, helping us to get over the hurdle of you’re waiting for your threat intelligence provider to collect information and feed it back to you through their TIP, something like that.
All of that takes time. It’s also, frankly, entirely too generically collected to be super important to you. Like a hotel chain doesn’t have the same adversaries pursuing it as someone at home [00:02:00] nor as say a defense contractor, they all have different adversaries. And really, you need to have intelligence that’s catered to the theater of action that you’re subject to. So we focus on that.
How I got to Team Cymru: I was a non-commissioned officer in the U.S. Marine Corps. After that, I got out and caught the, I guess you could call it the beginning of the internet boom, and discovered that I had a natural aptitude for how computers worked, not just mechanically but at the code level as well as the network level.
So I was a natural hacker, if you will, entirely self-taught. I’ve taught some collegiate classes but I’ve never attended many. I don’t know if that’s good or bad. It helps me with communicating for sure because I… Yeah, it’s, well, I communicate always in layman terms because I don’t know the [00:03:00] fancier words typically.
But that’s helpful. But then from there, I went to work at Indiana University primarily as a Unix specialist, and largely in high performance computing space, originally doing what you could think of as multibody experiments around gravity and astrophysics, things like that. I was part of a team that processed that type of data.
But then we moved into biosciences, ’cause it’s a very similar problem, where I helped build systems that were doing things like protein folding and things like that, looking for genomics and tie-ins like this. Computationally, it’s very similar. But then we had a breach of an international grid system that we were part of.
And I was one of the few people in the room that kind of understood what criminal motives were and how bad actors, what motivates them and why they do things, and then how they act when they get into a [00:04:00] system. So it turned out I had a natural aptitude, not just for computer systems, but also how people misuse them.
So I transitioned from doing Unix administration into doing security engineering and security architecting. From there I left to start the Research and Education Networking ISAC, which is information sharing community collaboration amongst higher education and in North America, where I helped start that organization, build its trust community and information sharing platforms that were there. Along the way I met Team Cymru’s founder Rabbi Rob Thomas, who invited me to join Team Cymru about 16, almost 16 years ago, I guess now. And at Team Cymru, I’ve held a number of roles, both technical roles as well as leadership roles, managing both our operations and engineering teams, networking teams, security teams, but [00:05:00] also oversaw our intelligence practice. Presently I oversee as CIO, I oversee all of those technical operations, but then as chief evangelist, I also oversee our intelligence research teams where we do a lot of work highlighting and illuminating the activities of various miscreant teams and operations around the world, most of which you can see our information published either on Twitter or on our website.
We do regular intelligence information sharing components there, typically with all the things you need: IOCs, technical backgrounds, things like that. Our forte though, really comes down to applying what we call our, product suites are what’s called Pure Signal. So think in the signal intelligence sense, and we help people – we apply network metadata to help people understand what bad guys are doing, who they’re doing it to, how they did it and how you can keep them from doing it to you. [00:06:00]
Paul Roberts (Security Ledger): You’ve been at Team Cymru for 15, 16 years, long time. And obviously, in cyber security well before that. Really interested in your thoughts on how you’ve seen the space change and the sort of threat landscape change. We’re speaking today, we just heard this week Kevin Mitnick passed away earlier this week, a prominent figure in the early days of hacking, going back to the kind of phone phreaking days and stuff like that.
It makes me mindful of how much the industry has evolved and changed in that time period. I’m interested in your thoughts.
David Monnier (Team Cymru): So a lot has changed in the industry. And a lot of it comes down to some societal changes.
I would pin much of it on that. ’Cause technology changes no matter what, right? We [00:07:00] have Moore’s law that says CPUs double in speed every 18 months. And we have all these other various factors. But one of the things that I think has really changed the security community or security industry as a whole, or the security landscape, let’s even draw it back a notch.
But the security landscape, a big part of what drove or has driven change is, frankly, the monetization of miscreant behaviors. You mentioned Kevin Mitnick. He was absolutely probably one of the greatest social engineers to ever be. We should probably all be thankful that he took a technical route and didn’t start a Ponzi scheme or something like that, where he probably would have done amazing at that, probably could have made (Bernie) Madoff look like an amateur in that regard, but yeah.
In that time, when all of that was going on, he gained access to various national laboratories. [00:08:00] He had direct access, believed to have had direct access, to AT&T’s Unix source code, which was all proprietary at the time. He had direct access to Bell Labs, and the Berkeley distributions.
That was, and if you’re not familiar with Unix, there are two kind of family trees to Unix, the AT&T family tree, and then also the Berkeley side of the family tree. And he basically had access to both of those. And what he didn’t do was go out and try to sell them, and that stayed to be the ethos for the most part.
I know there are instances in what I would call corner case examples of early hackers or whatnot going out and rigging radio call-in shows so that they won every prize, and there’s all of these examples, but they weren’t the norm. But somewhere along the way [00:09:00] things changed significantly and miscreants figured out that they could monetize miscreancy, and that is a very powerful driver. In pursuit of money is the same reason people do all kinds of unpleasant occupations, right? The guy cleaning out septic tanks in the countryside has probably one of the most terrible jobs ever, right?
But he needs money. They have, it’s, no one really loves to be a septic tank engineer, I would imagine. But similarly, having that driver, there were people who figured out that, well, I, the country I’m in, maybe it’s a former Soviet state, maybe it’s some part of Africa, the famous Nigerian email scams and all of this stuff.
Those folks figured out that you could make money doing miscreant activities, right? And that drive, that economic driver has largely, in my opinion, [00:10:00] shaped the adversarial motivation, shifted it from, hey, let’s learn something, or hey, let’s do something no one else can do, which there was a lot of bravado in early miscreant activities, like they would come in and deface the FBI’s website just to show that they could do it. But nowadays, I would imagine if somebody gained access to their network, it would be more to find out who all the confidential informants are in the world and try to sell that information to the people who would, look, pay for it.
So that kind of shift where hacking, what’s just called miscreancy, when it became profitable, that’s really what I would say was the apex moment of where things changed drastically. That motivation, the details of that motivation spread the industry. At the time, Blaster, Sasser [00:11:00] worms, things like that came about probably in the first five or seven years or so that I was involved in the industry.
But those, that malware did nothing. Conficker did nothing. All it did was propagate and cause network disruptions. But today, if the same type of vulnerability were to be found in, let’s say, the global user base at large of the internet, you can rest assured that would not be done the way that it was done. Super worm days are over because it’s just entirely too profitable to waste the capability like that.
Given that, I would say that’s the number one thing that’s changed. Technology changing, I don’t attribute it necessarily to the security industry driving that change. I would largely argue that technology is on a momentum of its own, and the application of those new [00:12:00] things just happens to be in the security space, right? They’re also getting applied in other non-security applications.
Paul Roberts (Security Ledger): Sure.
David Monnier (Team Cymru): The thing that certainly has changed is the motivation space.
Paul Roberts (Security Ledger): Yeah, I agree. It’s interesting, when I started the cybersecurity beat was in September of 2002, and within about four or five months, four months of starting, it was SoBig, Blaster, SQL Slammer, right? They all just rolled out one after the other.
And like you said, back then, you didn’t really talk so much about cybercrime. There wasn’t this notion of cybercriminal groups. These were all kind of status malware, and it was who can span the globe quickly enough, who can compromise the most networks, who can generate the most disruption, but that was about it.
It was just a demonstration of ability rather than a targeted attack with a monetary gain at the end of it.
As you described, Team Cymru is in the [00:13:00] threat intelligence space. One of the things you are talking about is this sort of migration or evolution, maybe is a better word, from threat intelligence to threat reconnaissance, right?
And getting organizations to look more, in a more holistic way, at identifying threats. Could you talk about that? What’s behind that? So what is threat reconnaissance as opposed to threat intelligence?
David Monnier (Team Cymru): Yeah, sure. I touched on it briefly in my intro, but there is a difference between receiving static intelligence versus curated intelligence versus proactive dynamic intelligence, right? Static intelligence is here’s a list of every bad IP that we’ve seen on the internet, or here’s a list of every bad hash that’s been [00:14:00] found on the internet, and that’s not useless.
That’s interesting, right? It takes time and whatnot to generate that insight. But it takes resources to apply static threat intelligence. And your routers, your policy devices on your network, for example, which let’s use that, they have a finite resource. In them, they have only so much memory that therefore only so many lines of policy can exist to be applied at a certain time, right?
The evolution shifted from tell every router about every bad thing there was to, the threat intelligence community, ourselves included, started to categorize the threats. So like, hey, these are specifically DDoS bots. These are specifically command and control servers. These are specifically phishing sites.
These are… And we started to get into this kind of, let’s call it categorization for lack of a better word. And those [00:15:00] categories are applicable depending on whether your business is in the healthcare industry, you’re going to be concerned about certain things that are different than, for example, a financial company that has their own concerns, right?
So that kind of middle stage, what I would call “curated” threat intelligence, where people did their best to identify, “Hey, these are the general threat types that you should concern yourself with.” And that’s useful because it does allow the better application of the finite resources that are your controls, whether they be firewalls or routers or… group policy objects on the desktop. You can push out white listing and blacklisting policy for execution as a group policy or AV, these types of things. So it is helpful in making better use of those things, but it’s still largely [00:16:00] antiquated in the sense that you don’t actually know that the threat intelligence you’re receiving is applicable to the adversaries that are looking for you or that are looking to be a nuisance to you.
But what you can do is, with enough external visibility and enough external insight, you can actually take, let’s say, the list of IPs that you see probing your network, or the domains and URLs that you see people sending phishing attempts or spear phishing attempts to your staff at your company. Wouldn’t it be great to be able to say, hey, we know for sure that this adversary is attempting to target specifically us, right?
Wouldn’t it be great to be able to take that insight and then illuminate that infrastructure? See, maybe you see those IPs [00:17:00] are all talking to another same IP. Now you start to see, okay, this must be the command and control infrastructure that’s managing this adversary. And then maybe be able to go so far as to see who’s talking to the command and control server.
That may say, if all of the bots are checking into something using HTTP, maybe TCP port 80 or TCP port 443, you can see all that, but there’s another IP in there that’s using SSH. This person using SSH is likely the person administering that command and control server.
And wouldn’t it be great to be able to pivot off of that person and see what other infrastructure are they SSH’d into and take those IPs and then practically block it? And now you’re getting into threat reconnaissance, right? You’re observing the adversary who is conducting operations against yourself or perhaps against your sector, your vertical, whatever.
Whatever their specialty is, right? Whoever that they’re [00:18:00] targeting. And that type of insight allows you to create what you could think of as bespoke intelligence specifically for you and enabling your threat hunters, and you would know with confidence then, we’re doing everything we can to actually be in front of the adversary.
So we’re like, we’re seeing them stand up new infrastructure and we’re blocking that new infrastructure before it’s even live and be able to be used to deploy it against us. And then again, the ability to have the context around the attackers is priceless as well. So imagine knowing the difference on Friday if your SOC is able to tell the difference between just general noise, so something that’s just maybe probing the entire internet, or something that’s probing every company that’s similar to you in an industry, or probing only you. Those types of contexts, that’s the difference [00:19:00] between, okay, I can revisit this on Monday, or, no, I need to put a team together because we have a determined adversary that’s trying to get into us right now and we need to address this immediately. And that type of context saves you time.
It removes what I like to describe as the fog of war, which is where most problems happen in the decision making tree, is under duress, right? So if you’re not clear headed, you can make bad decisions. And I would argue without context, you couldn’t possibly be clear headed.
You may be calm but you don’t have context. So there is that fog. So that type of clarity that you also get with doing threat reconnaissance is, like I said, I would argue, invaluable.
Paul Roberts (Security Ledger): So, what’s in the threat reconnaissance tool belt? Obviously, companies have invested a lot of money in [00:20:00] various cybersecurity point products or platforms, SIEM and endpoint detection response and you name it. When we talk about threat reconnaissance, is it really just a new way to use the data from the tools you’ve already gotten, or are there new capabilities that you need?
David Monnier (Team Cymru): No, it inherently needs external data. Threat hunting based on your own telemetry, it’s limited to exactly that, right? So until you actually have made contact with the adversary, you don’t have any insights, right? If the only sensor that you have is your own network edge or your own systems, you’re already engaged with the adversary in order to learn any insights from that behavior. So what threat reconnaissance does is actually borrows on collective insights. So in our case, we have [00:21:00] sensors and partnerships with people around the world. We collect double digit petabytes of insights every day, both from network metadata, but also things like passive DNS information, malware hashes, all kinds of external visibility. And what threat reconnaissance, the difference between threat hunting and threat reconnaissance, right: threat hunting, you’re limited by your own information capabilities, your own devices that you already own, and threat reconnaissance is, you’re borrowing on external visibility, so not data you produced yourself, but that was produced somewhere else in the Internet, and you leverage that visibility. You could think of it like all of the doorbell camera systems. Wouldn’t it be great to be able to borrow on the insights learned from the house at the end of the street, at one end of the street, so you could prepare on your end of the street [00:22:00] before the people came down the road, and vice versa? And that’s the biggest difference right there. tools that
Paul Roberts (Security Ledger): thought up an idea for a new company, David.
David Monnier (Team Cymru): No, no, that company actually exists. There’s a couple different startups right now that are doing collected and AI driven where you can lend your camera footage to a collective and AI then ties these things together.
Paul Roberts (Security Ledger): Interesting.
David Monnier (Team Cymru): Yeah
David Monnier (Team Cymru): I wouldn’t tie into that just because (inaudible) other telemetry, I wouldn’t have a problem with it. But in the case of cameras and AI…
Paul Roberts (Security Ledger): It starts tilting towards bad outcomes. Orwellian, yeah, authoritarian surveillance.
David Monnier (Team Cymru): Absolutely.
Paul Roberts (Security Ledger): And we obviously, we see [00:23:00] authoritarian governments around the world doing this very thing, right?
David Monnier (Team Cymru): Absolutely.
Paul Roberts (Security Ledger): One of the challenges right now in the information security space, it’s always been a challenge, is that it’s populated by a lot of smaller companies and a lot of kind of point products, and products are evolved to address new needs because the bad guys keep doing stuff differently and discovering new methodologies and approaches and then there’s a response. But from the defender’s standpoint, that’s complicated because you end up with a lot of kind of siloed technologies and you need to integrate. You’ve talked about this in the context of threat hunting and threat reconnaissance, that one of the challenges is integrating these capabilities across different platforms. Is that problem, as you see it, getting any better? Are we getting any better at tying together some of these security tools and capabilities, or is that still a big problem that [00:24:00] organizations are struggling with?
David Monnier (Team Cymru): I think it is still a problem in the sense that people’s workflows are still anchored onto antiquated methodologies, to where they haven’t looked at their workflow as a whole, as far as, is this the way we should still be doing it? Typically SecOps, security operations, is seen as a cost center.
So once you make the big expensive push to get started, you don’t usually get very friendly faces when you go and tell your board that you need to redo the wheel every five years or things like that. So there are, unfortunately, a lot of antiquated workflows that exist out there because the starting framework is antiquated itself.
But that aside, I would argue that it is getting technically more feasible and way easier because [00:25:00] we are, at least presently, we are, I would say, I won’t call it the golden age, but we’re certainly living a brighter age of what I would describe as API as a necessary feature.
So most policy devices these days are open to integrations. They have remote configuration, and remote policy application is in most everybody’s policy devices. And most management systems, whether they be a TIP or a SIEM or something like that, they typically have the ability to leverage those APIs, so those things are largely available. But like I said, in my opinion, one of the things holding it back is at the business level adoption, because if your cost center is going to cost you again, [00:26:00] it’s a hard sell. And until something bad happens to your neighbor, most people aren’t looking to go tear down their fence and build a new fence, but not until you see that somebody bested your neighbor’s fence, and then you’re like, I don’t want it to do that to our fence, so let’s go replace the fence.
That’s how the board typically sees what is the, I guess for lack of a better word, let’s say the migration from OPEX to CAPEX, right? That’s how they see security operations. Operations are a cost center that people like to say, okay, we did it once.
We’ve checked the box. We’ve met our regulatory needs. Or we’ve got our ISO certification or our NIST certification. Or we’ve got our certification. And then they don’t really want to go back and touch it again. And so as technologies move. And now like I said, everybody has the ability to tie things to a single pane of glass.
[00:27:00] Unfortunately, it’s hard to go back. What if the framework you were using to begin with didn’t have windows at all? What if you couldn’t tie another view into this thing anyway? Because it simply just doesn’t work that way. And that’s what I have seen is holding us, for lack of a better word, I’ll say holding us back in this regard, is that a lot of the first people who did great, amazing, groundbreaking shifts to accept that security operations was a necessary part of business, many of those giant companies made what’s the cost effective commitment to this and then now are still sticking to it. So I have been to really big companies, think Fortune 100 size, I’ve been in these companies and discovered that they’re still using 10 year old, eight year old methodologies to manage their infrastructure.
And you couldn’t tie an API into [00:28:00] it if you wanted to, or if you did want to, it’s a really long involved software development process.
Paul Roberts (Security Ledger): To that point, what are the KPIs, if you will, the key performance indicators or measurements that organizations can use or look to know if their threat hunting, threat reconnaissance capabilities and programs are actually paying dividends, are actually working for them?
David Monnier (Team Cymru): Well, I think
Paul Roberts (Security Ledger): Not getting hacked. That’s one.
David Monnier (Team Cymru): Absolutely. That’s a trick, right? Because you’re trying to measure a zero, right? If you don’t get compromised, how do you demonstrate that? Typically I tell people the, let’s call it the holy grail, of security operations is detection and awareness.
It’s not actually mitigation. [00:29:00] It’s not actually remediation. It’s detection and awareness, because without those, you can’t do any of the other two. So I am a believer that if you can’t detect it then you can’t do anything about it. So I often encourage people to move to KPIs in the sense of how much, how many events are you able to process? So if you have an enterprise where presently all you’re able to do is look at your blocked firewall, the block records from your firewall, to see what your firewall has denied, but you’re not able to look at everything that was allowed to pass through. If you can move from being able to do monitoring where only negative policy events are monitored and then move to, well, every packet that traverses our network is monitored, I would say that’s a significant KPI. If you have only your authentication denial, [00:30:00] let’s say failed authentication logs, being processed at a system level and that’s your starting point, if you’re able to move that to where you can, for example, log every execution, every process execution on a system, then that’s a KPI you should work towards.
If you can produce those logs but not process them all, maybe you’re only able to process half of them in a day. So now you’re getting down to selecting what are the most business critical systems. But then you invest and are able to look at, okay, now every endpoint in the network, we’re going to review all of their logs at this level.
That’s a KPI you should be looking to. The biggest KPI driver is, ask yourself, what’s the most amount of intelligence I could pull off of my enterprise itself, down to, like I said, each individual process execution, every single packet, every facet of information that you can [00:31:00] produce.
Pick the most important systems, if that number’s not 100%. And then work towards getting to 100%. Work to drive towards total information awareness. So that way, when you have a breach, when you have a security event, you might be in a situation where you say, you know what, we don’t know what happened. We don’t know how it was done. We don’t know what this is, but here it is. Now we have the thing that we can go back and apply forensic methodologies to try to understand what actually was this. If you don’t have in-house expertise, so what, you at least captured the event at an atomic level and then can review it with expertise as time permits and things like that.
Paul Roberts (Security Ledger): I wouldn’t be doing my job if I didn’t ask you about intelligence. AI technology. Many applications in the information security space are already being used heavily. [00:32:00] But in the particular area that you’re looking at, threat hunting, threat reconnaissance, talk just a little bit about the impact of artificial intelligence, some of the tremendous advancements we’ve seen both in generative AI and other types, and how you see that changing the landscape in the years ahead, on both the attack and the defense side.
David Monnier (Team Cymru): Yeah, sure. On the attack side, we’re certainly seeing in particular things like large language models being employed to create more believable delivery mechanisms for malware, right? You can take, for example, you could take a hundred press releases written by the same author, put them into a large language model and say, using these source materials, write for me another press release that sounds like it came from this person. You can do the same thing with emails. If you get access to somebody’s email, you can teach an [00:33:00] LLM to author a new message that is identical in the writing style that the person would have generated. So we’ve definitely seen the attackers make use of this stuff already, but largely only in the LLM space.
Generative AI though, on the other side, I’m a fan of the idea that you can feed more information to AI than a human would ever tolerate being exposed to, for starters, and actually get results out of it, because AI doesn’t get tired, AI doesn’t get sick, AI… doesn’t get bored with the topic, and you can use it to identify, in particular, anomalous activities like slow and low exfiltration that really good nation state folks are able to employ. I don’t know if you’ve seen any of the recent toolkits that are being discovered in the wild where the adversaries are using a type of what’s often referred to as [00:34:00] port knocking, where you have to send a specific packet sequence to a specific service or port, and they’re even now incorporating specific cryptographic methods to where backdoors basically wake up if they receive the right sequence of magic packets.
That would be very hard for a human being to spot with just their eyes. Most of the research that we’re seeing right now is presently happening because people are doing memory forensics on compromised systems or are stumbling across the toolkits, the implant itself, and then reversing it from there.
And that’s how they’re discovering these. But I believe that generative AI could actually allow you to look at patterns in large data sets, like network telemetry flow data, IPFIX data, something like that, where you could then, in an AI driven system, could actually see those, for lack of a better [00:35:00] word, see them, it could actually assemble those patterns and determine, hey, this is something that we should probably do something about.
Now, one thing that AI will never be able to do though, is determine what is the actual value to your business. And it’s important for security practitioners to keep in mind is that without the business, they don’t need the security. So no offense to, “hey this thing has to be absolutely secure.”
That’s nice, but you have to be in business to have something to secure. So business intelligence is one of the, in my opinion, the larger missing pieces. CISOs often get it, but they have a very hard time articulating it down into the operational layer for people to understand: why aren’t we patching?
“Oh, these people are just idiots or lazy.” That’s often what you’ll hear. But no, it’s because this system can’t be interrupted because it’s core to the business. And then we’re not making money. So only humans, I predict, for the foreseeable future will be able to bring in those types of insights [00:36:00] to know why a system is important to the business.
Because it’s very hard. It would be very hard to teach AI why your business was important to you in the first place. It would be very hard to articulate it. It comes down to largely gut feelings. It comes down to things like pride that an AI just can’t possess. It comes down to things like motivations to cure an illness.
There’s pharmaceutical researchers out there that have started their own startup. They’re in pursuit of a specific cure to something. And that motivation might be because they had a nephew or a child die or a parent die of that illness. You can never teach AI that motivation. So for them to understand the business value for AI, I just don’t see that as it’s ever going to happen.
The other thing that I will tell you, and for anybody, any of your listeners out there that are considering AI components into their security product, is ask to see the AI. Ask to [00:37:00] see. “Hey, you’ve put these two letters on your product claiming to have AI. Tell me more about it. Is it generative? Is it in house?” If it’s in house, show me your GPU farm, show me your massive parallelized processing capability. Because if they can’t do that, then that’s not what they’re doing, because AI from a computational aspect is like a supercomputer. It requires a great deal of resources.
And if they can’t do that, ask to see their bill for whoever’s CPU, GPU farm that they’re making use of via API calls. Ask to see that. Prove it to me that you’re actually using AI.
Paul Roberts (Security Ledger): David, you’re not suggesting that there might be cyber security companies out there saying they’re doing AI when they’re not really doing AI, are you?
David Monnier (Team Cymru): I would hate to upset anybody with such a claim…
Paul Roberts (Security Ledger): That is shocking!
David Monnier (Team Cymru): Yeah. But no, ask to see it. That’s because so few people [00:38:00] truly understand these technologies. I understand I come from a high performance computing background, so maybe I’m uniquely skeptical in this way, or uniquely cynical, let’s say, but they’re not questions to gloss over. They’re just not. And in particular, press people to tell you why what they have is AI and not just machine learning. Ask them to answer that. And if you’re talking to an account exec somewhere, if it’s an AE who’s trying to push the deal, ask to talk directly to the solutions engineer, bring me in your CTO. ’Cause I want to have a deep dive, technical deep dive. Bring your CISO, bring some of your top nerds, and audition these people like it’s America’s Got Talent.
Paul Roberts (Security Ledger): Don’t take it as this kind of blanket assertion of what we use AI really, I’m trying to understand what they’re using and how they’re using it. It’s also a very long [00:39:00] and not very proud tradition in the information security industry, right? Of jumping on trends.
And we’ve all seen this at RSA or Black Hat, whatever the, or, yeah, approach du jour is, everybody kind of starts to gravitate towards that regardless of
David Monnier (Team Cymru): Absolutely. I’m a little sad that Zero Trust didn’t stay around longer as a philosophy. I’m sad to see that it got eclipsed by AI. I would argue Zero Trust as a philosophy, again, not as a technology, but as a philosophy, I would argue that goes back to enabling what I still argue is the most important factor, which is detection and zero trust.
If you operate with the philosophy of zero trust, it facilitates, or necessitates, I should say, that you have total information awareness.
Paul Roberts (Security Ledger): Mm hmm.
David Monnier (Team Cymru): That’s how you establish violators of the trust.
That as a philosophy is something that I’ve used for 25, 30 years, long [00:40:00] before it had a cool name like Zero Trust.
But I’ve employed that as a blue team engineer for more than 20-something years, and I was really happy to see that it had gotten, like, a buzzword name. I was glad to see that was happening. I’m a little bit disappointed, but it is unfortunate that AI has pushed that out of the way. And we went from having something that I don’t disagree with super buzzworded, and everybody was very much hyped up on the zero trust concept.
But so there was plenty of snake oil there, don’t get me wrong. But I’m disappointed to see that something that was as fruitful as a sound engineering concept as Zero Trust has now been largely usurped by, frankly, the “woo woo” of AI.
Paul Roberts (Security Ledger): David, is there anything I didn’t ask you that I should have or anything you wanted to say I didn’t give you a chance to say?
David Monnier (Team Cymru): [00:41:00] I would encourage your listeners in particular, if they’re in security leadership or aspiring to be in security leadership, that they not be disheartened, that they understand that business decisions don’t always make sense. Do go in and don’t try to scare people. Go in and try to articulate the threat as best as you can, and if they don’t buy into it, then try to rearticulate it. Draw on a lot of analogies. But keep your eyes on the prize. You know, stay motivated to convince people. Don’t be motivated solely on your ability to employ new technologies or employ new methods to do things.
Think of it where the goal is to get everybody bought into the idea that security is important, and don’t be disheartened if specific projects don’t get approved. Don’t be disheartened by that. It’s... we’re living in a [00:42:00] technically driven world where if you walk down the street and ask most people, “How does it work?”, they couldn’t even begin to answer it to you.
Even security leadership. There are people out there who couldn’t tell you how a PKI works, but yet they’re responsible for ensuring it’s there. There’s plenty of CEOs out there who couldn’t tell you how email works. If you ask them to describe how email works, they would use words like click and open and things like that.
My advice would be for everybody out there is to keep in mind that you’re pushing uphill. But the thing you’re pushing is not buy in to your idea. It’s buy in to the language you’re speaking to begin with. So don’t get disheartened if people don’t approve your specific idea.
That likely means you need to step back and get them bought into your philosophy first. That said, good luck, everybody.
Paul Roberts (Security Ledger): David Monnier [00:43:00] of Team Cymru, thank you so much for coming on and speaking to us on Security Ledger Podcast. It’s really been a pleasure.
David Monnier (Team Cymru): Thank you, Paul.
(*) Disclosure: This post was sponsored by Team Cymru. For more information on how Security Ledger works with its sponsors and sponsored content on Security Ledger, check out our About Security Ledger page on sponsorships and sponsor relations.