March 19, 2025 28 mins

Grace Chi, co-founder and COO of PulseDive, takes us deep into the often overlooked world of cyber threat intelligence networking. Grace has become a passionate advocate for the human connections that power effective security programs, conducting groundbreaking research on how threat intelligence practitioners share information.

What makes this conversation especially valuable is Grace's focus on the practical realities of threat intelligence implementation. She reveals that while formal structures or groups like ISACs provide important frameworks, the most timely and actionable intelligence typically flows through one-to-one relationships and trusted peer networks. These connections become critical during security incidents, when having someone who can provide just-in-time context about a threat can make all the difference between detection and compromise.

The discussion tackles common pitfalls in threat intelligence program development, particularly the tendency to invest in platforms without proper implementation planning or ongoing maintenance resources. Grace offers concrete advice for organizations at different maturity levels, emphasizing the importance of starting with clear requirements, assigning dedicated point persons for implementation, and understanding pricing models before making significant investments.

For those building threat intelligence capabilities from scratch, this episode provides a roadmap that focuses on identifying organizational pain points, leveraging existing talent, and implementing capabilities incrementally rather than attempting to configure every available feed immediately. Grace also highlights the critical distinction between external intelligence sources and the often-underutilized wealth of internal telemetry and observations.

Beyond the tactical aspects, we explore how threat intelligence must be communicated differently to technical teams versus executive stakeholders, and how building a diverse network across multiple channels creates compounding value over time. Whether you're a seasoned security professional or just beginning to explore threat intelligence, this conversation offers insights that will help you build more effective security capabilities through the power of community.

Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Thanks for tuning in to Simplifying Cyber.
I'm Aaron Pritz and I'm Cody Rivers, and today we're here
with Grace Chi, co-founder and COO of Pulse Dive.
Welcome to the show, Grace.

Speaker 2 (00:15):
Thanks for having me.

Speaker 1 (00:16):
Awesome.
Well, we were lucky enough to meet each other at Cyber
Marketing Con in where were we?
Philadelphia, Pittsburgh, Philadelphia, yep, Philadelphia,
you know, in December, which is the best time to be in
Philadelphia. Just kidding, beautiful but or not right after
the Super Bowl, because that got a little crazy up there.
But anyway, we were really excited to talk to you because
you're doing so many things for the cybersecurity community and

(00:39):
specifically threat intel.
But we wanted to focus our topic today on the state of
sharing, and sharing is so important within cybersecurity
and what you do at Pulse Dive obviously opens up a lot of that
sharing.
But I want to cover people, process, technology sides of
sharing and tips for our listeners of how they can get

(01:00):
more plugged into the community and, most importantly, share
information, receive information and use it to help reduce the
risks that we're all focused on.
So let me let you give a little bit of a backstory on yourself
and then we'll dive right into that topic.

Speaker 2 (01:14):
Yeah, we'll keep it sweet and short.
So Pulse Dive is a vendor in the space.
We offer community-driven threat intelligence and
everything we do is focused around creating frictionless
threat intelligence solutions for growing teams.
So that means, whether you're the single IT person that
somehow is also responsible for all of security in a small org,
or you have an established, large, flourishing budget and

(01:36):
group of people and processes, there is something that fits for
you and the focus, our keyword, is frictionless, because we
think that in security there's a lot of technology, there's a
lot of talent, there's a lot of processes, but it becomes very
burdensome in a lot of ways.
So personally for me, I came in from a non-security background.
I had some experience with security startups before, but as

(01:58):
I jumped into the space of threat intelligence, which was
not my domain expertise at all, and still today, right, if you
ask for specific threat intelligence expertise, I'd pass
you to 1000 people before I'd recommend myself.
I work a lot on the business side, but I love the threat
intel community so much and I saw as I was getting in and
there's all these shiny tools and cool you know exploits and

(02:22):
lots of news about threats.
At the end of the day, digging in deeper in my first couple of
years with Pulse Dive, I realized a lot of this was still
happening on a very peer-to-peer, one-to-one basis, and so, as
you mentioned before, the state of sharing that ended up driving
some of my research, which was completely not vendor-driven.
It doesn't lead to any deals for me or anyone else.

(02:43):
I know about what is happening within the CTI space when it
comes to networking and by networking, not technical
networking and also not networking for a new job or to
close a deal or something.
Networking in terms of I'm a threat intelligence practitioner
or adjacent practitioner.
I need to do better for my company and my role.
How do I connect with people that way?
And so that led to a huge report and that's one of my

(03:05):
passion topics that I do in conjunction related to Pulse Dive,
but really not a direct output of you know, driving the
Pulse Dive business.

Speaker 1 (03:13):
That's really cool.
So for those that haven't seen that report, give us the high
level synopsis of what you cover and what what they you know.
If they go download it now, what, what, what, what can they
do with it?

Speaker 2 (03:23):
Yeah, so these reports are fully ungated.
I did two years of this because I wanted a quasi-lateral study
over time of how there were trends that were changing.
But my hypothesis going in was that while this quote-unquote
networking CTI networking phrase was extremely valuable, it was
underrepresented, under-acknowledged in the space.
It's under-acknowledged in the space.
So people put a lot of emphasis on what tools you have and

(03:46):
potentially what you've implemented, what your program
looks like.
A lot of the value that was driven was somebody who's giving
you a just-in-time warning because you met them at an event
or you connected with them through an ISAC, a sharing group,
being able to get you ahead of a threat or just-in-time for a
threat.
But that was never really attributed to.
So I went in and I said, as I'm observing this field as a

(04:08):
little bit of an outsider, how much of this is taking place in
these one-to-one DMs or in these trust groups?
Let's demystify that for everyone else who says they're
interested in CTI, trying to build up a CTI program.
Maybe there's a security manager who doesn't really
understand or acknowledge that at all, to have awareness that
this is happening and it can be a leverage, strength and skill
versus a liability.

Speaker 3 (04:31):
Awesome.
So, Grace, this is very interesting to me.
I think you know, here in Indiana, myself and Aaron are
involved with the ISAC group but trying to get this started and
we learned of it from the national stage with, like, the
health ISAC and they do a great job but, to your point earlier,
they don't have the budget to get there, for travel or the
cost of membership.
So what do you think you're doing?

(04:51):
Like that's, that's kind of new, and give us a kind of some
insight of like connecting folks to your point of like if they
can't afford to get to an ISAC?
Or you've got health ISAC and financial ISAC.
So how do you kind of take these little different
communities and kind of distill them down and open the doors?

Speaker 2 (05:05):
Yeah, that's a great point, and I'll step back into
the research I had done, because one of the key points was what
channels are people connecting ISACs and industry?
Formal groups was one.
There's social media, which, for all its toxic junk, there's
also still very much, so value there.
Reddit is obviously a fan favorite, and then there's also
one-to-one and industry events and so forth.

(05:26):
So I think there were seven channels that I looked into and
you can find all this on blog.pulsedive.com if you look for
the CTI networking report.
And ISACs are really valuable because they are established,
they have key membership players, they have funding, they have
tooling.
The truth of the matter is a lot of the companies out there that
need to be plugged into the threat landscape and what's

(05:47):
happening don't have the capability, and even if they had
the money right, they might not have the time because they're
stretched very thin.
And so what we saw in the research was that one-to-one and
peer-to-peer relationships so unstructured let's call it free
and ungated in terms of who you're affiliated with were
always the most valuable, the most timely, the most actionable

(06:12):
intelligence you could get.
But outlets like ISACs, outlets like industry events so a
BSides conference, which is what $5 to $50 max being
available and active online on social media within your comfort.
Those were all feeders to get you connected to the people that
could then think about you when they see a piece of a puzzle
that might impact you.
And so ISACs are really valuable, but they are not one

(06:33):
and only.
I think they just come up as the first kind of obvious
structured component right channel that somebody can get
involved with.
But I also hear a lot of times that it's great that these exist,
but they are a gateway for then the practitioners that are
member organizations that then talk to each other more directly
too, versus just in the formal meetings and the formal settings.

Speaker 3 (06:53):
Yeah.
So that kind of goes to my next question too, which I think is
key.
One thing we get, you know, you see a lot of threat intel like
vulnerability, any topics or tactics from bad actors.
One thing that we get from virtually every client and
potential client and just kind of colleagues in the industry
are benchmark data and particularly around like NIST

(07:15):
assessments, and that we get a lot of it.
We have a lot of internal stuff that we've developed because we
have our clientele growing and benchmarking for, call it, small
financial regional bank or something or global pharma
company under 40,000 employees.
But that's one thing I see as a gap right now is that people are
sometimes scared to share or don't have the avenue to share
that data.
And then also you don't want to be public because I don't want

(07:37):
to say, hey, I'm a 1.5 in recovery or something, so
recover.
So I think do you see anything like changing there or any ideas
on like how that improves or how we kind of get access?
Because benchmarking I think is also valid when you're looking
to go fight for budget of like this is where we stand against
our peers or our you know that data right now At least I've not
seen yet and you can chime in you know that we've not seen

(07:58):
freely available outside of things we have ourselves.

Speaker 2 (08:00):
Yeah, and I think, benchmarking.
So that leads to some of the challenges that we looked at,
and some of the top challenges were legal liability right, your
legal team does not want you sharing anything you've seen
because that can cause all sorts of issues, even if that might
have positive benefit of you sharing the data.
Two, there's also TLP right, so can you share something, even
within a trusted group?
Obviously, publicly is not always the best.

(08:21):
And then also like fear, like reputation and just competitive
advantage right, those types of external factors that have these
security practitioners being like I'm not allowed, I want to,
I'm not allowed to.
Unfortunately, I think the truth about benchmarking is, with any
sample size, a lot of data is not there and where I'm

(08:42):
witnessing in my research, it's more of an intuitive like have
you guys seen this?
I'm witnessing this issue.
Are you also getting this?
And I will not name any names, but recently I had a lot of
people reaching out to me because I do love connecting
people for the sake of them helping each other in their
roles.
Being like we got an alert from this vendor that you know one of
our clients are compromised and we have no idea.

(09:04):
There's no details.
Help me, because this is becoming an incident for our
client, but we don't even know what the validity is right, and
so I can bring them saying, oh, I know that you have a shared
vendor, or, hey, I know somebody who used to work there, help
paint a picture, and so, unfortunately, this is a very
anecdotal, point by point and not a large benchmark.
But when it comes to these moments where there is a fire,

(09:26):
how much you know somebody or can get connected someone to
give you pieces of the picture so you're not scrambling to
write a full RFI and doing research or using ChatGPT to
make up some sort of essay for you is really important because
timeliness is so key in all of these events.

Speaker 1 (09:41):
Awesome Grace.
Do you have any?
Obviously being so close to Threat Intel even though I think
you described yourself you're not a threat analyst and you
came from more the business side but you probably have come
across a lot of stories of like how Threat Intel saved the day
or prevented something.
So do you have like a marquee story that you like to tell
about that would maybe encourage those that are maybe starting

(10:04):
to build their threat intel program or they're not quite
there yet?

Speaker 2 (10:06):
We had a workshop, so there's a few quotes, and I
like quoting the customers and the users versus like our own
stories.

Speaker 3 (10:11):
Sure.

Speaker 2 (10:12):
Because I just feel like it's way more interesting.
Right, there was a workshop that we had delivered.
It was about and you would love this connecting threat
intelligence and risk because the different audiences, same
type of shared outcomes, a lot of overlap, but not in how
things are executed.
And I found this really great example of threat intelligence
people being successful in a Reddit thread and they were

(10:35):
saying, when risk was coming to ask me about you know what
policies, what processes, what structures, how to react to
certain threats on the risk register that are coming, they
were helping define that.
So, at a process level, having threat intelligence become this
trusted advisor to help translate right, because threat
researchers, threat intel analysts are very analytical,

(10:55):
they can process, they can communicate well is great.
From the program level On a very discrete, granular level,
there are times where somebody who's working in a threat intel
hat maybe they're in a SOC, maybe they're dedicated threat
intel on a team.
I have some of these vignettes as well in my report.
They'll say I got an alert over the weekend that some

(11:15):
compromised network was related to our environment and so I sent
that over and I became the conduit of all these other
sources that were providing granular raw data to the
incident response team, and so this is a way in which you have
this awareness, this almost like presence in the market of peers,
that they can reach out to you as an intel analyst, intel

(11:36):
practitioner, to then help be a channel to communicate
information to the right team members at critical moments in
time.

Speaker 1 (11:44):
Great, all right Grace.
I'd like to pivot to.
You know, at RevealRisk we do a lot of process-oriented work
and I feel like we're big supporters of tech.
But tech without process sometimes can result in more
risk and more complications.
So we spend a lot of time building and improving processes
that make tech and cyber work better.
So I would like to talk about that specific to threat intel

(12:07):
and threat intel programs.
How does the role of process come into play?
Where have you seen examples where lack of process can make
for not a good program result, and maybe those that have
invested in it?
How do you invest in it if you're an early program adopter?

Speaker 2 (12:23):
Yeah, with threat intelligence in particular, this
was one of the biggest headaches that I witnessed
working with our clients and users and as an awful salesperson.
Sometimes I would say, hey, you don't need the thing that you
came to us for.
And I ended up writing a blog about this, about tips for TIPs.
So tips for threat intelligence platforms, and it was about
building a process around the procurement piece of getting a

(12:45):
threat intel platform.
One of the products threat intel, all security products
there's a lot of noise, a lot of new adjectives, a lot of new
abbreviations that can be very confusing for customers.
Sometimes it leads to somebody, maybe outside of the
organization or program itself, demanding that you know you get
a new tool or saying, hey, we need this.

(13:06):
Or sometimes it goes bottom up where somebody says we need it
but then at the point of successful implementation it's
not resourced properly, right to succeed.
And so I had kind of three key tips, and one was building
requirements.
Threat Intel folks are very good at requirements overall, but
not always necessarily in procuring technology like a

(13:26):
platform for themselves, and so we talk about and we introduce
like what a MoSCoW method is and that the must have nice to have
right will not have type of tiering as well as applying that
to like the NIST cybersecurity framework, depending on how deep
you want to go, and then assigning a point person.
It is unbelievable how often people are like let's buy a

(13:47):
platform and then we just like turn it on and then we're going
to walk away.
And I say all the time, if you're not curating the data, if
you don't have some sort of automation, feeding, unique
internal telemetry or feeds, and then you're commenting and
manipulating that data for your benefit and pulling that out,
you don't need a platform.
I would love the paycheck if you need.
You know.
I would love it if you wanted to procure either way to check a

(14:10):
box, but you don't need this.
You could do just as well with feeds and APIs, automation and
other ways.
And so what we hear a lot is that, process-wise, they're not
actually thinking about one, the requirements of what does it
need to do day one, day 30, day 60 versus shiny bells and
whistles of what it could do in the future for undisclosed price

(14:30):
point.
And then two do you have an engineer who's building the
integrations?
Do you have an analyst who's going in?
Is it not just supporting a POC but also supporting the
maintenance of this product over time, which sounds so obvious,
but it is something that I constantly am reminding and
pushing our clients who are in the procurement cycle to think
about and to really address early on.

(14:52):
And then the last piece I had was confronting pricing.
Very early and often and there's no vendor bashing it can
be very confusing.
But when you go in thinking positively or not fully
understanding pricing models, scaling models, what
integrations or what seats will cause more pricing, that can
cause a lot of pain on both sides and end up being churned

(15:13):
for unfortunately for both sides as well one year later during
renewal.

Speaker 1 (15:17):
Yeah, what you said really resonates on the buying
tools and then walking away, and I've had conversations over the
years of what drives that mentality.
I think there's something in the reward system within IT of
how IT projects are awarded, and the word project doesn't
necessarily imply the ongoing care and feeding and support and
building it to scale.

(15:38):
So I think part of it is.
A lot of us came up in IT and delivery and project execution
and there was always a new initiative each year and it was
easy to neglect last year's initiative.
So I think same thing with threat intel programs, GRC
programs.
You got to plan past the launch, because usually that's not the
launch isn't where the value is.
That's usually like base MVP capabilities and, like you

(16:00):
mentioned, integrations, use cases.
You know who's going to consume the data.
All of that is process work.
That's not going to come from any vendor out of a box.
That there's no magic and you can find people that have done
it before and get those people.

Speaker 2 (16:13):
But on the flip side, like don't expect because it's
going to be a big letdown that the tool is going to
automatically do everything, that a end of the year you don't

(16:35):
have that ROI and fingers are being pointed, so you're in a
defensive position, and that's the last thing we would want for
any of our customers.
And the other piece as well is being able to say that this is
the product that we need, that's going to deliver XYZ
immediately and over time too.
So it is a big sticking point.

(16:56):
It is something we repeat to our customers over time and we
almost challenge them in some ways, like can you answer these
questions?
Do you have a requirements sheet that you're allowed to
share with us?
That's like you know, cross out so we can tell you what we can
and cannot do right now in terms of your use case.
And if you don't have a use case, you know.
Once again, I will help them as much as I can, but there's no
vendor and if there's a vendor giving you these answers,

(17:16):
they're just giving you the answers that they are going to
score a hundred on.

Speaker 3 (17:19):
Yeah, yeah, Grace, thank you too.
So I love to give out tips to our listeners and kind of like,
if I have nothing now, what's the next, my next three steps,
and so thinking from like a break into three phases of like
gather, review and action right, new program, new CISO, new
person in security?
We don't have a threat intel program yet.
What are some like here's three steps or kind of.

(17:41):
You know, the first, like 90 days, I'd look into, of setting
up a threat intel program.
Or even, just to your point, I've got all these feeds.
How do I gather, review and action threat intel?

Speaker 2 (17:51):
Yeah, and this is a challenge that even as a vendor
I faced, where I've gone to clients being like I will give
you a year of feed for free.
Can you just one-to-one benchmark we talked about
benchmarking Tell me what we give us, Tell us what our false
positives, tell us what our false negatives are.
And there's just no capacity.
We've gone out and said we'll give it to you.
Can you do this?
Can you help us with this research?
And the answers have still been very anecdotal, right, Piece by

(18:13):
piece.
We got some feedback.
It helped us improve our algorithms and our processes,
but it was never at that top level that we'd hoped for that
academic level of research.
But I would say, if you have a security environment and you're
considering threat intelligence, call me old-fashioned, but I'm
like where are your current pain points right now?
Where are you wasting too much time?
Where do you need capabilities that a single resource that you

(18:36):
have could peel off some hours?
Or there is talent in your team that is interested, right,
being able to nurture a SOC analyst or a detection analyst
or somebody malware reverse engineer who likes intelligence,
to then think about it from that level and then do research
and context and look at what the capabilities are is really
important, versus thinking, well, we first need the tool and

(18:58):
then all these crazy commercial feeds, and then we need to join
an ISAC all at the same time, because you won't have the
structures to support it underneath to get your ROI which
is the most important thing right, the ROI that then reduces
your risk.

Speaker 3 (19:09):
Yeah, I think from like the if I'm thinking of like
strategic, operational and tactical kind of like those
different tiers At the tactical level, yeah, we see an increase
in Citrix vulnerabilities or RDP and manufacturing or you know
some like legacy tech or OT stuff.
And then I think at like strategic level of like the same
threat intel to two different people yields two different

(19:30):
outcomes, and so how do you kind of delineate what goes to my
tech tactical team for the firefighting and then what goes
to my executives for additional budget or capacity planning and
those kinds of things?
And I think that's where I think a lot of our at least some
of our clientele have struggled of like they get a feed from
their MDR provider or you know, or maybe they've got Recorded
Future or one of those types of services.
But then it's like I don't know how to change the narrative and

(19:54):
push it to the right person to then warrant action.
I think to your point earlier, that's kind of where it's harder
than, at the end of the year, assign an ROI to it.
Did we get value from it?
Do we just not use it?
Do we need to action it better?
And I think that's a lot of our findings we see in our NIST
assessments with clients is like I've got threat intel but I
need to action it better.
But I need to action it better, but I don't know how to action
it better.

Speaker 2 (20:13):
Right and the most granular, is like we need threat
intel and then they get an abuse.ch feed and they're like,
okay, we have threat intel now, right, and that's fine.
That's a starting point.
It is a decent, high-fidelity, open-source feed.
But where I do see a huge gap and it really takes a special
type of advocate in the organization and leadership
support is being able to speak to that risk and executive team.

(20:35):
I think the tactical support and the even operational level
intelligence there is good groundwork there.
But when it comes to even the intel cycle of collection and
processing and analysis, there's strong communication.
I have my thoughts about it.
I think it falls apart in a lot of ways.
And then getting the feedback right so communicating findings

(20:56):
in the right format to these different levels of teams and
then actually pulling in the feedback from the board, from
the CISO, from the CEO right About risks, what they're
looking for, and then how to bring that back through the
cycle again is something that's come through a lot of maturation,
I would say as just an area of focus, even in the last five
years.

(21:46):
That's a big, that's a tough one, and I don't want to be the
security person that says it depends on what you have, but
obviously it's true, right Depends on who's on your team,
what kind of buy-in you have from leadership, what kind of
support you have right within your existing talent and
technology stack.
But I would say the one big miss that I see is like industry
level and peer level research.
I think what we hear in the news cycle is, oh my God,

(22:08):
ransomware, why, oh, there's a war in Ukraine?
And then everyone and all the leadership is like tell me about
this, when it may or may not even be relevant.
So Scott Small over at Tidal Intelligence and I think Simone
over at Orange Cyber Defense also delivered a workshop about
how to do threat profiling for your organization in a realistic
way, versus drowning in spreadsheets with data that

(22:29):
you're just making up right.
So being able to look at what your threat profile looks like
as light as you have it, but definitely creating that kind of
dossier for yourself, is important.
The other piece of don'ts is don't just try to configure
every feed.
It's going to be noisy, it's going to cause a lot of headache,
it may cost a lot of money that your leadership isn't

(22:50):
really going to understand the quality of.
So it's much more of a be selective and implement over
time so you can actually begin to see what feeds are providing
valuable enrichment for you, what types of data, what type of
IOCs are important, as well as like what types of potential,
like tooling or commercial vendors you're purchasing from
that have the capabilities that you need in smaller batches,

(23:11):
because we do know that there are teams that are like, oh, we
have an open source platform, like a mispronouncement, just
add everything, and then they're spending their time calling or
just drowning in alerts, not really thinking at that
strategic level of what is providing value.
And then, of course, selfishly, I'm going to say getting engaged
in the network, whether that's a trust group, whether that's
just people that you've known over time, that are working on

(23:32):
similar projects or that can offer you insight into new tools
and new techniques that are helpful to keep you on track of
your news and just be able to think about you.
That has compounding value over time as well, even though it
does take time and effort right from day one to build up.

Speaker 1 (23:48):
That's awesome.
I'm curious your thoughts on threat modeling and what program
CTI teams or cyber teams in general should be doing with
threat modeling.
And when I was a Six Sigma black belt on the corporate side,
we had a tool called FMEA failure mode and effects
analysis and it was kind of very similar.
That was for analyzing a process and anticipating what

(24:08):
could go wrong.
But threat modeling and then kind of using Intel to validate
or to focus you in, I think is super powerful.
Give me your thoughts on that, and is threat modeling something
you advocate for?

Speaker 2 (24:23):
So I will say that is it, in theory, something I
advocate for?
Obviously there are threat models out there, but I think
somewhere where I do see the pitfall is, I see assessments
from certain vendors being like oh, MITRE ATT&CK, right, we
prevented 100%.
Therefore we are winning as a vendor.
And I think that's the mistake.
Where, let's say, you've modeled something out and you
have detections that fit what is already known.

(24:45):
Unfortunately it gives you a false sense of security in a way,
and it becomes a sales tactic.
So I would pass it off to someone much smarter to myself
to say, hey, use this specific tool set or this specific GitHub
repo to guide you.
But I'm not anti, it's just I think that in a lot of ways it
becomes convoluted with sales processes, like a lot of a lot.

Speaker 1 (25:06):
And I think threat model is to model something you
have to know it Whereas threat intel you could be learning
something that's a zero day or an unknown.
So I think maybe there's a place for it, but not being
overly complacent that hey, we've modeled our threats, so
we're good.
Or whether it's a corporate practitioner saying that or
thinking that, or if it's a vendor trying to claim turf in

(25:26):
their sales pitch.

Speaker 2 (25:27):
Yeah, and I think the other piece that this reminds
me of is like the do's and don'ts.
When I talked to or just witness conversations, discourse
online, a lot of threat intelligence conversations used
to be about external stuff, like what can I buy externally, what
can I get extra, what tool can I add?
And not enough time and effort was focused on internally how

(25:47):
much data can you track?
What can you learn?
What have you observed?
How do you structure that into intelligence in its own right
that is then enriched by external sources?
So I do think that that's another piece where having a
threat profile, being able to understand your threat model,
being able to understand your risk appetite related to threat
intelligence, is important, where we need to not only look

(26:08):
outwards but make sure that the internal stuff which is really
valuable, that no one right will be able to just sell to you in
a feed, in a CSV or STIX/TAXII format, we'll be able to
compound, right, force, multiply any tool, any process, any
person you hire on top.

Speaker 3 (26:22):
Awesome?
I think so, Grace.
This has been phenomenal conversation.
We like to always kind of at the end, kind of in with like a
fun fact or something about a fun story.
So for those out there who had never met which most people have
never met before on our podcast until today, what is a fun
Grace fact that someone may not know off the street?
You know, it could be history,it could be a fun talent.

Speaker 1 (26:45):
Is this a reveal?
Is this going to be some intel on Grace that the community
doesn't know?
My goodness.

Speaker 2 (26:51):
There's some intel.
That's more I've shared before in the past, even if they don't
know me.
But this one is fun.
I don't talk about that much.
I do have some watercolor illustrations published in an
art history textbook.

Speaker 1 (27:03):
Oh, that's pretty neat.
How long have you been painting?

Speaker 2 (27:07):
My whole life, I think.
Back in the day I was learning piano and I hated it and my mom,
being so smart, she was like that's okay, you don't have to
do this.
Because I was dragging my feet every day.
And she said then pick something else you want to do.
And I said art.
And then I think, because as a child I picked it I kept with it
much better than being told right, that idea of choosing to
do something versus being forced to do something.

(27:28):
And so ever since then I would just take so many art courses.
I still practice.
I take commissions once in a while, but it's more just for
fun, it's just a way to get away from the screen.

Speaker 1 (27:43):
That's awesome, very cool fact.
Now we're going to have to do recon to find a piece and maybe
we'll land that in the post cover of this podcast.

Speaker 2 (27:48):
So if we can find it.
Maybe I'll share something with you.
We'll see.

Speaker 1 (27:51):
First see if we can find it that would be the
security answer and then, if we fail, if our pen test does not
work on whatever the public domain this is, then we'll ask
it for you, okay, perfect.
Awesome.
Well Grace, this has been an awesome conversation.
Really appreciate you coming on to share with our community and
talking about sharing and intelligence, so I really wish
you best of luck and appreciate your time.

Speaker 2 (28:13):
Thanks so much for having me again.
Have a good week.