Eward Driehuis
Chief Research Officer

SecureLink

Q: Eward, you have extensive experience in threat hunting and advanced security analytics. Why has it become so critical for organizations to have a cyber threat intelligence capability?

Every company, in some form, benefits from threat intelligence, as we speak. If you run AV, it's backed by malware research; if you run firewalls, they consume threat feeds put together by threat analysts. There is a lot of work being done behind the curtains. For many companies, consuming this operational threat intelligence is no longer enough. Many look for tactical and strategic intelligence. This is fueled by a fast-changing threat landscape, where on one day ransomware is an entry-level criminal attack, and the next day nation states have weaponized it for destructive purposes.

An important development is cyber entering the boardrooms. As companies incorporate cyber risk, these trends and narratives are important. Because it is not about the malware anymore; it is about who's behind it and what their intention is, that helps qualify risk. The way to assess this is with intelligence, analytics and research. Many companies are looking for third parties to provide this as a service, but there are big companies like banks incorporating threat intelligence capability in their "fusion centers".

There's an added benefit. While at an operational level we'll need to digest feeds of indicators in real-time, the trends and the narratives serve an important purpose for boards. When they make decisions on cyber budgets, they need to have access to these high-level overviews. Boards don't consume Indicators of Compromise (IoC's); they do consume narratives. It helps them to adopt cyber strategies faster.

Q: Gartner and others expect strong growth in demand for managed security services in the next few years. What is it about the nature of the threat landscape that is making it so hard for organizations to meet security requirements on their own?

What makes threat detection complex is the trend that criminals, spies and nation states are blurring, sometimes fueled by geopolitical tensions. Cyber criminals clean their tracks, whereas in the past they made a big old mess because law enforcement couldn't touch them anyway. Spies have shared sleeper-cell-style techniques; anyone can now trickle sensitive data out of networks undetected. Lateral movement is no longer exclusive to nation states. The upshot is that even if we have full visibility on IoC's, we still don't know what our risk is.

Much of the focus is on technology. That makes sense, since that is a bad guy's most visible attack component. I have worked with some amazingly smart people over the years – many of them customers. They taught me that people and process are equally important. I have worked with forward-thinking people, who were experts at finding the right people, building fit-for-purpose and scalable processes, and then deploying the technology to support that. Whether it's a SOC or an anti-fraud team, the trinity of people – process – technology needs to be in place.

That's where we see that cyber experts are in short supply. An example: Gartner says, instead of looking for rare security analysts, you could hire an analyst and a security pro and put them in a room. They're right, talent is scarce, but that sounds kind of like mating a narwhal with a horse in order to get a unicorn. MSSP is another path to take here. Over the years, an abundance of amazing cyber technology has been created. If you boil it down, most of these solutions increase productivity. Threat feeds allow you not to manually copy and paste IoC's in your firewall. SIEMs allow you to collect events and create a manageable workload for your analysts. But no matter how efficient you are, those experts will be running the processes. That's of course where MSSP's come in. We specialize in wrapping technology with people and process, and use the benefit of scale to our customers' advantage. We've seen demand increase tremendously as organizations realize they need to build detection processes, as their prevention strategies are no longer enough.

Q: SecureLink is a Diamond Sponsor of Black Hat Europe 2017. Why is it important for the company to be there?

SecureLink has been around for quite a while… however, we've always been focusing on our MSSP work, helping our customers, rather than making noise and press releases. When Nebulas and SecureLink joined forces, and other big brands in Europe followed, we inevitably became a strong player. That's when we decided it was time to start sharing more with the community, and share more trend information from our Cyber Defense Centers. We've just completed a report on the state of Security Maturity in Europe across a dozen verticals, which is soon to be released, and we've released research on various threats including criminal altcoin mining and ransomware.

In other words, I think we've got a lot to share and contribute to the community, and of course Black Hat is an amazing event with great vibes whether you're in London or Las Vegas. For us this is a great opportunity to meet old friends, make new ones, and show we're dedicated to safely enabling business across Europe and beyond.

