Interviews | July 12, 2023

Threat intelligence data needs context to make it impactful

Cisco | Palo Alto Networks | ReliaQuest | VMware

Tom Gillis
SVP and General Manager


Q1. You were appointed to a new role at Cisco relatively recently, but you've been with the company for a long time. What is your vision for Cisco's security business? Where do you see the biggest opportunities for the company to make a difference in the space?

I started a company called IronPort, which was acquired by Cisco in 2007. As Security VP/GM, I worked at Cisco for five years before leaving in 2011 and starting a new company called Bracket Computing. In 2018, Bracket was acquired by VMware, where I was a Security SVP/GM for five years. But now I’m back. I came back to Cisco for a reason, and I’m super excited to be here. We have a huge opportunity in front of us.

For decades, the security industry has been built around the idea that once a new security problem emerges, there’s a cluster of new companies that pop up to solve that problem.

In an ecosystem of point solutions, the burden falls on the customer. They must ingest all these point solutions, and just because a solution is marketed as “end-to-end” doesn’t mean it is.

Customers are stuck with a bunch of products that provide mediocre security. No one wants mediocre security. If you went to your dentist expecting a filling, and instead, they told you that they have a special on heart pacemakers, you wouldn’t want that. The opportunity for Cisco in security is our approach with the Cisco Security Cloud. The industry is moving toward a platform approach, one where you can look across multiple domains and gather unique telemetry, and there are very few, if any, companies that have the breadth that Cisco does. Our Cisco Security Cloud provides our customers the platform to solve this problem.

Q2. What were some of the main takeaways for enterprise organizations from Cisco's latest Cybersecurity Readiness Index? What, if anything, was surprising or unexpected in the results?

The Cybersecurity Readiness Index highlights an alarming cybersecurity readiness gap, which will only widen if global businesses and security leaders don’t pivot quickly. Only 15% of organizations are considered “Mature” and ready to defend themselves against a threat. We found that, shockingly, more than half (55%) of companies globally fall into the Beginner (8%) or Formative (47%) stages – meaning they are performing below average on cybersecurity readiness. However, companies are taking action; 86% of respondents said their organizations plan to increase their cybersecurity budget by at least 10% over the next 12 months.

Readiness is critical - 82% of respondents said they expect a cybersecurity incident to disrupt their business in the next 12 to 24 months, and the cost of being unprepared can be substantial. A majority of respondents said they had a cybersecurity incident in the last 12 months, which cost at least $500,000 for 41% of organizations affected. Closing the readiness gap must become a global imperative and a top priority for business leaders. With the consequences of cyberattacks so clear, readiness must be a priority for all organizations to anticipate what is coming down the road so they can bounce back faster when a threat becomes real.

Q3. What specific initiatives or technologies is Cisco Talos planning to showcase at Black Hat USA 2023?

Our threat researchers are always looking at the bleeding edge of what threat actors are doing, how they are getting past our defenses, and that feeds into how we can innovate to stop them. We’ve got some great research coming out over the next few months on mercenary hacking, kernel exploitation, as well as some interesting work our teams continue to do in Ukraine, particularly with electrical substations.

One of the things we've seen adversaries do, notably the more sophisticated groups, is move lower on the stack. The places we've seen this most recently are in the commercial spyware space and driver abuse. By attacking drivers, adversaries can get closer to the kernel and potentially evade traditional detection capabilities. In the commercial spyware space, we've seen that those with the means can compromise smartphones with alarming ease. We recently published a deep analysis of one of these commercial spyware infection chains, PREDATOR, as well as uncovered a toolkit designed to facilitate driver abuse.

Beyond these spaces we continue to do incredible work in Ukraine and most recently have been working extensively on protecting electrical substations. We have quite a few security researchers presenting in the booth. [Attendees] can come by and hear from vulnerability discoverers, malware reverse engineers, detection content generators, etc.

Wendi Whitmore
SVP of Unit 42

Palo Alto Networks

Q1. What should the board of directors be doing to prioritize cybersecurity at their organizations? What role can/should they play in fostering a proactive, agile and responsive cybersecurity culture at their organizations?

Cybersecurity and the cyber resiliency of an organization have become increasingly relevant across the Board of Directors over the past decade. Impactful and prolific attacks, data breaches and vulnerabilities like SolarWinds, Log4j, Colonial Pipeline and others have brought security to the forefront of the C-suite - beyond the CISO - and the board.

While all boards have extensive leadership skills and expertise, not all are tech savvy enough to assess and make informed decisions about an organization’s risk and security posture, gauge how much corporate business and reputation can be impacted by threat actors and determine if they are investing enough and in the right areas to prevent successful cyberattacks.

Effectively prioritizing security at the board level can have impactful consequences for the entire organization. Completing proper and regular education and security briefings can help ensure there is no ambiguity when it comes to an organization's security posture and risk. I always encourage board members to ask what they might consider to be too many questions. Without a full understanding of your organization’s risk, it’s difficult to make the critical decisions and resource allocations necessary to foster a proactive cybersecurity culture.

Among the most important actions directors can take is participating in and encouraging proactive assessments of an organization’s security posture and resilience. This includes incident simulations and tabletop exercises, which not only prepare an organization for an incident but also serve as education for the board and company leaders.

Q2. What are some of the biggest challenges that security teams face when it comes to enabling the strategic use of cyber threat intelligence in managing cyber risk?

The use of threat intelligence is a valuable tool for any organization in managing cyber risk. At Palo Alto Networks Unit 42, we know that better than anyone. Our team of more than 200 cyberthreat researchers enables our customers and own organization to apply a threat-informed approach to prepare for and respond to the latest cyberthreats.

But it’s important to consider that there will be challenges and roadblocks in leveraging advanced threat intelligence to effectively manage cyber risk - not only in larger companies, but also in newer companies that are building their security strategies and organizations from the ground up.

  • Timeliness: Timeliness is paramount with intelligence. Collecting, analyzing and producing threat intelligence in a timely fashion helps mitigate potential threats. Any type of delay to the collection or analysis of intelligence will inherently lower its value, making it less impactful.
  • Observable overload: Strategic threat intelligence often generates a large amount of data, and many threat intelligence teams don't have the time or technology to parse through all of this data.
  • Context: Threat intelligence data needs context to make it impactful to senior leaders. Adding this context of broad oversights, trending and more is often time consuming. Many organizations struggle with adding context to their threat intelligence data.
  • Integration: Strategic threat intelligence is often integrated into an organization's security and decision-making frameworks. Ensuring this strategic intelligence is integrated with all of the organization's processes and procedures is often a difficult process that many organizations fall behind in.
  • Policies and Procedures: Most intelligence programs have no formal requirements documents and lack definitions of General Intelligence Requirements (GIR), Prioritized Intelligence Requirements (PIR) and Prioritized Collection Requirements (PCR).

Unit 42 uniquely understands these challenges and how important it is to acknowledge and work through them to ensure that threat intelligence can have a maximum impact on an organization's security posture.
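The five challenges listed above (timeliness, observable overload, context, integration and stated requirements) can be made concrete in a small triage routine. The following is an added illustration, not Unit 42's or Palo Alto Networks' code: it decays an observable's value with age, merges duplicate sightings reported by several feeds, attaches context by mapping feed tags onto a set of Prioritized Intelligence Requirements, and drops anything that no longer meets a threshold. The half-life, PIR weights, feed names and indicators are all constructed assumptions for the example, not real IoCs.

```python
"""Prioritise threat-intelligence observables by timeliness, context and
stated requirements.  Added illustration; all data below is constructed."""
import math
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed Prioritized Intelligence Requirements (PIR): the topics the
# program has formally agreed to report on, weighted by leadership interest.
PIRS = {
    "ransomware": 1.0,
    "cloud-credential-theft": 0.8,
    "commodity-phishing": 0.3,
}

HALF_LIFE_DAYS = 14.0  # assumption: an observable loses half its value every two weeks


@dataclass
class Observable:
    value: str            # IP, domain or hash (constructed sample values, not real IoCs)
    kind: str
    source: str
    first_seen: datetime
    confidence: float     # 0..1 as reported by the feed
    tags: list = field(default_factory=list)


def timeliness(first_seen: datetime, now: datetime) -> float:
    """Timeliness: exponential decay of value with the age of the sighting."""
    age_days = max(0.0, (now - first_seen).total_seconds() / 86400)
    return math.exp(-math.log(2) * age_days / HALF_LIFE_DAYS)


def merge(observables):
    """Observable overload: collapse the same indicator seen in several feeds,
    keeping the earliest sighting, the highest confidence and the union of
    tags and sources.  Inputs are not mutated."""
    merged = {}
    for o in observables:
        key = (o.kind, o.value)
        if key not in merged:
            merged[key] = Observable(o.value, o.kind, o.source, o.first_seen,
                                     o.confidence, list(o.tags))
            continue
        m = merged[key]
        m.first_seen = min(m.first_seen, o.first_seen)
        m.confidence = max(m.confidence, o.confidence)
        m.source = ",".join(sorted(set(m.source.split(",")) | {o.source}))
        m.tags = sorted(set(m.tags) | set(o.tags))
    return list(merged.values())


def relevance(tags) -> float:
    """Context: how strongly the observable's tags map onto a stated PIR."""
    return max((PIRS.get(t, 0.0) for t in tags), default=0.0)


def score(o: Observable, now: datetime) -> float:
    return round(o.confidence * timeliness(o.first_seen, now) * relevance(o.tags), 3)


def prioritise(observables, now, threshold=0.1):
    """Return (score, observable) pairs at or above threshold, highest first."""
    ranked = [(score(o, now), o) for o in merge(observables)]
    ranked = [(s, o) for s, o in ranked if s >= threshold]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


# Constructed sample feed data; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges and the hash is a placeholder.
NOW = datetime(2023, 7, 12, tzinfo=timezone.utc)
SAMPLE = [
    Observable("sample-c2.example", "domain", "vendor-a", NOW - timedelta(days=1), 0.9, ["ransomware"]),
    Observable("sample-c2.example", "domain", "isac-feed", NOW - timedelta(days=3), 0.6, ["ransomware", "initial-access"]),
    Observable("0" * 64, "sha256", "osint-list", NOW - timedelta(days=60), 0.95, ["ransomware"]),
    Observable("203.0.113.7", "ipv4", "vendor-a", NOW - timedelta(days=2), 0.8, ["commodity-phishing"]),
    Observable("198.51.100.9", "ipv4", "vendor-b", NOW, 0.7, ["scanner"]),
]


def demo():
    """Run the sample through the pipeline; used by the stand-alone entry point."""
    return prioritise(SAMPLE, NOW)


if __name__ == "__main__":
    for s, o in demo():
        print(f"{s:.3f}  {o.kind:<6} {o.value:<20} sources={o.source} tags={o.tags}")
```

The stale hash still carries high feed confidence but is two months old, so timeliness alone pushes it below the threshold; the scanner IP is fresh but matches no PIR, so it never reaches a briefing. The two sightings of the domain are merged into one item with both sources credited, which is what keeps a large feed from being reported twice.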

Q3. What specific initiatives or technologies is your company planning to showcase or present at Black Hat USA? How does the company's participation at the event enhance its understanding of emerging cyber threats and industry trends?

We have a number of exciting initiatives and technologies that we'll be showcasing at Black Hat. For the third consecutive year, our team and technology will be charged with securing the Black Hat network operations center (NOC). At the upcoming conference, Palo Alto Networks will secure the Black Hat infrastructure with our Next-Generation Firewalls and Cloud-Delivered Security Services, as well as incident response collaboration and workflow operations with Cortex XSOAR. Attendees can see our experts in action at the Black Hat NOC, or via a live stream from the Palo Alto Networks booth.

As the dedicated security operations (SecOps) portfolio of Palo Alto Networks, Cortex is enabling organizations to make the leap to the modern SOC. Attendees will get a detailed look at XSIAM and see firsthand how Cortex endpoint security outperforms other EDR/EPP solutions. They'll also learn how to automate SecOps with Cortex XSOAR and uncover the unknowns in their public-facing attack surface with Cortex Xpanse.

Be sure to check out our booth #1332 if you are attending Black Hat in person. In addition, Unit 42 Consultant Margaret Zimmerman will be hosting a session titled "When a Zero Day and Access Keys Collide in the Cloud: Responding to the SugarCRM 0-Day Vulnerability."

Joe Partlow


Q1. How will customers benefit from ReliaQuest's recent purchase of EclecticIQ? How does it complement or build on GreyMatter's existing capabilities?

We are always looking to expand the capabilities of GreyMatter, and the addition of EclecticIQ technology will allow us to consolidate our current agent management and functionality, as well as give us expanded Incident Response functionality above what a customer may already have.

Q2. What specific ways does ReliaQuest integrate artificial intelligence (AI) into GreyMatter? How has it enhanced the effectiveness of threat detection and response capabilities?

AI has definitely improved the effectiveness of GreyMatter by providing analysts with many event and data summarization capabilities, integrated chat functionality for further interrogation of the datasets along with many automation capabilities above and beyond traditional static SOAR automation playbooks. Blending open-source models with our own data and internal models has also greatly improved our contextual handling of alerts and events.

Q3. What are ReliaQuest's plans at Black Hat USA 2023? What specific insights or expertise does ReliaQuest plan to highlight at the event?

Black Hat is always one of our biggest events of the year, so demoing our generative AI capabilities within GreyMatter and expanded use case automation across multi-SIEM and multi-cloud environments will be a couple of the main items we will be talking about at the booth.

Jason Rolleston
Vice President & General Manager, VMware Carbon Black


Q1. What does VMware's recent decision to split its Carbon Black and NSX businesses into separate business units mean for customers? What prompted the decision?

Carbon Black and NSX were always separate businesses, even when they were grouped together under the Networking and Security Business Group (NASBG) umbrella organization for a short period of time. The working relationships and collaborations formed throughout that period continue, with the recent release of Carbon Black XDR being a notable example of the teams delivering joint innovation. That said, there is little overlap in the two businesses and the selling motion looks very different, so we just weren’t seeing the synergies. Given the need for Carbon Black to focus more explicitly on the security buyer, we decided to dissolve NASBG and return to two independent BUs. Customers should feel no negative impact and, if anything, will see more security-market-focused execution from Carbon Black going forward.

Q2. You recently wrote about why organizations need to focus on improving the SOC analyst experience if they want to effectively reduce risks and operational costs. What exactly does 'analyst experience' mean in this context? How can security and technology decision makers help improve it?

Analyst experience refers to what a security analyst goes through day in, day out trying to accomplish their job, and how they experience the technology that is ostensibly there to help them. We see our job as enabling and empowering the analyst to do their job more effectively and efficiently. That means offloading work where possible, focusing on delivering high-fidelity alerts and minimizing false positives, making it easy to get common tasks done, avoiding the need to learn multiple tools or take manual steps, and more. It’s about mapping out the set of things an analyst must do and making sure the tools improve their ability to do them.

Security and technology decision makers can help here by making sure they understand what their SOC processes look like and how the team is working. Any potential change, addition, or removal of technology needs to be evaluated not just on the merits of the tech itself, but also on how it will impact the experience of the analysts. In trying to save a quick buck or get the latest shiny new toy, you may find that you impede detection and response, increase staff attrition, and reduce the effectiveness of your team.

Q3. What are VMware Carbon Black's plans at Black Hat USA 2023? What can customers and attendees expect to see and hear from your company at the event?

VMware Carbon Black will have a significant presence at Black Hat 2023 as a Diamond sponsor. In our booth #1732, you’ll be able to see our latest cloud and on-prem demos for our XDR, Cloud-Native Detection & Response, Application Control, and advanced Threat Hunting solutions. We are also hosting a lunch and learn on Thursday, August 10, 1:00 PM entitled “Being Held Hostage by Ransomware? Gain the advantage with one change”. I’ll be joined by VMware Carbon Black’s Field CISO and cybersecurity expert Fawaz Rasheed to share his personal experience on the matter. We will be sponsoring the LevelUp Party on Wednesday, 8:00 PM at the Skyfall Lounge at the Delano Hotel. Hope to see you there!
