Future of Threat Intelligence

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify

Episodes

4 days ago

In this episode of The Future of Threat Intelligence, Dmitri Alperovitch, Co-founder & Executive Chairman at Silverado Policy Accelerator and Author of World on the Brink: How America Can Beat China in the Race for the 21st Century, delivers a stark warning about the second Cold War with China that's unfolding, from military and nuclear arms races to space competition and technological rivalry. 
Dmitri also shares how the Volt Typhoon intrusions represent deliberate "preparation of the battlefield" for potential conflict. He explains why Salt Typhoon could represent one of America's greatest counterintelligence failures.
Topics discussed:
The evolution of Chinese cyber operations from noisy, sloppy techniques in 2010 to today's sophisticated threats that represent unprecedented counterintelligence failures.
How the Volt Typhoon intrusions into critical infrastructure serve as "preparation of the battlefield" designed to impede America's ability to defend Taiwan during potential conflict.
The concrete evidence of China's Taiwan invasion preparations, including specialized bridge barges designed to land armored forces directly onto Taiwan's highways.
Why Taiwan's 40% share of global semiconductor manufacturing creates catastrophic economic risk that could trigger a 5% compression in global GDP if disrupted.
The fundamental flaw in prevention-focused security models and why CrowdStrike's hunt-focused approach better addresses persistent nation-state threats.
Why the concept of "deterrence by denial" fails in cyberspace, unlike in physical warfare where anti-ship capabilities and other tactics can effectively deter invasion.
The organizational dysfunction in US government cybersecurity, where even CISA lacks operational control over civilian networks and agencies operate in silos.
Key Takeaways: 
Implement a hunt-focused security strategy that assumes adversaries will penetrate initial defenses, allocating resources to rapidly detect and eject intruders during their post-exploitation activities before they can accomplish objectives.
Evaluate your organization's target value to nation state actors rather than simply comparing your defenses to industry peers, recognizing that highly valuable targets will face persistent campaigns lasting years, regardless of defensive measures.
Acknowledge the inherent tension between security and availability requirements in your industry, developing tailored frameworks that balance operational resilience against the risk of catastrophic compromise.
Diversify semiconductor supply chains in your technology procurement strategy to reduce dependency on Taiwan-manufactured chips, preparing contingency plans for severe disruptions in global chip availability.
Incorporate geopolitical risk analysis into your security planning, particularly regarding China-Taiwan tensions and the projected window of heightened vulnerability identified by intelligence experts.
Revise incident response playbooks to address sophisticated nation-state intrusions like Volt Typhoon that target critical infrastructure as "preparation of the battlefield" rather than immediate data theft.
Establish clear security governance across organizational silos, addressing the dysfunction that plagues even government agencies where CISA lacks operational control over civilian networks.
Shift security metrics from prevention-focused measurements to detection speed, dwell time reduction, and ability to prevent objective completion even after initial compromise.
Challenge assumptions about deterrence by denial in your security architecture, recognizing that unlike physical defenses, cyber adversaries have virtually unlimited attack vectors requiring fundamentally different defensive approaches.
Prioritize protection of your most valuable digital assets based on adversary objectives rather than spreading resources evenly, recognizing that nation-state actors will specifically target strategic information regardless of general security posture.
Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. 
Apply now at http://www.cymru.com/rise.  

Thursday Mar 13, 2025

What happens when Microsoft's on-premises security falls behind while cloud innovation accelerates? In this episode of The Future of Threat Intelligence, Wes Miller, Research Analyst for Microsoft Identity, Security, and Management at Directions on Microsoft, pulls back the curtain on Microsoft's fragmented security landscape. 
Having survived the historic Windows security push during his 7 years at Microsoft and spent the last 15 years analyzing their enterprise strategy, Wes delivers an insider's perspective on why vulnerable legacy systems like Exchange Server, Certificate Services, and Federation Services have become prime attack vectors while Microsoft focuses its innovation almost exclusively on cloud services. 
He also walks David through why organizations are struggling with critical misconceptions about Entra ID, reveals how Microsoft's release notes contain hidden threat intelligence, and shares tactical approaches to influence Microsoft's security roadmap through strategic stakeholder relationships.
Topics discussed:
The critical security gap between Microsoft's cloud-focused investments and neglected on-premises systems like Exchange, Certificate Services, and Federation Services.
How analyzing Microsoft Defender update notes provides a "hidden" threat intelligence feed that reveals emerging attack patterns targeting enterprise environments.
The misconception that Active Directory and Entra ID are similar systems, when they require fundamentally different security approaches.
Why entitlement management represents the essential intersection between security and identity teams, connecting HR processes directly to access lifecycles.
The strategic challenge of harmonizing legacy and cloud identity systems while protecting non-Microsoft workloads in increasingly Microsoft-centric environments.
Practical methods for large enterprises to influence Microsoft's security roadmap through targeted stakeholder relationships and coordinated feedback.
How certificate servers often operate as "forgotten infrastructure" within organizations, creating prime attack vectors that Microsoft's Defender for Identity is specifically designed to detect.
The threat of Microsoft potentially limiting third-party identity provider integration capabilities, and strategies for maintaining ecosystem diversity.
Key Takeaways: 
Monitor Microsoft Defender release notes to identify emerging attack patterns that Microsoft is actively detecting across their customer base, providing valuable threat intelligence without additional cost.
Implement entitlement management systems that connect HR processes directly to identity lifecycles, ensuring proper access provisioning and deprovisioning throughout employee transitions.
Audit your on-premises certificate servers and federation services which often operate as "forgotten infrastructure" and represent prime attack vectors.
Develop a comprehensive strategy for synchronizing Active Directory and Entra ID, recognizing their fundamental architectural differences rather than treating them as interchangeable systems.
Establish strategic relationships with Microsoft stakeholders to influence their security roadmap, leveraging coordinated feedback when features don't align with real-world enterprise security needs.
Harmonize legacy and cloud identity systems by mapping complete workflows and identifying potential integration gaps between Microsoft's on-premises and cloud-based security tools.
Evaluate third-party identity providers for critical non-Microsoft workloads, addressing the potential limitations of Microsoft's tightening control over Entra ID integration capabilities.
Prioritize Exchange Server security through rigorous patch management and enhanced monitoring, as Microsoft has effectively "abandoned" on-premises Exchange according to Wes Miller.
Integrate security and identity management teams through shared workflow processes, recognizing their interdependence rather than maintaining traditional organizational silos.
Document architectural limitations of Microsoft's identity systems, particularly in hybrid environments where cloud and on-premises systems must interoperate securely.

Wednesday Mar 05, 2025

In this episode of The Future of Threat Intelligence, Jeffrey Caruso, Senior Analyst at Wikistrat & Author of Inside Cyber Warfare, shares examples of how teams with minimal budgets achieved kinetic effects through OT system manipulation — from destroying missile research facilities to compromising subway systems and burning down FSB-affiliated banks. His findings, based on two years documenting Ukrainian cyber operations, demonstrate how deep supply chain understanding and innovative attack methods are proving more effective than conventional nation-state capabilities. 
He tells David how, through methodical compromise of vendor systems and exfiltration of engineering documentation, these teams have developed techniques for creating cascading physical effects without entering Russian territory. Notably, they've demonstrated that successful cyber-physical attacks don't require massive resources; instead, success comes from understanding system interdependencies and supply chain relationships, combined with the ability to interrogate key technical personnel about specific system behaviors. 
This research challenges traditional security models that emphasize tool stacks over team composition and suggests that adversary categorization (nation-state vs. criminal) may be less relevant than previously thought.
 
Topics discussed:
How Ukrainian teams executed cyber-physical attacks by compromising vendor systems to obtain engineering diagrams and documentation, then exploiting OT vulnerabilities to create kinetic effects.
Why commercial security tools face limitations in addressing these attack methods due to business model constraints and design approach.
Technical examination of supply chain compromise techniques enabling physical infrastructure attacks, with examples of vendor system exploitation.
Evidence supporting an "adversary agnostic" approach to defense rather than traditional threat actor categorization.
Practical insights on building security teams by prioritizing mission focus and institutional loyalty over technical credentials.
Analysis of how OT system trial-and-error testing creates new risks for critical infrastructure protection.
Key Takeaways: 
Implement an adversary-agnostic defense strategy rather than focusing on threat actor categorization, as demonstrated by Ukrainian operations showing how even small teams can achieve nation-state-level impacts.
Prioritize supply chain security assessments by mapping vendor relationships and identifying potential engineering documentation exposure points that could enable cyber-physical attacks.
Establish comprehensive OT system monitoring to detect trial-and-error testing patterns that could indicate attackers attempting to understand system behavior for kinetic effects.
Transform security team building by prioritizing veteran hiring and mission focus over technical credentials alone, focusing on demonstrated loyalty and motivation.
Design resilient backup systems and fail-safes for critical infrastructure, operating under the assumption that primary defenses will be compromised.
Evaluate commercial security tools against their fundamental design limitations and business model constraints rather than feature lists alone.
Document all subsystems and interdependencies in OT environments to understand potential cascade effects that could be exploited for physical impact.
Build security team loyalty through comprehensive support services, competitive compensation, and burnout prevention rather than relying on high-paid "superstar" hires.
Develop verification checkpoints throughout automated security processes rather than assuming tool effectiveness, particularly for critical infrastructure protection.
Create architectural resilience by assuming breach scenarios and implementing multiple layers of manual oversight for critical system changes.

Thursday Feb 27, 2025

Deral Heiland’s research has uncovered critical vulnerabilities across the IoT spectrum, from office printers to medical devices, revealing how seemingly isolated devices can compromise entire networks. In one investigation, he discovered active credentials for five major hospital systems still present on secondhand medical equipment. 
With extensive experience, including his current role as Principal Security Researcher (IoT) at Rapid7, Deral breaks down why IoT security requires examining entire ecosystems rather than individual devices, and shares practical frameworks for testing and securing IoT infrastructure at scale. On this episode of The Future of Threat Intelligence, Deral walks David through how his team's testing methodology examines the full attack surface: embedded device firmware, cloud APIs, management interfaces, and critically — the often-overlooked inter-chip communications. 
Topics discussed:
The development of an IoT testing methodology that maps complete device ecosystems: examining firmware extraction points, analyzing unencrypted inter-chip communications, evaluating cloud API security posture, and testing management interface access controls.
A technical analysis of inter-chip communication vulnerabilities, where internal busses like I2C and SPI often transmit authentication credentials and sensitive data without encryption, even in devices with strong external security.
An example of lateral movement through a state government network via unsegmented security cameras, demonstrating how default credentials and shared infrastructure bypassed department-level network isolation.
A framework for building IoT security testing capabilities, progressing from web/API/mobile security foundations to hardware-specific skills like firmware analysis and bus protocol monitoring.
Research findings on medical device disposal practices, identifying Active Directory credentials, Wi-Fi PSKs, and other sensitive data retained in second-hand equipment across five major hospital systems.
Practical strategies for securing unpatchable legacy IoT devices through network segmentation, behavioral baseline monitoring, and access control reconfiguration.
Integration of AI tools to accelerate IoT security testing, focusing on firmware analysis automation while maintaining human oversight of test methodology and results validation.
Implementation of coordinated vulnerability disclosure programs specifically designed for IoT vendors, including practical mitigation strategies for devices that cannot be immediately patched.
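The inter-chip point above (internal busses such as I2C, SPI and UART carrying credentials in cleartext even on devices with hardened external interfaces) is easiest to appreciate with a capture in hand. The following is an added example, not code from the podcast or from Rapid7: it takes a logic-analyzer CSV export of decoded bus bytes (one row per byte, `time,channel,value`, the shape most analyzer decoders emit), reassembles each channel into a byte stream, and carves out credential-shaped strings. The capture is constructed for this example and models an MCU configuring a Wi-Fi module with an ESP-style `AT+CWJAP="ssid","password"` command plus a config EEPROM read over I2C; the channel names, the AT syntax and the key names in the regex are assumptions, not anything the episode states.

```python
"""Carve cleartext secrets out of an inter-chip bus capture (added example)."""
import csv
import io
import re
from typing import Dict, List


def _rows(channel: str, payload: bytes, start: float, step: float = 1e-5) -> str:
    """Render one decoded byte per CSV row, as analyzer exports do.
    Used only to build the constructed sample below."""
    return "".join(
        f"{start + i * step:.6f},{channel},0x{b:02x}\n" for i, b in enumerate(payload)
    )


# Constructed capture (not from a real device): MCU -> radio on MOSI, radio -> MCU
# on MISO, and an I2C EEPROM read on SDA. ASCII strings cross the board in clear.
SAMPLE_CSV = (
    "time,channel,value\n"
    + _rows("MOSI", b'AT+CWJAP="OfficeNet","S3cretPSK!"\r\n', 0.000)
    + _rows("MISO", b"OK\r\n", 0.010)
    + _rows("MOSI", b'AT+CIPSTART="TCP","api.example.net",443\r\n', 0.020)
    + _rows("SDA", b"\x00\x10ssid=OfficeNet;psk=Winter2024!;\xff\xff", 0.030)
)


def reassemble(csv_text: str) -> Dict[str, bytes]:
    """Group decoded bytes per channel, ordered by timestamp."""
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: float(r["time"]))
    streams: Dict[str, bytearray] = {}
    for r in rows:
        streams.setdefault(r["channel"], bytearray()).append(int(r["value"], 16))
    return {ch: bytes(buf) for ch, buf in streams.items()}


# Assumed patterns: ESP-style Wi-Fi join command, and generic key=value secrets.
AT_WIFI = re.compile(rb'AT\+CWJAP="([^"]*)","([^"]*)"')
KEY_VALUE = re.compile(rb'(?i)\b(psk|password|passwd|token|apikey)\s*[=:]\s*"?([^"\s,;]+)')


def find_secrets(stream: bytes) -> List[dict]:
    """Return credential-shaped hits found in one channel's byte stream."""
    hits: List[dict] = []
    for m in AT_WIFI.finditer(stream):
        hits.append({
            "kind": "wifi_credential",
            "ssid": m.group(1).decode(errors="replace"),
            "password": m.group(2).decode(errors="replace"),
        })
    for m in KEY_VALUE.finditer(stream):
        hits.append({
            "kind": m.group(1).decode().lower(),
            "value": m.group(2).decode(errors="replace"),
        })
    return hits


def scan_capture(csv_text: str) -> Dict[str, List[dict]]:
    """Channel name -> list of secrets seen on that bus."""
    return {ch: find_secrets(buf) for ch, buf in reassemble(csv_text).items()}


if __name__ == "__main__":
    for channel, found in scan_capture(SAMPLE_CSV).items():
        for hit in found:
            print(channel, hit)
```

On the constructed capture the scan reports the Wi-Fi SSID and password on MOSI and a `psk=` value on SDA, and nothing on MISO. The same loop runs unchanged over a real export once the analyzer's protocol decoder (SPI, I2C or async serial) has turned edges into bytes; the regex list is the part to grow per product, since the interesting strings are whatever that board's firmware passes to its radio, crypto or storage chip.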
Key Takeaways: 
Map IoT device communication pathways by monitoring all traffic types and documenting API endpoints, cloud services, and management interfaces to understand the complete attack surface.
Implement protocol-aware monitoring for inter-chip communications to detect unauthorized data access at the hardware level, even when external interfaces are secured.
Deploy VLAN segmentation with explicit access controls for IoT devices, using separate networks for different device types with monitored cross-VLAN communication.
Create device behavior baselines using network flow analysis to identify normal communication patterns and detect anomalous activities that could indicate compromise or misuse.
Establish IoT asset disposal procedures that include secure erasure verification, credential revocation, and documentation of all removed sensitive data before decommissioning.
Implement network access controls for legacy devices based on known-good behavior patterns, restricting communication to required services and monitoring for deviation from baseline.
Deploy protocol-specific IDS rules for IoT device traffic, focusing on device-specific anomalies rather than traditional network attack signatures.
Develop hardware testing capabilities by starting with API/mobile security testing, then progressively adding firmware analysis and hardware protocol monitoring skills.
Create incident response playbooks specifically for IoT devices, including procedures for evidence collection from embedded systems and cloud service logs.
Structure vulnerability disclosure processes around providing configuration-based mitigations when patches aren't available, focusing on network isolation and access control recommendations.
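Several of the takeaways above (a behaviour baseline built from network flows, access restricted to known-good patterns, and detection of deviation from that baseline for unpatchable devices) come down to one mechanism. The block below is an added example, not code from the podcast or from Rapid7: it learns, per device on an IoT VLAN, the set of (destination, port, protocol) peers seen during a learning window and the largest single flow, then flags later flows that introduce a new peer, come from an unknown device, or carry far more data than anything learned. The flow records are constructed NetFlow/IPFIX-style tuples; addresses, the 5x volume threshold and field names are assumptions.

```python
"""Per-device network behaviour baseline for an IoT segment (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str      # device address on the IoT VLAN
    dst: str
    dport: int
    proto: str    # "tcp" or "udp"
    nbytes: int   # bytes sent by src in this flow


@dataclass
class DeviceProfile:
    peers: Set[Tuple[str, int, str]] = field(default_factory=set)  # (dst, dport, proto)
    max_bytes: int = 0                                             # largest learned flow


def build_baseline(flows: Iterable[Flow]) -> Dict[str, DeviceProfile]:
    """Learn each device's peer set and largest single flow. The learning window
    should cover the device's whole duty cycle (firmware checks, nightly uploads)."""
    profiles: Dict[str, DeviceProfile] = defaultdict(DeviceProfile)
    for f in flows:
        p = profiles[f.src]
        p.peers.add((f.dst, f.dport, f.proto))
        p.max_bytes = max(p.max_bytes, f.nbytes)
    return dict(profiles)


def find_deviations(baseline: Dict[str, DeviceProfile], flows: Iterable[Flow],
                    volume_factor: int = 5) -> List[str]:
    """One finding per departure from the baseline: a camera opening SMB to a
    workstation subnet, or pushing 5x its largest-ever flow to an external host."""
    findings: List[str] = []
    for f in flows:
        where = f"{f.dst}:{f.dport}/{f.proto}"
        p = baseline.get(f.src)
        if p is None:
            findings.append(f"UNKNOWN_DEVICE {f.src} -> {where}")
            continue
        if (f.dst, f.dport, f.proto) not in p.peers:
            findings.append(f"NEW_PEER {f.src} -> {where}")
        if p.max_bytes and f.nbytes > volume_factor * p.max_bytes:
            findings.append(
                f"VOLUME {f.src} -> {where} {f.nbytes}B (baseline max {p.max_bytes}B)"
            )
    return findings


# Constructed learning window: a camera (10.20.0.11) streaming to an NVR and a
# printer (10.20.0.12) fed by a print server, both using the local NTP source.
LEARNING_FLOWS = [
    Flow("10.20.0.11", "10.20.0.5", 554, "tcp", 120000),
    Flow("10.20.0.11", "10.20.0.5", 9000, "tcp", 4000),
    Flow("10.20.0.11", "10.20.0.1", 123, "udp", 96),
    Flow("10.20.0.11", "10.20.0.5", 554, "tcp", 150000),
    Flow("10.20.0.12", "10.20.0.30", 9100, "tcp", 80000),
    Flow("10.20.0.12", "10.20.0.1", 123, "udp", 96),
]

# Constructed observation window: normal traffic plus a camera reaching into a
# workstation subnet over SMB, a large upload to an external host, and a device
# that was never profiled.
OBSERVED_FLOWS = [
    Flow("10.20.0.11", "10.20.0.5", 554, "tcp", 130000),
    Flow("10.20.0.11", "10.10.0.50", 445, "tcp", 2000),
    Flow("10.20.0.11", "203.0.113.9", 443, "tcp", 900000),
    Flow("10.20.0.99", "10.20.0.5", 554, "tcp", 100),
    Flow("10.20.0.12", "10.20.0.30", 9100, "tcp", 50000),
]


def run_demo() -> List[str]:
    """Baseline on the learning window, then evaluate the observed flows."""
    return find_deviations(build_baseline(LEARNING_FLOWS), OBSERVED_FLOWS)


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Two practical caveats. Devices that talk to cloud APIs behind churning IPs should be keyed on the resolved name or destination prefix rather than the bare address, or every CDN rotation becomes a NEW_PEER. And the single max-bytes threshold is deliberately crude; with a real collector feed (NetFlow/IPFIX or Zeek conn.log) a per-peer percentile is a better volume baseline. The learned peer sets are also exactly the allow-list the VLAN access-control takeaway asks for.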

Thursday Feb 20, 2025

What happens when you combine market research expertise with cybersecurity strategy? On this episode of The Future of Threat Intelligence, Frank Dickson, Group VP of Security & Trust at IDC, shares his journey from market research to leading a team of 20 cybersecurity analysts advising organizations on security strategy. 
Frank walks David through the industry's shift from reactive security to proactive threat management, discussing why traditional metrics need to evolve and how security leaders can better communicate risk to business stakeholders. His unique perspective on the CISO role's evolution, the impact of organizational complexity on security, and the strategic importance of data management reveals why technical expertise alone isn't enough for modern security leadership. 
Topics discussed:
Moving from reactive security to proactive threat management through strategic metrics and improved risk communication approaches.
The evolution of the CISO role from technical expert to business leader, including critical communication and customer service skills.
Impact of organizational complexity on security effectiveness, particularly in environments with legacy systems and acquisitions.
Strategic approaches to managing and leveraging threat intelligence data while avoiding unnecessary complexity and redundancy.
Balancing necessary and unnecessary risks when implementing AI and machine learning in security programs.
Importance of translating cyber risk into business risk for effective communication with executives and board members.
The evolution of security leadership reporting structures in response to changing business technology dynamics.
Building strategic security programs that focus on simplification and clear business alignment.
The challenges of regulation in driving security adoption while maintaining agility and effectiveness.
Developing security metrics that meaningfully communicate value and risk to business stakeholders.
Key Takeaways: 
Implement mean time to detection and mean time to remediation as core metrics to measure security program effectiveness and efficiency.
Transform threat data into actionable intelligence by aligning it specifically with your environment's outcomes and requirements.
Streamline security infrastructure by consolidating tools and platforms to reduce complexity and improve manageability.
Establish direct CISO-to-CEO reporting structures to effectively manage security across line-of-business technology initiatives.
Develop customer service capabilities within security leadership to support sales processes and stakeholder relationships.
Structure security communications around business risk rather than technical metrics to improve executive understanding and support.
Create standardized taxonomies using frameworks like MITRE ATT&CK and OCSF to make security data more homogeneous and actionable.
Evaluate AI implementation risks by distinguishing between necessary innovation risks and unnecessary implementation risks.
Build security leadership skills progressively through compliance, business acumen, and executive communication capabilities.
Maintain comprehensive data inventories to prevent orphaned data and reduce unnecessary security exposure.

Thursday Feb 13, 2025

Jeff Orr, Director of Research & IT Technologies at ISG, brings over three decades of technology experience to his discussion with David about transforming enterprise security approaches. On this episode of The Future of Threat Intelligence, Jeff explains why traditional security investments focused primarily on protection are leaving organizations vulnerable, with 98% experiencing significant incidents despite increased spending. 
The conversation also explores the critical need to shift from perimeter defense to comprehensive security programs that include detection and recovery, while addressing the challenges of limited budgets and resources. Jeff offers practical insights about aligning security with business objectives, leveraging AI effectively, and building valuable industry peer networks to stay ahead of emerging threats. 
Topics discussed:
The evolution from traditional perimeter defense approaches to comprehensive security programs that include detection and recovery capabilities.
Research findings that show 98% of organizations experienced significant security incidents despite increased investment in protection.
The importance of aligning security goals with business objectives rather than treating security as an isolated technical challenge.
Leveraging AI and machine learning as assistive technologies to help address staffing gaps and alert fatigue in security operations.
Balancing security investments across protection, detection, and recovery capabilities while operating under constrained budgets.
The role of experience and human intuition in security operations, and how AI can complement but not replace seasoned practitioners.
Building effective community networks within industries and geographic regions to share threat intelligence and security insights.
The importance of breaking down silos between IT and security teams to leverage existing tools and observability capabilities.
Developing risk-based approaches to security that align with business risk appetite and operational priorities.
Creating effective tabletop exercises that include business stakeholders to better understand and prepare for security incidents.
Key Takeaways: 
Diversify security investments beyond perimeter protection by allocating specific budget percentages to detection and recovery capabilities.
Establish clear metrics linking security initiatives to business outcomes through collaboration with department leaders and stakeholders.
Implement automated threat intelligence sharing within your industry vertical to leverage collective insights about emerging attack patterns.
Deploy AI-powered security tools strategically to address alert fatigue while maintaining human oversight of critical security decisions.
Create cross-functional teams between IT and security to leverage existing observability tools and network monitoring capabilities.
Develop comprehensive incident response plans that include business continuity strategies beyond just technical recovery procedures.
Institute regular brown bag sessions between security and IT teams to share knowledge about emerging threats and technical capabilities.
Build regional security partnerships with peer organizations to share attack intelligence and mitigation strategies.
Schedule quarterly tabletop exercises that involve business stakeholders in scenario planning for security incidents.

Thursday Feb 06, 2025

Where is the balance between data accessibility and protection in today's interconnected digital landscape? Oded Anderman, Privacy Lead at Meta, has plenty of insights on this question and more from his journey from financial services to protecting user data at one of the world's largest social platforms. 
His conversation with David on this episode of The Future of Threat Intelligence explores how the proliferation of connected devices, advancement in AI, and evolving regulatory frameworks are reshaping our approach to data privacy. 
Oded also touches on why unauthorized data scraping poses risks for organizations of all sizes, not just social media giants, and offers practical strategies for implementing effective privacy protection measures while maintaining essential business functions.
Topics discussed:
The evolution of data scraping threats, from simple email harvesting to sophisticated automated collection affecting organizations of all sizes.
The impacts of technological advancements, including AI and machine learning, on both data collection capabilities and protective measures.
How regulatory frameworks like GDPR and CCPA shape organizational approaches to data protection and privacy.
Strategies for distinguishing between legitimate data collection and unauthorized scraping while maintaining business accessibility.
Comprehensive anti-scraping programs that incorporate prevention, detection, and enforcement capabilities.
Importance of industry collaboration through organizations like the Mitigating Unauthorized Scraping Alliance.
Challenges of balancing privacy protection with legitimate research needs through controlled data access programs.
The growing need for consumer education and digital literacy in protecting personal information online.
Evolution of privacy policies and communication strategies to make data practices more transparent and accessible.
Key Takeaways: 
Implement a comprehensive anti-scraping strategy that addresses prevention, detection, and enforcement rather than focusing on single-point solutions.
Recognize that unauthorized data scraping affects organizations of all sizes, not just large social media platforms.
Develop clear protocols for distinguishing between legitimate data collection and unauthorized scraping activities.
Stay informed about evolving regulatory frameworks and adjust data protection strategies accordingly.
Invest in consumer education and transparent communication about data practices and privacy policies.
Participate in industry collaborations and information sharing to stay ahead of emerging threats.
Balance security measures with business accessibility to maintain user value while protecting data.
Consider both technical and regulatory aspects when developing data protection strategies.
Maintain awareness of emerging technologies that could impact both threat scenarios and protective measures.
Prepare for future developments in the data protection landscape, including potential governed data exchange platforms.

Thursday Jan 30, 2025

When Ben April started managing remote teams in 2005, the concept was nearly unheard of. Now, as CTO of Maltego, he brings nearly two decades of distributed team leadership experience, which he shares with David in this episode of The Future of Threat Intelligence. From implementing Commander's Intent for clear direction to ensuring mental health support during the pandemic, Ben brings practical wisdom about building strong remote cultures that transcend time zones and technology challenges.
His unique perspective on hybrid versus fully remote environments reveals why seemingly simple choices about communication tools and meeting structures can make or break team cohesion. Drawing from experiences that span from the early days of remote work through the global pandemic and beyond, Ben has invaluable insights about preventing burnout, maintaining work-life boundaries, and fostering genuine connection in distributed teams.
Topics discussed:
Establishing effective communication protocols across multiple time zones while preventing isolation and maintaining team cohesion.
Managing the unique challenges of hybrid work environments versus fully remote teams, including the risk of excluding remote team members.
Developing strategies for monitoring and supporting remote employees' mental health.
Building strong remote team cultures through regular video connections, virtual social activities, and periodic in-person gatherings.
Adapting leadership methodologies to effectively manage distributed teams while maintaining clear lines of communication.
Identifying key characteristics and qualities when hiring for remote positions, including self-motivation and adaptability.
Leveraging follow-the-sun operations for enhanced productivity and continuous coverage across global time zones.
Balancing the benefits of remote work flexibility with the need for face-to-face collaboration and team building.
Creating dedicated workspaces and establishing clear work-life boundaries to prevent burnout in remote work settings.
Implementing Commander's Intent leadership strategy to empower remote teams in making autonomous decisions aligned with organizational goals.
Key Takeaways:
Prioritize video communication to maintain human connection and monitor team wellbeing in remote environments.
Focus on building inclusive communication practices that prevent hybrid environments from creating two-tier team structures.
Schedule regular face-to-face meetings to strengthen team bonds and align on strategic objectives.
Create opportunities for non-work social interaction to maintain team cohesion across remote environments.
Look for self-motivated candidates with strong communication skills when hiring for remote positions.
Leverage global time zones strategically for enhanced operational coverage and team handoffs.
Establish dedicated workspaces and clear boundaries between work and personal life to prevent remote work burnout.
Implement Commander's Intent to provide clear direction while allowing remote teams autonomy in decision-making.

Thursday Jan 23, 2025

David steps into the new world of identity security with Simon Moffatt, Founder & Research Analyst at The Cyber Hut, on the latest episode of The Future of Threat Intelligence. With over two decades of experience, Simon illuminates the dramatic transformation from static directory management to dynamic, threat-informed security architecture. He walks through the challenges of modern identity security, exploring how cloud computing, remote work, and the rise of non-human identities are reshaping our approach to access management. 
 
Simon shares invaluable insights on building adaptive security systems that can respond in real time to emerging threats while balancing usability and privacy concerns. From passwordless authentication to AI-driven security controls, discover how organizations can move beyond traditional static defenses to create more resilient security architectures for an increasingly complex digital landscape.
 
Topics discussed:
 
The evolution of identity security from static directory management to dynamic, adaptive systems responding to real-time threat intelligence and behavioral analysis.
Misconceptions about identity threat intelligence and the importance of moving from static protections to dynamic, responsive security controls.
The intersection of zero trust architecture with identity security principles and how both concepts transcend individual product implementations.
Emerging trends in non-human identity management, including API security, workload identity, and infrastructure automation authentication challenges.
Implementation of adaptive access controls that can make fine-grained security decisions based on real-time context and behavioral analysis.
Balancing privacy considerations with the need for comprehensive security monitoring and threat intelligence sharing across organizations.
The rise of passwordless authentication and its impact on both security posture and user experience in modern digital environments.
Strategies for understanding and mapping your complete identity landscape, including human and non-human identities across cloud and on-premises systems.
The importance of runtime behavior monitoring and real-time intervention capabilities in modern identity security architectures.
Practical approaches to implementing threat-informed defense strategies while maintaining operational efficiency and user productivity.
 
Key Takeaways: 
 
Map your complete identity landscape across cloud and on-prem environments to establish a comprehensive visibility baseline for both human and non-human identities.
Implement adaptive authentication controls that can dynamically adjust access permissions based on real-time context and behavioral analysis.
Deploy passwordless authentication solutions to enhance both security posture and user experience while eliminating password-related vulnerabilities.
Establish robust authentication mechanisms for non-human identities, including API credentials, service accounts, and infrastructure automation tools.
Design fine-grained access controls that can respond to contextual changes by adjusting permissions in real-time rather than simply terminating sessions.
Integrate threat intelligence feeds with identity security controls to enable dynamic, threat-informed defensive responses.
Develop privacy-preserving methods for sharing threat intelligence across organizations while maintaining competitive boundaries and regulatory compliance.
Build resilient identity architectures that assume breach scenarios and focus on rapid detection and response capabilities.
Monitor runtime behaviors of both human and non-human identities to establish baseline patterns and detect anomalous activities.
Create surgical, precise security controls informed by sector-specific threats and actual attack patterns targeting your industry.
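To make the adaptive-control takeaways above concrete, the following is an added example, not code from the episode, from Simon Moffatt or from The Cyber Hut. It scores a request against an identity's behavioral baseline (usual countries and hours) and a threat-intel indicator, then adjusts the granted scopes in place: a human at moderate risk keeps a read-only session until step-up, a workload (which cannot answer an MFA prompt) is narrowed to read-only, and only a threat-feed hit or a high aggregate score ends in an outright deny. The identities alice and ci-runner, the IP indicator, the additive weights and the thresholds are all constructed for illustration.

```python
"""Adaptive access decisions: adjust scopes on context change instead of killing the session."""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Constructed threat-intel indicator standing in for a real feed (assumption, not real data).
THREAT_IP_FEED: FrozenSet[str] = frozenset({"203.0.113.77"})

READ_ONLY: FrozenSet[str] = frozenset({"read"})
DENY_AT = 60     # risk score at or above which access is refused outright (illustrative)
ADJUST_AT = 20   # risk score at or above which scope is narrowed or step-up demanded (illustrative)


@dataclass(frozen=True)
class Identity:
    name: str
    kind: str                       # "human" or "workload" (service account, CI runner, ...)
    usual_countries: FrozenSet[str] # from the runtime behavioral baseline
    usual_hours: range              # UTC hours seen in the baseline


@dataclass(frozen=True)
class Context:
    ip: str
    country: str
    hour_utc: int
    device_managed: bool
    mfa_recent: bool                # a strong factor was presented recently in this session


@dataclass(frozen=True)
class Decision:
    action: str                     # "allow" | "step_up" | "restrict" | "deny"
    scopes: FrozenSet[str]          # scopes actually granted right now
    reasons: Tuple[str, ...]


def risk_score(identity: Identity, ctx: Context) -> Tuple[int, Tuple[str, ...]]:
    """Additive risk score from baseline deviations plus threat intel (weights are illustrative)."""
    score = 0
    reasons = []
    if ctx.ip in THREAT_IP_FEED:
        score += 60
        reasons.append("ip_on_threat_feed")
    if ctx.country not in identity.usual_countries:
        score += 25
        reasons.append("unusual_geo")
    if ctx.hour_utc not in identity.usual_hours:
        score += 10
        reasons.append("outside_baseline_hours")
    if identity.kind == "human" and not ctx.device_managed:
        score += 20
        reasons.append("unmanaged_device")
    return score, tuple(reasons)


def decide(identity: Identity, ctx: Context, requested: FrozenSet[str],
           resource_sensitivity: str = "low") -> Decision:
    """Return the scopes to grant now; narrow rather than terminate where the risk allows it."""
    score, reasons = risk_score(identity, ctx)
    if score >= DENY_AT:
        return Decision("deny", frozenset(), reasons)
    elevated = score >= ADJUST_AT or (resource_sensitivity == "high" and "admin" in requested)
    if not elevated:
        return Decision("allow", requested, reasons)
    if identity.kind == "workload":
        # Workloads cannot complete an MFA challenge, so scope is the only adaptive lever.
        return Decision("restrict", requested & READ_ONLY, reasons)
    if ctx.mfa_recent:
        return Decision("allow", requested, reasons)
    # Keep the human's session alive read-only until step-up authentication completes.
    return Decision("step_up", requested & READ_ONLY, reasons)


# Constructed sample identities (hypothetical).
ALICE = Identity("alice", "human", frozenset({"GB"}), range(7, 20))
CI_RUNNER = Identity("ci-runner", "workload", frozenset({"US"}), range(0, 24))
READ_WRITE: FrozenSet[str] = frozenset({"read", "write"})

if __name__ == "__main__":
    # Same user, new country: scopes shrink to read-only pending step-up, the session survives.
    print(decide(ALICE, Context("198.51.100.5", "FR", 10, True, False), READ_WRITE))
    # Workload seen from an unusual geography: narrowed, not killed.
    print(decide(CI_RUNNER, Context("198.51.100.9", "DE", 3, True, False), READ_WRITE))
    # Source IP on the threat feed: deny regardless of baseline.
    print(decide(CI_RUNNER, Context("203.0.113.77", "US", 3, True, False), READ_WRITE))
```

The design choice worth noting is that `decide` is called on every context change, not only at login, so a session that drifts into a higher-risk state is degraded in place and can be restored once a fresh factor arrives; a real deployment would source the baseline from observed runtime behavior and the indicator set from an actual intelligence feed rather than the constants used here.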

Thursday Jan 16, 2025

David’s latest guest on The Future of Threat Intelligence points out the unexpected ways his customer service background enhances his cybersecurity work. From mastering the art of asking the right questions to navigating remote SOC operations, Lee Ramsey, Senior Security Analyst at Zoom, shares practical insights on digital forensics, incident response, and the future of AI in security.
Drawing from his experience in customer service and his journey to his current role at Zoom, Lee offers valuable perspectives on building successful security teams, implementing effective incident response plans, and maintaining critical thinking in an AI-driven world.
Topics discussed:
The intersection of customer service skills and cybersecurity investigations, focusing on effective communication and problem-solving techniques.
Common pitfalls in incident response planning and the importance of having documented procedures before crises occur.
The impact of AI on digital forensics and incident response, including potential risks and benefits.
Challenges and strategies for managing remote SOC operations in the post-pandemic era.
Key Takeaways: 
Implement a documented incident response plan before you need it to avoid legal and operational complications.
Borrow from customer service skills to improve security investigations through better question-asking techniques.
Approach AI tools with healthy skepticism and always validate their outputs manually.
Build remote SOC capabilities with proper tools and processes for remote data acquisition.
Maintain team cohesion in remote environments through proactive engagement and trust-building.
Document all security practice experience, including CTF participation, to demonstrate practical skills.
Attend local security conferences and volunteer to build professional networks.
Pursue relevant certifications for both credentials and learning opportunities.
Balance tool automation with critical thinking to avoid over-reliance on technology.

Copyright 2022 All rights reserved.
