Future of Threat Intelligence

Welcome to the Future of Threat Intelligence podcast, where we explore the transformative shift from reactive detection to proactive threat management. Join us as we engage with top cybersecurity leaders and practitioners, uncovering strategies that empower organizations to anticipate and neutralize threats before they strike. Each episode is packed with actionable insights, helping you stay ahead of the curve and prepare for the trends and technologies shaping the future.

Listen on:

  • Apple Podcasts
  • Podbean App
  • Spotify

Episodes

2 hours ago

The cybersecurity industry has long operated on fear-based selling and vendor promises that rarely align with practical implementation needs. Jeff Man, Sr. Information Security Evangelist at Online Business Systems, brings a pragmatic perspective after years of navigating compliance requirements and advising organizations from Fortune 100 enterprises to small e-commerce operators. His cautious optimism about the industry's current trajectory stems from witnessing a fundamental shift in how vendors understand and communicate compliance requirements, particularly around PCI DSS 4.0's recent implementation.
 
Jeff's extensive conference speaking experience and hands-on consulting work reveal critical disconnects between security marketing rhetoric and operational reality. His observation that security presentation slides from 1998 remain almost entirely relevant today underscores both the persistence of fundamental security challenges and the industry's slow evolution beyond superficial solutions toward meaningful risk management frameworks. 
 
Topics discussed:

  • The transformation of vendor compliance conversations from generic marketing responses to specific requirement understanding, particularly around PCI DSS 4.0 implementation strategies.
  • Why speaking "compliance language" with clients proves more effective than traditional security-focused approaches, as organizations prioritize mandatory requirements over theoretical security improvements.
  • The reality that 99% of companies fall into small business security categories rather than commonly cited SMB statistics, creating massive gaps between available solutions and actual organizational needs.
  • Risk prioritization methodologies that focus security investments on the 3% of CVEs actively exploited by attackers rather than attempting to address overwhelming vulnerability backlogs.
  • The evolution from fear-uncertainty-doubt selling tactics toward informed decision-making frameworks that help organizations understand exactly what security technologies deliver versus marketing promises.
  • How independent advisory perspectives enable better technology purchasing decisions by providing objective analysis separate from vendor sales motivations and product-specific solutions.
  • The convergence of threat detection, vulnerability prioritization, and compliance requirements into cohesive risk management strategies that align with business operational realities rather than security team preferences.
 
Key Takeaways:

  • Prioritize vendors who demonstrate specific compliance requirement knowledge rather than offering generic "we do compliance" responses, particularly for PCI DSS 4.0 implementation.
  • Frame security discussions using compliance language with business stakeholders, as regulatory requirements drive action more effectively than theoretical security benefits.
  • Focus vulnerability management efforts on the approximately 3% of CVEs that attackers actively exploit rather than attempting to address entire vulnerability backlogs.
  • Recognize that 99% of organizations operate with small business security constraints and require solutions scaled appropriately rather than enterprise-grade implementations.
  • Seek independent security advisory perspectives separate from vendor sales processes to make informed technology purchasing decisions based on actual needs versus marketing promises.
  • Evaluate security investments through risk prioritization frameworks that align with business operations rather than pursuing comprehensive security controls beyond organizational capabilities.
  • Leverage the convergence of compliance requirements, threat intelligence, and vulnerability management to create cohesive risk management strategies rather than implementing disparate security tools.

5 days ago

The criminal underground is experiencing its own version of startup disruption, with massive ransomware-as-a-service operations fragmenting into smaller, more agile groups that operate like independent businesses. John Fokker, Head of Threat Intelligence at Trellix, brings unique insights from monitoring hundreds of millions of global sensors, revealing how defenders' success in EDR detection is paradoxically driving criminals toward more profitable attack models. His team's systematic tracking of AI adoption in criminal networks provides a fascinating parallel to legitimate business transformation, showing how threat actors are methodically testing and scaling new technologies just like any other industry.
Drawing from Trellix's latest Global Threat Report, John tells David why the headlines focus on major enterprise breaches while the real action happens in the profitable mid-market, where companies have extractable revenue but often lack enterprise-level security budgets. This conversation offers rare visibility into how macro trends like AI adoption and improved defensive capabilities are reshaping criminal business models in real-time. 
Topics discussed:

  • The systematic fragmentation of large ransomware-as-a-service operations into independent criminal enterprises, each focusing on specialized capabilities rather than maintaining complex hierarchical structures.
  • How improved EDR detection capabilities are driving a strategic shift from encryption-based ransomware attacks toward data exfiltration and extortion as a more reliable revenue model.
  • The economic targeting patterns that focus on profitable mid-market companies with decent revenue streams but potentially limited security budgets, rather than the headline-grabbing major enterprise victims.
  • Criminal adoption patterns of AI technologies that mirror legitimate business transformation, with systematic testing and gradual scaling as capabilities prove valuable.
  • The emergence of EDR evasion tools as a growing criminal service market, driven by the success of endpoint detection and response technologies in preventing traditional attacks.
  • Why building trust in autonomous security systems faces similar challenges to autonomous vehicles, requiring proven track records and reduced false positives before organizations will release human oversight.
  • The strategic use of global sensor networks combined with public intelligence to map evolving attack patterns and identify blind spots in organizational threat detection capabilities.
  • How entropy-based detection methods at the file and block level can identify encryption activities that indicate potential ransomware attacks in progress.
  • The evolution from structured criminal hierarchies with complete in-house kill chains to distributed networks of specialized service providers and independent operators.
Key Takeaways:

  • Monitor entropy changes in files and block-level data compression rates as early indicators of ransomware encryption activities before full system compromise occurs.
  • Prioritize EDR and XDR deployment investments to force threat actors away from encryption-based attacks toward less reliable data exfiltration methods.
  • Focus threat intelligence gathering on fragmented criminal groups rather than solely tracking large ransomware-as-a-service operations that are splintering into independent cells.
  • Implement graduated trust models for AI-powered security automation, starting with low-risk tasks and expanding autonomy as false positive rates decrease over time.
  • Combine internal sensor data with public threat intelligence reports to identify blind spots and validate detection capabilities across multiple threat vectors.
  • Develop specialized defense strategies for mid-market organizations that balance cost-effectiveness with protection against targeted criminal business models.
  • Track AI adoption patterns in criminal networks using the same systematic approach businesses use for technology transformation initiatives.
  • Build detection capabilities that identify lateral movement and privilege escalation activities that indicate advanced persistent threat presence in network environments.
  • Establish incident response procedures that account for data exfiltration and extortion scenarios, not just traditional encryption-based ransomware attacks.
  • Create threat hunting programs that specifically target EDR evasion tools and techniques as criminals increasingly invest in bypassing endpoint detection technologies.

7 days ago

In this special RSA episode of Future of Threat Intelligence, Martin Naydenov, Industry Principal of Cybersecurity at Frost & Sullivan, offers a sobering perspective on the disconnect between AI marketing and implementation. While the expo floor buzzes with "AI-enabled" security solutions, Martin cautions that many security teams remain reluctant to use these features in their daily operations due to fundamental trust issues. This trust gap becomes particularly concerning when contrasted with how rapidly threat actors have embraced AI to scale their attacks.
Martin walks David through the current state of AI in cybersecurity, from the vendor marketing rush to the practical challenges of implementation. As an analyst who regularly uses AI tools, he provides a balanced view of their capabilities and limitations, emphasizing the need for critical evaluation rather than blind trust. He also demonstrates how easily AI can be leveraged for malicious purposes, creating a pressing need for security teams to overcome their hesitation and develop effective counter-strategies.
Topics discussed:

  • The disconnect between AI marketing hype at RSA and the practical implementation challenges facing security teams in real-world environments.
  • Why security professionals remain hesitant to trust AI features in their tools, despite vendors rapidly incorporating them into security solutions.
  • The critical need for vendors to not just develop AI capabilities but to build trust frameworks that convince security teams their AI can be relied upon.
  • How AI is dramatically lowering the barrier to entry for threat actors by enabling non-technical individuals to create convincing phishing campaigns and malicious scripts.
  • The evolution of phishing from obvious "Nigerian prince" scams with typos to contextually accurate, perfectly crafted messages that can fool even security-aware users.
  • The disproportionate adoption rates between defensive and offensive AI applications, creating a potential advantage for attackers.
  • How security analysts are currently using AI as assistance tools while maintaining critical oversight of the information they provide.
  • The emerging capability for threat actors to build complete personas using AI-generated content, deepfakes, and social media scraping for highly targeted attacks.
Key Takeaways:

  • Implement verification protocols for AI-generated security insights to balance automation benefits with necessary human oversight in your security operations.
  • Establish clear trust boundaries for AI tools by understanding their data sources, decision points, and potential limitations before deploying them in critical security workflows.
  • Develop AI literacy training for security teams to help analysts distinguish between reliable AI outputs and potential hallucinations or inaccuracies.
  • Evaluate your current security stack for unused AI features and determine whether trust issues or training gaps are preventing their adoption.
  • Create AI-resistant authentication protocols that can withstand the sophisticated phishing attempts now possible with language models and deepfake technology.
  • Monitor adversarial AI capabilities by testing your own defenses against AI-generated attack scenarios to identify potential vulnerabilities.
  • Integrate AI tools gradually into security operations, starting with low-risk use cases to build team confidence and establish trust verification processes.
  • Prioritize vendor solutions that provide transparency into their AI models' decision-making processes rather than black-box implementations.
  • Establish metrics to quantify AI effectiveness in your security operations, measuring both performance improvements and false positive/negative rates.
  • Design security awareness training that specifically addresses AI-enhanced social engineering techniques targeting your organization.

Thursday May 22, 2025

In our latest episode of The Future of Threat Intelligence, recorded at RSA Conference 2025, AJ Nash, Founder & CEO, Unspoken Security, provides a sobering assessment of AI's transformation of cybersecurity. Rather than focusing solely on hype, AJ examines the double-edged nature of AI adoption: how it simultaneously empowers defenders while dramatically lowering barriers to entry for sophisticated attacks. His warnings about entering a "post-knowledge world" where humans lose critical skills and adversaries can poison trusted AI systems offer a compelling counterbalance to the technology's promise.
AJ draws parallels to previous technology trends like blockchain that experienced similar hype cycles before stabilizing, but notes that AI's accessibility and widespread applicability make it more likely to have lasting impact. He predicts that the next frontier in security will be AI integrity verification — building systems and organizations dedicated to ensuring that the AI models we increasingly depend on remain trustworthy and resistant to manipulation. Throughout the conversation, AJ emphasizes that while AI will continue to evolve and integrate into our security operations, maintaining human oversight and preserving our knowledge base remains essential.
Topics discussed:

  • The evolution of the RSA Conference and how industry focus has shifted through cycles from endpoints to threat intelligence to blockchain and now to AI, with a particularly strong emphasis on agentic AI.
  • The double-edged impact of AI on workforce dynamics, balancing the potential for enhanced productivity against concerns that companies may prioritize cost-cutting by replacing junior positions, potentially eliminating career development pipelines.
  • The risk of AI-washing, similar to how "intelligence" became a diluted buzzword, with companies claiming AI capabilities without substantive implementation, necessitating deeper verification — and even challenging — of vendors' actual technologies.
  • The emergence of a potential "post-knowledge world" where overreliance on AI systems for summarization and information processing erodes human knowledge of nuance and detail.
  • The critical need for AI integrity verification systems as adversaries shift focus to poisoning models that organizations increasingly depend on, creating new attack surfaces that require specialized oversight.
  • Challenges to intellectual property protection as AI systems scrape and incorporate existing content, raising questions about copyright enforcement and ownership in an era where AI-generated work is derivative by nature.
  • The importance of maintaining human oversight in AI-driven security systems through transparent automation workflows, comprehensive understanding of decision points, and regular verification of system outputs.
  • The parallels between previous technology hype cycles like blockchain and current AI enthusiasm, with the distinction that AI's accessibility and practical applications make it more likely to persist as a transformative technology.
Key Takeaways:

  • Challenge AI vendors to demonstrate their systems transparently by requesting detailed workflow explanations and documentation rather than accepting marketing claims at face value.
  • Implement a "trust but verify" approach to AI systems by establishing human verification checkpoints within automated security workflows to prevent over-reliance on potentially flawed automation.
  • Upskill your technical teams in AI fundamentals to maintain critical thinking abilities that help them understand the limitations and potential vulnerabilities of automated systems.
  • Develop comprehensive AI governance frameworks that address potential model poisoning attacks by establishing regular oversight and integrity verification mechanisms.
  • Establish cross-organizational collaborations with industry partners to create trusted AI verification authorities that can audit and certify model integrity across the security ecosystem.
  • Document all automation workflows thoroughly by mapping decision points, data sources, and potential failure modes to maintain visibility into AI-driven security processes.
  • Prioritize retention of junior security positions to preserve talent development pipelines despite the temptation to replace entry-level roles with AI automation.
  • Conduct regular sampling and testing of AI system outputs to verify accuracy and detect potential manipulation or degradation of model performance over time.
  • Balance innovation with security controls by evaluating new AI technologies for both their benefits and their potential to create new attack surfaces before deployment.
  • Incorporate geopolitical and broader contextual awareness into threat intelligence practices to identify potential connections between world events and emerging cyber threats that AI alone might miss.

Tuesday May 20, 2025

In this special RSA 2025 episode of The Future of Threat Intelligence, David speaks with Jawahar Sivasankaran, President of Cyware, about their partnership with Team Cymru to democratize threat intelligence. Jawahar outlines how their "CTI program in a box" approach enables organizations to implement comprehensive threat intelligence capabilities in weeks rather than months.
Jawahar offers a unique perspective on industry progress and remaining challenges in collaborative defense. This conversation explores the practical realities of operationalizing threat intelligence for organizations beyond the most mature security teams, the current implementation of AI in security operations, and a thoughtful assessment of how automation will reshape security careers without eliminating the need for human expertise.
Topics discussed:

  • How Cyware's partnership with Team Cymru creates turnkey threat intelligence solutions with pre-configured use cases and clear outcomes for rapid implementation.
  • The critical gap in threat intelligence sharing between private and public sectors despite overall industry progress in security capabilities.
  • Cyware's work with ISACs to facilitate bi-directional threat intelligence sharing that benefits organizations at varying maturity levels.
  • Current implementation of AI through Cyware's Quarterback module, featuring knowledge bots and NLP capabilities beyond future aspirations.
  • Multi-agent AI approach to threat-centric automation that focuses on enriching and correlating intelligence for actionable outcomes.
  • Historical perspective on industry disruption and how AI will transform security careers by automating basic tasks while creating new opportunities in design, architecture, and human-machine collaboration.
  • The evolution of security solutions over two decades of RSA conferences and whether the industry is making meaningful progress against adversaries.
  • Practical strategies for implementing comprehensive threat intelligence programs without months of planning and configuration.
 
Key Takeaways:

  • Implement a "CTI program in a box" approach to accelerate threat intelligence adoption, reducing deployment time from months to weeks through pre-configured use cases with clear, measurable outcomes.
  • Establish bi-directional threat intelligence sharing between private and public sectors to strengthen collective defense capabilities against emerging adversary tactics and behaviors.
  • Leverage partnerships with ISACs to gain access to curated threat intelligence that has been validated and contextualized for your specific industry vertical.
  • Deploy AI-powered knowledge bots with NLP capabilities to help your security team more efficiently process and action threat intelligence data without requiring extensive expertise.
  • Adopt a multi-agent AI approach for security operations that enriches threat intelligence, correlates information across sources, and recommends specific defensive actions.
  • Evaluate your organization's cyber threat intelligence maturity honestly, recognizing that even large enterprises and government agencies often struggle with operationalizing intelligence effectively.
  • Streamline threat intelligence implementation through turnkey solutions that provide unified platforms rather than attempting to build capabilities from scratch.
  • Balance AI automation with human expertise in your security operations, recognizing that technology will transform job functions rather than eliminate the need for skilled professionals.
  • Transform basic security workflows into threat-centric processes that focus on actionable outcomes rather than just data collection and processing.
  • Prioritize collaborative defense mechanisms that benefit organizations with varying levels of security maturity, particularly those downstream that lack advanced threat identification capabilities.

Listen to more episodes:

  • Apple
  • Spotify

Thursday May 08, 2025

In a world obsessed with cutting-edge security technology, Lonnie Best, Senior Manager of Detection & Response Services at Rapid7, makes a compelling case for mastering the fundamentals. After transitioning from craft beer journalism through nuclear security to cybersecurity, Lonnie witnessed the evolution of ransomware attacks from "spray and pray" tactics to sophisticated credential theft and security tool disablement. 
His insights reveal why 54% of incident response engagements still trace back to inadequate MFA implementation, and why understanding "how computers compute" creates better security professionals than certifications alone. Lonnie also shares practical wisdom on building effective security operations, avoiding analyst burnout, and measuring program success. As AI increasingly handles tier-one alert triage, he predicts the traditional junior analyst role will fundamentally change within 5-10 years — though human expertise will always remain essential for validating what machines uncover.
Topics discussed:

  • The evolution of attack sophistication from "spray and pray" ransomware to targeted credential theft and security tool disablement, requiring more comprehensive detection capabilities.
  • How managed detection and response (MDR) services have evolved to provide enterprise-grade security capabilities to organizations lacking internal resources or security maturity.
  • The critical components of building an effective internal SOC: centralized logging through SIEM implementation, specialized security expertise across multiple domains, and leadership strategies to combat analyst burnout.
  • Implementing AI and machine learning for tier-one alert triage to reduce analyst fatigue while maintaining human oversight for validation, with predictions that traditional junior analyst roles will transform within 5-10 years.
  • Why traditional metrics like alert closures fail to accurately measure SOC analyst performance, requiring more nuanced approaches focusing on contribution quality rather than quantity.
  • The hiring dilemma of attitude versus aptitude in security analysts, revealing why foundational system administration experience creates more effective investigators than certifications alone.
  • Strategies for preventing analyst burnout through appropriate tooling, staffing levels, and leadership practices that recognize security's 24/7 operational demands.
  • The persistent gap between security knowledge and implementation, as demonstrated by 54% of incident response engagements in 2024 resulting from inadequate MFA deployment or enforcement.
  • Practical fundamentals for effective security: comprehensive asset inventory, attack surface management, vulnerability remediation, and understanding where critical assets reside.
Key Takeaways:

  • Implement multi-factor authentication across all access points to address the root cause behind 54% of incident response engagements in 2024, according to Rapid7's metrics.
  • Build your security operations center with centralized logging through SIEM implementation as the core foundation before expanding detection capabilities.
  • Recruit security analysts with system administration experience rather than just certifications to ensure practical understanding of system behavior and anomaly detection.
  • Deploy AI and machine learning solutions specifically for tier-one alert triage to combat analyst fatigue while maintaining human oversight for validation.
  • Create comprehensive asset inventories that identify and map all crown jewels and their access paths before implementing advanced security controls.
  • Develop leadership strategies that address security's 24/7 operational demands, including appropriate time-off policies and workload management to prevent burnout.
  • Measure security operations performance through nuanced metrics beyond alert closures, focusing on the quality of investigations and genuine threat detection.
  • Structure your security team with specialized roles (threat hunting, cloud detection, malware analysis) to create effective career paths and deeper expertise.
  • Incorporate regular one-on-one meetings with security analysts to assess performance challenges and identify improvement areas beyond traditional metrics.
  • Prioritize attack surface management alongside vulnerability remediation to understand how attackers could gain entry and navigate toward critical assets.

Listen to more episodes:

  • Apple
  • Spotify
  • YouTube
  • Website

Thursday Apr 24, 2025

From cleaning up after an insider theft of the notorious Pegasus spyware to safeguarding billions in payment transactions, Nir Rothenberg brings battlefield-tested security leadership to his role as CISO/CIO at Rapyd, and joins David on this episode of The Future of Threat Intelligence to share all his lessons learned. 
In this no-holds-barred conversation, Nir delivers a wake-up call to security leaders still pretending they can defend against everything, offering instead a radical prioritization framework shaped by watching elite hackers routinely break supposedly "unbreakable" systems.
Nir challenges conventional CISO thinking by ruthlessly eliminating theoretical threats from his roadmap, explaining why even Google-level security can't ultimately stop determined nation-state attackers, and providing practical strategies for focusing resources exclusively on threats that organizations can realistically defend against.
Topics discussed:

  • The challenges of prioritizing security efforts based on attacker capability tiers, focusing resources on threats that can realistically be defended against rather than top-tier nation-state actors.
  • How working with elite offensive security teams fundamentally transforms a defender's understanding of what's feasible in attack scenarios and reshapes security investment decisions.
  • The evolution of breach disclosure practices and why current placative approaches prioritize shareholder confidence over sharing actionable details that would help other defenders.
  • Strategic approaches to developing security capabilities through partnerships rather than building in-house, particularly for specialized functions like threat intelligence.
  • Why even major crypto breaches often stem from preventable issues like social engineering rather than sophisticated technical exploits, and how to prioritize defenses accordingly.
  • Practical strategies for combating CISO burnout through focused prioritization and avoiding the tendency of boiling the ocean that leads to ineffective security programs.
  • Creating collaborative security ecosystems that leverage the numerical advantage defenders have over attackers when working together effectively.
  • How to extract meaningful intelligence from breaches beyond just indicators of compromise, focusing on understanding attacker methodologies and misconfigurations that can be tested and remediated.
Key Takeaways:

  • Prioritize security resources based on attacker capability tiers, focusing efforts on threats that can realistically be defended against rather than top-tier nation-state actors that will find a way in regardless of defenses.
  • Implement a strategic partnership approach with specialized security vendors instead of building capabilities like threat intelligence in-house, leveraging their decades of experience to enhance your security posture more efficiently.
  • Demand more detailed technical information in breach disclosures from vendors and partners, seeking specific misconfigurations and vulnerabilities that were exploited rather than just indicators of compromise.
  • Position your security leadership role within the management team to enable greater impact, reducing bureaucratic barriers to implementing innovative security controls and technologies.
  • Evaluate emerging security startups as design partners before they become widely known, creating a competitive advantage through early access to cutting-edge security capabilities.
  • Challenge theoretical security risks like AI data exposure by comparing them with documented threats that have caused actual damage, allocating resources proportionally to proven rather than hypothetical dangers.
  • Leverage M&A transitions as opportunities to eliminate technical debt and modernize security practices rather than just viewing them as risk events requiring assessment.
  • Adopt comprehensive breach intelligence sources like the Verizon Breach Report to compensate for the limited technical detail in most public breach disclosures.
  • Combat CISO burnout by focusing exclusively on security elements you can control and impact.
  • Create collaborative security ecosystems with partners, vendors, and internal teams to maximize the numerical advantage defenders have over attackers when working together effectively.

Thursday Apr 10, 2025

Jill Rhodes, SVP & CISO at Option Care Health, shares her unconventional journey from international development lawyer stationed in Bolivia and Moscow to healthcare leader, where she built the security program from the ground up as the organization's first CISO. Jill outlines for David how a transformative assignment at an intelligence agency sparked her cybersecurity passion before she helped build cloud environments for the intelligence community. 
Now, she's leveraging this background to develop what she calls the rainbow of security — a visual security model for board communications — while building a security culture so pervasive that employees discuss security without her team present. Her approach, balancing legal analytical thinking with strategic security vision, demonstrates how healthcare CISOs can navigate a complex regulatory landscape of HIPAA plus 50 different state laws while maintaining the essential visibility needed for comprehensive threat intelligence.
Topics discussed:

  • Transforming organizational behavior through the Ambassador Program that deploys 100+ non-technical employees as security advocates.
  • Conducting pre-meeting content reviews with non-technical audiences including family members and business partners to ensure security concepts are translated from technical language into business value propositions.
  • Navigating the complex healthcare regulatory landscape that requires simultaneous compliance with federal HIPAA requirements and 50 distinct state privacy laws versus the unified security framework of intelligence agencies.
  • Implementing the rainbow of security visualization framework that maps security controls from perimeter to internal systems, making complex security architecture understandable to board members while facilitating threat intelligence integration.
  • Building security teams through maturity-based prioritization by conducting comprehensive security maturity assessments before hiring, then strategically filling gaps starting with technical experts to complement leadership's strategic orientation.
  • Measuring security program effectiveness through cultural integration metrics rather than technical KPIs by tracking whether security considerations arise organically in conversations when security personnel aren't present.
  • Applying intelligence community verification methodology to threat intelligence by requiring multiple non-derivative data sources to validate information, particularly crucial as healthcare-specific threat intelligence accessibility has declined.
Key Takeaways: 
Implement a security ambassador program by recruiting non-technical employees across your organization to meet monthly, discuss security topics relevant to both work and personal life, and serve as security advocates within their departments.
Translate technical security concepts for board presentations by testing your content on non-technical family members and business partners first — if they don't understand it, executives won't either.
Construct your security team strategically by first conducting a comprehensive security maturity assessment to identify gaps, then hiring for skills that complement leadership's background rather than duplicating existing expertise.
Develop a visual security framework that maps controls from perimeter to internal systems, making complex architecture understandable to executives while providing structure for threat intelligence integration.
Measure security program effectiveness through cultural indicators rather than just technical metrics, specifically tracking whether security considerations arise organically in conversations when security personnel aren't present.
Validate threat intelligence using the intelligence community verification methodology by requiring multiple non-derivative data sources before acting on information, especially important as healthcare-specific intelligence becomes less accessible.
Navigate complex healthcare regulations by partnering closely with privacy, compliance, and business teams to create a collaborative approach to security rather than viewing it as a balance between competing priorities.
Build security partnerships across departments, especially with finance, privacy, and compliance teams, to frame security risks in business language rather than technical terms and strengthen organizational buy-in.
Transform security behaviors by comparing security adoption to the evolution of seatbelt use — initially resisted but eventually becoming automatic — to normalize security practices throughout the organization.
Apply intelligence community analytical thinking to private sector security challenges by focusing on asking the right questions rather than having all the technical answers, particularly valuable for CISOs with non-technical backgrounds.

Thursday Mar 20, 2025

In this episode of The Future of Threat Intelligence, Dmitri Alperovitch, Co-founder & Executive Chairman at Silverado Policy Accelerator and Author of World on the Brink: How America Can Beat China in the Race for the 21st Century, delivers a stark warning about the second Cold War with China that's unfolding, from military and nuclear arms races to space competition and technological rivalry. 
Dmitri also shares how the Volt Typhoon intrusions represent deliberate "preparation of the battlefield" for potential conflict. He explains why Salt Typhoon could represent one of America's greatest counterintelligence failures.
Topics discussed:
The evolution of Chinese cyber operations from noisy, sloppy techniques in 2010 to today's sophisticated threats that represent unprecedented counterintelligence failures.
How the Volt Typhoon intrusions into critical infrastructure serve as "preparation of the battlefield" designed to impede America's ability to defend Taiwan during potential conflict.
The concrete evidence of China's Taiwan invasion preparations, including specialized bridge barges designed to land armored forces directly onto Taiwan's highways.
Why Taiwan's 40% share of global semiconductor manufacturing creates catastrophic economic risk that could trigger a 5% compression in global GDP if disrupted.
The fundamental flaw in prevention-focused security models and why CrowdStrike's hunt-focused approach better addresses persistent nation-state threats.
Why the concept of "deterrence by denial" fails in cyberspace, unlike in physical warfare where anti-ship capabilities and other tactics can effectively deter invasion.
The organizational dysfunction in US government cybersecurity, where even CISA lacks operational control over civilian networks and agencies operate in silos.
Key Takeaways: 
Implement a hunt-focused security strategy that assumes adversaries will penetrate initial defenses, allocating resources to rapidly detect and eject intruders during their post-exploitation activities before they can accomplish objectives.
Evaluate your organization's target value to nation-state actors rather than simply comparing your defenses to industry peers, recognizing that highly valuable targets will face persistent campaigns lasting years, regardless of defensive measures.
Acknowledge the inherent tension between security and availability requirements in your industry, developing tailored frameworks that balance operational resilience against the risk of catastrophic compromise.
Diversify semiconductor supply chains in your technology procurement strategy to reduce dependency on Taiwan-manufactured chips, preparing contingency plans for severe disruptions in global chip availability.
Incorporate geopolitical risk analysis into your security planning, particularly regarding China-Taiwan tensions and the projected window of heightened vulnerability identified by intelligence experts.
Revise incident response playbooks to address sophisticated nation-state intrusions like Volt Typhoon that target critical infrastructure as "preparation of the battlefield" rather than immediate data theft.
Establish clear security governance across organizational silos, addressing the dysfunction that plagues even government agencies where CISA lacks operational control over civilian networks.
Shift security metrics from prevention-focused measurements to detection speed, dwell time reduction, and ability to prevent objective completion even after initial compromise.
Challenge assumptions about deterrence by denial in your security architecture, recognizing that unlike physical defenses, cyber adversaries have virtually unlimited attack vectors requiring fundamentally different defensive approaches.
Prioritize protection of your most valuable digital assets based on adversary objectives rather than spreading resources evenly, recognizing that nation-state actors will specifically target strategic information regardless of general security posture.
Join us for the 15th anniversary of RISE in San Francisco this April 8-9, where cybersecurity professionals, law enforcement, and threat intelligence analysts come together for two days of TLP-RED content sharing and hands-on collaboration in the fight against cybercrime. 
Apply now at http://www.cymru.com/rise.  

Thursday Mar 13, 2025

What happens when Microsoft's on-premises security falls behind while cloud innovation accelerates? In this episode of The Future of Threat Intelligence, Wes Miller, Research Analyst for Microsoft Identity, Security, and Management at Directions on Microsoft, pulls back the curtain on Microsoft's fragmented security landscape. 
Having survived the historic Windows security push during his 7 years at Microsoft and spent the last 15 years analyzing their enterprise strategy, Wes delivers an insider's perspective on why vulnerable legacy systems like Exchange Server, Certificate Services, and Federation Services have become prime attack vectors while Microsoft focuses its innovation almost exclusively on cloud services. 
He also walks David through why organizations are struggling with critical misconceptions about Entra ID, reveals how Microsoft's release notes contain hidden threat intelligence, and shares tactical approaches to influence Microsoft's security roadmap through strategic stakeholder relationships.
Topics discussed:
The critical security gap between Microsoft's cloud-focused investments and neglected on-premises systems like Exchange, Certificate Services, and Federation Services.
How analyzing Microsoft Defender update notes provides a "hidden" threat intelligence feed that reveals emerging attack patterns targeting enterprise environments.
The misconception that Active Directory and Entra ID are similar systems, when they require fundamentally different security approaches.
Why entitlement management represents the essential intersection between security and identity teams, connecting HR processes directly to access lifecycles.
The strategic challenge of harmonizing legacy and cloud identity systems while protecting non-Microsoft workloads in increasingly Microsoft-centric environments.
Practical methods for large enterprises to influence Microsoft's security roadmap through targeted stakeholder relationships and coordinated feedback.
How certificate servers often operate as "forgotten infrastructure" within organizations, creating prime attack vectors that Microsoft's Defender for Identity is specifically designed to detect.
The threat of Microsoft potentially limiting third-party identity provider integration capabilities, and strategies for maintaining ecosystem diversity.
Key Takeaways: 
Monitor Microsoft Defender release notes to identify emerging attack patterns that Microsoft is actively detecting across their customer base, providing valuable threat intelligence without additional cost.
Implement entitlement management systems that connect HR processes directly to identity lifecycles, ensuring proper access provisioning and deprovisioning throughout employee transitions.
Audit your on-premises certificate servers and federation services which often operate as "forgotten infrastructure" and represent prime attack vectors.
Develop a comprehensive strategy for synchronizing Active Directory and Entra ID, recognizing their fundamental architectural differences rather than treating them as interchangeable systems.
Establish strategic relationships with Microsoft stakeholders to influence their security roadmap, leveraging coordinated feedback when features don't align with real-world enterprise security needs.
Harmonize legacy and cloud identity systems by mapping complete workflows and identifying potential integration gaps between Microsoft's on-premises and cloud-based security tools.
Evaluate third-party identity providers for critical non-Microsoft workloads, addressing the potential limitations of Microsoft's tightening control over Entra ID integration capabilities.
Prioritize Exchange Server security through rigorous patch management and enhanced monitoring, as Microsoft has effectively "abandoned" on-premises Exchange according to Wes Miller.
Integrate security and identity management teams through shared workflow processes, recognizing their interdependence rather than maintaining traditional organizational silos.
Document architectural limitations of Microsoft's identity systems, particularly in hybrid environments where cloud and on-premises systems must interoperate securely.

Copyright 2022 All rights reserved.
