How do you define and shape the strategic direction of your organization’s threat intelligence efforts?
eSentire is a global leader in Managed Detection and Response (MDR) services. We have over 2,000 customers across 85 countries.
Atlas, our AI-powered XDR platform, ingests and processes approximately 20 million threat signals a day from our customers, automatically stopping 3 million cyberthreats.
eSentire’s Atlas platform enables our highly-trained SOC analysts and Elite Threat Hunters to focus on the highest priority security events.
On average, our analysts and threat hunters investigate 6,000 security alerts daily, and if confirmed malicious, the threat will be isolated from the customer’s network and eliminated.
eSentire’s threat response time averages 35 seconds, with a mean time to contain (MTTC) of 15 minutes.
I lead the Threat Intelligence team, which acts as an additional layer supporting the SOC.
The Threat Intelligence team at eSentire sits inside of the Research & Development arm of the organization, so the strategic direction is largely informed and influenced by our research and product management teams.
Annually, we hold an offsite where we connect cross-functionally to determine the Threat Intelligence team’s roadmap.
This year we had a huge win in Q1 where we launched our first ever B2B SaaS offering in the form of the Threat Intelligence Feed, which allows our customers to consume indicators of compromise that we curate and leverage internally in threat hunts.
These indicators of compromise are of the highest fidelity as we are collecting and curating them from incidents that our SOC has observed targeting our customer base.
What are the most significant challenges you currently face in threat intelligence, and how are you addressing them?
At a strategic level, I think the industry and threat intelligence analysts have a habit of using overly complex terminology when articulating threats and vulnerabilities.
Those insights can be valuable for other researchers but present a challenge for leadership to consume.
The way we address this is through a variety of intelligence products that are geared towards different audiences.
We complete our malware analysis and true positive blogs for a technical audience.
Our Security Advisories and our Threat Response Unit Intelligence Briefings are delivered for decision makers, so that we are able to take those tactical insights and provide clear and concise insights into the threats and vulnerabilities impacting the threat landscape.
We present the information in a digestible manner for those in leadership positions to make decisions on.
At a more tactical level, it’s the challenge of staying ahead of the malware authors and initial access brokers.
This is fundamentally a human challenge, meaning that there are very talented humans writing software (malware) and looking for ways to gain access to organizations’ IT environments; you need just as talented humans writing detections for the malware and looking for ways to harden environments and reduce an organization’s vulnerabilities.
Can you describe a recent success story where your threat intelligence insights led to a significant security enhancement?
Given our unique role in protecting western industries, we have strong relationships with Five Eyes Intelligence and Law Enforcement agencies.
These relationships can result in unique intelligence sharing opportunities; in this case, we received intelligence on Cisco ASA Zero Days prior to their public disclosure that allowed us to protect our organization as well as our customers.
Another success story from our team is that two of our Threat Intelligence team members recently presented at RSA on research we conducted into the BatLoader and FakeBat malware families; this in-depth research allowed us to build out better detections for our customer base so as to better protect them from these two threats.
How do you ensure your team stays ahead of rapidly evolving cyber threats and maintains a proactive rather than reactive approach?
We stay proactive by leveraging intelligence both from our internal collection of true-positive malicious incidents observed by our SOC, through a process called “incident analysis,” and by conducting open-source collection through a process called “intelligence analysis and exploitation,” which allows us to take proactive actions for our customers leveraging the intelligence created from those processes.
The overall process follows the “Infinite Loop framework” to gather threat intelligence, operationalize it to conduct hypothesis-driven threat hunts, and build detections for our team of 24/7 SOC Cyber Analysts and Threat Hunters.
In terms of tactical and operational outcomes, we leverage our intelligence through threat hunting, which is the practice of proactively searching for signs of malicious activities or indicators of compromise (IOCs) before threat actors gain a deep foothold within an organization’s environment.
This involves observing both attacker behaviors (e.g., evidence of lateral movement, privilege escalation attempts, anomalous user activity) and indicators (e.g., presence of malware artifacts, unusual network traffic, command and control).
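As an added illustration of the two signal classes described in this answer, and of how a curated indicator feed like the one mentioned in the first answer gets consumed in a hunt, here is a small hypothesis-driven hunt in Python. It is example code written for this page, not eSentire's code or the logic of the Atlas platform. The feed entries, host names, accounts, timestamps and thresholds (three distinct hosts within ten minutes, membership changes to administrative groups) are all constructed assumptions; the addresses are RFC 5737 documentation ranges and the hash is a placeholder.

```python
"""
Hypothesis-driven hunt over constructed endpoint and network telemetry.

Two signal classes are checked, mirroring the interview's description:
  * indicators of compromise (IOCs) matched against a curated feed
  * attacker behaviours (lateral movement, privilege escalation attempts)
Every feed entry and event below is CONSTRUCTED sample data for this
example (RFC 5737 documentation addresses, placeholder hash), not real IOCs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed (assumption: a dict keyed by indicator type).
IOC_FEED = {
    "ip": {"198.51.100.23", "203.0.113.7"},
    "sha256": {"a" * 64},          # placeholder hash, not a real sample
    "domain": {"update-check.example"},
}

# Constructed telemetry from a fictional environment.
EVENTS = [
    {"ts": "2024-05-01T02:10:00", "type": "logon", "user": "svc_backup", "host": "WS-01", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T02:11:30", "type": "logon", "user": "svc_backup", "host": "WS-02", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T02:12:10", "type": "logon", "user": "svc_backup", "host": "FS-01", "src_ip": "10.0.0.5"},
    {"ts": "2024-05-01T02:13:00", "type": "process", "user": "svc_backup", "host": "FS-01", "sha256": "a" * 64},
    {"ts": "2024-05-01T02:13:05", "type": "netconn", "host": "FS-01", "dst_ip": "198.51.100.23", "dst_port": 443},
    {"ts": "2024-05-01T02:14:00", "type": "group_change", "user": "svc_backup", "host": "FS-01", "group": "Administrators"},
    {"ts": "2024-05-01T09:00:00", "type": "logon", "user": "alice", "host": "WS-07", "src_ip": "10.0.0.9"},
    {"ts": "2024-05-01T09:05:00", "type": "netconn", "host": "WS-07", "dst_ip": "10.0.0.1", "dst_port": 53},
]


def match_iocs(events, feed):
    """Return (event index, indicator type, value) for every feed hit."""
    hits = []
    fields = (("src_ip", "ip"), ("dst_ip", "ip"), ("sha256", "sha256"), ("domain", "domain"))
    for i, ev in enumerate(events):
        for field, kind in fields:
            value = ev.get(field)
            if value and value in feed.get(kind, ()):
                hits.append((i, kind, value))
    return hits


def detect_lateral_movement(events, min_hosts=3, window=timedelta(minutes=10)):
    """Flag users that log on to >= min_hosts distinct hosts within the window."""
    logons = defaultdict(list)
    for ev in events:
        if ev["type"] == "logon":
            logons[ev["user"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    flagged = {}
    for user, entries in logons.items():
        entries.sort()  # chronological; each logon opens a candidate window
        for start in range(len(entries)):
            t0 = entries[start][0]
            hosts = {h for t, h in entries[start:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def detect_priv_escalation(events, sensitive_groups=("Administrators", "Domain Admins")):
    """Flag group_change events that add an account to a sensitive group."""
    return [ev for ev in events
            if ev["type"] == "group_change" and ev.get("group") in sensitive_groups]


def hunt(events, feed):
    """Combine IOC and behaviour findings into one per-host summary."""
    findings = defaultdict(list)
    for i, kind, value in match_iocs(events, feed):
        findings[events[i]["host"]].append(f"ioc:{kind}={value}")
    for user, hosts in detect_lateral_movement(events).items():
        for h in hosts:
            findings[h].append(f"lateral_movement:user={user}")
    for ev in detect_priv_escalation(events):
        findings[ev["host"]].append(f"priv_escalation:user={ev['user']} group={ev['group']}")
    return dict(findings)


if __name__ == "__main__":
    for host, items in sorted(hunt(EVENTS, IOC_FEED).items()):
        print(host, *items, sep="\n  ")
```

Running it groups every hit by host, so FS-01 surfaces with an IOC hash match, an outbound connection to a feed address, the lateral-movement chain and the group change, while WS-07's ordinary daytime activity produces nothing. The point of combining the two classes is that behavioural findings remain useful when an attacker rotates infrastructure and the feed has no matching indicator yet.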
In your perspective, what emerging technologies or innovations hold the most promise for enhancing threat intelligence capabilities?
Ultimately, the goal of threat intelligence is to be timely, relevant, and actionable, and that requires using both humans and tools.
I believe that Gen AI and LLMs possess a ton of potential for Threat Intelligence teams, specifically around the creation of Intelligence Products and for distilling information.
As an example, threat intelligence products can become overly complex in their communication of threats and vulnerabilities; one way to leverage the LLMs is to prompt them to simplify reports so that consumers can better digest the information and make decisions from the more technical intelligence products.