Livestream at RSAC 2024 on Mastering Cybersecurity Intel & IR Readiness
At Bishop Fox's second-annual livestream from the 2024 RSA Conference in San Francisco, we interviewed David Etue of Cylent Knights LLC and Nick Selby of Evertas for the session, "Mastering Cyber and Intel Threat Readiness."
Transcript
Matt Twells: Hi, welcome back. I'm Matthew Twells, senior solutions architect at Bishop Fox. This panel is called Mastering Cyber and Intel Threat Readiness. We've got David Etue here, principal at Cylent Knights LLC. I'd love for you to tell us a bit about yourself. How's your week been here at RSA so far? How much swag have you collected?
David Etue: Zero swag. I haven't made it to the show floor yet, but I'm glad to be here today. Thank you. I'm the former CEO of Nisos, where I helped scale the first company and manage services for threat intelligence. I've had the opportunity to work in a number of different places in the industry. I started my career as a tech practitioner and a CISO, then went to the vendor side. Disturbingly, I'm hitting 25 years in cyber, which is hard to say out loud.
Matt Twells: You've got to release a greatest hits album now, right?
David Etue: God, no. But, have a great week. The wonderful chaos of RSA.
Matt Twells: That's probably the right way to put it, right? The chaos of RSA. Beautiful chaos.
Nick Selby: It's wonderful, yeah.
Matt Twells: So let's put it on our byline next time around. And then the other guy is Nick Selby, EVP at Evertas. We've worked together before, but I'd love for people who haven't met you before to hear what Evertas does. How are you enjoying your week here in San Francisco?
Nick Selby: Loving San Francisco. I run the professional services team at Evertas, the first crypto insurance company. We do quite a bit of crypto security for the crypto industry, but also traditional cybersecurity consulting. I've been in intelligence in and out for many years. I had an intelligence startup back in 2011. I worked at the NYPD as the director of cyber intelligence and investigations. I was the chief security officer for Paxos Trust Company and also the VP at Trail of Bits.
Matt Twells: You're probably uniquely well-suited for this discussion based on the NYPD. I'm curious from both of your sides, practitioners and now leading programs and helping on a more strategic level, what would you say separates those starting out from the elite in intelligence?
Nick Selby: I'm not going to push back on whether they know what intelligence is because I think that's actually part of the big problem.
David Etue: Yeah, I think the fundamental part is, I started primarily in cybersecurity but have dabbled in intelligence. I started General Electric's open source intelligence program in 1999. I didn't grow up in the intelligence community. For me, it was at Fidelis Security Systems, working with the Air Force, that someone really showed me what the intelligence process was. If you don't understand the intelligence cycle, you're not doing intelligence. A lot of people in our industry grow up in security operations. If you understand lateral movement, executables, and process trees, you're going to be at a disadvantage if you don't understand the intelligence process. Great teams build both capabilities together, with synergies and learning between the two groups.
Nick Selby: I agree. Defining the mission and making sure everyone is on board with what you're trying to do is crucial. Once you've decided what the mission is, applying the tradecraft and known methods in intelligence becomes easier. The hardest thing is figuring out what you want to know and how to make it actionable and relevant to both the geeks in the basement and the C-suite.
Matt Twells: I think the mark of an elite is knowing not just the technical side but also capturing requirements. If you don't know what you're aiming at, don't be surprised when you don't get there. The communication gap is business awareness. Why does the CFO care?
Nick Selby: What's the most important question when you're trying to get the attention of someone who measures their time in 30-second intervals? If you have something that needs to go up to the CEO or the board, it better be worth it and described in a way that is succinct, meaningful, and actionable immediately.
Matt Twells: It's like a meaningful use of political capital. You've got the CEO's attention for maybe 15 minutes. Make sure he understands.
Nick Selby: If you're lucky. You have him in the elevator half the time.
Matt Twells: Where are people falling down right now in setting up these teams and doing the work?
David Etue: It's about preparedness and collaboration. If you told me you had 20 devices encrypted by ransomware, it could be a non-issue or it could be critical systems. That context is key. It's about building partnerships within the business to understand that context. Great teams operationalize this understanding. You build that partnership with your customers to understand the context, which is everything.
Nick Selby: I agree. The biggest danger is being irrelevant. Setting expectations early and making sure your messaging is relevant to the people reading it is crucial. Every time you deliver meaningful, actionable information, you build credibility.
Matt Twells: It's the basics done well. Knowing what you're aiming at is key.
David Etue: Exactly. You need to understand what your goal is. If the goal of your cyber intelligence program is to feed the threat hunting team and create matches in the SIEM, that's one thing. But if you're dealing with fraud issues or insider threats, that's a different approach. Knowing what the goal is and aligning to it is key.
Nick Selby: You can turn morning meetings into a tabletop exercise. If there's a new exploit, ask your team if they can detect it. These basic questions are important and often overlooked.
Matt Twells: Is it true that as an industry, we hyper-focus on nation-state actors when we should be worried about more immediate threats?
Nick Selby: Yes. Focusing on the basics and real-world threats is crucial.
David Etue: I agree. Running intelligence injects into tabletop exercises is key. It brings context and value at a level the C-suite may not expect.
Nick Selby: The sources you look at for intelligence are important. It's not about espionage. It's about turning data into actionable information.
Matt Twells: There's a sea change in regulators taking cybersecurity seriously. Do you see that changing the way companies approach it?
David Etue: The new regulations are fascinating. If your board needs to understand a risk in two or three days, systems analysis isn't enough. This is a boon for intelligence teams. How many are rising to the occasion is unclear, but it's a positive development.
Nick Selby: I'm concerned about oversimplification. Complex issues like supply chain security need more than tick boxes. However, how else do you get the board to listen? It's a tough problem.
Matt Twells: It's like saying you can run a restaurant because you wrote the menu. It's more complex than that.
Nick Selby: CISA is doing a good job, but the problems are complex and nuanced. Getting the board's attention is tough.
David Etue: I think we're seeing a shift in regulation. It's not going to be perfect, but it's moving in the right direction. There's more education and capability in the regulatory environment now.
Nick Selby: Insurance can be a force for good. Rewarding proactive steps in cybersecurity is important.
Matt Twells: Cautious optimism, iterative improvement, and basics done well are key. Thank you both for your time. This was really interesting to me. Enjoy the rest of your week.