I was actually thinking of, you know, making a boring start, but actually I've just noticed that maybe you would like to add something to the points that Patrick covered. Is there anything you would like to add, or maybe even object to, but of course after making an introduction about yourself? I'm Matt Calligan, I work for ArmorText, but as far as this topic here is concerned, one of the key focuses is building threat intelligence communities that are already connected through our platform.
So I've actually worked hand-in-hand with the Department of Energy, CISA, DHS members, as well as law enforcement and a lot of critical infrastructure industries in setting up either informal communities, where just different organizations that are on the platform can connect, as well as actually launching official communities under, if you are familiar with the Information Sharing and Analysis Centers in the U.S., those are actual legal entities, you know, done by law, so I help set up a lot of those as well through ArmorText.
So I have become somewhat of a specialist in bringing communities together, sharing best practices, helping them spin that up and get connected. So I'm the nerd who had to design that platform, founder and CEO of ArmorText, Navroop Mitter. We designed this platform with a couple of things in mind. One was the ability to have trusted identities, trusted people, but also to ensure that individual organizations could maintain their own governance. And so that's a lot of what helps enable the kinds of things that Matt is talking about. And we'll touch upon more in the panel.
I don't want to do too much in the introduction. So founder and CEO, Navroop. All right. And for those of you who were not here in the beginning of the session, my name is Osman Cilic. I'm a research analyst at KuppingerCole, and I've been working on the solutions that are utilizing cyber threat intelligence as part of their technology. And I've been working around attack surface management and the network detection and response tools that utilize that intelligence. Yeah. All right. To begin with, as I said, anything to add to Patrick's point or object to it?
Because I think at some point I heard that you claimed that threat intelligence is not actionable at all, I guess. In practice. All right. I would add, not necessarily modify or change, but I would add. There's a lot of emphasis and, given the industry that we operate in and most of our backgrounds being technical, we tend to focus on tools and technologies that can help us be better at our jobs internally with CTI and things. I'm not a technologist. I'm actually more on the human side.
So I always come at this problem from how can humans, you know, come together more effectively to make what we get from these tools more actionable. And I will go head to head with any technologist here that says that a group of humans can actually create something actionable out of TI much faster than any tool can. So that's my controversial opinion. So I guess I'm the cyborg then in the middle who has to translate between the data technologists and the human side of the house.
What I will add is that I don't think it's that CTI isn't actionable. It's that right now we're drinking from the fire hose. Right. If you guys are familiar with it in the US, I think you have them here. You have the fire hydrant, you have this giant hose that's hooked up to it and we're all being blasted with continuous amounts of data points. Data points are not actionable intelligence. The communications and conversations around those data points and what we should actually be thinking about within them, what are the strategies that we're developing as an organization?
What should we be thinking about that we have not thought about that your organization has thought about that dialogue? That's where the intelligence arises from. Intelligence is the analysis of those data points, not the data points themselves. And right now, to Patrick's point earlier, is that, you know, you have these vendors and platforms saying they are the next big thing. And what they're really providing you is just a different look at how to connect to that fire hose, right? Nozzle A versus nozzle B, you're still just getting blasted with a jet of water.
And that's, I think, one of the big challenges. Yeah, that's right.
You know, I'm also looking to look at it from, let's say, another perspective. When you talk to business, you need to talk with business language.
So, you know, it's easy that we say, invest in this, invest in that, invest in quantum computing right now. OK, if I go to my CISO and say the same thing, if she listens to me, she might say, OK, what is the business case for it? Show me the cost and benefit. Show me the ROI and show me it is positive, you know, and it's far away from just academics. It's far away from being so optimistic. Making sure it is visible in your organization, that's the challenge. And that's why I'm saying sometimes it is not actionable.
So if there is a platform and you choose it wisely and your expectations are realistic, you know, because sometimes you just think of, oh, I have a car, it doesn't work well, just go buy another car. CTI is not like that, you know, so different perspectives. But I think we are converging the same thing, but from different points of view.
Well, and this is where I think the sharing communities become so valuable, right? Because the sharing communities, what they allow you to do is they allow you to extract signal from the noise. There's a lot of noise. You have 100,000 data points being thrown at you daily. AI is going to increase the number that's coming every hour, every day. What you've got to go figure out is what's actually applicable to you. Oftentimes, sectors have similar buying patterns, right?
One of the communities that Matt helps support, that he actually helped, frankly, increase the amount of sharing in, and as a result the amount of actionable threat intelligence in, is the energy sector in the US. And when they started tying those members together and created a platform on which they could converse more freely, because they trusted in the security of the platform, they knew that that intelligence wasn't going to get compromised and viewed by an adversary. They also could trust in the identities on the platform.
And because their own legal departments had blessed the platform because it allowed each of them to maintain their own individual governance, it allowed them to share far more freely than they otherwise could on an open platform or an open portal or something else where they had to go post anonymously with less context. That sharing then drives far more actionable intelligence. Here's what we're seeing that's valuable to us. We know that in this sector, our nearest neighbor that has this problem is actually in Florida, even though we're in Washington state. So we want to get this out to you.
But oh, by the way, because New York also has a similar problem, you analyze what this is going to do to the co-ops in your backyard. And maybe if there's new intelligence from that, share that out for others in the community to benefit from as well. That sharing mechanism, that trust, is foundational to actually creating more actionable intelligence. But to Patrick's point, you also have to then figure out how to summarize that in business-relevant terms. Why do I care? Right. And if you can't actually tie it back to how this impacts your individual business, you're going to be at a loss.
And I think that's one of the big misses right now: without adding humans into that to help assess how does this tie into our current M&A strategy? How does this tie into our current go-to-market motion? How does this tie into what the board's current objectives are? It's harder then to justify the additional cost related to some of these activities.
And one of the things that I see on the human side helping out with making those business cases is, a lot of times, when these communities can share specifics around what tools they use, where they are in the evaluation process, the challenges they're hitting internally with management. I often hear about it, and we can't obviously see most of what they're saying because of our particular technology.
But I understand that the communities are out there actually helping each other, coaching them, you know, coaching their colleagues in other, you know, relevant industries and stuff like that on how to present the business case, how to make the case for whatever tool they've all kind of collectively decided or come to the conclusion works best for a particular application. So, again, you can even, you know, crowdsource is overused a lot.
But if you have the right appropriate underpinning tech that can create trust and consolidate the communities and enforce those identities more effectively, people become better at engaging with each other in real time around actionable stuff, even when it comes to tool selection. All right. So then I have a question for you guys. And what distinguishes actionable data from the raw data? Because I think this is one of the challenges that the organizations are having to face nowadays. And how can organizations make use of this actionable data the best, in the best way, let's say.
Very good point. You know, I hope you have watched the very first keynote of the entire cyberevolution this year. There were two senior CISOs and CSOs from these German institutes, I can't remember them exactly, two banks.
And, you know, the very important thing there, you know, when you are going to a board and you are going to show something really matters, you need to talk in risk language. I'm not saying exaggerating things, but, you know, talking in risk language, that if we don't have proper CTI adoption in our organization, it will cause us this problem, that it might affect our productivity and our reputation and, you know, everything.
So, you know, formulate it in that way. OK, to make this happen, raw data cannot make this happen. You need to analyze, correlate, contextualize everything in your organization that say, OK, what CTI brings here, you know, far away from raw data. And there are plenty of discussions there that how do you trust this raw data to be analyzed there?
You know, if someone else is sharing threat with you, how do you make sure that sharing is reliable? Yeah.
You know, this Pandora's box, then it will be open after that. Yeah. And I just wanted to say one thing: when I was doing the analysis with vendors, it is really interesting to see that most vendors actually omit to put a relevancy score, at least for the data they have for the threat intelligence, because then the end user, when you're exposed to too much information, you might be just thinking, OK, I'm from the finance sector, what is relevant to me?
And then, you know, some solutions omit this or they focus too much on risk scoring. But I think that the relevancy score is something that they should also be including in their solutions. This is something I would like to say.
Well, and you can do this without even having technology that provides those kinds of scoring mechanisms. And again, I'm going to beat the same drum about sharing communities. If you all can't tell, I'm a big fan. We see quite frequently, beyond just making the business case internally for why, you know, something's actionable, why we need to buy this platform.
Also, real-time actionable, like this is a real threat kind of actionable. And with utilities in some of these cases, the energy industry specifically, the communities themselves, the people in these communities, help someone who is seeing a particular threat or a potential threat determine if it is something they should pay attention to or not.
You know, oh, don't worry, we're all seeing that IP address. Don't sweat that.
Or like, no, you're the only one that is seeing this. It looks like it's targeting you. The human component of a community can actually help people dial in to what the scale of that particular potential threat is. Is it across an industry? Is it multi industry? Is it just you, the particular utility or bank? So communities can provide those kinds of scoring mechanisms just by interacting with humans that you trust in those communities as well.
I mean, look, I think one of the challenges with the relevancy score is, I'm going to piss off a lot of vendors right now. Right. The promise of the AI that can consume all the institutional knowledge that your best people have about your organization to provide context for that CTI and then, as a result, give you a relevancy score doesn't actually exist. No matter how much marketing BS is being shoved down everyone's throat about how AI has solved this problem. Half the time, the AI is actually hallucinating what it thinks is actually happening.
Half the time, the AI didn't actually consume the right part of your data set, or it's actually still calling stuff that's from someone else. It has nothing to do with your organization. Right. And so you actually do need human capital. The AI is not replacing the human at this point. And so to Matt's point, then it's you, you have a mathematical challenge ahead of you. The average analyst can maybe look at an individual threat in about 20 minutes to help gauge relevancy at best. Right. It means about three an hour. You have an eight hour workday.
You assume one hour for lunch, maybe a smoke break. You're down to about maybe 20 a day. Sound about right?
OK, let's let's double it. Let's make it 40. You've got a team of, let's say, 10 cyber analysts, so you can do 400 events a day.
OK, five days a week, 2000. How many events are our systems throwing off on average?
Oh, too much, too much that you don't even have time to, you know, I can tell you, and this is a major known problem, you get too many alerts that you don't have people to read, to even read them. So, you know, even if you sort it out and they say these are the major ones, you can't cover all those major ones. But not only that, the threat models for each organization are so different that at the end of the day, what you think is major is not a big deal.
Like, for example, Heartbleed was a real problem. If you're on an end-to-end encrypted platform that doesn't rely on TLS, though, except for as an outer wrapping layer, then Heartbleed is dramatically less important for you. But we had every single customer pinging us for, you know, five days straight going like, wait, how does this impact your platform? How does this do this? How does this do that? And it's like, oh, that's right. You don't have the nuanced context that we have about why this doesn't actually affect us at all. We had to write standardized responses and send them back.
And indeed, we weren't impacted. But that context is really hard to go put into a generic tool that isn't actually designed to identify various modes of encryption and understand the nuances there. Right. Your CTI tool is not going to go do that for you. You've got a mathematical challenge. You can't hire your way out of the problem. The only way then to help fill the gap is to engage in the kind of sharing that's taking place here. So you can multiply the efficacy of your team by allowing them to better engage with others.
And one of the studies at MIT years ago showed that sharing begets more sharing. So if you start to solve for what's allowable, what our organization will be OK with legally, you start to have the right kind of protocols in place like the traffic light protocol that was on the board two talks ago. And you can both help enforce that with technical measures, but also establish trust between the humans themselves and trust in the platform. You can actually solve for a significant portion of this mathematical challenge by multiplying your efficacy, cutting signal out of the noise. Right.
Or so you're extracting signal from the noise. We just have noise.
Actually, we can make the panel a bit more interactive if you guys want. Is there anyone who wants to add to the points that we have covered so far? Any questions are also more than welcome.
All right, then we can maybe move on to the next topic. So we were talking about the challenges. Patrick covered most of them. But if you wanted to maybe highlight the top three or top five challenges that you think are the most relevant to sharing threat intelligence, maybe you could mention them. I combine this question with others, but they're all relevant to each other. So what could be the best practices to avoid them? And maybe if you would like to share some success stories that you have witnessed as a vendor, specifically related to threat sharing, you said.
Yeah, I mean, general, if you would like to share. Or maybe I can tell you two challenges and hear your opinions. Number one, legal compliance, especially in insurance and banking. You see many of them. What are you sharing? Privacy concerns like, you know, how do you ensure that we don't get PII or anything is there in that data?
And then, you know, it brings the risk of reputation: if there is any false data there, and mistakenly there is a piece of data there, then how do we ensure we are away from that? What I would do is categorize all of those under what I call cultural problems inside an organization.
People, legal and executives see those risks and they go, because of that, you're not allowed to say much of anything, or no. We've met a lot of organizations that say, no, we're not engaging with our peers in our industry because of these risks. We've got to talk to you. Yeah. So for someone like yourselves who is going back to an organization saying we need to do more of the sharing, we need to find these communities and get out there, you're going to run into those three concerns. Absolutely. And there are certainly ways to address them.
Obviously, we've become quite good at helping our clients make those arguments to their bosses so they get approval. But beyond the cultural, I would say that there's a general trust issue, that trust has to be present. Communities don't just materialize out of nowhere. I tell our sharing communities, like the people who are trying to get them started, it doesn't matter what tool you have.
If nobody knows each other and you don't make an attempt to engage and develop those relationships, if that trust isn't there and the context of who you're talking to isn't there, you'll probably just have, you know, a read-only kind of chat that a lot of these things turn into. But also fragmentation from a technical tool standpoint is a big challenge.
Well, we're going to use this tool, or we're going to use email, or we like Slack, or, oh, the government made a website for us to all go to. Fragmentation is also a big challenge on that. And it's because, frankly, there isn't a lot of money to be made in threat sharing communities, because it's almost always nonprofit or just a random confederation of people coming together. And so it's hard. Those are the big challenges.
But where your three fit in, for sure. On all of Matt's points there, except for the first, I agree wholeheartedly; oddly enough, on the first one I have a slightly different take. Right. I think there are sectors for whom threat intelligence sharing is going to be easier than for others. The sectors where a company enjoys a relative, you know, monopoly of sorts means that they have less of an incentive to not share and quite a bit of incentive to share and engage and receive sharing. Right. So I'll use the US as an example.
In the US, our electric sector, the electricity utilities, they are able to very easily engage in threat intelligence sharing because, by and large, they have localized monopolies. There's a defined region that they get to go serve. There's a defined region for which they are responsible. They know they can't hire their way out of the problem. Engaging and sharing multiplies their efficacy. They want to be in that. Banks are a slightly different challenge, right, because the bank isn't tied to just this one community.
Community banks, maybe, but the larger banks, well, they're going to go across the entire country. In fact, they're going to go globally and they're going to be competing for that same business at those different tiers. And so for them, it's a bit more of a challenge. They then have to understand the business case more about the mathematical challenge, the impossibility to hire, the fact that it's going to cost them dramatically more if they don't engage in this. So it is a bit more of a different business case that has to be established.
But once you can get the general counsel comfortable around those kinds of legal arrangements and also try to funnel the sharing itself through bodies that give you coverage, some sort of privilege like coverage, so that anything shared there can't be used against you later, you can actually get the ball going. And I think that's where it is going to be easier for some of your sectors than for others. We have one minute left. I just wanted to see if anyone has a question so far.
If not, then I have one question, because, you know, as an analyst company, I look at things from a vendor's perspective as well. And when I was doing my research on both attack surface management and NDRs, I've seen many solutions that are even part of the Cyber Threat Alliance, you know, which is, I think, really relevant to sharing threat intelligence. But I've seen that even some of them are not complying with the CTI standards we have around nowadays.
Don't you think that this would actually bring some regulatory concerns to the end user because they are not complying with most of the standards that are available now? I'm not going to comment on regulatory concerns in Europe, but, because I'm not a lawyer and I don't want to play one on TV even, but I will say part of that is intentional. Why do you think? Vendors have a desire to lock you in and make it harder for you to move from one to the other. Vendor lock-in is a real part of their business strategy, right? Monetize it. Absolutely.
And adding to that, you know, sometimes with these standards like STIX and TAXII, during my academic research I noticed that there are some complaints that these are not really user-friendly and they are not really solving the problem. So if two CTI platforms are talking to each other, you know, making data ready for this standard, for this platform, is also a challenge.
Yeah, this is actually something we talk about quite a bit, right? Again, I'm a nerd in the basement originally. How many of you guys remember ETL functions?
Extract, transform, load functions, right?
The reality is, one of the things we've proposed is a lighter-weight method of integrating between distinct types of TIPs that have their own proprietary implementations of, like, STIX and TAXII, which is what prevents the exchange that you want from happening in an automated fashion. Take their proprietary format, use an ETL function, put it back into what the common language should have been, extract that on this side, transform it again and load it into your custom proprietary format for whatever tool you're running on your side, so that you can actually then exchange that intelligence much more easily without paying your systems integrators millions of dollars to set that up for you, right?
Writing an ETL function to go do that is, I don't know, three days of work for an engineer in the basement. Find a good nerd, hand them the problem, say, here's your ETL. I expect this to be our mapping on both sides. And we just do that kind of thing to save a lot of money. This is also the systems integrators, though, because then they can't make money off that, which is why they won't do that version of the solution for you.
Well, let's see what's going to be the end user's expectation in the upcoming years. Yeah, I was a bit surprised, actually, when I looked at the market. All right. So I think we can wrap it up. I don't know if you have any questions, but if not, then I would like to thank our panelists, everyone. And thank you. Thank you.