• Garrett O'Hara

    Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.


    Add comment
Garrett O'Hara

Gar O’Hara catches up with his old colleague and cyber threat intelligence specialist, Kendal Watt. Kendal is a Senior Account Executive at Recorded Future, a company that provides businesses with real-time threat intelligence to help them proactively defend against cyber attacks. Kendal’s impressive cyber security career spans over 20 years and 3 continents. He has worked with a range of companies from startups to multi-nationals and advised on holistic cyber security strategy, governance and compliance including recommending the most appropriate tools to fit requirements. During this podcast, Gar and Kendal explore the exciting threat intelligence space and discuss the deep shift that is needed in the industry to proactively get ahead of the advanced cyber threats that we are seeing today and expecting in the future.

#cybersecurity #cyberresilience #getcyberresilient


The Get Cyber Resilient Show Episode #14 Transcript

Gar O'Hara: [00:00:00] Welcome to the Get Cyber Resilient podcast, I'm Gar O'Hara and this week I'm joined by Kendal Watt from Recorded Future, the global leader in cyber threat intelligence. Kendal spends a lot of time educating customers on the role of security intelligence within a broader cybersecurity program. In a career that's been going over 20 years, he's worked for both startups and in multinational corporations and that experience spans three continents and many more countries. In his time, he's advised organizations on holistic cybersecurity strategy, governance, compliance, and part of that obviously is recommending the most appropriate security tools to fit requirements. He's also spent time focused on cybersecurity solutions in the messaging and now the intelligence space.

In our conversations, I've seen that Kendal recognizes that a deep shift is definitely going to be required in cybersecurity strategies and operations to proactively get ahead of the threats that we're facing today; that's governments, businesses, and as citizens. He's betting big that intelligence is a building block to achieving that goal. I really hope you enjoy the conversation. Hello and welcome to the Get Cyber Resilient podcast, I'm today joined by Kendal Watt. Good morning, Kendal.

Kendal Watt: [00:01:17] Good morning, Gar, nice to be on the show.

Gar O'Hara: [00:01:20] Thank you. Um, we've known each other for actually many years now [laughs]. We, we work together and, uh, you've kind of moved on and you're with the Recorded Future now.

Kendal Watt: [00:01:30] It's been about four years. I think, Gar, that we've known one another, a few adventures in that time. Certainly this podcast is a great adventure for you.

Gar O'Hara: [00:01:38] [laughs] Certainly have, uh, many coffees in many, uh, sort of areas of Sydney meeting clients and stuff over the years. So good to, uh, to see and connect over the, uh, the podcast. Um, so you're obviously with Recorded Future these days and that's a really, to me, one of the more interesting spaces in cybersecurity these days, the whole threat intelligence, um, side of things. Like as an opener, um, and maybe as a way to kind of get started, like what is threat intelligence from your perspective?

Kendal Watt: [00:02:07] It's a, it can be a long or a short, uh, answer to that question, Gar, so it's a pretty good one. And it's often sort of in the, in the context of who I'm chatting to, but it's, um, it is, it is, it's pretty exciting, uh, which is why I, I took the challenge to, to enter the space. It's, it's certainly, uh, growing in its importance and just chatting to customers, I can see how much they are starting to look at security differently and threat intelligence is one of those disciplines that sort of allows them to do that. But basically it's knowledge, it's knowledge that allows companies and security professionals within those companies to try and prevent and mitigate attacks on their digital systems. Uh, utilizing contexts, context, sorry, um, such as who's attacking them, what the motivations of those attackers are and what capa- capabilities those atta- attackers have. It's about both, I suppose, providing strategic and operat- operational in- in- um, information to multiple stakeholders in security said that that can take decisions, um, quicker and make them faster.

Gar O'Hara: [00:03:14] And who do you see those stakeholders like... So, I mean, you know, in cybersecurity that's a pretty broad range of people generally. Um, for threat intel, like what, what sort of stakeholders are generally going to be interested in that?

Kendal Watt: [00:03:25] So it's, it's important to have, uh, threat intelligence, not as a solid discipline.

Gar O'Hara: [00:03:31] Mm-hmm [affirmative].

Kendal Watt: [00:03:32] Um, it, it talks to different areas as you say, those stakeholders within the business. Uh, typically it's, it's people who are concerned and, and care about the brand of the organization. It'll be, uh, security operations and response. Um, they get a huge amount of value out of a solid threat intelligence solution. Third-party risk and vendor management teams, uh, looking outwardly at the suppliers of an organization as, as you've spoken about in other podcasts, Gar, um-

Gar O'Hara: [00:04:02] Mm-hmm [affirmative].

Kendal Watt: [00:04:03] ... that supply chain management risk is, is a massive one and a lot of compromises happen from that space. Um, there's often threat intelligence teams built up within organizations and that operates, uh, tools and services. Um, looking at, uh, geopolitical challenges as well as vulnerability management, um, those are sort of the solution areas, but, uh, certainly, uh, the C-level, um, are a key stakeholder in any, um, threat intelligence strategy.

Gar O'Hara: [00:04:35] Yeah, understood. And when we were chatting about the recording today, one of the things you raised was the difference between sort of technical threat intel versus the more strategic stuff. And I think that was a useful thing for me to, to hear from you. Can you kind of run us through the difference between those two things?

Kendal Watt: [00:04:51] Yeah, sure. Um, it, I comes down to I suppose when I'm, when I'm talking to organizations about what they see threat intelligence as there's so many different definitions and so many different, uh, misconceptions of it. So often it's used as a strategic tool and that's based in reporting. Uh, reporting could be things like, um, threats facing a particular industry in a, in a report presented to a board. It could be a daily threat landscape updates. Uh, the challenge with reporting is often it's, it's not actionable. It's, uh, it's interesting, but it certainly, um, doesn't, uh, fast track or accelerate an action to mitigate a risk.

So operationalizing threat intelligence into those key solution areas that I mentioned earl- uh, earlier, um, will speed up that process, uh, and really make the, the, um, the intelligence lead to a kinetic action; something will change, something will happen. Potentially, uh, new rules are put in firewalls or, um, specific indicators are hunted and looked for, uh, within an, an organization. And that's all relevant to different teams. Maybe prioritizing CVEs in the world of vulnerability management, that's a big operational, um, acceleration point that threat intelligence can have.

Gar O'Hara: [00:06:17] Hmm. And then you've sort of touched on it, but what would you see as the core outcomes of effective threat intel?

Kendal Watt: [00:06:25] Um, I would look at it as, as quickly identifying threats to organization, certainly prioritization of, uh, certain activities, certain CVEs, for example. Um, and allowing people threat researchers, for example, or security operations teams to make decisions on high-fidelity information that they trust. Those are sort of operational goals of any core threat intelligence strategy.

Gar O'Hara: [00:06:56] And so presumably there would be a huge sort of time saving there for a SOC analyst or you know, people working in security teams where, um, with effective threat intel essentially kind of your, your ability to be more effective as a SOC analyst and maybe not deal with false positives or, uh, you know, even if it is a, a kind of real threat, your ability to kind of remediate that becomes much more quickly. Is that a fair comment?

Kendal Watt: [00:07:21] Gar, I absolutely love that question. It's such a good question. Um, it, it wasn't me sort of saying this, the words came out of a customer that I'm working with and they said, um, specifically it was Recorded Future of course, but they said good threat intelligence, um, becomes a force multiplier for an organization. Uh, what I mean by that is in their particular case, um, a threat intelligence analyst or a SOC analyst would receive indicators from somewhere in the business. It could be from the s- the SIM, it could be from someone else reporting a particular sort of incident. And I was blown away to hear that it would often take that analyst sort of four hours to go and find information and make decisions associated to that indicator.

Um, I suppose indicator for, for technical audiences will know what I'm talking about, but flavoring when else, an indicator can really be anything. It could be an IP address, it could be a domain name, it could be a link from a URL in an email. Um, it could be a website address, it could be a phone line. So indicators are, they're everywhere and every piece of, e- e- every incident that takes place or every malware is going to have indicators and someone needs to make a decision, right?

Gar O'Hara: [00:08:38] Yeah.

Kendal Watt: [00:08:39] Is that indicator good or is that indicator bad? And if it's bad, why is it bad? And it's that question. It's the context. It's the, why is it bad that would create doubt for those analysts. So they would go down these rabbit holes. They'll go and say, “Right, okay, my my tools, my, my intelligence tools are telling me that IP address is bad. But let me go and find out where.” And they might ask a few friends, they might look at, uh, another service or a tool, like a virus title or a Spamhaus or something like that. Uh, they'll probably do some Google searches, um, and go and look for that IP address in context of badness. But so often it would lead to sort of rabbit holes or maybe a false positive and they couldn't make that decision with confidence. And now they had a browser with about 17 tabs open, all trying to make sense of the information they're gathering.

So having, uh, a platform with high fidelity information context associated to them as a business. Um, and what they originally started the research on just meant that they could find information faster. They could look at the sources 'cause we, um, sort of anonymized... uh, sorry. We created all the sources within the platform and they knew those thour- sources. They trusted those sources so they could really say, “Okay, research that indicator. This is a bad, it's bad because of these reasons.” And now they've, they can make those decisions or pass that up the chain or move it to wherever it needs to be faster. So now they're doing it within 45 minutes, half an hour, as opposed to three or four hours once they've gathered those indicators.

Gar O'Hara: [00:10:30] That's phenomenal. So like if, it sounds like it saves time, obviously in the, the research to understand what a threat is, but also I'm assuming you can eliminate the wasted time going after false positives because, you know, you can see straightaway, is this real? Is it something I need to worry about or, or not as the case may be?

Kendal Watt: [00:10:47] Yeah, absolutely. It's sort of, I suppose, getting those dashboards to light up. Um, and that's a, that's a component of intelligence. Certainly a lot of sort of people I've spoken to in the past have said, “Oh, isn't threat intelligence just a feed that comes into my SIM platform?”

Gar O'Hara: [00:11:03] Yeah. Yeah. .

Kendal Watt: [00:11:05] Well, yeah, it's a, it's a part of it. It's absolutely a part of, it's not all of it. It's a use case.

Gar O'Hara: [00:11:10] Yeah.

Kendal Watt: [00:11:10] So it's giving those security intelligence feeds into the SIM. Cool. Now, we do the correlation, great, now, we know it's bad. It's asking and answering the next questions. Why is it bad? Why is it bad in my context?

Gar O'Hara: [00:11:26] So that, and that word “context”, that's a really interesting, uh, word in this case. So I'm guessing, is there a learning time for a platform for threat intel to kind of understand the context of an organization? Like how does that look when you, um, go from not having a platform for threat until to having one that's effective and actually delivering? What's the kind of ramp time to get to that point where the platform kind of understands the context of the business and also how do you, like, does that work? Is it sort of a self-learning thing? Is it intel that gets fed back from the SOC analyst? Like how does that all go?

Kendal Watt: [00:11:58] That's sort of, you're really thinking about, Gar, that's great. So, um, certainly when a customer's investing time in a security intelligence program that they're going to look at their environment and get to know their environment and use that information to tune. Um, so that's the point, you're tuning the platform during setup. So it might be things like just your domain names or your IP addresses, or [inaudible 00:12:26] blocks, what vendors you use and inputting all that information during that setup phase in order to, uh, sort of train the machine quickly and build that context. Once that's done, um, naturally the machine has a, a number of, um, functions that it utilizes from a machine learning perse- perspective to work out maybe a typosquatting example to say what looks like a domain like mine that's been registered and you want those early alerts and the machine needs to know that based on the information that's inputted and certain risk rules that are created within the platform as time goes.

Gar O'Hara: [00:13:11] So I'm going to put my hand up and say that, you know, before we, uh, started recording today we were actually chatting about what we were going to talk about. And one of the things that was really interesting to me was this idea of platform versus product when it comes to threat intel. And when I thought it'd be useful just for the listeners, if you wouldn't mind kind of running through the, the difference between those.

Kendal Watt: [00:13:30] Cool. That, that's a, that's a really good question, Gar, so the idea of a platform is about automation. So it's, uh, a single place where all intelligence can be, uh, put in the hands of the operator or the customer themselves so that they can, uh, perform research or they can go and look up notes, things like finished intelligence or notes from our analysts. Um, the machine can constantly be doing, um, research and collection from a wide variety of sources and automate that process or automate that information in near real time straight into the platform. So that unlike a product where an analyst would have to, um, pivot into another tool, like a potentially, um, uh, uh, the pivot, un- unlike, unlike a product where an analyst would have to reach out to an, a, uh, uh, a demand-based service like an analyst dem- demand-based service and ask for, uh, information on a specific topic that they're researching. And that would of course have its own, uh, turnaround time.

Gar O'Hara: [00:14:47] Yeah.

Kendal Watt: [00:14:47] That's more of a product in the threat intelligence space. Or maybe, um, a use case that I see all the time around brand protection. So a lot of intelligence solutions are limited to, uh, minor use cases. So I see so much of this in our market where people are looking for things like compromised credentials and they have a product that looks for compromised credentials on the dark web and they'll get that information. But as soon as they've got it, what did they do with it? They want to pivot. They want to find out more data about potentially the threat actor that took that information. What, uh, what potential, uh, malware is used in an attack to gather that kind of in- uh, information from a business in that kind of a compromise. And if it's a single use case threat intelligence products, unfortunately they don't have that scale. One of the best quotes I've heard in the world of threat intelligence, think big, start smart, choose a tool or a service or a platform that will allow you to scale as your maturity in the space of threat intelligence increases.

Gar O'Hara: [00:16:00] So Kendal, with that, I mean with looking at rolling out something like a threat intel platform, um, what you've just described there, is there a potential for SOC analysts to kind of maybe overwhelmed by threat intel, like as you're onboarding, as you start kind of your threat intel journey within a cybersecurity, either functioning your function or the wider business. Um, is there a, uh, a sort of... what'd you call it, like a ramping cadence that makes sense so that the SOC analysts are not overwhelmed with too much information, um, and that the threat intel platform is actually delivering value but not, you know, you're not turning on everything and everything lights up, but then the analysts actually don't know really how to use it? Like is that a thing that could happen or like what's your experience of onboarding?

Kendal Watt: [00:16:45] It really comes down to defining what are the use cases that are important to the business in a day one and then what does day to look like and what does day three look like? So there is definitely a threat intelligence journey. Um, it is, is not a, uh, a turn on and immediately you, you're going to be delivering the most all the value to the business. Get those first few use cases right, get those spot on. Uh, identify who those stakeholders are for those use cases, collaborate with them, then move on to the next set of use cases. So potentially start with brand protection. That is a good place to start from a threat intelligence perspective. Then think about how do you integrate, uh, threat intelligence into your security operations services within the organization and your incident response. Inform those stakeholders or those elements of the business, how threat intelligence can augment and improve the efficacy of those teams.

Make them look good. Then identify po- potentially the third party risk or the vendor management use cases that will be of core relevance to your business. So yes, there certainly is a journey. The other thing that is so important is how can you maximize either investments in other tools that you've already made within the business. And that really comes down to integration and automation. So pick a tool and utilize a tool that has a very strong and mature API. Potentially you want to bring, um, vulnerability management or third-party risk management into something like a service now. So those teams that are familiar with utilizing a particular workflow or a particular tool can leverage threat intelligence in those familiar places. Don't get them out of their common working environment. So-

Gar O'Hara: [00:18:48] And you've mentioned-

Kendal Watt: [00:18:49] ... there's a process. Yeah. Start small, grow it. As [crosstalk 00:18:53] as I said, it's about being smart.

Gar O'Hara: [00:18:55] Yeah. And kind of measuring as you go, which makes sense. You- you've mentioned automation a couple of times and, uh, SOAR is obviously a huge space at the moment. We're starting to see I think much more in Australia. So, um, you know, those platforms for orchestration and response. Um, I'm, uh, guessing threat intel fits beautifully in that space where, you know, via APIs you could pass over information for actionable remediation through a SOAR system. Is that stuff that you guys are doing?

Kendal Watt: [00:19:21] Um, we've, we've got a number of integrations with a number of SOAR platforms. Um, and it is, it's absolutely beautiful to watch. And of course a SOAR journey has its own planning stages, but being able to provide a SOAR tool with high fidelity information that the analyst or the SOAR architects can have confidence in the fidelity of that information, um, just accelerates that journey. So I've had the privilege of watching, uh, Recorded Future integrated into, um, into Phantom. Uh, you had, uh, some guys from Spunk on your podcast the other day, um, and watching them integrates through a playbook methodology, uh, Recorded Future and a number of workflows being able to, to, to be kicked off quickly.

Um, the, the team that I was working with was so refreshed that a number of the workbook workflow elements playbook elements had already been thought through from a Recorded Future point of view.

Gar O'Hara: [00:20:32] Mm-hmm [affirmative].

Kendal Watt: [00:20:33] So they have to think about the concepts, absolutely. Once the concepts were [inaudible 00:20:39] down, it was really a plug and play to-

Gar O'Hara: [00:20:43] Yeah.

Kendal Watt: [00:20:43] ... integrate those two systems.

Gar O'Hara: [00:20:47] And you, you mentioned that, you know, SOAR has its own, uh, has its own nuances and role, uh, there was an EOI, uh, paper they wrote. It's a little while ago now where they talk through kind of things to think about as you are looking at deploying or using a SOAR. And one of them was the idea of, you know, looking for use cases that are very well understood, um, and obviously are automateable and because what you don't want to do is automate something and then have the, you know, the, the robot go in and fix something that isn't broken, you know, blocking a domain that it's actually on a business critical system, for example. Um, but one of the things they talked about was that, you know, making sure that the, the task that was to be automated was very well defined, very well understood. And, you know, the steps were very clear and documented, but your comment there around the fidelity, that's something like threat intel can provide to an automated task.

Would I be right in thinking about it almost that way where if you've got an automated task, having threat intel to, you know, add fidelity to that being the correct decision, if you are going to do a remediation action, that it removes a lot of the risks that may come with rolling out a SOAR, where would that the threat intel, not that it's a guest, but you, you're kind of exposing the business potentially to a remediation action that actually has a negative consequence to the business rather than a good security consequence. Am I, am I thinking about that, right?

Kendal Watt: [00:22:07] Yeah, it's, it's, uh, I love the concept of SOAR. Um, when we think about it from a high level, being able to automate workflows like, uh, potentially blocking a phishing that was via the firewall automatically is incredibly powerful, especially when we're resource constrained and there's more and more security tools on the market. But as you say, sort of when you start thinking about the process and the risks associated to that automation-

Gar O'Hara: [00:22:35] Yeah.

Kendal Watt: [00:22:36] ... it's, it's a pretty scary prospect, isn't it?

Gar O'Hara: [00:22:39] It is. Yeah.

Kendal Watt: [00:22:40] So, yeah, there's certainly a maturity journey that's gonna come with SOAR and we're gonna- I think we're gonna see some, some really, uh, well-regarded practitioners in the, uh, in the SOAR world come and rise to the surface. Um, and they're going to have their, their choice of, of, uh, services and adjunct tools in their SOAR capability. Um, but it's about confidence.

Gar O'Hara: [00:23:05] Yeah.

Kendal Watt: [00:23:05] So if you're worried about the wrong decision being taken based on data, it all comes down to how confident are you with that data. So working with an input or a threat intelligence input that you have high confidence in, surely that's inevitably going to, um, super charge your SOAR process and your SOAR, SOAR journey.

Gar O'Hara: [00:23:31] Yep. Yeah, I've been, I've sort of talking about this a little bit, I actually gave a talk at SplunkLive! and, well, actually I saw a guy called Christian who's the, I think he's the senior, uh, presales guy over at, uh, Splunk and, but he did a demo of the Phantom platform and actually saw like we were part of the playbook that he used to demonstrate it. And I'll be honest with you, it was when the penny really dropped for me around the potential and the power for, you know, what SOAR could actually deliver. Um, bearing in mind it takes some time to get it dialed in and, and to get it to the point where you, as you say, would have confidence in the, the data and the inputs. Um, but it's amazing to me how much of a conversation, uh, the integration side of things has, has become.

Kendal Watt: [00:24:11] [inaudible 00:24:11] is everything.

Gar O'Hara: [00:24:11] Uh, and it feels like... It really is. I met a guy in New Zealand at a conference and, uh, his comment was that as you went around and it was a typical conference, right? So there's people talking and then there's a like a showroom floor where all the vendors are and you know, kind of chatting to people. And this guy worked for one of the bigger banks over there. But his comment when I was chatting to him, 'cause I had just given a talk on kind of integrations and API and his comment was that he almost doesn't even bother talking to vendors around their feature set or any of that stuff. He just kind of assumes that's table stakes. His big thing is tell me about your end points. What's your API look like? How mature is it? What can I do with your platform programmatically?

And then he did some really cool stuff where he'd actually showed me on his phone, he'd built this, uh, like a mini SOAR almost, where he had described his previous life where you'd get a, an alert and he would have to get up in the middle of the night, pair up his laptop, you know, jump on a tool, you know, do some analysis, see if it's real, and then kind of make a decision on, on action. And he showed me a UI he had built for his own phone, um, using, he'd just spin up a LAMP server and built this thing, you know, using kind of standard kind of, um, programming languages and, and probably some scripting tools, uh, to the point where using APIs and the various products that he had, he had a basically a green yes button or a red no button and a summary of what the, the sort of thing was at the top with where the information had come from.

Kendal Watt: [00:25:34] Yeah.

Gar O'Hara: [00:25:34] So instead of getting up, he could lie in bed, still had to like have an element of human interaction, but instead of the get up, you know, power up a laptop and, you know, maybe put on the kettle, you could look at his phone, hit the, you know, the, the green yes button to take action or the red no button and then go back asleep. Um, so yeah, I dunno, it just feels like APIs-

Kendal Watt: [00:25:52] Yeah.

Gar O'Hara: [00:25:52] ... integrations is such a huge, huge part.

Kendal Watt: [00:25:54] APIs is everything. If you've-

Gar O'Hara: [00:25:55] Yeah.

Kendal Watt: [00:25:55] You've also spoken a lot about the context.

Gar O'Hara: [00:25:57] Yeah.

Kendal Watt: [00:25:57] What is he looking for when he looks at his phone, when he's getting the alert? What is the context? All of that, um, indicator that's driving that decision flow.

Gar O'Hara: [00:26:09] Yup. 100%.

Kendal Watt: [00:26:10] So there's still a spot, a- a- absolutely a place for humans. There's an action he needs to do and he's going to be asking, well, why did that fire, where did that, where did that indicator come from? What would have been running at that time? And that's all the context. So if you can surface the context into the hands of the analyst, they're going to make those decisions faster. And it's the difference between your example where the gentleman would have got up and made himself a coffee and fired up his laptop and then got going, which is a 45-minute process or going actually knowing context of that, I expect that to happen.

Gar O'Hara: [00:26:46] Yep.

Kendal Watt: [00:26:47] I'm going to click a button and then I'm going to go back to sleep.

Gar O'Hara: [00:26:50] Yeah. Which sounds like, uh, an amazing outcome [laughs].

Kendal Watt: [00:26:53] I mean, I look at... That's why I l- I love the idea of threat intelligence is there are so many security tools that organizations are buying. Um, and I think every single one of them is important. And all of those particular vendors are innovating their products and they have to do that to stay ahead of attackto- uh, attackers, but also in context of staying ahead of their competitors. So they're adding features and functionality all of the time, but it does create a level of inward focus. So the focus of those teams are, how can I get enough time to make sure that my X, Y, Z control is functioning optimally? They're not looking at what's happening externally. Threat intelligence will be going right now the kinds of attacks in your industry are utilizing a particular malware-

Gar O'Hara: [00:27:45] Mm-hmm [affirmative].

Kendal Watt: [00:27:45] ... which exploit a particular vulnerability. So therefore, what's my action? Is to go and patch that particular, or prioritize the patching of that particular vulnerability. So it's an externally facing, um, intelligence and information gathering side, um, exercise, which we will do. And we provide that to the analysts who then have to go and decide where they're going to focus their time with the, the tools and controls internally.

Gar O'Hara: [00:28:19] And as you say that, and, uh, you know, that idea of where did they focus their time? I, I had a chat with a guy at a conference in, uh, the Hunter Valley, uh, and again I feel like all I'm, it sounds like all they do is give talks in integration-

Kendal Watt: [00:28:31] [laughs].

Gar O'Hara: [00:28:31] ... but actually I had just given a talk on, um, not necessarily integration and, and what the business value is in, in a cybersecurity world. And, and this, this person had a really interesting point around with, with good integration and with some elements of automation, he's able to hire essentially cheaper employees. And by that I just mean less experienced employees because you can take some of the kind of what would be done by someone with a lot of experience and through good intel and through automation you can basically replace, you know, the, the expensive person with a less expensive person. But the, the thing that that expensive person would have brought to the table is now wrapped up in logic and that's through automation and then sort of threat intel.

And so the example he gave is that he could hire, uh, grads to press a button because the button is informed by the essentially almost certainly the knowledge from a more extre- experience, you know, SOC analyst, for example-

Kendal Watt: [00:29:29] Mm-hmm [affirmative].

Gar O'Hara: [00:29:30] ... um, you know, making that programmatic and then feeding it with threat intel and all of a sudden your employee costs can go down.

Kendal Watt: [00:29:36] Yeah. Give him all that information, all of that context so that it's easier to make the decision. The more, more expensive, uh, more experienced analyst would, uh, be utilizing his time to go and find the context, to go and find the information-

Gar O'Hara: [00:29:54] Exactly.

Kendal Watt: [00:29:54] ... maybe get access to, um, dark web sources or-

Gar O'Hara: [00:29:58] Mm-hmm [affirmative].

Kendal Watt: [00:29:59] ... get access to closed forums or get access to a specific Slack groups in their, uh, in their community. But if you can automate the gathering of that context, automate the gathering of that intelligence and information and put it in the hands of a, still a critical thinker-

Gar O'Hara: [00:30:17] Yes.

Kendal Watt: [00:30:17] ... but a less experienced analyst who can make the decision without going to do all of those steps, he's faster. Um, and you've created that force multiplier because you still want that smart, um, analyst. But he can be spending his time in, in, in more, um, profit accelerating areas within the business or more strategic objectives 'cause you need to keep them engaged as well. You don't want to have him spending, uh, a huge amount of his time as a highly paid resource pressing that button.

Gar O'Hara: [00:30:51] And then that was exactly this person's points to, to be honest was that there's better ways that they can use their time. So it wasn't so much like re- necessarily reducing in headcounts, but actually do they really need to spend so much time chasing false positives. I know, and I'm sure you've seen the stats, but the amount of false positives on the average SOC, uh, dashboards, it's phenomenal. They spend most of their time chasing smoke. Like it's not, there's no fire, it's just, you know, it's stuff that doesn't really need attention. Um, I'm just looking at the clock here. We've actually blown over time, but I'm, I'm happy to keep talking for another five if you're, if you're good with that. Um-

Kendal Watt: [00:31:24] Let's go for it, Gar.

Gar O'Hara: [00:31:26] So Kendal, one of the things I'm always keen to see, hear from, uh, from people is where do they get their news sources? Obviously, there's a lot of different places people can go to, you know, find out what's happening in cybersecurity and it's an avalanche of information. Uh, what's your go-to, like where do you, how do you keep abreast of the, uh, the current goings on in cybersecurity?

Kendal Watt: [00:31:45] Oh, thanks, Gar. Um, the, I, I seem to be always be turning back to, to the original sources, um, that I found years ago. Um, KrebsOnSecurity is probably one of my-

Gar O'Hara: [00:31:56] Mm-hmm [affirmative].

Kendal Watt: [00:31:57] ... favorite sources of information and I suppose I'm a bit of a, a fan boy when it comes to his book, Spam Nation, which was, um, I've had that in, in soft copy and on the Kindle edition I've also listened to, um, an audio, uh, recording of it. So that's a, that's a massive place. Um, Dark Reading's always good. Threatpost is great, but it probably the, the big one is, um, guys get involved, um, go to the Acer webinar, the webinars, um, or the Acer meetings, go to the last Tuesdays of the month. It's, uh, it's those conversations with peers that are so important, um, and make such a big difference, um, in your security care- uh, career.

From a podcast perspective, I mean, you know, you've mentioned before, Risky.Biz is a bit of a-

Gar O'Hara: [00:32:45] Phenomenal.

Kendal Watt: [00:32:45] ... a bit of a staple of the Australian cybersecurity community. Um, that's always really good. Um, and then there's the, uh, the Recorded Future inside threat intelligence podcast, podcast with, uh, Dave Bittner in the CyberWire. Um, and another one that I would really encourage the guys to have a look at if they can is, um, our research team known as Insikt, which means insight in Swedish has recently released a weekly podcast. It's sort of a roundup of the week's, um, threats that have been discovered and, and really interesting, um, security related news, um, TTPs even a bit of geo, geo political, um, intelligence as well.

Gar O'Hara: [00:33:30] Awesome. Um, and I'm actually recording this with Kendal as we have, uh, a video feed on Zoom and, um, as he was talking about Acer, I held up my, uh, Acer keep cup. I'm a huge fan of the work that, uh, that organization does, um, amazing national conference. But actually those branch meetings are incredible too, um, the, the quality of the speakers, the just purely from a networking perspective-

Kendal Watt: [00:33:51] Yeah.

Gar O'Hara: [00:33:52] ... um, credibly, incredibly useful, highly recommended.

Kendal Watt: [00:33:54] I cert- I certainly hope that this year's conference goes ahead given, uh, the changes in the new normal associated to COVID-19.

Gar O'Hara: [00:34:02] Mm-hmm [affirmative]. Yeah. And in some form, even if it is virtual, but, uh, yeah, there's something really lovely about actually seeing everybody, uh, face to face.

Kendal Watt: [00:34:11] Yeah.

Gar O'Hara: [00:34:12] I just said, uh, like, one of the things is I always kind of like to talk about what are the gotchas. So what are the things that, you know, as people go on the threat intel journey, what are the things that maybe they, you know, they need to kind of think about, maybe they wouldn't have thought about it if they, they're just starting out in the threat intel world? Um, is there anything in your experience that you kind of go, yeah, look, here's some stuff I see all the time that maybe people want to think about.

Kendal Watt: [00:34:37] Uh, it sort of goes back to that point earlier that the primary gotcha that I see is people reactionary, uh, or people being reactionary and buying for a single requirement or a single need. And so often that particular requirement is this compromised credential use case and they buy a tool that is just focused on that use case and doesn't allow them to scale and expand. So the, the biggest advice is really guys, take a step back, think about your wider threat intelligence needs, solve that particular pain and that use case first as a quick win, but give yourself the scope to be able to add value to other areas in, in the business as well. And certainly back to that integration one, where can you integrate the threat intelligence to make other teams and other tools better at their, uh, their core objectives?

Gar O'Hara: [00:35:36] I think that is the positive note to, to finish on. Um, I think, uh, yeah, at this point, yeah. I mean I really just want to thank you. Uh, it is so good to, uh, to chat again and, uh, yeah, thanks so much for taking the time to talk to us. I suspect there may be another conversation on this down the line if you're keen to come on again. But, uh, for now, thank you.

Kendal Watt: [00:35:55] Love it. I'd love to join you for another conversation. It's always, uh, always is great having a chat with you, Gar. Um, if I sort of were to leave with one, uh, one parting thoughts about those gotchas, it's really too often intelligence and security are completely out of sync. Teams and, uh, and objectives are siloed, analysis lacks relevance, and the response is slow and reactionary. So think about it in a bigger picture so that you can be proactive with, uh, security intelligence.

Gar O'Hara: [00:36:27] And on those words we will, we will leave it there. Thank you, Kendal.

Kendal Watt: [00:36:31] Thank you, Gar.

Gar O'Hara: [00:36:35] Wise words there from Kendal, I learned a lot and I hope you did too. So thanks again to him for that chat and thank you for listening to the Get Cyber Resilient podcast. I look forward to catching you on the next episode.


Principal Technical Consultant

Garrett O’Hara is the Principal Technical Consultant at Mimecast having joined in 2015 with the opening of the Sydney office, leading the growth and development of the local team. With over 20 years of experience across development, UI/UX, technology communication, training development and mentoring, Garrett now works to help organisations understand and manage their cyber resilience strategies. When not talking about the cyber security landscape, data assurance approaches and business continuity Garrett can be found running, surfing or enjoying the many bars and eateries of Sydney's Northern Beaches.

User Name
Garrett O'Hara