
Ep. 14: How to Lead a Threat Intelligence Team

Sep 16, 2024 | 29 min 00 sec

Microsoft’s Sherrod DeGrippo, self-described “weird security voyeur,” shares her strategies for making threat intel actionable, building teams that trust their intuition, and – here’s the big one – getting your CISO totally on board.

Summary

Threat actors are scaling, broadening their scope, and leveraging new tools, so it’s critical for enterprises to strategically invest in threat intelligence. Here’s how to build strong teams, utilize AI, and get buy-in from the CISO and the board.

Host: Melissa Bischoping, director of endpoint security research, Tanium
Guest: Sherrod DeGrippo, director of threat intelligence strategy, Microsoft

Show notes

For more info on threat intelligence and how threat intel teams optimize it to their advantage, check out Focal Point, Tanium’s award-winning online cyber news magazine, and these other must-read resources.

Transcript

The following interview has been edited for clarity.

Sherrod DeGrippo: If you’re starting a threat intelligence team, you’re starting a threat intelligence practice, and it is like you just described: Focus on your CISO. Focus on the threats hitting your CISO. Give your CISO a report on the threats that have attempted to target that CISO. Go do some OSINT [open-source intelligence], put together a report that is a threat intelligence report about your CISO. And I know some people might be saying, “Oh my gosh, this is great—”

Bischoping: Spicy! [She laughs.]

DeGrippo: They want it, they want it, and they want to see and understand what threat intelligence is in a language that resonates with them. And that language is themselves.

Bischoping: When it comes to cyber threats, the numbers today don’t look that good, especially if you’re an enterprise leader or a security practitioner. If you’re a cybercriminal, these are the boom times. Data breaches are increasing by more than a third year over year, and ransomware attacks are up 84% across all sectors. In 2023 alone, threat actors stole or exposed more than 17 billion personal records.

Hi, I’m Melissa Bischoping, director of endpoint security research at Tanium, and today we’re talking threat intelligence – and specifically how you’re going to start and lead stronger threat intelligence teams.

Joining me to discuss this topic is Sherrod DeGrippo, director of threat intelligence strategy at Microsoft – although, her LinkedIn profile refers to her as a “weird security voyeur.”

Sherrod has been observing developments in the world of cybersecurity for more than two decades, working in roles at Proofpoint, Symantec, SecureWorks, and the National Nuclear Security Administration. Now she brings this weird voyeur perspective to Microsoft, which we’ll get into next. Welcome to the podcast, Sherrod.

DeGrippo: Melissa, thank you for having me. It’s so great to be with you.

Bischoping: So before we get started, you and I have known each other for a while. We met I think via Twitter because I love your dog, who is really the coolest dog on the planet. And I’ve been following your career for so many years. You’re currently working at Microsoft, where you also get to host a really cool podcast on threat intel. Can you tell me a little bit about what you’re doing over there?

DeGrippo: Yeah, I think what we’re realizing is kind of just what you said: Threat actors are scaling, their scope is getting bigger, they’re leveraging new tools, they’re doing all these things. And I think you have to have a good strategy around how you’re going to use threat intelligence. That’s a big part of what I focus on every day. We’ve got a lot of threat intelligence. Where can we find more value, make it more actionable, and leverage it better to protect more people?

Bischoping: It’s such important work, especially because the data is only getting bigger, the amount of information you have to parse through – like, more data doesn’t always necessarily equal more value if you’re not using it well.

But before we go into how you use good threat intelligence and how you build these teams, let’s level-set on what we mean when we’re talking about threat intel and the historical context of the industry. What can you talk about there?

DeGrippo: Oh my gosh, there’s so much to say there and it’s really controversial, so let’s go for a lot of solid hot takes.

There’s a quote about threat intelligence: If it’s not actionable, it’s threat entertainment.

Bischoping: I love that.

DeGrippo: I know, it’s so true. I think if you’re in this world and you hear that, you’re like, oh my gosh, that can’t be me. And that is sort of where I like to focus, taking what other people might say is just threat entertainment and turning it into real intelligence, because it’s being leveraged to protect people. And that is actually the origin of my tagline on LinkedIn, which is “weird security voyeur.” Because I was on a call with the stellar/infamous Nick Carr, one of the researchers at Microsoft, and we were talking about how we might do this better. How can we make threat intelligence more actionable? Where can we put it? And he goes, “We don’t want to be weird security voyeurs; we want to actually do something with this.”

And I thought to myself, “No, I am a weird security voyeur, because I’m not just a player, I’m a fan, and I’m even more of a fan than I’ve ever been in my career now because of the role I have at Microsoft.” I am really in the front row observing a lot of what’s going on. And I think that’s the key: We have to make it actionable, we have to make it important, and we have to take threat intelligence from something that’s “a cool story, bro” to actually seeing hits on a signature because of threat intelligence that we’ve put into place and made it useful.

Bischoping: I think that’s such an important concept. Because for me, threat intelligence is only useful if it makes my security team more effective at their job. Nobody needs another feed of patches, nobody needs another feed of IP addresses; they need to understand contextual relevance and how is this useful to me? How does this reduce my noise? So I love that you said that.

Now I want to zoom out for a second. How do you recommend or how do you see folks have really great conversations with board members, with executives, to understand that threat intelligence isn’t just a buzzword and understand why their organization needs to strategically invest?

DeGrippo: I think those conversations are going to be eternal, but there are a couple of things I really like in terms of looking at it.

First, we have to understand that threat intelligence is data after it’s been processed into something subjective. So it takes something objective, it processes it through experience, technical systems, narrative, and quite frankly, creative writing, and becomes a subjective product at the end many times. The IOCs [indicators of compromise, that is, evidence of a data breach] at the bottom, I hate to tell you, IOCs at the bottom are not intelligence. The context of what those IOCs are, that is threat intelligence. IOCs are just data. So I think that’s important to understand, and the thing that I think can resonate well with your executives, with your CISO, with your board, heck, tell your CFO because they have a lot of decision-making power too. Never leave a CFO out of a room – if you can convince them, you’re convincing everybody else, because they typically win.

But here it is: Let’s say you have a security system on your house. I have one. And let’s say that every quarter that alarm system sends me a report and it’s like, “Hey, we stopped 27 people from breaking into your house.” I’m like, oh, OK. That’s really cool. Great. I experienced no difference. My life did not change. You stopped these people from breaking into my house? I’ve been blissfully unaware and going on with my day.

Their competitor comes to me and says, “Hey, I know they blocked 27 people from breaking into your house.” I’m like, yeah, I get that report every month or whatever. And the salesman goes, “I can tell you who those people are. I can tell you what they look like, what they were wearing, what car they were driving, the license plate of the car, the make, model, and year of the car. I can tell you where they live. I can tell you how long they’ve been doing these kinds of crime attempts. And in fact, not only can I tell you all about that person that tried to break into your house, I can tell you the other houses on your street that they tried to break into.”

Oh my gosh, you have my attention. Let’s make some changes. I want that. And that is really the difference. It’s the difference between a commodity protection and deep understanding of reality, of the world, of what’s going on and therefore what’s going to happen next.

Bischoping: I want to come back to that in a second because you made a point there that I think is really nuanced and something that a lot of organizations struggle with regarding where they are in their maturity and what they’re ready for as far as a threat intel appetite. But I want to come back to that in just a second.

Let’s assume that you go in, you make this great pitch, and you’ve got your executive team all on board. They say we need to be making more investments. We need to build a threat intel team. We need to invest in threat intel platforms. We need to invest in threat intel feeds. Here, we’re giving you a budget, we’re giving you the headcount.

Where do you start? What does that foundation, if you’re greenfield threat intelligence, what does that look like?

DeGrippo: Again, I think we are in such a weird reality. Many of us are weird security voyeurs, and that fact means that we have to change how we approach things sometimes. And if I’m giving advice, it’s this:

If you’re starting a threat intelligence team, you’re starting a threat intelligence practice, and it is like you just described: Focus on your CISO. Focus on the threats hitting your CISO. Give your CISO a report on the threats that have attempted to target that CISO. Go do some OSINT [open-source intelligence], put together a report that is a threat intelligence report about your CISO. And I know people might be saying, “Oh my gosh, this is great—”

Bischoping: Spicy! [She laughs.]

DeGrippo: They want it, they want it, and they want to see and understand what threat intelligence is in a language that resonates with them. And that language is themselves. And so they can literally put themselves in that target seat.

Once you’ve got them understanding the threats that are targeting them personally and the potential footprint that they have externally, you can start saying things like, do you want us to put this together for the executive team? Do you want us to put this together for the executive assistants and admins? Do you want us to start putting this together for employees who’ve only been with the company for six months? And your CISO starts to conceptualize [how] threat intelligence can help me. Threat intelligence makes sense. At the end of the day, this is something everyone – from just beginning in the industry to, hey, I just want to work in the SOC [security operations center] and be left alone, I just want to do my good stuff and not be bothered – everyone needs to understand that ultimately CISOs report to the board. And if a CISO does not have the trust and buy-in and backing of their board of directors, they’re not going to get very far.

So ultimately, enabling your CISO to talk to your board in a way that is successful – that makes the CISO have leverage. That’s the way to do it. And so go work with your CISO to understand how do we get the board, how do I get you on board? And then how do we get the board on board?

Bischoping: Let’s go back to some team-building aspects and the personalities in this field. So one of the things that I love about having so many friends in the threat intel community is they come from some wild and varied backgrounds. I don’t think many of them have had the same path. And I am personally a huge believer that diverse teams of any kind yield better results. But I think this holds true especially in security and definitely within threat intel.

Talk to me about that. I think you’re equally as passionate about this subject as I am, so I’d love to hear your perspective.

DeGrippo: Oh, I have so many opinions. I think the number one thing that you bring in security and threat intelligence is your opinion, your point of view, and your intuition. Because your intuition is colored by all of your experiences, all of your skills, all the things you’ve seen. And it creates this innate sense of “I don’t know why, but I don’t think this is right.” “This network diagram should be changed.” “This code kind of freaks me out.”

And if you talk to really smart, really talented people who have been in threat intelligence for a long time, you’ll hear them say those things… And that’s the sense that you should develop.

Bischoping: It’s a combination of trusting your gut but also sort of honing that skill of “that really shouldn’t be there.” And I think one of the hardest skills to build as a professional is confidence in trusting that that little itch in your brain is actually telling you this is out of place and not being afraid to speak up and say so. I remember early in my career, I was always very afraid to be the first person or the only person saying, “Does anybody else think this is weird? Or am I just dumb? Because I think it’s weird.” And learning to have that confidence to say, this is making my brain itchy, I think we need to dig in further was a big growth point for me personally. And I think that’s something everyone has to get to.

And I think this is one of the most fascinating topics. So before I got into my roles in tech and security, I have a background in psychology and I’m really interested in how human behavior adapts and how schemas get developed over time in your brain. And I also kind of took the scenic route to where I am now. I’ve worked in retail, I’ve worked in real estate, I’ve worked in aviation.

So my question for you is, outside of the obvious government, military, law enforcement kind of career paths, what are some of the wildest paths you’ve encountered with professionals that have come into the threat intel field? How did you even make the jump? What are some that you know of?

DeGrippo: So for me, I started out going to art school in college; I wanted to be a photographer. And I always remind people when they ask me if I have a degree in cybersecurity that I started college in 1996 when degrees in cybersecurity didn’t really exist. And even computer science degrees are not today what they were back then. It just was not a thing that you really did.

So I went to school for art, for fine art, and one of my former co-workers, Michael Raggi, who’s now at Mandiant, he did a lot of art forgery work, where he would look at pieces of art and determine if they were authentic or not. So of course when we worked together, I was like, oh my gosh, tell me all about this. It’s fascinating. I know a lot of people, I have a co-worker today who started out working security at large big-box retail, in anti-theft, shoplifting security, and is now one of the best detection engineers I’ve ever met, [and] writes network detection signatures. Obviously, law enforcement is a big one. But people come from all over. Ultimately, I think if you have a security sense, then we can find something for you to do. You want to be nervous and weird with us, we’ll give you tasks.

Bischoping: I love these conversations when we’re talking about people and how intel is an art, not a science, to tie back into your art background.

How do you plan and build team strategy and set objectives that keep a threat intel team inspired, so they feel like they’re working toward success, without making it so rigid that they can’t explore the creativity that the threat intel space requires?

DeGrippo: That’s really hard, and I think that it takes good relationships.

The number one thing when you’re building those teams is to get a variety of expertise. But it’s not just about skill and expertise; it’s about preference and what people like to work on. Trust me, if you have someone working on something that they’re good at and they like it, you’re gonna win. And if you let those people, say, [help] add someone to the team, [they’ll often say], “Yeah, I interviewed that candidate and she doesn’t know this, this, this, and this.” And it’s like, well, YOU know all those things. Why would we hire the person that knows all the same things as you? That doesn’t make sense. So you have to be really careful when you’re hiring because threat intelligence analysts will talk to a candidate, and be like, “Yeah, I interviewed them to exactly be me.”

And it’s like, no, no, no, no, no.

We’re trying to find the person that likes doing the things that you hate and that is good at doing things that you think suck. So you’ve got to get the diversity of everything, of every type, especially preference. Smart people don’t do well working on things they hate. And they don’t last. And so finding that beautiful golden match of something the person is good at and they like doing, finding three, four, or five of those things, putting those people on a team together that have complementary and contrasting preferences, it can really get you far.

And I think too, like, understanding what people are interested in and what they’ll get excited about – it just helps so much to understand those things. Because you want people to enjoy their role. You want to make people feel that work isn’t…that much work. I mean, it’s work, but hopefully it’s not like a brutal slog. Hopefully it’s something you’re genuinely interested in and enjoy.

It’s really funny because we have these teams at work that track certain different things and they’re responsible for threat actor tracking, and they all have their favorite [threat] actors that they like. And if you tell them, “Hey, we’re going to switch you over to the –” they’re like, “Nope, I don’t want to switch. I like these actors.” Keeping people kind of focused on the things they like is, to me, a magical superpower for an organization, to have people working on what they want to work on.

Bischoping: It’s an efficiency multiplier for sure. And I know that’s true myself. If I’m really head-down into a project, I’ll look up and I’m like, oh my gosh, where did the time go? I have been just churning out content about this. I love it.

DeGrippo: And I have certain co-workers who, like, I know they have juicy stuff. So sometimes they’ll call me or message me and be like, “Hey, you have time to talk?” And I’ll be like, I don’t have time to talk. But then I’m like, that person always tells me really crazy things and so I’m going to find a way to make time for this. Because I know when I get on the phone with them, they’re going to be like, “Yeah, so there’s this new threat actor and they’re doing this new thing and there’s this new targeting…” And that’s what I live for. It’s like, that’s not work.

Bischoping: Yeah, that’s fun.

DeGrippo: That’s doing threat intelligence. And this is why threat intelligence is tough sometimes, because the payoff is down the road. It’s like, three months later, I’ll be doing something and I’ll remember that threat actor they called me about and now there’s another one that’s very similar, and now I have a pattern, and now I have a trend – and now I have to put a report together about this pattern, this trend, six months, 12 months, two years, 10 years. It starts to kind of coalesce in your brain. And I think that that’s part of the creativity aspect of it.

Bischoping: Oh, for sure. And that’s also part of the value of building that honed skill set and that gut instinct and following that through your career. Because I think intel analysts – they age well.

The more you can spend time in the industry working on these different projects, growing and developing from the work that you’ve done prior and building upon it, you learn to look for signals in the noise and looking for patterns that maybe your younger self wouldn’t have put together, which I think is really cool. And when you balance that with bringing in people with fresh perspectives that don’t necessarily have preconceived notions of where they should or shouldn’t look to find a connecting point, you get this orchestration of ideas that starts to emerge and it’s really beautiful to watch. You can just sort of stand back and watch people have these conversations, and watch careers evolve in the process. It can happen literally over a conference room table in the course of half an hour.

DeGrippo: Absolutely. I love that too. I love seeing what people are curious about.

Bischoping: So alright, let’s pivot now from the human element to the AI element, because that’s the topic on everybody’s mind, right?

DeGrippo: Oh my gosh, I love it. I’m obsessed. I’m an AI junkie. [They both laugh.]

Bischoping: So pretty much every organization in the world, and definitely Microsoft, is talking about AI right now. Almost every employee in the world is thinking one of two things: How can I use AI in new and exciting ways? Or, is AI going to take my job?

I think those same questions are coming up for us in security and threat intelligence. I think there is understandable concern: Can a threat intel analyst trust AI-augmented research? Or how can they use it in a way that’s going to be safe and supportable? And I think there’s also a lot of hope that it’s going to help us make better sense of bigger data. What trends are you seeing? What conversations are you having? This is an important topic.

DeGrippo: Yeah, I guess about a year ago was sort of an inflection point for me where I started just trying to incorporate AI into so many things. And my boss at the time, John Lambert, I went to him, I said, “John” – this was when I first started at Microsoft a year ago – I was like, “John, I need weekly threat intelligence reports. I need this constant feed of curated written-up intelligence and what team can do that? Who can we get to put that together?” And he was like, “You’re thinking in the past, you have antiquated thinking.” I was like, “Oh no, my new boss says I’m antiquated.” He said, “You have to figure out a way to do this with AI.” And I was like, oh my gosh. And at that moment I understood this, which is what everyone will go through.

Everyone will go through it. It is the maturity curve of yourself using AI as a tool. I was much earlier in the maturity curve than John at that time. I hope I’ve caught up a little bit. It’s about when your mind triggers: How quickly can I fire my neurons to get AI to do it for me before I try to do it myself? That is the key that everyone has to train themselves to do, and the people who are faster at that thought process will be more successful. And you can apply that to almost any tool, right? I’m sure when cars first came out, people would start walking to the store and [then think], wait a minute, I can drive there. And then people started getting excited. They’re like, I love driving. It’s so fun.

But before they had that normalcy, it was, “Well, what do I do? Mmm, I gotta think about this.” Stop! Stop working your meat brain and start using the silicon brain of AI that’s available to you, even if it’s not perfect. Get yourself in that habit now, now, now, today.

Bischoping: I love that.

DeGrippo: Use your human brain to be creative, to have feelings, quite frankly, to enjoy things. Use the AI for everything that it can possibly do for you and think to use the AI right away. Don’t spend a bunch of time putting your grocery list together. What do I need? Oh, I want to make dinner. Nuh uh. Immediately go to the AI and say, “I need to make a grocery list for dinner tonight.” Immediately.

Bischoping: What is the grocery-list version of this story for the intel community?

DeGrippo: I think that there are a lot of different ways for this to play. One of the ones that I’m most involved in at work is Copilot for Security. And what’s amazed me about it is it is natural language. People should never underestimate the ease and the comfort of natural language. You’re just typing into them, or with some apps you can speak to them, and you’re just telling them what you want, telling them what you need. Asking questions.

Copilot for Security is really amazing because it has the ability to access all of the Microsoft threat intelligence capabilities that we’ve ever released; go into that with natural language and you can say, “Tell me about threat actor X, Y, Z. Tell me about the TTPs [tactics, techniques, and procedures] used in this particular threat actor’s arsenal.” Not only can it tell you that as a practitioner, a technologist, a security person, but who did we say earlier is our number one most important person? The CISO! It can summarize things at an executive level for you, which I just think is incredible. Because again, maturity curve. I can almost guarantee you that the people listening to this podcast are going to be further along in their AI adoption journey, personally using it in their personal life – they’re going to be further along than their CISO.

That means yet again you have to initiate and indoctrinate your CISO to get to the point where you are. Which means showing your CISO: You can use Copilot for Security to pull your own reports, to get your own intelligence. I don’t need to be making these weekly briefings for you anymore. Pull it yourself, and if you have questions, come to us and we’ll give you a super deep dive. Or we’ll pull more or we’ll give you prompt help. That’s another thing: Get ready, everybody; you’re going to have to start helping your CISO with prompts.

And I think that we’re going to start watching who is instantly employing AI and who is still sort of in fits and starts, “Oh, I was thinking about doing that. I’m going to try this.”

I go straight to the AI. I mean it depends on which, whether it’s a Copilot or ChatGPT or Bing or whatever I’m doing, whether it’s work or personal or whatever. Lemme tell you: I’m never shopping normally again. I’m using Bing AI for all my shopping from now on because it gives you discount codes and it gives you comparisons of every product. It’s crazy! I don’t want to do a bunch of manual thinking work. I don’t want to do it. I want to do creative, interesting, innovative work. And I think that we all pretty much can agree that the AIs are not at that point and may never be at that point where it’s truly innovative and creative and has that human feel to it. But man, let me tell you, if you ask it to do some quick data-checking or to bring you some kind of information or to explain something to you, a concept, they’re really good at that.

And I also think that you have got to start leveraging it for your own efficiency. Copilot for Security can write queries, which is just bonkers to me. Like you need to write KQL [Kusto Query Language] queries, you need to have it check some kind of syntax in some sort of query that you’re writing? You literally paste it in there and you’re like, “Does this look good?” And it’s like, “Well, actually it’s pretty inefficient. You asked it for 365 days when really you could ask it for 30 and it would come back a lot faster.”

It can optimize queries for you. It really is about accelerating things, augmenting things, making things better. And I think that’s the direction that I’m seeing a lot of the successful AI implementations go.

Bischoping: Awesome. Well, thank you so much. This has been an absolute pleasure. I always love talking to you.

DeGrippo: Thank you, Melissa.

Bischoping: I’ve been talking with Sherrod DeGrippo, director of threat intelligence strategy at Microsoft.

If you’d like to learn more about threat intel teams, check out Focal Point, Tanium’s online cyber news magazine. We’ve got relevant articles also linked in the show notes. Just visit tanium.com/p for publications.

To hear more conversations with today’s top business leaders and security experts, make sure to subscribe to Let’s Converge on your favorite podcast app. And you can help us get the word out – give us a five-star rating.

Thanks for listening, and we look forward to sharing more cyber insights on the next episode of Let’s Converge.

Hosts & Guests

Melissa Bischoping

Melissa Bischoping is Director, Endpoint Security Research at Tanium. Presenter, author, and cyber SME, she offers guidance on attack behaviors and emerging threats.

Sherrod DeGrippo

Sherrod DeGrippo is director of threat intelligence strategy at Microsoft. She was selected as Cybersecurity Woman of the Year in 2022. Previously, she was VP of threat research and detection at Proofpoint, where she led a global team of threat researchers, malware reverse engineers, and threat intelligence analysts. Her cybersecurity career also includes stints at Nexum, Symantec, and the National Nuclear Security Administration.