Here are the 5 Topics We Cover in This Episode:
1) Intelligence Playbooks Start with Education to the Customer
Playbooks should include three major steps. The first step is education on how intelligence is going to be consumed and not be nonstop noise. Discussions between customers and vendors should start around requirements that customers are trying to address with business stakeholders.
2) Understanding Commercially and Publicly Available Data to Avoid Noise
The next step in any playbook needs to be about what data is needed to cover unique intelligence requirements. Social media, passive DNS, foreign media, business entity, person, and netflow datasets are all available, but they’re meaningless without understanding what a security team is trying to accomplish.
3) Flexibility is Critical to Meet Compliance Regulations
A threat intelligence program by itself is not generally a compliance regulation like anti-virus or a DLP program. However, there are many aspects of a threat intelligence program that are inherent with compliance spending such as the ability to monitor third parties, manage vulnerabilities, track credential and data leaks, as well as mitigate against insider threats. Flexibility to adapt to compliance needs is critical for maintaining the program and is as important as addressing routine vulnerability disclosures for the SOC or giving business units a competitive advantage.
4) Intelligence Backgrounds are Useful for Building Great Threat Intelligence Programs
Two general backgrounds are common with building intelligence programs: US government intelligence community experience and those with a data engineering background. While data engineering is important for automation and bringing indicators into network defense tooling like a SIEM, intelligence community backgrounds are critical for building relationships and crafting winning value propositions across a stakeholder community. Asking the question, “what does success look like for you,” goes a long way between customers and vendors, particularly when a program is starting.
5) Return On Investment Criteria
When an intelligence program is starting, requirements are collected, and data that is needed is purchased, oftentimes return on investment comes in the form of storytelling. For example, sharing how you’re stopping credentials from being used or stopping an insider threat from leaking data. Over time these stories become common themes that can be built out at scale and will ultimately be used to capture “prevention dollars” and potential dollar loss from leaving the company. This storytelling to capture dollar loss should be the pinnacle of any threat intelligence program maturation.
BRANDON: In Client Success, we follow something that we have built out internally called our playbook. We call it the Client Success Journey Plan, and it is essentially benchmarks that we have with our clients along the way, and it’s everything from, you know, the beginning of onboarding, to adoption, to running operations, into renewal.
And along the way, you know, we constantly have a series of questions that we’re constantly asking, making sure that we are always well aligned, making sure that ROI is clearly captured, and as part of that, as you said, Landon, the executive business reviews or QBRs are part of that. It’s you know, usually a five month review of where we’ve been, what we’ve been doing, what changes have we seen, and then always looking 12 months forward, right?
It doesn’t matter when the renewal is, you’re always looking 12 months forward. If you’re not having that strategic, proactive look ahead, how are you gonna realign yourself and make sure that you’re perfectly positioned to answer the future questions that your client is going to have?
LANDON: Welcome to the award-winning Cyber5 Podcast. Here we discuss the most relevant cyber and physical security challenges facing enterprise businesses today. I’m your host, Landon Winkelvoss, co-founder of Nisos, the Managed Intelligence company.
Brandon Kappus, welcome to the show, sir. It’s been a long time, frankly, since yesterday when we had a call.
BRANDON: I know, and honestly, Landon, I have missed you so much since yesterday, so I’m glad to be here, man, thank you. This is something I’ve wanted to do for a while now, so I’m glad we can make it happen and come together.
LANDON: This is your first podcast ever, right?
BRANDON: First podcast ever, yeah, this is a big deal for me.
LANDON: It’s gonna be legendary. It’s going to be legendary.
BRANDON: I called my mom, she said it’s going in the baby book, so pretty excited about that.
LANDON: You’ve been a world-class practitioner and professional since you joined Nisos, and even obviously, in your previous life. It’s been an honor to work with you a lot, and I can’t wait to dive in and talk about customer success. Give the audience a little bit about your background.
BRANDON: Yeah, sure, so Brandon Kappus, I’m a Senior Director of Client Success here at Nisos, so essentially lead our Client Success team. Been with Nisos just over two years now. It’s been a wild ride, it’s been a ton of fun.
Prior to that, I worked for an NGO or non-profit rather, doing counter human trafficking work, but the bulk of my time was in the US Government. So I was in the Foreign Service for about 15 years, focused on counterterrorism, so I spent a lot of time overseas working with international partners, focused on policy, and obviously, collection of information and dissemination, a lot of the things that we’re doing here at Nisos, so that’s it in a snapshot.
LANDON: When people think of customer success in the technology sector, they think of a lot of things. Walk through what customer success looks like, you know, with an intelligence company like ours.
BRANDON: So Client Success at Nisos, and really in Managed Intelligence, we’re effectively the face of the company, so we are the points of contact for our clients, and really act as their advisors day to day. So this includes everything from helping contextualize information into actionable intelligence, providing recommendations and guidance to deal with the threats of the day, or just providing, you know, more strategic level insight as clients look to build out their threat intelligence programs with outside capabilities.
So, Client Success at Nisos, you know, we handle everything from the scoping of requirements. We help shape both tactical and strategic direction for our clients, and we really, I think most importantly, act as the bridge, right? Between our analyst teams, you know, the people behind the scenes doing all of that intelligence collection, you know, analysis and dissemination, and our clients.
So we’re facilitators at the end of the day, to ensure that deliverables meet expectations, and we always chart a path forward. And honestly, you know, sometimes, we’re just a shoulder to cry on. And I think Nisos is a little different in the market. As most of our Client Success Directors, in fact, all of them come from the intelligence community, and in other government roles, we have an average of 12 to 15 years of experience in operations or analysis, so I think we really understand not only the adversary mindset, which I think is so important in this space, but most importantly, we understand how to collect, produce, and consume intelligence.
That’s really just a major differentiator. I think our clients, you know, look to someone that, you know, they have a problem, they don’t really know how to tackle it, and being able to use the experiences we have to understand, you know, what that person’s ultimately trying to get to, and understand how we can kind of reverse engineer that outcome through our experience.
LANDON: Based on what kind you were saying there, you know, where does the background of customer success and having intelligence experience help in customer success?
BRANDON: Okay, so I’d say diplomacy in the foreign service or intelligence operations within the IC, you know, all focus on one fundamental skill, and that’s making friends, so you know, everything we do is about genuine relationships, and that translates with our clients. It’s really about building that trust, right?
And being able to operate with ambiguity, making quick decisions for our clients with limited information. It is really all about people, and the more genuine relationships you can forge, the more our clients will lean on us for those tough questions, because they know we have their back, right?
So I think that’s the importance of having that regular cadence with our clients, and being there really acting as their advisors. Having that rapport and that trust upfront, one, they’re going to lean on us, and we’re gonna stay top of mind when they have a problem, and that’s what we want, right? We wanna be there and be able to operate for them quickly to solve those problems that they have. If they don’t know you, right? If you’re just an email, you’re not gonna have that kind of relationship, so I think that’s fundamental to not only intelligence operations, but how we operate at Nisos within Client Success.
So really I’d say that the core skills that you mentioned, Landon, I think, developed in government all translate pretty seamlessly. It’s also about asking the right questions, you know, making sure we have a solid understanding of what our client requirements are, and then really, in many cases, you know, understanding what that ultimate outcome is, you know. Using our experience, we can really reverse engineer that, and I think that’s key to be to not only translate what clients are looking for, but help really serve that up to our intel services team, who are ultimately going to be diving in, and this is how we drive value.
If we can make our main client POC an internal champion, I mean, we’ve succeeded. That’s ultimately what we strive for day in and day out. This is core to intelligence operations, and transitioning those skills into the private sector, I think, allows us to provide really that white glove service that separates us from some of our competitors.
LANDON: Yeah, it kind of goes down that path a little bit, right? I remember early on having a conversation with one of our POCs, and I won’t name names of, you know, who his other vendors were, but it was other competitors, and he said, you know, this one organization is, they provide amazing service, amazing capability, but there’s no external, you know, business review or you know, quarterly business review or yearly business review, so when I had to go time to go make budget, right? It was always painful. Where when you talk about other different, you know, clients, and of course he’s giving this as advice to us, right? When we talk about other clients who had, you know, executive business reviews or quarterly business reviews, that made it pretty easy to basically say, when it came budget time to say, “Here you go.” Kind of just curious, you know, what goes in, to how important those business reviews kind of are.
BRANDON: In an ideal world, I want my clients to not have to worry about anything. Like, I want this to all be laid out for them on a silver platter. That is what we are here for, right? So we have something, you know, I could have a whole podcast on just this honestly, but in Client Success, we follow something that we have built out internally called our playbook.
We call it the Client Success Journey Plan, and it is essentially benchmarks that we have with our clients along the way, and it’s everything from, you know, the beginning of onboarding, to adoption, to running operations, into renewal, and along the way, you know, we’re constantly have a series of questions that we’re constantly asking, making sure that we are always well aligned, making sure that ROI is clearly capturing, and as part of that, as you said, Landon, the executive business reviews or QBRs are part of that.
It’s a, you know, usually a five month review of where we’ve been, what we’ve been doing, what changes have we seen, and then always looking 12 months forward, right? It doesn’t matter when the renewal is, you’re always looking 12 months forward. If you’re not having that strategic proactive look ahead, how are you gonna realign yourself and make sure that you’re perfectly positioned to answer the future questions that your client is going to have?
So unless we sit down, we get the stakeholders in the room, and we talk through not only what we’ve done, but where we think we can go providing those recommendations for what we’ve seen, I think that really helps, one, provide, help provide our clients with some of that direction that they’re looking for. It helps make sure that Nisos is very well positioned to be able to quickly answer and pivot as needed if there is a change of requirements or a realignment that needs to take place, and also, like you’re getting more time, you’re getting more time with your clients, you’re getting more time with your champions, your executive buyers, right? Going back to people, it’s incredibly important.
LANDON: When you talk about collecting and consuming intelligence, walk through that process as it relates to private sector clients, and even different industries and different verticals.
BRANDON: Sure, yeah, I mean, I think that the main kind of aspects of what we would call the intelligence cycle really can be the same inside government and outside, right? And it’s everything from you’re planning your strategic direction based off the needs of your program to collecting, you know, finding the data sets and the collection that you need, to analysis, over to dissemination, and then repeating that cycle, right?
So it really is, you can operate the same in private private sector, so it’s all about understanding, you know, what your security program is, what your needs are, what your requirements are, then taking that, building some strategic direction as to how you’re going to tackle those issues, and then go and you find your data, you find your sources of information that then roll into your analysis, and ultimately, lead to some actionable result.
Going into some of the challenges that I’ve seen coming from the government into private sector is I think there’s a common misconception out there that data is intel, right? And getting past that can be challenging upfront. I would argue that’s not the case. I think, you know, data is raw facts. I think information is data combined to answer a question. And really intelligence is information contextualized with concise analysis and a bottom line upfront assessment of why something matters. I think that’s the differentiator here.
Intelligence should always include clear recommendations for moving forward, and it must be actionable. You can’t take action on information. It’s not intelligence, right? So I think having a keen understanding of not only collecting but analyzing information into intelligence and then using it to take and make those next concrete steps is what sets managed intelligence services apart from some of the competition, in my estimation. And it’s not always clear really for our clients the true benefit of finished intelligence, I think. So it’s our job as Client Success directors acting as those advisors to create not only the consumers of intelligence, but also prove through those real world results that ultimately show that value. So it’s easy to confuse managed intelligence with data feeds as well.
You know, we hear that often as we talk to new prospects, you know, “Hey, can we see a demonstration of your platform?” et cetera, and you know, at least those were an analyst driven service that runs the full intelligence cycle, like I said, so a little bit different than some of the kind of more traditional threat intelligence platforms out there.
LANDON: You said something around very critical, I want to kind of dive into. You mentioned planning strategic direction. What does that look like when you talk to our clients, right? Because I think if you’re talking to some cyber threat intelligence analyst.
LANDON: That strategic direction is what does the CSO want for their direction? And then the CSO might say, “I want to tackle third party risk, ransomware, vulnerability management, and you know, a slew of other things around what is IT,” right?
But you might go to another stakeholder, and they might have a completely different set of intelligence requirements. What are different, you know, strategic directions that you’ve kind of, you’ve seen?
BRANDON: I think the biggest challenge is really understanding what your threats and vulnerabilities are, and then being able to shape a program around that is step one. And that’s not always clear because there’s so many unknowns out there, but I think once you have identified, you know, these are the main focuses that we need to, you know, we need to build a program around it, we need to build requirements around, it’s a bit easier, right?
When I talk about strategic direction, it’s more about how are we going to solve a problem or patch a vulnerability long term, you know? There’s the tactical, right? We have alerting, and we have, you know, an event that happened, and we need to do a quick attribution on a potential actor. Those are tactical, right?
Well, how are we looking at proactively getting ahead of these from a strategic nature so that we have, we no longer have to be so reactive? And I think there’s multiple ways you can do that. I think managed intelligence, having both a preactive tools to be able to monitor and get ahead of some of those threats, and then, you know, coupling that with a tactical, being able to quickly react to when something happens.
So there’s a lot of learning along the way. As you gather more data, you have a better understanding of your ecosystem, which helps define and tailor your requirements so that you can be much more hard-hitting on the action side of ultimately solving some of those threats.
LANDON: When we talk about executives and their understanding of threat intelligence, and the return on investment that’s associated with that, I’m kind of curious where your thoughts are from that perspective. Let’s be honest, security spending is 50% compliance driven.
BRANDON: Yeah, sure.
LANDON: Compliance will tell you, “I have to have A, B, and C tools,” and depending on what the compliance framework that they’re following, whether it be the NIST framework, or ISO 27001, or whatever regulatory framework they have to follow, a lot of times it’s when it’s buried, you know, in those frameworks, there is elements of threat intelligence that are, you know, super important.
Walk through kind of like what ROI kind of, you know, has meant to, you know, where you’ve kind of driven that with, and how that ROI has been very critical, you know, in a customer success mission.
BRANDON: I think it really depends on the maturity of the security or intelligence function within an organization, so I mean, we work with, you know, large Fortune 500 companies that have hundreds of employees in their security functions, right?
So their requirements are generally going to be much more complex and sophisticated in nature, and there’s a clear understanding of threat intelligence and how it can be used to harden defenses about threats to risk an organization, because they have the experience, right? They’ve been doing it for years, and have been able to go through the motions. The ROI in that sense is generally easier to define in these organizations.
Perfect example, you know, we can enumerate a sophisticated, you know, disinformation network, and provide actionable intelligence to be able to shut it down. That’s very clear. We have a requirement and we have a threat, we have collected and disseminated actable intelligence, and we have, the client now has what it needs to be able to take that down, right? I mean, that’s immediate ROI, given that the proprietary information loss, for instance, that would’ve taken place otherwise. So there’s a great opportunity to prove your value of threat intelligence, managed intelligence. Smaller, mid-market clients usually have a good understanding of what they need in their security stack, but they may be less experience working with finished intelligence, as they may be more used to, you know, kind of the data streams or platforms to run their own inquiries by having kind of a full analyst team behind them.
The ROI there I think is generally more nebulous, as you have to make sense of all the data and provide context to it before it can be actionable, right? So the goal here is really to understand first what their ecosystem looks like and then, you know, what their present vulnerabilities are. So from there you can better understand the risk and the current threat picture. I think from this comes a better understanding, which leads to, really which leads to detailed requirements. It’s a process here, and this is what CS, you know, Client Success is positioned to help with, you know, guide that process with our clients to help kind of define the importance of threat intelligence, and then capture that ROI to brief the executives and other stakeholders. So a lot of it is, you know, here’s the requirements, we’ve done the collection, we understand kind of what the outcomes were.
Now let’s go back, you know, with a methodical approach with our client, with the Client Success Director, and kind of figure out how our information has been actioned, right? It’s the time that we have with our clients being able to meet with them regularly and really act as that extension, right? Providing that data, I think is critical to us being able to not only help inform future requirements, but help our contacts rather internally be those champions within their teams.
If they can work with Nisos and have a series of questions or vulnerabilities that they need to tackle, and we can work with them to help them not only understand what requirements they need, but help collect, dissem, you know, push out the information to them, and then very clearly through those communications, understand how our information is being used, we can capture that, provide that to our client to be able to pitch up to stakeholders. And again, I think that’s the importance of having that time with the client and really just being there as that extension.
LANDON: So Brandon, what I kind of heard you say is you’re really talking about, on the sophisticated clients, you’re talking about threats. On the unsophisticated clients, they’re talking about risk, and I know those things are kind of sometimes used interchangeably, but they really do mean a lot of different things, right?
BRANDON: Yeah, they sure do.
LANDON: Kind of walk through threats versus risks, and the different maturity, you know, elements, you know, the program maturity elements that are kind of critical along the way.
BRANDON: I do think it’s important to understand the differences there, ’cause I do think that there is a clear difference between risk and threat, and it matters.
Threat is really the intention to conduct a negative act, such as, you know, an example, an exploit of an identified vulnerability, right? I mean, threats are essentially all the ways an adversary could target you or get into your systems, so basically, anything in your ecosystem that could be exploited.
This could be traditional malware, executables, ransomware, you know, to a criminal element tracking your executive team’s pattern of life, etcetera for you know, a malicious event. The more intelligence you have on how adversaries can target your people, places, or assets, the better prepared you can be to guard against them. So it’s about knowing where you have security gaps, and finding ways to button them up, right? So I’m saying, you know, at Nisos, in just CS in managed intelligence, we also stress, you know, that proactive approach to this intelligence collection to limit the need to be so reactive. So the more you know, the better prepared you will be.
So risk, on the other hand, I think is the potential, it’s more the potential of loss, damage, or destruction of people, assets, or infrastructure, right? Usually through unrelenting threats. So an organization’s risk profile is gonna fluctuate. I think that’s depending on both internal and external environmental factors, so this includes, really not only the potential of an adversarial then, but the impact that that may have on your assets or infrastructure. So the goal with risk is, you know, it’s always to mitigate the best you can, but I don’t think there’s anything, yeah, I don’t think there’s any such thing as being 100% risk free. I mean, adversaries and attack TTPs, you know, they’re just too agile and ever changing, right? So it’s a constantly moving target. So the goal here is to keep your risk level manageable, but most importantly, know.
So I think to get back to your question, Landon, I think companies care about both. I think the issue here is there’s just so many threats out there, it’s difficult for companies to know what they need to focus on. So you know, what is a true threat that’s a risk to my organization, or what’s just petty, you know, poking along the surfaces of my infrastructure, right?
We all know there’s only so much budget that can go into a security program, so a constant challenge for threat intel leaders is that they must constantly prioritize. You know, the more intelligence can provide our clients on why they should or should not focus on a threat, the easier it can be for our clients to make those decisions internally and really vector resources onto where they need to be. It’s all part of what we do as CS to having that constant conversation, again making sure that we’re perfectly realigned, and providing the intel that’s gonna help them make decisions on a day in and day out basis.
LANDON: And I think we’ve kind of covered this a little bit already, but executives I think very much understand risk, right? I don’t think they necessarily understand intelligence. That’s the conversation you’re having all the time, versus, you know, an analyst who’s in the weeds, constantly looking at threats all the time.
LANDON: You’re more having that risk kind of conversation of like, okay, where is this actually impacting the business? Where is this actually providing loss? What is it, why does it matter? Is that a fair assessment?
BRANDON: 100%, I mean, the most important thing to our clients is a really strong executive summary, right? And that executive summary should basically say that we have kind of our thesis here. This is, you know, everything we have can be summed up right here, but the most important sentence is why this matters, right?
There should always be a very clear, concise assessment of why something matters. So you can go into the weeds. The weeds are important, we need to know all that, but ultimately, our clients really wanna know what the threat is, how it can be mitigated, and how important it is to them, right? If we can capture those things and then again provide those next steps, provide the action to be able to mitigate that, that’s great.
We’ve had certain clients where, you know, we’ve had people come to us and like, we think something is a threat, and we’ve gone through, and we’ve listed everything out, but honestly, like, to the priorities they have day to day, it may not be something that they need to focus on immediately, and being able to have that assessment, say, “Hey guys, you’re working on your priorities. This can be a back burner issue right now.”
Based off all the assessment we’ve done, all the collection that we’ve done, our clients love to hear that because you’ve just solved, or you’ve just taken away hours of their own assessment that they need to do. And backing that up with our work, and backing that up with the research to how we got there, I think is very much appreciated to a lot of our clients.
LANDON: When you have those types of conversations, and you’re going through the playbooks of how to build an intelligence program, there’s a lot of different vendors that provide the playbooks. There are certainly no shortage of self-proclaimed experts that have a variety of different playbooks for how to build intelligence programs.
LANDON: Which ones do you find most helpful?
BRANDON: I think there’s a lot of great playbooks out there, but I think, you know, for me and what I’ve kind of learned, I think that there’s many ways that you can build out a program based off, you know, your specific threat picture or need. But I can say that personally, you know, in my experience, you know, working at Nisos with our clients, there’s kind of three key points that I have found have been very helpful in at least getting thoughts wrapped around how you’re going to design or how you’re going to build a program.
And I’d say first in building on a new intelligence program, it’s important to provide really an education to stakeholders, which I think I touched on briefly previously, to create those consumers of intelligence, right? So understanding the true value of actionable intelligence by its data, and show the difference, right? Show what you’re going to get versus each. There’s a clear distinction between noise, right? And just alerting, going off constantly and not knowing where to put your focus, not having that context behind what is a real threat, and true finished intelligence. True finished intelligence can be used on its own as a standalone product. And I think providing the education, and really, again, building those consumers of intelligence is step one. That’s how you’re gonna get that buy-in. This is also, this understanding is going to help you build out the right data and tool sets, and not fill your shops with nonstop noise, right?
Secondly, I’d say, you know, companies really need to understand the types of data that is required for your analysts, for your analysis, rather, including, you know, potential tools and platforms, but also ensure you have the right analysts to make sense of the information. So you know, as part of the intelligence, you know, cycle, you know, I talked about this already, but planning and direction, what do you know and what do you need to find out? The collection piece, go out and find out what you don’t know, analysis and production, put the pieces of the puzzle together and add context so people can make sense of it, number four, the dissemination, right? Get it to stakeholders and consumers with a clear understanding of who, what, where, when, why, how, and what’s next, right? What are the next steps?
Third, be flexible and manage expectations. Threats are always changing, and you’re gonna need to be able to adapt and improvise along the way to get what you need, right? So level setting that I think is very important to kind of building out your program. I will say in working with clients here at Nisos, the most helpful thing for us has been asking the simple question, what does success look like for you? If you can get a firm understanding of what that is, you’ll understand what is driving a client’s requirement. You can design a collection program to develop their needs, and ultimately find that value. And that’s what we’re here to do at Client Success.
LANDON: I think so much of that can be, you know, just general, you know, career advice in general, right?
LANDON: What does success look like for you, for sure. Final question, what’s the future of the program look like, and what does success look like for customer success, and what does scale look like?
BRANDON: It’s growing. I mean, managed intelligence is growing. I think there’s such a clear need and a clear niche for it in the industry, and I think, you know, what I’ve seen just over my two years here is just the, you know, working in Client Success and being able to bring in amazing analytical talent and having those intelligence backgrounds to really build these teams up, it’s been incredibly rewarding to see our clients and our clients’ programs mature very quickly. And playing a role in that, I think you’re gonna see more managed intelligence. I think, frankly, you know, especially as you start looking at more, you know, services coming together as kind of suites of products, you know, where frankly, teams can completely outsource a lot of their intelligence functions. It’s the whole, you know, build versus buy question, right? You know, you can have data sets, but you gotta staff it with analysts. It costs a lot of money. Managed intelligence can do all of that for you, and can do all of it very, very well.
I think it’s only up from here. I think, you know, specifically speaking of Nisos, I mean, we’re growing like crazy. You know, we’re adding talent, you know, every week. It’s amazing to watch, and it’s been a fun ride. I’m grateful to you, Landon, you know, having crossed paths overseas a few years ago, you know, taking a shot on a knuckle dragging government guy. But it’s been a blast. I can’t wait to see where it goes.
LANDON: Brandon, I can’t thank you enough. You’re a true pro, and you’ve been a game changer for us. I appreciate it very much, and thank you for joining the show today.