Scott Schur (2:41)

But it was more like drive the hour into town so you could check your voicemails and you know, talk to people and do things like that because you're kind of really out in the middle of nowhere. And that's what drove me. Once I realized a, did I want to be doing this type of lifestyle for the rest of my life? The answer was maybe it's not very stable and it is hard, right? And it's something you want to do forever, hard to do, you know, as you get older and things like that. So what made me realize, hey, while doing that was, you know, every time I would talk to family at home and you know, go back home to visit every once in a while, it was, well, what do you mean? You're out there in like the woods and you don't have technology and like, how do you get food and how do you do this? And it's like, well, you know, you grow the food and you get the animals and you know, the same way you get it. And they're like, what do you mean we go to the grocery store, it's like, yeah, well, you have to, someone's got to get it so that it can go to the grocery store. And that always kind of left the impression in me of the idea that as a society we aren't really prepared to live without modern technology. For the most part.

Sam (3:42)

Right.

Scott Schur (3:42)

Well, we would mostly figure it out, but in the, the, the immediate term, if we lost that technology or the ability to use some of that technology, it would be kind of a bad day for most people. In the beginning, that's what really drove me to cyber is, you know, also like living in New York City like all my life is, you know, you would lose power for a couple of days and the place would turn into a riot zone.

Sam (4:02)

Right.

Scott Schur (4:03)

So that's really what drove me towards the idea of, hey, we need to be able to protect the technology that we have and be able to as best we can, maintain people's access to it.

Caleb Tolan (4:12)

Right, right. That's really cool. You know, as we were preparing for this, you told me that story about the homesteading and it's something I've always thought is so fascinating. So glad you got that experience and makes a ton of sense how you would get from there to getting into cybersecurity. Yeah, we're so, so reliant on technology these days. I'll touch on that a little bit later too. I'll come back to that topic for sure. But something I wanted to talk to you a little bit about is intelligence versus policy versus defenders. I hate to put verses between each of those groups because they often are. Are groups of people who all have to work together. Sometimes not so well. But you do happen to have experience bridging these gaps. So what needs to happen from each of these groups to make the magic happen to effectively combat cyber threats?

Scott Schur (4:52)

Yeah. So just to kind of pick on you a little bit, since you mentioned it before. Right. With the versus is the first thing is don't think of it as a versus. Right. So don't think of it as me versus them or them and us kind of situation, but in kind of leading into that is instead of verses, I would use and I don't know if it's a plus sign and a multiplication sign, some type of mathematical, you know, symbol to talk about them being together and then being a formula for doing good cybersecurity work.

Sam (5:23)

Right.

Scott Schur (5:23)

Because now we've kind of moved out of just intelligence to the broader picture there. And the way I kind of see that and what needs to really happen there is one for all of those teams to understand what their function and role is and how that fits together with the other teams. And with that is right when we. Or when I think of the policy piece of that, I'm really thinking for, you know, people who aren't, you know, in government and things like that, for, you know, the listeners of. I'm thinking strategy, goals, objectives of the team, the organization, whatever level you're kind of putting that on. And then the defenders, obviously, they're your frontline defense teams. They're the ones, you know, preventing, mitigating, responding to. And then you have the intel piece, which is the support of all of those things. And which is why I kind of like to look at them as together in some kind of formula is intel in understanding what it's supposed to be doing is we are supposed to be the gap where the connective tissue of those other teams and departments.

Sam (6:21)

Right.

Scott Schur (6:21)

Is our job as the intel team to understand the policy objectives, strategies, goals, and be able to translate that and push that in informed action for the teams, the defenders to take so that they understand what the goals and objectives are. And then it is our Job as the intel team to be explaining the actions taken and how this all fits to, in the tactical piece of what these defenders are doing to the policy people to then drive either new strategy or to reinforce, hey, the strategy is working, or, you know, we're working towards the thing that we're trying to achieve.

Caleb Tolan (6:58)

Right, right, definitely. And you're totally right about, about the verses. I was, you know, even debating if I should. How I should formulate that question.

Scott Schur (7:05)

Yeah, of course. No, I just wanted to give you a hard time with that one.

Caleb Tolan (7:08)

I know, I know. But saying it as a formula is definitely a more accurate way of looking at things. And so looking more specifically at the relationship between intelligence teams and defenders, where have you seen the best collaboration happen between those groups? Do you have any stories that you can kind of pull from?

Scott Schur (7:22)

Yeah, so what I would say in terms of kind of like seeing it, I would re. I kind of want to talk about it from more of where they work well together kind of space. Right. The idea of. And kind of how they do that. And it's really around being integrated and what I mean. And that could mean all being in a same kind of threat management function where they all report to the same kind of team leads and things like that, where they're integrated by like role and organizational department. But what it really means is even in that sense, there's a lot of times where things aren't integrated just because they're all together. It's really integration of process. It's integration of, you know, the intel piece being a component of all of the defense functions is when it really works well. And that's from both sides.

Sam (8:10)

Right.

Scott Schur (8:10)

Intel needs to have them integrated into our process as well. And really some of the best work and like the idea of what this is and what I try to implement places as I've learned, this is Threat Informed Defense.

Sam (8:21)

Right.

Scott Schur (8:22)

Mitre's Threat Informed Defense center, they kind of push out all the really kind of groundbreaking work towards this idea of this being a strategy for doing defense and security rather than just having separate functions who all kind of maybe work together and share things. It's really that piece of. And it works well when it's integrated and it's understood who's doing what and how to use what you're getting from. Interesting, right?

Sam (8:45)

Right.

Caleb Tolan (8:45)

Totally, totally. There goes that formula again. Just, you know, pulling the right levers and trying to get that best cyber resilience outcome.

Scott Schur (8:52)

Yeah, absolutely.

Caleb Tolan (8:53)

So looking at these groups too, again looking more so at the intelligence teams and the defenders, what do you think is one thing that you wish defenders better understood about cti? And what is one thing you think that CTI analysts could better understand about Defenders?

Scott Schur (9:08)

Yeah, actually, I think this is a really good question and a question that if we aren't talking about it as much as we should be, we should be talking about it more kind of thing as an industry is. And I will start with what it is that I think intel teams need to need to understand about defenders.

Sam (9:24)

Right.

Scott Schur (9:24)

I think this is really important for us to kind of keep it in the back of our, you know, forefront of our minds is that defense teams, and not just defense teams, but many teams across the organization don't always understand what intelligence is and how to use it. And I think that second piece, how to use it, is really kind of key. There is if we understand that they don't always know what to do with the intelligence we give them. And it is imperative that while either building that relationship in, you know, meetings or whatever it might be, or the products themselves, the outputs themselves, that you kind of give to those teams, you have what to do with it kind of embedded in. And I know this is, you know, depending on how you look at it.

Sam (10:06)

Right.

Scott Schur (10:06)

Like, I've talked about this before of, you know, being kind of an intelligence professional first before a cybersecurity person and kind of doing intel and then cyber is a lot of times in traditional intelligence. As an intel analyst, you don't really make recommendations per se. You don't really tell people like, what actions to take. It's really more about laying out here are the pieces of information that you need and here's the analysis and the context there of like decision options. But then it is a decision maker who kind of decides which ones they want to do. And we don't really tell them, go do this one because this is the best option. Kind of say, here's all your options, here's the plus and minuses, the, you know, the positive, the negatives, outcomes, all these things about those options, and then you go off and do it. In particularly in the business world, it's a lot different of, hey, kind of need and want the CTI team to at least recommend something to do to say, hey, we think you based on all this intelligence we've given you, and that output could be anything from a written report to, you know, attack flow navigators and, you know, whatever it might be. And then this is what you should go and do with this information. So I think that's really important for us to understand is that we need to be providing that so what piece of hey, not only so what of what this means for us, but so what should I do with it? And now in terms of what I would really like, you know, the defenders to understand about, you know, CTI and there, there's a whole bunch of things, but I think if in terms of finding one piece that is the most, that would have the most benefit for everyone involved is that CTI needs to be looked at from you know, a kind of as their cover. And what I mean by their cover, I don't just mean like hey, when something bad happens, please like it's not our fault, it's someone else's fault. It's more that justification and prioritization piece, which is what I kind of. That again I'll kind of talk more formula because I think CTI is an opportunity to give like a scientific like approach to how you can like make this information usable. Is that formula of what cover equals is justification and prioritization. And what that really means is it allows the defenders to say we did or didn't do something based on the intelligence that we got from the CTI team. And that is your justification. And for taking an action, not taking an action. And what that instead of looking at it, which is what I think happens a lot, is as someone either telling us what we need and should be doing, which is, oh well, if you say this is bad, that means we have to go do something about it. And that's not necessarily true. We may recommend you take some steps, but it's really more of an opportunity for you to then take our intelligence, put that in your decision making process and say based on the information we got from a CTI team, we are deciding to do X or we're deciding not to do something else, like patch a vulnerability or not. It's hey, this is a priority one or it's not because it's not being exploited by threat actors that are relevant to the organization or something like that. And then if someone comes and asks, well why didn't you patch this thing? We could then say where those teams can come and say, hey look, we didn't patch it because of this output from cti. Now go talk to CTI and cti. If we're doing our job right, it's we're doing the hard work of being able to show the accountability of why we made that, why we said this wasn't a high threat or this wasn't a priority. And if we can show that, then there's There, there's that cover, that justification, right?

Caleb Tolan (13:26)

Totally. It's all about context and informed decision making. I mean, you know, if you don't have that bit of intelligence that has those recommendations, particularly in cyber, oftentimes I know defenders can be like, okay, this is a lot of information. What do I do with that? And then it becomes kind of inactionable. So having that piece of context or those recommendations, I know, is so important for the teams to be able to make informed decisions. So totally, totally resonate with that. Cool. And then I, like I said, I promised I wanted to come back to something you mentioned at, at the top of the conversation, which was about the homesteading. So you mentioned before you really got into your career in cyber intelligence, that you were a homesteader and you were living pretty much off the grid for, you said, I think, four years. So my question for you, who would win in a fight? 10 homesteaders or 10 of the most ruthless cybercrime actors?

Scott Schur (14:12)

Oh, okay. I mean, I feel like this is a super easy thing to answer, but then I'm like, am I giving not enough? Am I underestimating, you know, one of these two groups in my head? But I mean, I think the easy answer is the 10 homesteaders, right? Like, we're looking at physical hard labor out and, you know, digging holes, taking care of livestock, doing stuff that requires, like, some physical strength and activity. And then most of our, like, ruthless cyber threat actors, depending on which ones.

Sam (14:42)

We'Re looking at, are.

Scott Schur (14:43)

I mean, we sit. And now, like, my job too, right? Like, I sit behind a desk and I type on a keyboard. So maybe I'm being overly generalized in, like, the stereotype of what I think of both of these two groups. But I would say most likely the 10 homesteaders are probably going to win in a physical confrontation with, you know, 10 cybercriminals or threat actors.

Caleb Tolan (15:04)

Right, right. I was, you know, leaning in that direction too, as I was thinking about that question, but then I was kind of turning my opinion around a little bit later where I thought, you know, cybercrime actors can come up with really strategic, interesting approaches to all sorts of different security. That's true aspects of a business. So don't underestimate the group. I do think probably, probably the homesteaders would still overtake the cybercrime actors, I think.

Scott Schur (15:29)

So I guess it depends on how this confrontation, you know, unfolded.

Sam (15:33)

Right.

Scott Schur (15:33)

Was it a long, drawn out thing that these. That these threat actors might have had an ability to, like, kind of plan their. Their approach and, like, because to your point, Right. We have threat actors that are pretty creative. Or is it, hey, they just happen to both be in a bar at the same time and they get into a fight, probably betting on, on the homesteaders.

Caleb Tolan (15:53)

Right, right again, there you go. You go back to context. That's the context of, of the dispute, if you will. So I guess for those listening in, if you have a strong opinion, whether it's the homesteaders or the cyber crime actors, you can sound off in the comments. But back to kind of the topic at hand in talking about threat intelligence. Again, it typically acts as a support function for many other parts of the business like we've talked about already. So how can CTI better help us achieve stronger data security specifically?

Scott Schur (16:22)

Yeah, so in the general sense, and I'll try to give not an exact example, but like a little bit more tangible of a thing here, but to your point, yes, CTI can, is a support function for all of the business function across.

Sam (16:36)

Right.

Scott Schur (16:36)

You know, teams from your defenders to your privacy to your risk teams to, you know, mergers and acquisitions, all of that kind of stuff. I've kind of seen CTI play that support role for, in terms of data security, the thing that, that I think CTI can help with is in the sense of one understanding, you know, what data is at risk.

Sam (16:55)

Right?

Scott Schur (16:56)

So like, I think that's the first piece is, hey, using CTI reporting and support for doing data security in an organization can help you understand what data you have that is likely to be favorable or targeted by threat actors of interest, right? Who that might be. So it's what type of data and then how do we best secure that? But then it's also from a little bit more technical that might help with policies or, you know, like the way in which you keep that data and what you do with it is, you know, how will they target that?

Sam (17:26)

Right?

Scott Schur (17:26)

And you know, when we start talking through mitre, you know, framework and things like that, like giving those tactics, techniques and procedures of the way the threat actor goes after this stuff will help you understand, do we have the right technology and encrypting the data, Are we storing it in the right place? You know, is the place we keep this data stored, isolated from the other places that the data exists so you can't jump from spot to spot. So like, we can really help with like where you can invest that prioritization and that, you know, policy, whether it's policy, whether it's technology, whether it's people and resources, that's really where, where I think CTI can play a Pretty critical role across any business function, but particularly for data security, right?

Caleb Tolan (18:09)

Absolutely. I mean, at Rubrik, something we always say is you need to understand what data you have is sensitive, be able to classify that, understand who has access to it, what they're doing with it, and really be able to understand the whole structure of your security data security posture in order to kind of take any next steps from there.

Scott Schur (18:26)

Exactly. And CTI again can help with, once you understand all that stuff, applying. Well now here's the threat actors view. Here's a threat actors perspective.

Sam (18:35)

Right.

Scott Schur (18:35)

Because I think that is if I can circle back to one of our other questions, right. Of what I would like people to understand about CTI is one of the things, and maybe we've done ourselves a disservice in calling ourselves cyber threat intelligence. We're really more cyber counter threat intelligence. It's really we are meant to be looking at things the way the threat actor looks at and presenting it that way to an internal audience. So it's really being able to give that. Well, what is the threat actor care about that we have here? Right, right.

Caleb Tolan (19:04)

Yeah. And that's absolutely a great transition into kind of our next topic at hand. So one of the common themes that we've heard from many of our guests is that a key skill technologist and threat analysts need to develop to advance their careers is effective communication with non technical peers and their leaders within their organizations. And you've talked about tailoring intelligence to both executives and operational teams. What is the biggest difference in how you present that intelligence to those two audiences in a way that resonates with them? And are there any examples that you can share?

Scott Schur (19:32)

Yeah, so yeah, I think I would. You know, we have to kind of agree with everyone that has said that in the past because it is definitely true. Communication and the ability to do that well is key to pretty much all functions.

Sam (19:45)

Right.

Scott Schur (19:46)

Whatever it might be. So in terms of how doing that and you know, and talking through it is right. I think the main difference or one of the first difference between you know, presenting things to a more technical or you know, defense oriented team and function to a leadership function is simple. The format.

Sam (20:06)

Right.

Scott Schur (20:07)

So like the way whether it's a briefing, you know, getting on a call and talking like this, whether it's, you know, a written report, whether it's, you know, technical diagrams, whatever it might be, that is useful for one set of that audience and then the other.

Sam (20:22)

Right.

Scott Schur (20:22)

Is more useful for the other.

Sam (20:24)

Right.

Scott Schur (20:25)

Like so the leadership people.

Sam (20:26)

Right.

Scott Schur (20:26)

Like giving them a briefing, giving them Something that is, you know, succinct, short understood in business terms, which is, I think, is the second key piece of that is what you say and how you say it is going to be different for both of those audiences. And I think it's really just comes down to being able to understand who your stakeholder is and what they really need. And that is around the idea of, well, what is their main function and what are they doing?

Sam (20:51)

Right.

Scott Schur (20:51)

Leadership is making decisions, so they need information and context that will allow them to make the correct decision or the best decision. Defenders, their main job is to defend. So they need the information that is going to allow them to, you know, put in detections or identify threat actor activity in the environment, things like that. And the way to do that will be different, right. The more technical, machine to machine that you can start, you know, sending your information to them, probably the better. Whereas if you tried to send machine stuff to, you know, a leadership, they're going to look at you like they have no idea what any of this stuff is. So it's really translating into the words and the terms that they use while still keeping true. Because I do think there is, as we're talking about communication, I do think that there is a kind of a loosely defined set of how intelligence should be written, spoken about, conveyed, like certain terms and things like that that need to still be in there, but it's still. If it is completely foreign to the end user, then they're not going to understand it and they're not going to listen.

Caleb Tolan (21:56)

Right, right. You know, we had an episode with Amy, BoJack. Gosh, this was probably about a year ago now, or at least maybe a little over a year ago, where she said that, you know, hopefully all CISOs or someone in a senior security leadership position should have some expertise within operations. So hopefully they are able to at least speak some of the language. But then in another episode that we had with Maureen Allison, I think a little bit before that, she mentioned about how the CISO's role has evolved so much to talk more about the business function and being able to communicate risk to the business in terms of what's happening with information security. So that's definitely a skill that everybody could kind of benefit from on the technology side.

Scott Schur (22:34)

For sure. For sure. And I mean, honestly, that like talking sort of the CISO role, right? Like, as someone who's obviously not a ciso, but that role, and it depends, right. Organizations. I've seen organizations do this, right, where there is not necessarily two CISOs, but there is, you know, first line defense, which is the more tactical operations function that has all the security apparatus and you have what? Right, like second line defense, which is, hey, we have oversight, we have risk, we have all that stuff. And there's not two CISOs, but there's two people who kind of have each side of the CISO function rather than it being one role. It'd be, here's your tactical technical operator CISO who's running all of the teams. And then you have your risk business based security officer who is, you know, going to then take all of that and translate that to, hey, here's the risks that we have as an organization, here's how much it's going to cost, all that kind of stuff. So I've seen it done that way. I've also seen, right, hey, one CISO who needs to do both in a place as well. So which is better is unclear. It's kind of, I think what works best for an organization is also sometimes hard to find one person who has both of those skill sets. So sometimes maybe two is better. Just kind of depends.

Sam (23:48)

Right, right.

Caleb Tolan (23:49)

Definitely different from organization to organization. But it's a great note to end on. So thank you again for your time today, Scott. This was really an incredible conversation. Great getting to hear more about your experience in homesteading and cyber threat intelligence of course too. So I really appreciate the conversation and look forward to next time.

Scott Schur (24:06)

Awesome. Caleb, thank you so much for having me. I hope everybody enjoys listening. Thanks.

Sam (24:12)

Sam.