Video: Unlocking the Power of Cyber Threat Intelligence (CTI): A Practical Guide with Bitsight | Duration: 2380s | Summary: Unlocking the Power of Cyber Threat Intelligence (CTI): A Practical Guide with Bitsight | Chapters: Introduction to CTI (16.495s), Vulnerability Management Challenges (748.695s), CTI and Supply Chains (1907.005s), Staying Up-to-Date (2044.115s), Concluding Remarks and Gratitude (2297.3901s)
Transcript for "Unlocking the Power of Cyber Threat Intelligence (CTI): A Practical Guide with Bitsight":
Thanks for joining us today for Unlocking the Power of Cyber Threat Intelligence, a practical guide with BitSight. We have a great discussion planned for you all today. We have two speakers with us, Chris Campbell, CISO here at BitSight, and Dor Gaussher, director of product management, for our CTI products. So, this webinar is being recorded. You'll receive a copy of it, when the webinar has concluded. And with that, I'm gonna pass things away to Chris and Dor to get our discussion started. Awesome. Thank you, Sarah. Yeah. And thanks again for everybody for joining today. It's certainly a topic that I am, I am passionate about as a technical practitioner and CISO, and certainly Dor as well from a product perspective. Really, the goal today is for us to walk through how CTI is helping security teams anticipate threats, improve decision making, and strengthen certainly cyber resilience overall. We'll start by touching on why CTI matters, hit some of the use cases, and kinda walk through the Cybersixgill platform as well, and then, wrap with some takeaways. So, hopefully, everybody's able to get something from the, webinar, and certainly, we're hopefully able to answer, a lot of questions that folks have. So, yeah, jumping into it, when we talk about the threat landscape, you know, this is something that resonates, you know, certainly at BitSight and certainly throughout our customer base. It's really the the perfect storm of, technological, economic, geopolitical shifts. It's transformed our view, forcing organizations to really rethink how they're defending against evolving threats. The the first being the attack surface. You know, everybody hears that the traditional network perimeter is no longer there. Cloud adoption, remote work, IoT, you know, pick your flavor. It's expanded beyond what security teams really can manually monitor. 
And attackers really have more entry points into, exploiting misconfigurations, unpatched systems, compromised credentials across the digital ecosystem and the environment. They really must evolve beyond that perimeter, and the base defenses there to adopt a more intelligence driven approach, to understand, you know, where threats originate from, how they might be exploited, in these expanding attack surfaces. So that jumps into really how threats are evolving. As I led off with, they're really drastically changing fueled by some of the geopolitical tensions, whether you have nation state actors, or really at the end of the day, what we've seen time and time again, financially motivated criminals. You know, with AI, that's certainly empowering them to automate reconnaissance, generate more sophisticated threats, and and even craft malware that, adapts in real time, specifically to target, you know, companies, organizations, what have you. I think organizations really have to embrace, more proactive threat intelligence here to understand and detect those emerging risks before they can escalate and become a larger problem. As we look at the third phase, you know, economic pressures are forcing organizations to do more with less. You know, certainly security leaders are expected to, I I think, justify their investments more than they have in the past, but ultimately demonstrate, you know, real measurable impact to the investments that are being made. Board shareholders, you know, certainly, they no longer view cybersecurity as just a technical issue. It it's now something where, it it's a business objective. It's imperative that, you know, it affects reputation, compliance, financial stability. Organizations really need data driven, risk based intelligence to to make smarter security decisions and, again, optimize the resources and focus on threats that matter most. And lastly, kind of goes hand in hand with what we talked about, a little bit early. 
It's like regulations are evolving at a rapid pace with governments and industries demanding stronger controls. We've seen an increase in reporting requirements regardless of the the geo that you're in, stricter data privacy and protection laws, more aggressive enforcement actions against companies that really fail to protect their customers and their data. And this means that security teams really must anticipate these changes, ensure compliance, obviously, ahead of any mandate, and leverage CTI to really demonstrate due diligence in protecting those assets. And the world we operate really is is fundamentally different from just a few years ago. Like I said, the attack surface is broader, threats are more sophisticated, security budgets are being scrutinized, and certainly, regulatory expectations are rising. As we jump in into kind of the next slide, you know, as the CISO of BitSight, you know, my job is really ensuring our security strategy aligns with the evolving threat landscape that I just mentioned on the previous slide. The reality is that that organizations are are facing a complexity of of threats and risks, like we talked about from an expanding attack surface, you know, to effectively manage this. We kinda see four key areas that that CTI is helping mature our own program. And certainly following the acquisition of Cybersixgill, we're excited to to take that platform, fold it into really everything that we're doing almost on a daily basis. And, you know, we're focusing on risk based decision making and prioritizing what matters most, exposed credentials as, you know, as we have a platform that that our customers are logging into. It's a leading attack vector that, you know, nothing's changed. You know, anybody that has a portal that's facing the Internet, you know, you it's a it's a, you know, piece of low hanging fruit for, for bad actors, and we have to stay ahead of that threat. 
As we talked about too, enhancing the attack surface management aspect of things and really understanding what our exposure is, especially as with those cloud assets that that face the Internet and are being scanned, you know, every day, every hour, every minute. And lastly, you know, when we look at, vendor visibility, you know, and managing the threats and risks beyond our own walls and what are in our control, but certainly focusing on what we feel are some of our key or critical vendors that provide services to BitSight or our customers and ensuring that, again, there's no risk to them that we have to, to bring forward or surface for any reason. So, you know, how do we tie it in? Obviously, you know, following the, the acquisition of Cybersixgill, you know, this has already helped us as I alluded to in several ways in securing BitSight. You know, as security leaders, you know, one of my top concerns, and and I'm sure one of the the top concerns of those on the call, is really identity based attacks. You know, when compromised credentials provide attackers with, direct access to the sensitive systems that you're trying to manage, it it it's a significant problem because then they're within the four walls or within your platform. And, obviously, it goes beyond just, you know, what it would be deemed as as scanning. It it becomes potentially more malicious if they're able to extract data or poke around beyond that. And with customers relying on our platform, securing it, and managing access to it, it's certainly a shared responsibility. But cyber threat intelligence is gonna play a critical role for us in the past and certainly more so in the future in strengthening our security there. Exposed credentials, it it it's like I said before, it's one of the top security risks for any organization with a login portal. And it helps us detect risks early, take proactive action, and more importantly, work alongside our customers to ensure strong security. 
Now when we look at vulnerabilities, you know, they emerge every day. And the the challenge isn't just identifying them. It's it's certainly determining which ones require immediate action, which ones can wait. And this, again, this problem won't go away for the next year, three years, five years, but certainly, we can continue to chip away at it. And what we tell, you know, what I tell my teams is we we wanna trend in the right direction. We wanna make sure we're prioritizing what means, or what will gain the most traction or will provide us the most ROI. The reality is that security teams are often overwhelmed by thousands, you know, if not tens of thousands of vulnerabilities, but not all of them pose, an immediate risk. And, you know, certainly dynamic vulnerability, exploit intelligence, it's it's already starting to prove value for our team to kinda help cut through that noise, focus on the threats that that truly matter. And really, in today's environment as it's changing rapidly with threats, you know, it seems like every Friday afternoon is when the vulnerabilities drop. Your organizations can't afford to waste time patching, you know, low risk, vulnerabilities while real threats potentially go unaddressed. And being able to layer that with context with DVE provides us a better lens to arm my teams, to be able to go through our environment. And, again, look where we wanna, you know, have that surgical approach, but certainly looking at the entire landscape at what our exposure is. And then lastly, you know, as organizations increasingly rely on third parties, you know, vendors, suppliers, service providers, third party risk, it's it's not just an IT issue. As we talked about before, you know, security and security programs, it's a it's a business. And it's a business critical concern now that when you have a security incident that affects your supply chain, this can really have operational, financial or reputational consequences. 
And that's why, you know, we've made actionable third party intelligence a key focus for our third party risk management program. And with today's expanded threat landscape, third party risk isn't just about compliance. It's really about real security and and ultimately resilience. So, you know, how do we kind of tie in, you know, the the modern security programs and and cyber threat intelligence? We talked a little bit about, you know, kind of the use cases and certainly how my team is using the platform. But in in today's rapidly evolving threat landscape as we hit just a few slides ago, you know, organizations can no longer rely on, you know, outdated or reactive security approaches or controls. You know, we wanna be able to tie in how cyber threat intelligence can play a critical role in these modern programs, like I said, including BitSight's. And, you know, with risk based decision making, you know, CTI certainly makes it so that, you know, we can have smarter security decisions by providing the real time intelligence, contextual insights into, you know, threats that matter, ensuring with the focus of our teams and resources where they matter most. Again, shifting from really a reactive approach to that risk based decision making process so that, you know, we can prioritize efforts and and one most importantly, kind of reduce unnecessary alert fatigue. As we talked about credentials, that kinda continues to be top of mind. You know, anyone on the call that that has a login portal certainly knows, you know, knows the pain or or has something where customers or or prospects or really anyone can log into. It's definitely something that you should be aware of, be mindful of, and certainly, layer on the controls and defenses behind it. But identity is the new perimeter. As I said before, you know, exposed credentials, it's it's one of the most common entry points. 
And proactive monitoring for stolen or leaked credentials, ensures organizations can really respond before attackers can exploit them, certainly strengthening your overall identity security and identity program. And then, you know, as attack surface constantly evolves, we've seen traditional security controls lack visibility into those external risks. And I think by integrating the threat intelligence with EASM, organizations can correlate, you know, real world threats, certainly tying it back to their assets with certainly integrations to, you know, whether it's, vulnerability management platforms or other things that can feed in some of that data, providing more importantly earlier warnings for, stronger defenses. And then, you know, kind of closing it out with vendor visibility again, it's, you know, your security is is only as strong as your weakest third party link. I think, you know, continuous intelligence, and I think, really, this is where the partnership where, with BitSight and certainly Cybersixgill is even gonna shine further is it it plays a critical, role in today's interconnected, you know, ecosystem with third party CTI. Organizations can certainly gain real time visibility into those emerging threats, enabling them to anticipate risk before they escalate. And I I think to close it out, you know, when when we look at modern security programs, they must be intelligence driven. I mean, that's where you're gonna feed in a lot of the rich context, whether it's something as simplistic as, you know, sharing with peers through an ISAC, but more importantly, you scale to your, more mature programs that are pulling this intelligence into the daily task, the process, and the runbooks to be more proactive. And by leveraging this CTI, like I said before, you can stay ahead of threats, optimize resources, so preventing fatigue, and certainly building more resilient, security programs and posture. 
So now let me turn it over to Dor, who's gonna talk through a little bit of the combination of, you know, BitSight and Cybersixgill and what we're able to collectively bring to the table together. So thank you, Chris. Personally, I gotta say that this is a very exciting time to be in product management and specifically inside BitSight. So we're very excited with the acquisition of Cybersixgill. And the first thing that we did when we looked together at the Bose product team, the joint product team, is we tried to analyze what does the existing customer base and the existing users of BitSight are using and what are they interested in in terms of use cases. So when we looked up the existing customer base and we analyze the usage of the first party and the third party, intelligence that they're using inside the system. We identified the existing use case that that Chris was talking about that may be of concern to the different users. So starting with the vulnerability intelligence, the identity intelligence, what we call the leaked credentials, the attack surface intelligence, the third party intelligence, and two additional concerns that CSOs, SecOps, CTI analysts have in their day to day, which are staying up to date and also providing reports to their managers, to their colleagues, to their counterparts in different teams, the vulnerability management team, and other teams that they're working with together. And what we're gonna do in the next couple of minutes is we're trying to take these use cases and to zoom into each one of them. We're gonna talk about the problems that Chris as the CISO or the manager of a security organization, he's facing, and then we'll try together to see how can CTI help you solve these different use cases, those all these pains, and that's up specifically about Cybersixgill, and then how can we help you do that. So we'll start with vulnerability management. 
Chris, do you wanna share a bit about the problems you're facing there? Yeah. And I think it's not it's not just me. I think this is every company. And if anybody has it solved, you know, certainly feel free to reach out to me directly. But, you know, security teams struggle, you know, with prioritizing vulnerabilities. Just the sheer volume, and trying to understand where they should, you know, rank one specific vulnerability ahead of another. Certainly, as we talked about, you know, large attack surfaces, you know, it expands the scope and the footprint, especially as you head into the cloud. And, you know, your your your team is not scaling, you know, with the vulnerabilities as they continue to to pile on. You've gotta make more smarter and efficient decisions. And then a lot of times you lack context around, you know, what what should I look at? What could be exploited, beyond the CVSS? You know, how do you take that and enrich that at some point? So, Dor, how how can CTI help? So I think CTI can help directly with all of these problems. So we understand that threat actors are looking at your attack surface the same way as you guys are looking at your attack surface. They're basically trying to find their way into, to your organizations. And the way that CTI can help is basically starting with the identification of vulnerabilities that are being actively exploited. So we know that threat actors are sharing information with one another. They're talking about the vulnerabilities that they're using. We're talking about things that are working for them. So first thing is to tell you not only that this is the vulnerability that you currently have, this is also something that everybody are talking about. The second thing is to provide you with the real world threat intelligence. Not only that they're gonna use it or they're right now they're using it, also how are they using it. What are the TTPs that they're using? What are the entry points that they're using? 
And lastly, is to or by using this contextual information to help you to reduce the noise. We know that today, common organization have a lot of different CVEs that are related to their softwares or to their third parties, and you're gonna have the tools to help you prioritize what's more important and what's less. And for that, we think that you can use CTI. Drilling into exactly how are we doing it. So the first phase of understanding what's important is first to understand what do you have or the asset relationship. So the first thing is to know what are the third parties or what are the what are the different softwares that, you're specifically using. The next phase will be to convert the software or these CPEs into the specific CVEs. Now this is a big challenge. The challenge because there's a lot of software that you guys are using. There's a lot of third parties that you guys are using, and, also, you're updating it all the time. You're upgrading the versions. You're buying new software. And on top of that, there's also new CVEs that are being discovered all the time. So what's important about that is to have a tool that is continuously scanning your attacks, telling you these are the software that you're using, and then checking against common databases like NVD or MITRE to try and find the CVEs that are connected to these specific software that you guys are having. So the first thing will be to tell you this is the software that you're using, and these are the related CVEs that are connected to your specific organization. Then the second thing will be to help you prioritize. So for that, one of the things we developed in the last couple of years is what we call the DVE score. So we're all familiar with different scoring mechanism for CVEs, such as the CVSS score or the EPSS score. What we try to do with the DVE score is to provide a dynamic score based on the discourse that threat actors are talking about these specific CVEs at this moment in time. 
So, basically, gathering all of the data, all of the body of knowledge about these specific CVEs coming from the different sources, from us and from the news, from the dark web. And then based on the people that are talking about that, the malware that is being mentioned with that, the, likelihood of that CVE to be exploited given a score. This score can be a high score, referencing to the likelihood of that CVE to be exploited as high or a low score showing you that this is that this should not be prioritized at the moment. Another important thing that you need to take into account when looking at CVEs is not only a score, but also what we call the color behind that CVE or the attributes. So this is another tool for you to understand why is this CVE important. It is important for you to fix or to patch because it already has the POC exploit. Somebody already used it. It is related to a specific ransomware group that right now are driving crazy everybody in the market. It is related to a specific APT tool to a stair actor a player that is now using that CVE against different players. So all of these are different mechanism or prioritization tools for you to understand what is important and what is less important. Another way of looking at CVEs is drilling into specific CVE and then understanding what you need to do with these specific CVEs. So we think what we do best in terms of that is basically not being a black box, showing you everything that we have. So it's not only a score that is a 9.7 or 4.5. We show you exactly what are the different events that led us to understand the CVE is dangerous or not. Another thing that we do is we show you the affected product. 
So as we said, directly from this page, you have the ability to understand not only that the CVE is dangerous, it is connected to this specific software and and to this specific domains and IP addresses and endpoints, and then allow you to consider the potential risk of that CVE for your specific organization, not in general, the risk like the CVSS score, but for your specific organization, what's the potential business context that this CVE may affect? Another important thing is the relationship with GitHub. GitHub is a very major source when talking about CVE because people publish their code inside these places. So this can be a potential risk for your organization, but it can also be a potential remediation, learning on how to use the code of that specific CVE and then patch it on your side. And this connects me to the last point here, which is the remediation information. So we know there's a lot of different advisories, CPLEX, Microsoft, and different advisories that allow you to understand how to patch these CVEs. I think one of the interesting thing that Cybersixgill is doing is on top of all these advisories, we also provide you with a summary of everything that we know in terms of remediation on that CVE. So we summarize the information from all these advisories, and we also summarize all the intelligence items about that CVE and then providing you with a summary about that. Next, the attack surface. So, Chris, you wanna talk a little bit about the problem? Yeah. And I think I framed it at the top of the conversation, but, you know, organizations continue to kinda struggle with that expanding attack surface. And, you know, you hear it all the time with shadow IT and and certainly unknown assets. Certainly, there's not a lot of times that organizations are communicating internally with different teams that may be siloed and understanding what's popping up where or, you know, what is now on our external perimeter that's, you know, publicly accessible or available. 
And then, you know, unmonitored assets. You know, this is definitely, again, whether you have a a misconfiguration, something that pops up somewhere that you're just unaware of, and it may not have, you know, the security controls or the monitoring or even that telemetry built in for you to be able to see it. And then, you know, asset management, lastly. This is an area that organizations continue again to struggle with. I don't think anybody has perfected it, and it requires a lot of operational overhead and work. And, you know, marrying that up with, you know, kinda real time threat context is sometimes a problem. You know, if you've got external facing infrastructure, you know, that you understand it well, you know, sometimes you can't build or bridge that gap between the intelligence to truly understand, you know, what is the risk that's facing me and my organization. So feel free to walk through how CTI can kinda help with some of these. Cool. So I think we can help with all of these problems. And I think the combination of Cybersixgill and BitSight together basically tackles this together in in a perfect way. So if you talked about the vulnerability management, it is in fact a subset or a subuse case of the attack surface discovery because vulnerabilities are just one section of your specific attack surface. So, basically, combining Cybersixgill and BitSight together, combining the two tools together can help you with the first chance with mapping the known and unknown assets and then connecting the business context. How does your organization look like from the outside with the bit with the threat context? How does the threat actor looking at your organization from the outside? 
And I think what's most important about the CTI in this case is not only to telling you not only telling you that this is dangerous right now because people are talking about it, but also to help you make it more actionable and act upon these threats and then close the loop very quickly in case you have any different threats. So taking you through what we have today in Cybersixgill. So the first thing is the way to manage assets. So what's, Krista? One of the biggest challenges is asset management in general, even regardless to the threat context, just to know where you're exposed in general. So one of the things that we do is first, we use the EASM engine that was developed with BitSight, trying to find all of your external facing assets. Another thing that we do is we allow customers to integrate with their existing tools. So in case you're using Qualys or Tenable or any other EASM tools or if you wanna input your assets into the system, this is something that can be done and basically use the system as a federated asset management tool to show you all of your attack surface. On top of the, let's say, just general attack surface, there's also different layers to the attack surface. So it's not just a flat line or a flat view of your organization. It has layers in it. So for example, we're looking at a domain. We know that that domain or that IP address or that endpoint is related to different software and to different third parties and to different CVEs. So we wanna show you the entire hierarchy of that asset for you to understand the business context. So if there's a CVE, that CVE is connected to that software, into this domain, into this IP address, into this certificate, etcetera, etcetera. Another layer of information is the ability to see the CVEs that are related to that specific asset, but not only that this is a CVE, also the risk score directly from this page. 
So, basically, for people who just wanna see a view of their asset and see what's the potential risk of that specific asset, they can just use this page, get the hierarchy of the asset, the business context, and also the risk of these specific CVEs to this specific asset. Another point of view will be from the alerts point of view. So some organization, specific organization that have different SOC teams or that have a lot of different alerts tend to manage their alerts in a queue. They wanna see all their alerts and then go one by one and make sure that the threats are not dangerous and that I treated it. So, basically, this is, the specific view in order to do that. So, basically, seeing all the different threat context that is on top of the business context. So taking all of your attack surface and then correlating that with the knowledge that we have that is taken from our database, from the deep web, from the dark web, from telecom, from all these sources, try to find correlation to mentioning of your assets in these different places that might indicate that there is a potential risk for your organization. So on top of seeing it in this user interface, you have the ability to consume it via API or to consume it via integration. So in case you're using Splunk, SIEM, or any other platform, or if you're building your own application and wanna consume it there, it's also available via API. I think what's most important about that, other than the fact that you will now be aware that there are potential risks to your organization, is the ability to act upon this risk. So in order to help you with that, we basically created two main mechanisms. One is internal treatment. 
So you have the ability inside the treatment inside the system, sorry, to see all the different alerts that you have and to define if you treated them, if it's resolved, if it's required, to tag different users, to work as a team, to add notes, to mark as read, and different capabilities that are available inside the system. What's more important or what's more interesting is the ability to integrate these alerts into your existing security tech stack. So let's say you're using existing tools to create your own table. So for example, no code automation tools like Torq or Tines or Microsoft, or if you're using Jira to manage your IT tickets to install different things for your security teams, we're integrated into these tools, allowing you to either push alerts on a on an ad hoc basis. So I got this alert. Now I wanna push it to a specific playbook or to a specific project in Jira. Or to create a policy, every time that I'm getting this alert, I want the following playbook to take place. I got an alert about leaked credential. Please go to active directory and check it. Please notify the CSO. Please send a Slack message, etcetera, etcetera. So basically taking all these sections, making them more actionable in order for you to take action directly from the system. Next, leaked credentials and exposed endpoints. Chris, do you wanna talk about the problem? Yeah. And I think you closed the last slide with this, and, you know, we'll certainly kick off a more in-depth conversation. Yeah. I will just, you know, tie it home to make something more personal with BitSight. This is where we're seeing certainly significant value from the platform, and and, you know, we're having to reach out to to customers and and say, hey. You know, we we see credentials to our platform somewhere out there in the web. You know, valid or not, you know, we're certainly doing our diligence to understand, you know, what could what impact could come from it. You know? 
And we've seen, you know, when you frame out the problem, you know, employee credentials, you know, that's of utmost importance. You know? Whether your identity provider, you know, is allowing for single sign on, or if you have other platforms within your environment that folks are logging into, it it's one of the most frequent, you know, areas for breaches, especially too if organizations don't have MFA in place. You know, attackers are absolutely using these stolen credentials for for taking over accounts, you know, to be able to pivot or move laterally within your environment or just exfiltrating as much information as you can get. And, really, when you look at a lot of the traditional security controls, you know, they struggle to detect when a, you know, credential is misused, and you're having to rely on some of the more downstream controls, you know, to be able to stitch together whether it's something as simplistic as impossible travel or, you know, you know, misuse of that credential based on behavioral detection. So how how can CTI help, Dor? So I think the most important thing about CTI leaked credentials is basically two things. First thing is to find the leaked credentials where they are being posted. So the reason why people steal credentials is because they wanna monetize based on that. They wanna sell it to different people, and then they will use it against your organization. So the first thing is to know where to search for the leaked credentials and then collect that data. And the second thing is to help you reduce the noise because there is a lot of noise coming from this. There is former employees. There are credentials that are not real credentials. There are credentials with password that are not really matching your password policy, so nobody can really use them against you. 
So the challenge there is first to find all these leaked credentials, then to provide you with a good view of the real and the relevant credentials that are relevant for your organization. And lastly is to help you remediate the risk of these credentials. So not only to tell you if this is relevant or not, but also in the case that one of your credentials is being sold, to take these credentials down and then save you the risk of somebody being exploited and these credentials against you. How are we doing it? Very, very straightforward. We collect all that data. We extract the username, the passwords, and then we present you with a table showing you all the data that you have from all the different sources. Very straightforward, very easy to use. You have the ability to filter this table based on the username, the password, the description. Was that password already leaked in the past or not? What's the detection time of that password? And more specifically or more importantly is the ability to reduce the noise here using different mechanisms, which I think the main ones are password policy and the ability to connect with IDP tools, with identity providers. Password policy. So you basically have the option inside the system to define your specific organization password policy based on complexity, based on different mechanisms. And then if we found a username password and the password does not match your password policy of your specific organization, we will filter this out of your specific view, and you will not be alerted about it. Second thing is the connection to the IDP, to the identity providers, to the Okta, to the Microsoft AD of the world. So, basically, if you're one of the customers of these different identity providers, you can integrate with the system and then get a view if this specific username and password combination is currently active in one of your systems.
So if somebody is using this specific username and password, you will be notified that this is active, and then you will know that this should be remediated even faster. I think an important use case of this or a sub use case of leaked credentials is what we call the initial access brokers or access that is currently for sale. So we know people or hackers use different stealer malware to steal credentials in a bulk in, you know, in big box of data. So in order to do that or once they do that, they basically go and sell the access to these endpoints in different marketplaces. One of the things that we do is we go and collect the data about your leaked credentials in these different marketplaces, recognizing a potential, not only leaked credential combination of username and password, but a specific endpoint that is being compromised at the moment. So we collect all the data, and one of the things that you can do using our system is to purchase these credentials using us, basically taking it off the web and making sure nobody can use it against you. I think what's important about leaked credentials is not only the fact that we provide you the ability to research or go passively into the system and see what you get, but also be alerted on potential risk to your organization. So all the things that you see here can be ingested as alerts, can be pushed into emails or different systems in order to help you automate that. Supply chain attacks. Chris, you wanna talk about that a bit? Yeah. Sure. I think tying it back into the threat landscape, you know, ransomware actors, they're increasingly targeting supply chains. This is nothing new, and it's but it's certainly not going away. It's kinda continuing to increase in complexity and severity. You know, companies often lack visibility into their third party risks, you know, not being able to have that full picture of where they potentially have the exposure.
And then, really, you know, sometimes there's delayed response times, you know, which could increase, you know, anything upon financial, reputational, or even operational impact to the business, which, you know, really makes it, you know, even a more significant threat. So walk through how CTI can help us there. So I think CTI can help in two different perspectives. The first perspective is the research perspective. So in general, every security operation and organization wanna make sure that they're aware of all the different ransomware attacks that might come from different perspectives. And the second thing is to look at specifically your attack surfaces, specifically about your supply chain, your third parties, and are they being attacked at the moment by different ransomware groups. So I think the way that we do it is pretty straightforward. The first thing is the research base. So in case you wanna monitor all the different DLS sites, the data leak sites, the dedicated sites where these ransomware groups post their victim data or publish their victim's data. So one of the first things we do is we basically monitor these sites all the time. We look at the website data. We look at the victims. We look at the screenshots of the databases that they publish, and we collect that data, and we also summarize that data for you. So for organizations that wanna research different ransomware groups, they can just use the portal and get that information. This information, by the way, is available in a very easy to use interface showing you a summary of all that information. So the insights about that ransomware group, the IOCs that are related to that ransomware group, the different prevention and mitigation mechanisms, the victims, and also the intelligence audits themselves in case you wanna drill down and read more about these specific third parties. Another point of view will be for your specific third parties.
So you wanna monitor all the different third parties that you use and make sure that they're not being targeted by these ransomware groups. So this will also be part of the system, allowing you to be alerted on that. I think this is the last one, so staying up to date with cyber events. Chris, do you wanna talk about the challenge? Yeah. I, you know, echo the challenge. I mean, it's a part time job to try and figure out, you know, what is going on outside the four walls of your building. You know, oftentimes, it's 9, 10 o'clock at night, you know, that I'm trying to just catch up on what happened in the last twenty four to thirty six hours. So, you know, security teams, and rightfully so, are just overwhelmed with information. So synthesizing that is the challenge and, you know, filtering out the noise, you know, to really say, well, this is everything that I've consumed today, and this small slice is actually what's actionable. And, you know, what it leads to is slow reaction times because something, you know, that gem or that hidden piece of information is often buried, you know, in, you know, a lot of alerts. It leads to fatigue and just really understanding how the events outside, again, of your four walls are impacting your business, your assets, and really your day to day operations. And, you know, with these emerging threats, it leads to those slow reaction times. So talk through how CTI can kinda help there. So I think looking at the last ten years of CTI, one of the biggest challenges is the fact that the information is very not contextualized. K? It's coming from different sources. Every source looks different. The data is not structured. So for people who are not used to reading all this data all the time, it's very hard to be or to stay up to date with all the relevant information.
One of the things that we try to do here is to use the different technologies that are available today, such as LLM tools, and then provide you with a feed of information contextualized based on your specific interest to allow you as a CISO or a decision maker to stay on top of the information all the time and not needing to be reliant on CTI teams that need to create reports all the time. So how do we do that? So we created recently, and we're gonna launch actually this product officially in April, a new product that is called Pulse. Pulse allows you to customize or get a customized feed of threat intelligence directly into your system in a very easy to use interface dedicated for people who are not dealing with CTI data all day long. So, basically, based on your interests, such as malware, ransomware, data breaches, based on your sector, based on your geography, you can create your own channels of interest and then consume summarized information of the most important events for your specific organization and for your specific interest. On top of that, in the case that you didn't have the time to customize your own channels and your interest and sector, etcetera, we provide a feed of what we call hot topics. These are the things that we think are relevant for all of the CTI practitioners or security practitioners in general. What's trending right now? What do you need to know in order for the CSO not to wake up one day and get a WhatsApp message from the CEO talking about a threat that he didn't have any idea about. So we're trying to keep you up to date with all the recent events and all the things that are most important and most precisely for your organization and your interests. So bringing everything back to the table or making it organized. So we talked in this webinar about five main use cases where CTI can help with CISOs or with security practitioners in their day to day work.
So we talked about vulnerability management and the ability to help you prioritize what's important, what's important to patch based on the discourse, based on what people are talking about, these CVEs. Then we talked about the attack surface. We talked about the ability to discover and to scope your attack surface. But on top of getting this business context about your organization, also putting the threat context and understanding what's important or what's at risk for your specific organization. We talked about the leaked credentials or the identity intelligence use case, where we talked about the challenge of continuously monitoring the underground to find these leaked credentials to remediate the risk of these potential credentials for your specific organization. We talked about the supply chain attacks about third parties. How can we use CTI to monitor potential ransomware attacks against your third parties or against yourself? And then we wrapped it up with staying up to date with cyber events and how can you use CTI to help you maintain or understand all threat landscape these days. Chris, you wanna take us to the end? Yeah. No. I just basically wanna, you know, thank everybody for joining today. I think, to provide some insight on the BitSight side of things, you know, I'm excited in really two ways. I think, one, you know, it's certainly elevated when we look at Cybersixgill and the acquisition. I'm grateful to the entire team at the company. I mean, it's provided insights that daily. You know, we're getting alerts to my team that we're certainly elevating the maturity of our security program. You know, also too, if it's leaked credentials, you know, we're informing customers of, you know, hey. You might have a leaked credential here, and you have to drill into it. And we're partnering with security teams to elevate their program and hopefully provide insights that they may or may not have had.
I think I'm really excited on the other end of things that, you know, collectively, we can bring, you know, a lot of this information and this data to our existing platforms, but certainly, as a separate product in CTI, you know, really, look to evolve and mature others' security program. So certainly very exciting on our end. Hopefully, you know, attendees today took away some practical insights, and, you know, we were happy and excited to kinda provide value to those who joined. So thank you, everyone. I appreciate it. Bye bye. Thank you.