Organizations invest heavily in threat intelligence feeds, but most struggle to translate raw data into meaningful action. The challenge isn’t gathering intelligence, it’s operationalizing it. Security teams face three critical bottlenecks: threat intelligence provides information rather than actionable decisions; remediation ownership is scattered across multiple teams; and manual processes can’t keep up with attacker speed. While threat actors move at machine speed, defenders are stuck submitting tickets, waiting for approvals, and manually updating controls.
In this episode, Jamie Zajac, Chief Product Officer at Recorded Future, explains how autonomous threat operations can close this gap by automatically deploying intelligence across security controls at machine speed. Joining him are Dan Holden, CISO at Commerce, and Arvin Bansal, CISO at C&S Wholesale Grocers.
Want to know:
- Why do organizations still struggle to operationalize threat intelligence despite massive investments?
- How does threat intelligence translate into board-level metrics that demonstrate business impact?
- What do autonomous threat operations mean and how do they differ from traditional threat intelligence?
- How can intelligence drive faster incident response and more efficient SOC operations?
- Why third-party risk intelligence matters more than vendor questionnaire scores?
- How AI is changing the threat landscape and what defenders should prioritize?
- What does the future of threat intelligence look like in two years?
- How to use intelligence for policy decisions and budget building, not just tactical blocking?
Check out the episode for the answers you need.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Recorded Future

Full Transcript
Intro
0:00.000
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today we’re talking with Recorded Future and what they’re doing in Threat Intelligence. Now, the problem that they’re addressing is how to operationalize threat intelligence.
That is the whole thing that makes it valuable. Helping us get answers to these questions are Arvin Bansal, CISO, at a large-scale grocery wholesaler, and Dan Holden, CISO at Commerce. Arvin, let me start with you. Why are we still struggling with operationalizing threat intelligence?
Why is it still a problem?
[Arvin Bansal] I believe there are three reasons why we still have this problem. The first one is information versus decision, the second one is ownership for the action and the third one is the speed with which we act on it. So the information, we don’t get a direct decision that, “Hey, go ahead and block this, prioritize this vulnerability or escalate this incident.” And on the ownership, even though security looks at the threat intelligence, but all the actions are sitting with different teams.
And then the speed, attackers are moving very quickly, but in our case, we have to go through the tickets, the approvals and then manually update the controls.
[Rich Stroffolino] All right, Dan, what about for you? Are you saying the same thing? Why are we still struggling with something that seems like is the reason we’re getting the threat intelligence, right?
[Dan Holden] I think it’s just the typical human dynamic of the constant desire to have situational awareness. It’s the same issue we have with and the changes we’ve seen with news. It’s the same issue we’ve had throughout security’s history, whether we’re talking RSS feeds, tips, threat intel portals, SOAR, SIEM.
It doesn’t really matter what the technology that we’re using is or what the methodology we’re using is. Fundamentally, it’s about situational awareness. So that is, I think, always going to be a challenge. The technology is always going to be changing.
Our processes and how we perceive and ingest information will change. And so I think it’s just a natural sort of dynamic that’s always been there and will probably always be there to some effect or some extent. The challenge is, even if we were great at it, then the challenge will be, “Hey, we probably want even more.” We’ll always want it more high level or want it lower level, more detail, whatever the case is.
So it’s going to be dynamic. It’s always been dynamic. I don’t know that there’s any endgame here.
Set the table
2:38.600
[Rich Stroffolino] All right. Well, now that we have an understanding of why this remains a challenge, we’re going to be talking with Jamie Zajac, the chief product officer at Recorded Future. Now, Jamie, you need to help us out here with answering three essential questions.
So how do I explain the value of what you’re doing to my CEO? What does your solution do? What does it not do? And can you help us out with the pricing model? Set the table here, Jamie.
[Jamie Zajac] Yeah, awesome. Dan and Arvin, I think you did a great job describing the problem here. So I’m looking forward to getting into that. But if we look at what Recorded Future does and how to explain it simply, we all have a lot of security tools that we’ve invested in, firewalls and SIEMs and SOARs and EDRs and everything.
Threat Intelligence really helps us understand who are the attackers that are likely to target us, how are they likely to come after us, and are we going to actually be able to stop them if they attack us? And being able to answer those three questions really then transcends across all the security tools that we have to make sure that they’re working.
What we do at Recorded Future is we’re focused on intelligence, delivering threat intelligence, operationalizing it, measuring it, putting it to work. What we don’t do is we’re not every other security control. So we’re not a SIEM. We’re not an EDR. We’re not an XDR platform.
We’re an intelligence tool that actually integrates into those to make them better, to get you more value out of them, to make sure they’re detecting the right threats, to make sure that they’re reporting and giving you context about the threats. From a pricing model perspective, we really sell in four key pillars where we apply our threat intelligence, cyber operations, digital risk protection, third party risk management, and payment fraud intelligence.
And largely within there, it’s either based on the number of users or number of API calls, different things that are being consumed within each of those four pillars.
Discussion set up
4:13.200
[Rich Stroffolino] All right. Well, CISOs, you’ve gotten a taste for this solution, but I’m sure questions abound. So, Dan, I’m going to start with you. What other questions do you have for Recorded Future?
[Dan Holden] Let’s start with third party, because it’s one of my favorite topics. As the many CISOs and many companies hopefully are going increasingly quantitative and away from frameworks that don’t have a whole lot of business context next to none and we’re talking about security more as we would insurance, for example.
In other words, these are numbers, here’s the risk to the company and here’s what it would cost the company.
And third party, I find fascinating because we know it is a huge part of any company’s annualized loss expectancy or however you want to carve those quantitative measurements up, but at the same we don’t actually control every other company. I think it’s one of the best things that’s happened to security, probably some of the best security improvements we’ve seen in the industry have been because of the peer pressure of these questionnaires that we all hate so much.
But the great part of it is it’s been a direct line to our customers and prospects, telling us what the expectation is. From you all’s side, how do you view that equation? It’s not about you can’t prevent security problems from a third party so much as you can have that context and understanding and hopefully some kind of risk profile and risk understanding from you all’s side trying to build out that information.
Is your view similar? How are you all approaching it from a provider perspective?
[Jamie Zajac] I mean, it’s definitely a big problem. And we see that with attackers moving to attack the weakest link and going after the software supply chain and all these things. The approach that we try to take is or if I look at the typical approaches that have been deployed, a lot of companies have tried to bury everything down or marry everything up to a single score.
Hey, this vendor’s an A. You should do business with them. This vendor’s an F, you shouldn’t do business with them or ask a lot of questions before you do. What I think that that misses, and where we’re trying to focus with an intelligence-led approach, is what are the real-world threats relevant to that vendor?
How do you interact with that vendor? Do they have network access? Are they holding critical PII? Are they a critical vendor because they’ll cause business disruptions and financial losses to your business if they’re impacted or are they really a tier three vendor that’s not super critical?
And burying those two together to say, well, if these are the likely threats, these are the likely impacts to that vendor based on their dark web exposure, ransomware exposure, stolen credentials that exist, unpatched vulnerabilities, then we can actually bring that together to say, well, this is where you should actually focus on these threats and actually try to shorten the questionnaire as opposed to being 400 questions, be 15 impactful questions that really matter to improving the posture.
[Rich Stroffolino] Arvin, let me turn to you. What other questions do you have for Recorded Future?
[Arvin Bansal] So firstly, great response on the third party risk piece. I believe one of the thing overall we are missing from the industry perspective is the kill switch. So while it makes great progress that, hey, we have a direct line of access to the third party, but the problem is when we get these intelligence, when we get these responses and we find the level of risk we have, who owns the kill switch to terminate the vendor?
Is it the legal? Is it the business? Is it the security team? Who’s doing that? And I think it’s beyond what we are discussing today, but that’s, to me, is one of the key problem that we need to resolve to be more effective in preventing third-party breaches.
Now, in terms of a question from Jamie, I mean, the product is great, the intelligence we get is awesome. How do we convert threat intelligence into a board-level metrics where it demonstrate the impact, the probability, and the business risk?
[Jamie Zajac] Yeah, I think this hits at a lot of, I think, the heart of the challenge in threat intelligence around operationalizing it. So if we think about threat intelligence historically, it’s been about doing deep research on threat actors or IPs or producing a report that sent out situational awareness.
Dan, was a good term. Where I see the future of intelligence is putting intelligence to work to drive those impacts in the tools. So how many things have we detected in our SIEM because we had intelligence there that we wouldn’t have otherwise detected?
That’s a key metric. How long is it taking us from a detection to respond? What’s the dwell time? Are we doing proactive hunting to go and seek out what’s in our environment or waiting until one of our tools alerts us?
Those then become key metrics around the efficiency and the effectiveness of the intelligence in the environment to say we are detecting, we know who’s targeting us, we know that we can detect them, here’s how long we know it’s taking us to detect them, here’s the gaps that we know we still have that we’ve either accepted or have a roadmap to fix.
Now I think we’re getting from intelligence being, “Here’s a long report about this particular APT,” into the actual impact and effectiveness and efficiency of the intelligence in our environment. And I think that requires operationalizing it and putting it to work to get that.
[Dan Holden] I see… it’s a really good question, Arvin, and I think it’s also a struggle, mainly because, as Jamie said earlier, it’s a very complementary value prop. And so when I think about threat intel, which I’m a huge fan of, it is about the situational awareness and having the context, yes, but I think of the value prop across three different areas, one, the day-to-day moment of a SOC process.
The whole mission is to defend against attackers at the rate of speed they’re moving, which can be line speed. So that’s got to be pretty darn fast and we all know that the longer you take, the worse it can get. And so if you can process your own alerts faster and better, you’ve got immediate one there.
And so if you’ve got the time and the ability and you’ve got the resources for that sort of thing, you can really dig into that kind of metric.
The next one is incident response. So many incidents over my career, which were more efficient and faster simply because of good situational awareness and context due to threat intel. And then the last dynamic is budget building. I would almost look at threat intel the way we looked at pen test 25 years ago.
25 years ago, pen tests were used to build budget because people just didn’t know how bad it was. These days I argue, “What do you need a pen test for? The attackers are doing it for you every day.” And that’s where threat intel comes in. So what exactly are the attackers doing?
What are the trends? What are the themes? And where do I need to be thinking about budget and how do I stack rank where my investments are going to end up?
[Jamie Zajac] Yeah, and I think on the budget, I think internal policy is another one. So for example, one thing that I’ve seen a lot of people using intelligence for is we think about info-stealer malware that’s been coming up over the past few years where we collect and we see, “Hey, look at the amount of stolen credentials.” At least Recorded Future we can tell you, is this coming from a home machine or a work machine?
What’s actually getting impacted? And then you start saying, “Well, wait a minute, why are all our stolen credentials coming from home machines? That seems like a big risk.” And then you realize, “Oh, we’re letting people sync their Chrome profiles to their home computers.” And you start saying, “Well, what’s the policy?
Should we let that happen?”
And so you actually can go from moving up that chain, as you mentioned, from a very tactical use of intelligence, “We’re going to reset credentials in a really fast way, in an automated way, only novel credentials, things like that that meet our policy,” to a slightly more operational or strategic level decision, which is, “Well, wait a minute, why are we having to keep reset these passwords?
What’s the actual root cause? How do we go about solving that?” So I also see that intelligence as, if you think of it more of a maturity journey, where are we using it today in our organization? And sometimes it’s very tactically oriented in the SOC or in this incident response.
And then how can I actually move up that maturity curve to be more proactive and more strategic about it is another way of applying intelligence and getting good value from it.
[Dan Holden] A quick response. I want to latch onto that. And then, Arvin, I’m curious if you feel similar here. I love that, Jamie. I think people look at the CISO role and security in general. I always joke, the last thing you want is the CFO thinking the security program is a bonfire of money.
And I think a lot of executives, they’re brought in and the task could very well be lower spending. CISOs aren’t exactly known for lowering spending. That is not our MO. However, it’s entirely possible. And I’ve posed to executive teams before. We can either spend money on controls and people to manage those or we can just make policy changes.
There’s a cultural dynamic to changing IT policy.
And so what matters more to this particular business at this particular time? The cultural freedom or the cost and risk dynamic. And those are fantastic conversations to have. And you might land on, “No, we’d rather lower the risk and lower the cost.” And if you can provide me data to highlight how that’s actually going to occur so that we can hold myself and the rest of the team accountable, that is a gigantic win and not something we’re generally known for.
Arvin, where you land on that?
[Arvin Bansal] Look at the CISO role is, “Hey, we are the stewards of risk reduction.” What is the security risk that the organization have? Which of those risks are priorities? And then rest, how do we plan to manage them? And threat intel plays one of the very crucial role there.
So something as simple as, “Hey, we started seeing a lot of attacks in our industry,” let’s say finance. And we know what are the methods threat actors are using and that sort of drives the investment we need to make if we want to prevent a certain type of breaches.
So it gives you the backline, it gives you the foundation of having those discussions and providing the substance on why the investment is needed. And then, of course, at the end of the day, Dan, like you said, it’s a business decision. We’re in the business of making money and how do we optimize our spend out there?
I just have one more question. Shifting gear towards future, so thinking about, “Hey, AI is enabling attackers to move very, very quickly.” How do we start thinking about threat intelligence moving at speed of attackers? And if we need to look two years down the line, what organizations will benefit most from the threat intelligence versus those who doesn’t use it as much?
[Jamie Zajac] Yeah, I think, you know, this hits again at how exactly do we use intelligence and I think AI has given us a great opportunity. So let’s think about the speed of the attacker. When an attacker targets your organization, if the process is to wait for it to be detected, to then execute an incident response process, you’re fundamentally moving at the speed of humans.
Somewhere in that loop, someone’s going to check and make sure that we’re going to contain this machine, take it offline, execute these processes. Where I see and where we’re trying to go with Recorded Future is to say, because we have all the intelligence about every attack that’s happening, we can then prioritize what are the attacks relevant to your organization based on your tech stack and your vulnerabilities, what we’ve seen in your environment before, all of these things, and then proactively deploy that intelligence in an automated fashion.
So we call this autonomous threat operations. It’s essentially taking threat intelligence, the operationalization of it, and automating it using different tools. So we have all the attacks, we know what’s a priority. We take all the intelligence, deploy it out to your tools automatically, and keep it up to date.
What that means is that think about an incident response process where today you get an alert that says there’s some sort of an issue or you get an alert from an intelligence saying there’s a threat actor targeting your industry or company. Where we’re going or what we’re doing now with autonomous threat operations is instead we’re saying we’ve identified this threat actor that’s targeting your industry.
We’ve automatically deployed the intelligence so your controls can detect it in your firewall and your SIEM and your EDR. We also launched a hunt to see if you’re already impacted because maybe they actually attacked you three days ago before this hit the news.
Luckily, hopefully nothing came back, but we’ll keep that intelligence up to date. So we’re really trying to move so that the intelligence is continuously updating itself and being deployed at the same speed as the attack at machine speed. So the humans are focusing on that more strategic policy change, on those more strategic impacts as opposed to, “Is this IP bad?
Should I block it?” Let the machines do that. They can do it really well at this point and let the humans do the more strategic work.
[Rich Stroffolino] Dan, we’ve got time for just one more question. Do you want to jump in there?
[Dan Holden] Yeah, actually, along similar lines. Jamie, it wouldn’t be a podcast without ending things on AI. Everyone’s talking about the adoption rate, whether it’s the attackers or whether it’s the defenders, but I haven’t heard anyone talk about the adoption rate or the trends really from a threat intel perspective.
I assume it’s something you’ll attempt to track, but of course, it can be difficult to understand. Obviously, phishing’s gotten better. There’s some experimentation and stories around the malware dynamic, but how you all categorize, identify that sort of thing and how you’re trying to communicate it, how does that either changing right now?
And do you have any view, which is difficult because none of us know what’s going to happen with AI on any front? But if you’ve got a future-looking statement on that, that would be interesting, I think, to myself and the audience.
[Jamie Zajac] Yeah, I think from an AI, like you said, phishing getting better, getting more believable, the speed of being able to adapt phishing websites and park domains and spin them up and really the things that are back to the basics because they’re targeting the users who will click on anything, those are still the real threats.
The use of AI and generating malware and running autonomously, it’s still quite nascent. It’s still quite early in terms of what’s actually happening there. I’m sure all the attackers are using Claude Code to generate things, even though they’re not doing AI attacks.
And so I think we’ll continue to see those things getting better. I think it will be less about categorizing the threats as an AI threat. And I think it’s just the new normal that we all expect our employees to be more efficient with AI. Attackers are more efficient with AI as well.
And we just have to do the basics, make sure we’re staying ahead, being proactive, rather than trying to chase AI-specific malware or things like that. I think that’s more hype than reality.
[Dan Holden] Great answer and I think the right one. Just be prepared that people are going to ask for the categorization so they can build a budget for the AI hype.
Last question
19:03.200
[Rich Stroffolino] Jamie, before we get out of here, what’s one thing we didn’t ask about that we need to know?
[Jamie Zajac] Yeah, I think one thing that I really want to make sure is important is intelligence isn’t just about information. Arvin, you mentioned it at the beginning is one of the challenges, and I think it’s really spot on. Having intelligence that’s informational, that situational awareness is nice.
Having intelligence that’s actually being put to work and driving the controls and driving that better protection, that’s the future of threat intelligence. That’s where we’re going. That’s where I think we all need to be moving towards. Nice to have isn’t a good enough product.
And so putting the intelligence to work to drive the controls, to understand what we can detect, to have that prioritized based on the threat landscape, I really think that that’s the important point to think about as the future of threat intelligence because I do think when we wake up two years from now, the way we use threat intelligence is going to be much more focused on action than on information.
And I think that’s where we as leaders in the industry need to continue to drive and push for that to happen.
Outro
20:02.800
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to recordedfuture.com. If you have any feedback or questions for Jamie or about the show in general, send it to us, feedback@CISOSeries.com.
A big thanks to Arvin and Dan for helping us learn more about what Recorded Future is all about. And thank you, Jamie, for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends, and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOSeries.com or just email us at info@CISOSeries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.





