RSAC 2024

Interview: Paul Reid On The Importance Of Threat Intelligence In The Fight Against Cybercrime

Paul Reid, Global Head of Threat Intelligence at OpenText Cybersecurity, discusses the need for cybersecurity companies to share their research and intelligence with the rest of the industry.

Expert Insights interview with Paul Reid of OpenText Cybersecurity

As cyberthreats are becoming increasingly sophisticated, it’s never been more important for cybersecurity providers to collaborate with one another. Sharing threat intelligence—detailed information about potential or actual cyberthreats—plays a crucial role in identifying emerging threats more quickly, enhancing defensive strategies, and mitigating the risks of cyberattacks more effectively. This cooperative approach not only benefits individual organizations, but also strengthens the overall security posture of industries and even countries, creating a more resilient front against the tide of cybercrime.

“The bad guys share all the time,” says Paul Reid, Global Head of Threat Intelligence at OpenText Cybersecurity. “So, we need to be sharing as well.”

OpenText Cybersecurity is a security provider that offers a broad portfolio of products and services including those for threat detection and response, triage, and remediation. Powered by AI, these solutions enable OpenText Cybersecurity’s internal team of cyber threat hunters to help organizations of all sizes defend themselves against the most prevalent cyberthreats.

In an exclusive interview with Expert Insights at the 2024 RSA Conference in San Francisco, Reid discusses the need for cybersecurity companies to share their research and intelligence with the rest of the industry, as well as some of the latest trends that OpenText Cybersecurity’s threat hunting team have recently uncovered.

Note: This interview has been edited for clarity.

Could you please introduce yourself and tell us a bit about your security background, and your current role at OpenText Cybersecurity?

I’m Paul Reid, Global Head of Threat Intelligence for OpenText Cybersecurity. My cybersecurity background goes back almost 27 years. I started off early on working on and developing servers. Then I moved into the PKI world; I did cryptography for a number of years, working with smart cards and biometrics, and I published a book about that. From there, I moved into email and document security. I worked for a number of years as a Technology Strategist and helped develop a number of innovative solutions to protect emails and documents. Then about eight or nine years ago, I joined Stephan Jou and his team at Interset to do behavioral analytics and, through a number of acquisitions, ended up at OpenText.

My role today involves looking at the threat intelligence inside of OpenText Cybersecurity and how we can leverage it across our own product base to support our customers. I also run our global team of cybersecurity threat hunters, who actively hunt in our customers’ environments for 18 hours a day. We find a lot of threats for our customers on the left-hand side of the attack lifecycle, very early on around the initial compromise, installation of attack tools, and reconnaissance.

I’m also the subject matter expert for both ArcSight Intelligence, which is our behavioral product, and cyDNA, which is what we’re going to talk about today.

What influenced your switch from the product side to the threat intelligence space?

It was a natural progression. As I was the defender protecting things, I came to realize that at times, we were fighting a losing battle. No matter how hard we tried, the adversary was always finding something new and different to attack us with. And I became interested in the idea of whether there was a way for us to find attacks without necessarily knowing what the attack was going to be.

That seems counterintuitive, but behavioral analytics actually does that! We learn what normal behaviors look like and when those behaviors change, that’s how we find attacks. So, it was more curiosity on my part to try to find—and be a part of—a better way to do it.

Having a diverse background in cybersecurity is very useful when you’re thinking about threat intelligence. I understand everything from Windows desktops, subsystems, and filter drivers and all that type of stuff, all the way up to internet protocols, how we route internet, and how we share information. Having that broad range of experience in a threat intel role is absolutely crucial because you never know where you’re going to need information from to be able to identify the next cyberattack.

As Global Head of Threat Intelligence, how important is it for cybersecurity companies to share their research and intelligence with the rest of the industry?

Sharing is absolutely critical, and cybersecurity companies have a lot of ways we share information amongst ourselves. There are public information threat feeds that we participate in, and of course, as a company, we sell our private threat intel as well. There’s also a lot of unofficial sharing that goes on. I have a number of friends and colleagues in other companies that I know I can call up and share information with privately—and they’ll share stuff with me privately—that helps us keep our customers more secure. Quite often, we share the same customer base. So, by us working together to share information together, we’re still protecting that client. We both have a responsibility to keep them safe, so if I share something with my friend who’s protecting the same company, I can give him some visibility. It’s really important that we build up those relationships over time. Cybersecurity is really a trust relationship, right? We build trust with our customers, we build trust with our partners, and we build trust in the community. It’s in building that trust that allows us to share that information. The bad guys share all the time. So, we need to be sharing as well.

While you’re walking on the expo floor, it can feel like there’s a bit of competition down there, so it’s good to take a step back and remember that we’re all on the same side.

There’s a lot of behind-the-scenes cooperation that takes place in this field, because you want to make a difference and you want to leave people more secure than you found them. So, a lot of times, we work together and share information amongst ourselves, even if people might see us as competitors. We have a responsibility to be upfront and forthright with each other, because there’s no use not sharing information that I know could protect someone.

Now, that’s not saying that we compromise our customers’ privacy. If OpenText Cybersecurity finds a cyberattack against a company, we don’t go broadcasting that; it’s not our story to tell. We’re there supporting them and working with them, and if they want to share that, then they’re more than welcome to.

That being said, what trends are your Cyber Threat Hunters currently seeing in the cyber space?

We’re seeing adversaries working together more closely. We’re seeing a lot more reconnaissance taking place. We’re seeing threat actors showing more patience, reading more and taking their time before the attack, and getting a better feel for the lay of their victim.

The attack surface has gotten larger over the past several years, with the move to the cloud, hyperscaling, the ability to store your data in other people’s clouds, and delivery of content through CDNs [Content Delivery Networks]. So, when we ask organizations, “Where are you protected today?”, a lot of them are still thinking about their corporate boundaries, and how everything they need to protect lies within that area.

OpenText Cybersecurity’s background in information management gives us a unique perspective on data protection. If you don’t know where your data is, what your data is, and what’s inside your data, it’s really hard to protect [your data]. So, when we talk to customers, that perspective allows us to say things like, “Do you deliver content through a CDN? Do you store data on hyperscalers?” And we try to help them understand what their cyber exposure is.

Because, if you’re storing information in a CDN because it’s critical to your ability to sell your products, and that CDN gets compromised, that could have a very detrimental effect on your business.

Could you give some examples of how OpenText Cybersecurity applies that intelligence to your products, to help support your customers?

Recently, we were working with a large Ministry of Defence, and we put together a situational report for them with cyDNA. When we do that, we ask about the customer’s coverage space and how you want to be protected. And one of the things we talked about in this case was expanding their coverage space to their supply chain. We asked them to identify five or six verticals and three or four companies in each of those verticals that, if something happened to them, it would be very detrimental to the business. Then we created this covered space for them that included themselves and their departments, plus their supply chain.

When we looked at the adversary threat intelligence coming in and out of that, we saw some really interesting things. One of the things we saw was the attackers weren’t bothered with them anymore. They knew they were a hardened target and that they spent time protecting themselves. Instead, they went after their supply chain. We saw them targeting companies that provided critical logistics and supplies to them, so the attackers could still cause harm to the Ministry without directly attacking them.

We also see nation states carrying out Denial of Service attacks against websites for the citizens of a country, denying them access to information or flooding the website with fake information or fake reports or comments.

And we also see cases where companies are compromised through no fault of their own. For example, we had a customer that accidentally exposed two pieces of SCADA equipment to the internet—like programmable logic controllers—and we could see where a nation state adversary had pushed new firmware to those controllers. Based upon the size of the package and the protocol being used, we’re pretty sure it wasn’t the latest version that would make them more secure. We’re humans and we all make mistakes, but that company had no idea that it had taken place, so we gave them the visibility they didn’t otherwise have.

How important is it to make sure you have that visibility and access to that intelligence across the entire ecosystem? How much of a role do integration and breaking down silos play here?

We need to have commonality across our security tooling. We need to be able to share information better across different software, and that’s something that OpenText Cybersecurity is doing a really great job at. We’ve brought numerous products together, including BrightCloud, Webroot, ZIX, ArcSight, ArcSight Intelligence, cyDNA, Fortify—there’s such a suite of them. We’re working to share that information at process so that if one product learns about a threat, we all learn about that threat. And we’re really pushing hard on that because that information sharing is so critically important.

We also belong to a lot of open-source communities; we support MISP, which is a great way to share threat intelligence; we publish our MISP as well and share that; and ArcSight is also part of VirusTotal now. So, when someone submits something to VirusTotal we’ll check it as well. And I believe BrightCloud does that as well. So, we are part of the community; we want to be sharing. We also announced a partnership with JCDC [the Joint Cyber Defense Collaborative] here in the U.S., to be part of their critical infrastructure sharing opportunities. We get access to information that other people may not get access to, but we can also provide information in a very confidential way that other members of JCDC can take advantage of as well.

If you could give one piece of advice to the CISO and security leaders here at the conference today, what would it be?

My message to any CISO starting out is: get your fundamentals right. Get a good strong foundation. If you have that, that’s half the battle right there. Then of course good threat intelligence, good products, good interoperability, staying up to date on the latest things—all those types of things will make you better and more cyber secure, but for me, it’s critical to do your fundamentals first.

Knowing your information is also really important. If you don’t know where your information is and you can’t see it, it becomes really difficult to understand what’s inside of it and protect it. We see a lot of companies that have information stored in a file share somewhere, that they have no idea is there. Or they may think that the file is innocuous, when it actually contains their customers’ credit card information. So, having products that do strong information management is also very critical, to provide that visibility.

Finally, what are you most excited about in the cybersecurity space as we move further into 2024, and then beyond into 2025?

It would have to be some of the work we’re doing at OpenText Cybersecurity to build those relationships, like we did with JCDC and others. Also, the release of our cyDNA product to give our customers adversary signal threat intelligence they don’t have today, and give them early warnings of compromise and attack.

I’m also excited about the ability to make cybersecurity more accessible for people, which is only going to make us more secure. A lot of the AI and machine learning work we do at OpenText Cybersecurity is going to provide our customers with solutions better, quicker, faster, and more naturally, too. One of the things we pride ourselves on is our ability to explain things in natural language and talk about threats from a standpoint that provides context and meaning to what you’re doing. That’s the promise of generative AI; if we can ask really interesting questions, we should be able to get some really good results back. Because of our information management background, OpenText Cybersecurity has spent a lot of time thinking about that and we’re coming in with a whole line of Aviator products around that, starting with our information products, and then moving into our cybersecurity products in the near future.

Thank you to Paul Reid for taking part in this interview. You can find out more about OpenText Cybersecurity’s portfolio of security solutions via their website.