The past 12 months have been marked by two key trends in adversary activity: increased scale and increased sophistication. Threat actors are operating at a scale like never before – leveraging platforms across the internet to conduct multi-channel attacks. And the sophistication of those attacks is only increasing: adversaries are getting smarter and faster, creating entire enterprises within the underground economy. For security teams to address these growing challenges, they need to understand the tactics and strategies used by those actors.
ZeroFox has invested heavily in providing security teams with the right people, access, technology and intelligence needed to stay ahead of adversaries. Leading that mission is AJ Nash, ZeroFox’s new Vice President of Intelligence. We sat down with AJ to discuss his background, his shift from public to private sector and why he’s joining ZeroFox. Perhaps most importantly, we discussed his view on the value of intelligence for the cybersecurity industry and why he’s so passionate about building effective intelligence programs. Below you’ll find a transcript of that conversation.
Let’s start with the basics. Tell us about your background and how you got into intelligence.
AJ Nash: I guess I’d call myself a “traditional intelligence guy,” having grown up in the Intelligence Community (IC) for nearly 20 years. My career started as an Air Force cryptologic linguist but, frankly, I wasn’t a very good one. So I worked more in analysis, reporting, and briefing – areas that capitalized on my strengths – while still supporting gifted linguists on collection missions. I was medically retired after nine and a half years in uniform, but wanted to continue serving so I stayed in the IC as a defense contractor. Over my career I conducted research, analysis, reporting, and briefings on missions across Asia, Europe, Africa, the Middle East, and Latin America. Focus areas included countering terrorism and insurgency, chasing war criminals, combating human trafficking, supporting combat operations, nation state cyberspace capabilities and operations, and strategic geopolitics.
What made you shift to the private sector? What was that transition like?
AJN: While I was fortunate to work for and with some brilliant people in the IC who taught me so much, and I enjoyed a sense of mission and accomplishment that is pretty special inside a three-letter agency, the work takes a toll. I was a bit worn out and needed new challenges and fresh air. Additionally, I was strongly influenced by a conversation I’ve never shared publicly. Maureen (Mo) Baginski and I were talking in her office in 2013 when she was the CEO of a company I worked for. It was just a friendly chat at the end of the day when she shared her belief that the future of Intelligence was in the private sector. While I couldn’t see what she was talking about then, over the next couple years I started to see how I could build – or help others build – world-class private sector Intelligence programs.
As for my transition, I cut my teeth building a new Cyber Threat Intelligence (CTI) team at a massive financial institution. It was a great learning experience that educated me on the intelligence needs of cybersecurity organizations and some realities of the corporate world; both good and bad. When I moved over to Symantec a year later I consulted with dozens of companies worldwide who were struggling to defend against adversaries they didn’t understand. Few had a CTI team and even fewer had what I would consider to be Intelligence. Even the word “intelligence” was undefined and usually applied improperly to data or information. Our own sales teams, who truly wanted to help customers, also didn’t know enough about Intelligence. So I built new training materials and started teaching our sales and support teams, prospects, and clients around the world about the fundamentals of Intelligence and how to get ahead of threats. I also jointly taught a session on building effective intelligence programs as part of the RSA security conference.
Working with customers at Symantec gave me a global view and a service provider’s perspective for the importance of ensuring security teams and decision makers had the resources they needed to make the right decisions at the right time. After a couple years in that role, I was offered the opportunity to build a new intelligence team in support of the Chief Security Officer’s vision of Symantec as the “global standard-bearer of cybersecurity.” This was exciting because, in my opinion, the only way to be the best in cybersecurity is to be the best at Intelligence. In nine months we built the foundation for an intelligence-driven security program rooted in IC standards. It was a tough journey, but some great teammates made it all worthwhile.
Leaving Symantec and joining Anomali provided me an opportunity to go back to travelling around the world (literally) to talk about building effective intelligence programs. Beyond prospect and client engagements, I often presented at conferences and events, spoke with social and traditional media, and had articles published in digital and print magazines. I also led Anomali Threat Research (ATR) through a transformation that added product innovation, thought leadership, and collection management to our intelligence production mission. It was an honor to work for and with so many great people.
What’s your approach to intelligence? How do you see intelligence fitting into the broader cybersecurity space?
AJN: I could probably talk for a long time on this topic, but I’ll try to be brief. My approach to Intelligence is rooted in foundational government doctrine and standards: Intelligence Community Directives (ICDs), Joint Publication 2-0, structured analytic techniques, and the like.
I strongly believe in building intelligence teams and programs around the Intelligence Cycle, focusing first on identifying stakeholders and documenting intelligence requirements as part of Planning and Direction. If we accurately capture who we are serving and their needs, we can get the right materials to the right people at the right time for intelligent decisions.
I’ve also talked and written about my belief that, instead of building a CTI team and burying it in the Security Operations Center (SOC), I see Intelligence as an executive-level function supporting enterprise-wide concerns; maximizing the value of funds spent on access. Beyond cyber threats, Intelligence can support insider threat, physical security, executive protection, brand protection, marketing, corporate communication, mergers and acquisitions, and possibly more. Our industry isn’t here yet, but the future is forming.
Intelligence is also the ONLY path to shifting from a reactive to a proactive security posture; what we often referred to in the military as getting to the “left of boom.” Imagine a timeline from left to right with the “boom” – an attack of some sort – in the middle. Staying to the “left of boom” means preventing the attack. Conversely, being to the “right of boom” means responding to and recovering from the attack. Intelligence is the only way to understand threats before they make it into our environment. The further away from ourselves we can focus, the more room we create “left of boom.”
Intelligence is THE critical investment for proactive cybersecurity; providing context on known or suspected threats and warning of things to come. While AI and ML will play big roles as we move forward, dreams of a future dominated by those technologies are premature.
What’s your perspective on the current threat intelligence market? What’s next for intelligence?
AJN: Well, we are a lot further along than we were five years ago – particularly domestically – and things are moving in the right direction. But there’s still much to do. Firstly, I still see people conflating the terms data, information, and intelligence. We need to do a better job of educating everyone on the fundamentals.
Next, I still see widespread underinvestment in Intelligence that likely stems from the inability to create a standard for measuring the value of Intelligence in a language the Board of Directors and C-Suite understand. These executives primarily see things in terms of risk reduction or profit growth, and the cyber intelligence industry has yet to do enough to align our value proposition to either metric. We are getting there, particularly when it comes to comparing the time to detect and time to remediate based on access to Intelligence. But we need to do more to inject intelligence into risk ratings. This is a problem we must, and will, solve.
Having said all of that, I’m excited to start working with so many amazing people at ZeroFox. The company has been on an impressive streak of constant improvements to the platform, access, content, and services. The next couple years will be even better!