The threat intelligence market has evolved: the needs of today’s security teams look very different than they did even in pre-pandemic times. No one knows this better than Brian Kime, ZeroFox’s Vice President of Intelligence Strategy and Advisory. With an extensive career in intelligence spanning the military, the private sector, a stint as an industry analyst at Forrester and now here at ZeroFox, Brian has not only had a front-row seat to the evolution of the market but has also played a large role in the actual development of today’s threat intelligence space. We sat down with Brian to learn more about his background, how he came to ZeroFox and his perspective on threat intelligence. This is a transcript of that conversation.
1. Tell us about your background. How did you get to where you are today?
Brian Kime: I wanted to be the next Frank Lloyd Wright, but quickly realized architecture wasn’t what I wanted to do professionally. In my 5th year at Georgia Tech, 9/11 happened and I felt compelled to serve. I ended up enlisting in the US Army Reserve after I graduated, serving as a nuclear, biological and chemical specialist. When I returned, I decided to go to graduate school for planning and economic development, where I joined ROTC and was commissioned as a military intelligence officer after I graduated. From there, I went to work for the federal government as a civilian before spending about four years on active duty assignments culminating in a deployment to Afghanistan where I provided tactical intelligence support to Army Special Forces conducting village stability operations.
When I came home from Afghanistan, I decided to take everything I had done in the military and apply it to an intelligence role within the cybersecurity space at SecureWorks. I started as an IT Security Intelligence Analyst internally and then shifted to consulting for one of SecureWorks’ biggest financial services clients. I helped them build their nascent internal threat intelligence team, which is now over half a dozen strong. After four years at SecureWorks, I moved over to Southern Company in Atlanta to help them manage intelligence for critical infrastructure. It was at that time that Forrester approached me to join as an analyst leading threat intelligence research. I really saw this as an opportunity to broaden my horizons into the analyst world. It allowed me to engage with all kinds of people – from marketing to product to sales – and gave me a new perspective and awareness of how vendors operate in the threat intelligence space. After nearly two years at Forrester and many reports like the Forrester Wave: External Threat Intelligence Services, Q1 2021 under my belt, I felt I was ready to go back to the vendor world, and so here I am.
2. What made you take the leap from the analyst world to ZeroFox?
Brian Kime: I first got to know ZeroFox through the Forrester Wave: External Threat Intelligence Services. It was clear to me that ZeroFox was the leader in what I called “brand threat intelligence”, which represented a real, critical need for organizations of all sizes. All brands need a trusted partner alerting them if their name or logo is being abused or if their customers are being targeted. Beyond brand intelligence, ZeroFox has made investments to extend threat intelligence and disruption into areas like ransomware operators, in order to ultimately answer more intelligence requirements for customers and disrupt cyberthreat operations. I’m excited to now join the ZeroFox team and help build new products, advise customers on building their own threat intelligence teams and help forecast the future of the cyber threat intelligence landscape.
3. How have both your civilian and military experience shaped your view on threat intelligence?
Brian Kime: I think there are some things that the military does very well in intelligence, and there are some things the private sector does very well, and throughout my career I’ve worked to meld the best of the two. For example, I tried to adapt the military’s Intelligence Preparation of the Battlefield process for private sector use and I discovered two challenges that make the process extremely hard to complete in cybersecurity. First, unlike military maps, network maps are fleeting or non-existent. Second, there’s also a difference in the threat landscape: while in the military we’d be focusing on one or two threats in the battlespace, in the private sector we’re looking at hundreds if not thousands of threats at once. What I realized quickly when I tried to apply the counterinsurgency and intelligence preparation strategies I learned in the military to Southern Company is that the military view of intelligence does not easily scale in the private sector.
On the opposite end, there are private sector or business-centric strategies that I have found valuable in the intelligence space as well. At Forrester, during the Wave process, I worked to apply more of a design thinking approach to threat intelligence. Design thinking is an empathy-based method for building products. It involves spending a lot of time with buyers to determine what is valuable to them and where their challenges lie. In the threat intelligence space, it allows you to pivot from simply asking “what are your intelligence requirements?” to instead seek to understand what the critical business processes are and what the impact on those business processes would be in order to help define intelligence requirements.
4. What is your perspective on today’s threat intelligence market?
Brian Kime: The space has evolved from 8-10 years ago when threat intelligence was very immature. For one, the vendors serving the space have changed through acquisitions and consolidations. Years ago, vendors were very specialized, whether they were tool vendors or collection vendors. While researching for the External Threat Intelligence Services Wave, our data showed that enterprises had, on average, 5+ commercial threat intelligence sources. This is really unique to the threat intelligence market; by comparison, you wouldn’t buy multiple EDRs. The use of so many different sources has left us with data and engineering challenges. With so many external and internal sources, the engineering challenge is how to wrangle all of that data into a single source or threat library. The data challenge is how to avoid “analysis paralysis” to actually help stakeholders drive down risk.
Over the past year or so, we’ve seen a trend of consolidation that I imagine will continue in the short and mid term. For vendors, there is now a need to get creative and ensure real value is being provided to customers. This means finding more signals in the data they already have. Another trend I’ve noticed is the desire by enterprises to bring more threat intel in-house. While visibility, collection, analysis and processing are still reliant on external vendors, more enterprises want to track the threat landscape themselves and produce their own finished intelligence.
5. How do you see threat intelligence evolving in the next 5 years?
Brian Kime: There are a few trends I think we’ll see more of in the next 5 years. For starters, I think we’ll continue to see acquisitions, with smaller, niche players being picked up by bigger firms. As the market consolidates, vendors will need to find new types of signals to track new types of threats, and data science techniques to cluster threat behaviors, tools and infrastructure. I think we’ll see a greater emphasis on leveraging data in a more effective way. As an example of that, one large enterprise I’ve worked with has already begun shifting from subscribing to APT-type reports to simply consuming raw intelligence to track threats internally. Some large threat intelligence shops are investing in collection managers, much like the military, to help leverage data better. This internal shift will require real investment in analytical and engineering talent over the next 5 years as well.
One of the other key trends we’re already seeing that will likely accelerate is the breaking down of silos between the physical and cyber worlds. Traditionally, physical security and cybersecurity have existed in different departments with different leadership. As the physical and cyber silos are broken down, enterprises will be able to think more broadly about their threat landscape.
Finally, I’m anticipating we’ll see more enterprise threat intelligence teams, like the one I mentioned above, rely less on threat intelligence vendors for finished intelligence. They’ll buy more raw intelligence and track their specific threat landscape themselves. Additionally, I see threat intelligence moving up the enterprise and contributing to cyber risk reduction at the C-suite and Board of Directors levels. There is a lot of room for innovation in threat intelligence vendors and enterprise threat intelligence teams that we’ll see over the next five years and I’m excited to continue to help move the industry forward.