5 Questions with Jonathan Couch, Senior Vice President, Strategy, ThreatQuotient, Inc.
1) How did your Air Force service influence your decision to pursue a career in cybersecurity?
I was actually designated to be an Electrical Engineer doing acquisitions/program management for aircraft ("go build the F-22" kind of stuff). However, early on, I was recruited for an assignment at the NSA because of my experience/knowledge of information technology (thank you, Dad!). That got me involved fairly early in the "cyber" game and my follow-on assignments trained me up even more in both networking/IT basics but also cybersecurity - both offensive and defensive. Those basics and the feeling of being at the forefront of something very challenging are what drove me to stay involved in cybersecurity even after the Air Force.
2) Prior to joining ThreatQuotient, you co-founded iSight Partners, which was acquired by FireEye in 2016. What excited you about joining ThreatQuotient?
My entire time at iSIGHT Partners was spent working with clients and the industry in general around how to use cyberthreat intelligence as part of their operations. My last few years were focused on services to build out infrastructure to organize, manage, and operationalize the threat intelligence they were receiving not only from iSIGHT, but from other providers (I've always said that a good intel program has multiple sources so they get as wide coverage and viewpoints as possible).
After the acquisition, I wanted to keep helping clients integrate cyberthreat intelligence into their security operations and to better connect security operations to the business (part of the mission statement for iSIGHT at the time). ThreatQuotient's threat intelligence platform (ThreatQ) does exactly what I had been doing manually. It excited me that I could move from intel provider to intel operations and management. The extensibility of the ThreatQ platform allows for the art of the possible: a move from traditional reactive security operations to forward-looking, proactive and anticipatory threat operations. I *really* want to enable organizations to leverage and find value in cyberthreat intelligence and I want to be a part of helping to redefine security and threat operations.
3) What is the biggest cyberthreat against both government and commercial organizations?
At times, I feel the biggest threat is ourselves: the basics of cyber hygiene are often overlooked. Most attackers aren't using state-of-the-art hacks to break in - they are merely aiming for the low-hanging fruit or going for known vulnerabilities and exploiting the people and processes of the organization.
4) How important is attribution in threat hunting? Do most enterprises care about who is on the other side of the keyboard?
I have written about this a few times: it depends on your specific organization and situation, but, overall, I believe that attribution only really matters from the perspective of "organizing" your adversaries. For cybercrime, attribution matters so that you can identify very large risks/threats and pursue law enforcement action against them. For hunting and cyber espionage, attribution matters only so much as to group campaigns, infrastructure, capabilities, and TTPs.
If you can say that person or group X has executed these attacks with these capabilities (and associated indicators/observables), then you have a wide net to cast on your network when hunting. If "Joe" broke into 20 houses in 2011 by picking a lock and he only stole TVs and Jewelry, then "Joe" broke into 10 homes in 2013 by kicking in the door and stealing the same stuff, then I know what signs to look for to hunt for Joe. Knowing a specific military unit doesn't buy me much, but knowing the various attacks they have conducted over the years gives me a basis for a hunt.
5) Many security vendors, such as ThreatQuotient and Farsight Security, work together to help their customers reduce risk. What role does industry collaboration play in the fight against cybercrime?
Industry collaboration is key because no intel provider or organization has complete awareness and insight into all the various attacks that are ongoing on a daily basis. Through collaboration, organizations can now discuss what they've seen, what has been effective at evading defenses, and what groups have done to either prevent or quickly respond to these attacks. We can all learn from each other in a community defense model: not to sound too corny, but we are stronger as a group than we are individually and we can learn more quickly by discussing our successes and failures as a group than we can by trial and error individually.
.
