Intelligence Unfiltered

Currently the Senior Director for Cyber Intelligence Strategy for Anomali, A.J. Nash is a cyber intelligence strategist and public speaker focused on building cyber intelligence programs that capitalize on disparate data and information to create and deliver tactical, operational, and strategic intelligence to protect personnel, facilities, data, and information systems.

I speak with him about the cultural differences in Cybersecurity between the Government and Private Sector, his time spent at the NSA, Threat Intelligence best practices and more.

SYMLINKS
Anomali
MISP
Snowden
Section 230

DRINK INSTRUCTION
WHISKEY SOUR
2 oz Bourbon
1 oz Lemon Juice
1 tsp Sugar
Combine components in a cocktail shaker and shake. Add ice and shake again. Strain over ice in a rocks glass.


Chris Glanden 01:06

A.J. Nash is director of Cyber Intelligence strategy at Anomali. He has over two decades of experience in intelligence collection, analysis, reporting, briefing, process improvement and leadership. Prior to Anomali, he was a senior manager of Cyber Threat Intelligence at Capital One, Global Head of Cyber Intelligence at Symantec, and a guest lecturer at several universities. His background includes time spent in the United States Air Force, the National Security Agency, and the United States Cyber Command. A.J., thanks for joining me.

 

A.J. Nash 01:51

Yeah, man. Thanks for having me. Good to be here.

 

Chris Glanden 01:54

First off, I’d like to know about the evolution of your career, and how you ultimately landed at Anomali. Would you mind taking us down that path to help us gain a better understanding of your experience?

 

A.J. Nash 02:07

Yeah, no happy to do it. You know, it’s funny, I don’t know anybody that has. I mean, it has a path that they planned, right, and I’m no exception. So, I joined the Air Force in Canada for going on 97. Originally, I thought I was going to be a cop, and I was going to be a lawyer, and look where I ended up. So, I ended up in a career in intelligence in the Air Force, I was a linguist, and not a very good one, to be honest. So, I ended up doing Intel analysis, because we needed analysts. 

 

So, I had a really interesting career. I did a lot of fun stuff, I did counterterrorism and counterinsurgency and kind of trafficking in persons and traceable criminals for a while, and then got into some work. When I moved out of the Air Force, I moved in some where doing counter ID working and eventually got into countering threats against cyber, I did about nine years and change, active duty, and then nine years or so as a contractor. 

 

So, a good time in the government space, learned a lot, and then transitioned to the private sector. Can I guess, within about five years now, I worked at a large bank, as you mentioned, you know, working Capital One and started figuring out what intelligence looks like in the private sector, which is very different, the private sector is still learning the game a bit. So, I was there to try to help build a program and had a good learning experience there. And then went to Symantec and spent a few years over there, first couple on the commercial side, helping organizations who needed to consume intelligence and helping them build some programs along the way or mature and then moved inside and actually took over the opportunity to build a program inside the company itself. ’Cause it turned out a lot of things that I was out speaking about, and helping people with lecturing on with some of the same mistakes we found out we were making inside. So, I did that, and then ended up at Anomali because I had been a customer actually at Anomali, I really liked the products and the team, and an opportunity came up to come over and be able to help people over here.

 

So, primarily, my focus has been on intelligence fundamentals and standards and building programs and maturing programs. I do a lot of public speaking on the topic, and opportunities like this to talk to folks, but also, firsthand getting on site with customers – at least prior to the pandemic. And it’s what I’m really passionate about. So, now I have a chance to do a lot of that I also oversee the Intel team, to our company and what we do to help people. So, it’s been, it’s been an unusual journey, but I’m really happy to be where I’m at right now. It’s worked out nicely.

 

Chris Glanden 04:25

What would you say was the driving force that took you into the private sector?

 

A.J. Nash 04:29

It’s interesting, it’s a good question. There’s been a couple of those journeys. So, military, the defense contracting was a very different life. So, you learn to adjust to those things. And then you spent some time in contracting and you hear a lot about what’s going on in the private sector, and it’s actually really challenging because when you’re in defense contracting, and you’ve been doing it a while, you begin to think your career is pretty much tied to your security clearance. So, you jump from opportunity to opportunity and you know, the money is decent and the work is meaningful, but it is tiresome after a while. Frankly, as good as the missions were, there was a lot of frustration with it. And I knew some people in the private sector that seem to be happier quite honestly. 

 

So, between the opportunity to be a little bit happier and have a bit more freedom and just a new challenge it had me interested but to be quite truthful, it was an accident. Ultimately, I ended up in the private sector, because a friend of mine finally convinced me to get on LinkedIn, a good plug for those guys. I was afraid to; I don’t do social media, you know, coming out of the government space and being a clear contractor for so long. But somebody convinced me and I got on LinkedIn. And then somebody reached out to me from there. So, I was actually recruited to move into the private sector. And now I just wish I had moved a little bit earlier. And so I work trying to help veterans and folks in the intelligence community who want to make the move, trying to help them do that, if that’s what they want to do. Leap over the fear of leaving, which you know, because a lot of great opportunities out here to help a lot of people.

 

Chris Glanden 05:52

What aspects of your military training did you apply in cyber security within the private sector?

 

A.J. Nash 05:58

So, I mean, I’ll talk about military training and a little bit about the intel community itself in the training with it because they’re tied together. I mean, strictly from a military standpoint, you learn how to be flexible, you learn how to be disciplined, you learn how to take orders when necessary, you also learn how to lead. So, all those things come in handy. The private sector, cyber security is I don’t want to overstate it, people talk about it being a war, and that’s really not true. Bullets are not flying and bodies aren’t falling, but there is a sense of mission, and there’s a lot going on all the time in cybersecurity and there is conflict, there’s no way around that we have adversaries that want to do bad things to us, and it’s our job to stop that from happening. 

 

So, there’s some sense of purpose and mission, and focus that I think you learn how to manage a lot of those things in the military, how to manage time and stress. So, I think that really plays nicely in working in cybersecurity. But then the real pieces that I was able to bring forward, were what I learned in intelligence, which my career in military was intelligence, but the fundamentals of intelligence that some of us who spent 5, 10, 15, 20 years in the intelligence community, we take it for granted that everybody understands the things we understand. And then you realize they don’t, you know, Structured Analysis, you know, analytic techniques, you know, and standards, just the framework for analysis and the language of Intel analysis, the processes, it turns out, are not well known in the rest of the world. 

 

So, the private sector is moving now, into intelligence, and more and more there, you know, we’ve got people talking about cyber threat intelligence, or Cyber Intelligence. You know, it turns out there’s a lot of need for people who have careers, you know, from the government side, to bring that knowledge out. I mean, really, the government’s been doing intelligence for decades, you know, five, six decades at this point. And there’s some real strong standards there that can be applied in the private sector. And there’s a not insulting but there’s an ignorance to it in the private sector right now. 

 

So, people are mis-defining what intelligence is and misrepresenting what it is, they’re misunderstanding what it is. And then as a result, they’re misapplying that information. And what you end up is with teams that, say, their intelligence teams when you dig in, they know nothing about intelligence, a lot of times, there are technical analysis teams, which is, they do other things that are really important, but it’s really not intelligence, they’ve applied a word incorrectly. So, I think that’s really been beneficial for me in the private sector, and a lot of people I know that have come out along the way, is that there’s a real need in the private sector to understand fundamentals of intelligence, and why that’s different from other things we do in cybersecurity and where the value is and where intelligence can drive cybersecurity solutions. And you know, what the mistakes are, and the pitfalls can be if you do it wrong. For me, I’m really thankful that I had the career I had in the government both in uniform and out and learned so much, and was taught so much with so many great mentors, because now I have an opportunity to help a lot of other people, and there’s just a great need for that in the private sector right now.

 

Chris Glanden 08:52

I’m sure it also helps instill discipline in regards to process, procedure, and also understanding attack methodology in general.

 

A.J. Nash 09:02

Yeah, definitely. My background was always adversary focused, whether I was dealing with countering trafficking persons, for instance, or whether I was dealing with war operations, I worked the Balkans, I worked in the Middle East, I worked Asia. I’ve always been very focused on the adversary, not necessarily the technology, but adversaries, their mentalities, their tactics, their techniques, or procedures, whether it was physical or later in cyber. And that all applies now very well. So, I’m still not remarkably technical. I’m not a ones and zeros guy. I’m not a network engineer. I don’t have CISSP. I work with people who are brilliant in those areas.

 

But for me, it’s always been about applying it back to the adversaries, and that’s a really transferable skill, and it’s also something that again, we’re getting better at in the private sector, because people are starting to understand that really understand really what’s going on, you have to understand more than just the technology. You also have to understand your adversaries and see things in a more holistic light about what are they trying to accomplish. When I see a geopolitical change? What is that going to do for us in cyber, if we see a change where their sanctions are raised against Iran, North Korea, for instance, what will be the changes from a cyber standpoint? Because there probably will be. Or if we see the China five-year plan is a good example of an opportunity to take a look at what does that mean from a cyber standpoint, understand your adversary, and the same thing can be true in the criminal enterprises. Or even in economics, you know, Bitcoin prices reaching all-time highs, what does that do for things like crypto mining? Really understanding adversaries and their motives and their thought processes.

 

And then from there also being able to tie back into their tactics and procedures with it and known to do, it gets more and more comfortable in the private sector, the more time you spend out here as somebody who was in the military, or in the IC, because you see the same things happening over and over again, it’s really very similar processes and units. So, it gets to be more like home as we go along, frankly.

 

Chris Glanden 10:48

Got it. I know, you said you’re not particularly specialized on the technology side. But from what you have seen, where does technology lie in terms of the pace and capability versus the framework? It sounds like in the government side, it’s more based on framework. Are there I guess, proprietary tooling that gets used there? Or is there commercial tooling? What have you seen from that standpoint?

 

A.J. Nash 11:15

Yeah, there’s technology plays a huge role. Our biggest challenge, or one of them, at least in cyberspace is time. It’s a constant problem, in that everything’s happening all the time. There’s a massive overload of data and knowledge. So, you know, if you go back 10 years, the challenge was just getting enough data, enough information to actually process to understand what was going on. 

 

And now we’ve gone the other direction, we have more than enough we have everything we could possibly want is handed to us. But how do you process it all? How do you make sense of it? How do you find the important things? And how do you do it rapidly, because adversaries are constantly there, this is a never-ending problem. So, the tools become really important and the technology is, whether it’s a threat intelligence platform, so you can bring in large amounts of data and information and intelligence from massive sources, bring it all together in one location where you can make sense of it. Unified search, quick investigations, being able to do the graphical analysis and reach conclusions. You know, that’s a technologist when important. SOAR, the automated response technology being able to tie intelligence back to a SOAR, so, that you can do some things automatically. Again, you’ve got to keep up with the speed of cyber. So, your SIEM coming in and being able to bring everything all the network traffic that’s coming across. So, when you tie these things together, and you get these unified systems, SIEM and intelligence and cyber, they’re all working together.

 

So, that you have intelligence driven answers, right? Intelligence tells you what’s going on, the SIEM brings things in, you tie those two together, and you get context, that might lead to a SOAR to say, based on this signature tied to this intelligence, we have a confidence rating of 80% or better, and that’s where our threshold is, for an automatic response. I think those are all vital, we’re not going to win a cyber battle, we’re not going to stay ahead of adversaries manually, like it’s just not possible.

 

There are constantly evolving tools that are making things better and easier, relatively speaking for cybersecurity. The problem is, adversaries also are getting better all the time, and there’s plenty of them. So, it’s a never-ending game of cat and mouse, I think, between adversaries and defenders. But tools play a huge part of that, and Endpoint Protection gets better, and how we handle our signatures, and you know, the changes in signatures over time and what we’re using now, but we’re also going to see dynamic improvements from adversaries in code, and encryption is going to play a role in how this all plays out. Again, there’s a lot there. There’s a lot to go through. But I do think, the combination of talent, and the tools and the access, and then making sure you do it in a timely fashion is really how you tread water, if not win the Intel game when it comes to cybersecurity.

 

Chris Glanden 13:50

Yeah. 100%. And on that topic of technology and how it’s ever evolving, what level of confidence do you have with AI and ML in regard to intelligence? How do you see AI and ML playing out in that field?

 

A.J. Nash 14:09

Yeah, so, it’s funny. I’ve been an Intel guy for what I say, I got to Fort Meade – the NSA in 99. So, I’ve been an Intel guy for a couple of decades. My entire career, I’ve been told that AI and ML are going to replace me. We’re two decades down the road and hasn’t happened. There’s still tens of thousands of Intel analysts in the intelligence community. So, I will start by saying that I’m not convinced that this is the panacea. That being said, it’s gotten much better. I think we’re going to get further down the road. I think the challenges are, first of all, when it comes to AI, it’s about understanding what’s real and what’s fake. Now, there’s a lot of people talking about AI and ML, and they throw these terms around and they’re interchangeable to them, and when you dig in, they’re not talking about AI, or in demand, we’re talking about ML that might end we’re talking about ML, they might just be talking about, some a series of processes being pulled together.

 

I used to work with a couple of really brilliant guys in the AI space when I was at Symantec. And you know, as brilliant as they were and as much as they were advancing, they also educated me and said, Listen, as far as we are as an industry, we’re getting better but we’re also a long way. I still can’t completely teach my machine understand a dog and a cat. So, there’s a long way to go in AI from experts I’ve talked to, and I’m not an expert, but I’ve talked to a few. Machine learning is coming along much faster, you teach the machines, right, so, as long as you can teach the processes, and you can teach the machine 60,000 times how to do something, and it figures it out. So, ML is great in that, it does create some automatic solutions we can work through, but again, it’s about feeding it the right thing.

 

So, ML works really well, when you’re dealing with structured data, when you’re dealing with repetitive processes, that’s not going to replace an Intel analyst because it doesn’t have the ability to handle nuance and some unstructured pieces of information that require people. Ultimately, I do think, maybe in my lifetime, that will get to a point where people start talking about AI and ML, really doing the majority of things, systems of systems, whether it’s intelligence to weapons, systems, intelligence to cybersecurity defense systems, getting there, but I think there’s always going to need to be people, maybe less people, and I’m sure there will be over time but ultimately, there has to be responsibility, and I don’t think you ever have responsibility, if you get it to just simple automation. 

 

In the military, we just talk about it, I never really worried about it, because bombs on targets. Generally, somebody has to be responsible, when there’s a flaw, you can’t turn and say, well the box told us to do it, and there’s always going to be people involved. I think there’ll be less over time, but I think technologies like AI and ML they’re force multipliers, I think it’ll speed things up. I think it will allow analysts to do better work, but it also is going to take a generational shift in that. Right now, as an Intel guy, if you told me the magic box gave me all this Intel, and this is where we are, I’m probably still going to want to go do my own research, and most old school Intel analysts will. Because even if you tell me, this is the box of data I have to work with. And we trust that the machines gave me everything. If I work with that box of data, and I do all my work, and I make my conclusions, and I’m wrong, and it turns out, I’m wrong. So, there’s a missing item from that box. 

 

I’m now accountable, and I’m responsible, and that’s a huge leap to get past I do think generationally, we will we’re going to have a whole generation of Intel analysts that are raised on nothing but AI and ML and the technologies and trusting the research, our understanding of risk, and who accepts the risk for missing, you know, research is going to change, and I do think we’ll get there, but you’re talking one or two more generations, probably before that happens. The old heads like myself, and people certainly been, that taught me how to do it, we’re still going to want to do a lot of our own research and the magic box can’t be the solution for us.

 

Chris Glanden 17:40

Yeah, agreed, I believe there’s always going to be that human element needed. Simply for fact checking. Even down to voice to text on your phone, you know how that’s supposed to be ML and I’m constantly fixing it.

 

A.J. Nash 17:55

Yeah. It’s a good example of voice recognition. You know, we’ve been playing around with voice recognition for at least a decade now and I don’t know anybody who really loves it. I will say the technology’s gotten much better if you’ve got a home system to use, you know, Alexa or Google or something like that. They’re much better, but they’re still not great, right? They’re far from perfect. I don’t trust any machine to dial a phone number for me yet. But I’ve never found one that does it consistently well, but they’re getting better, too. We’ve seen that. So, yeah, I think we’re getting there. I think, you know, our promises of having it done, by now are far from true, and we may be three or four or five decades away, but we’re still waiting on flying cars do some things just take longer than anticipated.

 

Chris Glanden 18:35

You had a flawless system that did voice to text or voice recognition, you’re also sacrificing data, and you have to look at that from a security standpoint. Where are you trusting your voice commands to go? If it’s coming out of 100% accurate, there’s still risk involved, and I guess it comes down to calculated risk. Risk versus convenience.

 

A.J. Nash 19:03

Yeah, and I think, when you look at that, if you want to look at how the culture is going to shift, I think we’re working towards being a post privacy world. I don’t think it’ll happen in our lifetime, but it may be near the end of it, depending on how long we last, but I think we’re getting there. If you look at the generation now, like, if you look at millennials, if you look at Gen Y millennial, and I think we might even be on the next generation now The Gen Z’s, what their thoughts are on privacy are very different than what privacy was for Gen X, certainly for baby boomers or if you want to go even further back, right. 

 

I mean, privacy, the whole concept of privacy is changing. I think the next generations will be more than willing to give up their privacy. In some cases, they don’t even want it. You know, they’re on social media everywhere. They’re broadcasting everything. They don’t even think about privacy. I think we’re going to get to a Post Privacy world. I don’t know that that’s going to be a good thing. But I think it’s going to happen. I think we’re headed down that path, and unless that pendulum starts to swing the other way, which I don’t see right now. The whole concept of privacy, and whether that even matters or not much has changed. 

 

Chris Glanden 20:06

That’s a great point. It’s not something that is thought about anymore really with everything being publicized.

 

A.J. Nash 20:13

Yeah, and it’s not universal even right now from culture to culture. Countries have different ideas of what acceptable risk is, what acceptable privacy is. So, it’ll be interesting to see, I’d love to live another couple hundred years and see how it plays out, but I think we may have down that track, and if we do that changes, how the technologies are used changes a whole lot of processes.

 

Chris Glanden 20:35

Very true. So, you mentioned your time at the NSA, I’m curious, what was that experience like?

 

A.J. Nash 20:43

It was a good learning experience, I spent a long time with the agency, just how it worked out, right, I got there in 99, in the Air Force, still, but I was stationary, essentially my entire career, and then in contracting with the exception of a short stint working on counter ID work in Virginia, almost all my other work was also spent at the agency. So, I mean, it’s home to me a lot of different opportunities, a lot of different missions. I was there for three different endurances, different focuses as well. What I would say is, it was a great learning experience, it can be a really exciting and interesting place to work, it can also be a really boring place to work and also be really stressful place to work. It just depends on where you are, what mission you’re working at the time, no two missions are the same. The buildings themselves are different, and the cultures are different, and which organizations you’re in, but the one thing I took away from it that I really enjoyed was the mission itself. Whatever you were doing, there was very few days when you didn’t realize at some level, what you’re doing probably was important to somebody. 

 

On a daily basis, it is just work, like you sit at a desk, and you do work, and it is easy to lose track of what that work’s meaning is, but if you’re not careful, but the truth is almost everything going on in there is impactful and meaningful, you lose that when you leave the government space. That’s one thing that can be challenging for some folks is that loss of sense of mission, and you have to really define what am I doing now? What’s important to me? And what am I doing to tell the other people and am I still contributing somehow? You never really have to question that much when you’re at the age, you’re contributing. So, it’s all different in that regard, but overall, it was a good experience. I’m glad I was there. I’m also glad I’m not anymore. Quite frankly, I really enjoy what I’m doing now, and I’m happy where I’m at today.

 

Chris Glanden 22:30

So, I was kind of late in the game, but I saw the movie “SNOWDEN” not long ago, like within the last year, and it was essentially dramatized version of the Snowden story, and around that, I don’t know if you had a chance to see that but I’m just curious if you did see it, how accurate was that portrayal of the NSA culture?

 

A.J. Nash 22:56

Yeah, I got to be honest, I didn’t see Snowden’s movie, or the movie about Snowden, I should say, I was at the agency when everything happened. I’m very familiar with the story of Snowden. So, I didn’t actually watch the movie. So, I can’t tell you how accurate that movie was. Edward Snowden’s story is public story, is not the truth. I mean, it’s as simple as that. Edward Snowden wasn’t a crusader fighting for American liberty, civil liberties and trying to out the government for abuse of collection systems. That’s just not the truth. That’s not the story. Edward Snowden’s story is actually much more boring. It’s much more like most stories of people who violated oath of the US government and went ahead and divulged secrets to adversaries that generally comes into a couple of categories.

 

You either have people that have financial difficulties, you have people that have romantic difficulties and open honeypot situation or you have people with oversized egos, and narcissism and feel like they’re underappreciated, and Snowden falls into the last category. He was an IT guy, not an Intel guy, he had access to things as an IT guy. He misunderstood some of the things he saw, he tried to follow protocol, he was told through protocol not to go any further that we understand what you’re looking at, and not to worry about it, and he decided he knew better. So, he stole a bunch of intelligence. He lied and took vacation, and he went to China. And he gave me once for intelligence, China, and then he went to Russia and intelligence to Russia. It’s not a complicated story. And for people who think he is a crusader, it very much frustrates me personally, he did a lot of damage to the US government more than anybody in my lifetime probably. He released massive amounts of intelligence about Chinese cyber actors and organizations that has absolutely nothing to do with US civil liberties. Nothing. There was no reason to be involved in that intelligence.

 

There’s no reason to take it, there’s really no reason to give it away to anybody. Nothing there could be argued had anything to do with US collection systems against US persons. His story really falls apart when you look at what was involved and so, I could go down paths on what I think all of his reasons were and who is actually behind some of it, but I’m going to go too much further into it other than to say that his public story is bullshit, quite frankly, and to me, he’s a traitor and he should not… People who are talking about him being a hero or him being pardoned, do not understand the situation. Now he got exactly what he wanted. He was a narcissist, who thought highly of himself more than others did, and now he’s a hero to a cult following and he’s world famous, and he’s done well financially. All it does is encourage another generation of people like that, but Edward Snowden’s public story is just really good PR. The reality is, his real story is kind of boring. He stole intelligence and then ran away to a foreign power.

 

Chris Glanden 25:36

You were actually there during that time when all this happened?

 

A.J. Nash 25:39

Yeah, I didn’t cross paths with him personally. I don’t know him personally, he was in Hawaii working for Booz Allen Hamilton, I was at the fort, not working for Booz Allen, and not a shot at Booz, by the way, great company, lots of good people just happened to be where he worked at the time. I don’t know him personally didn’t cross paths with him but I was at the agency, I did see some of the investigation and some of the fallout and he made life very difficult for a lot of people, a lot of contractors, anybody who want to clearances, people looking for renewals of their clearances. The whole community was shaken and had to be hired to take it seriously, which is needed.

 

But the unfortunate part is the clearance process isn’t necessarily the issue like this is going to happen, you clear tens of thousands of people, and the occasional person is going to get through that’s going to make bad decisions. It just made it hard on everybody else. But he has some of the same personality traits that have happened in previous people who’ve chosen to violate their oath and give away US secrets. So, yeah, I was there, it was not fun. Not a good time for a lot of people.

 

 

Chris Glanden 26:39

All right, I’m going to shift gears just a little bit. I mean, not entirely, but, looking toward the next presidential administration, where do you hope to see the Biden Administration take cyber?

 

A.J. Nash 26:52

I think we’ll see some change. I mean, it looks like, it goes without saying, administrations change, things are going to change. I don’t know exactly what those things will be. I think we can look at what happened in the Obama administration. And then what we’ve seen Kamala Harris’s background based in California, California has one of the strictest cybersecurity policies or laws actually, in America, it’s very similar to GDPR. So, I think it’s reasonable to believe that a policy like that a law like that could become a federal law at some point, and frankly I think that’s reasonable to believe, regardless of who was in office GDPR is setting the standard for the world. I think. I think we look back at Obama era policies, we’ll probably see some of those come back. Net neutrality is something a lot of people talk about. I’ll be interested to see where that goes. I would hope that that would stay around.

 

There’s been discussions about getting rid of, you know, provisions, I think, President 230, for social media, I don’t think that will change in the administration, I think social media organizations still are going to be protected against liability for things that they post that are third party materials, but in cybersecurity, in general, what I hope to see is furthering of federal opinion publicly on how we’re going to help shape the world’s laws. We don’t have, and it’s not just us, by the way, the US can’t do this alone and shouldn’t do this alone, or even the Western world, we’ve all got to figure this out together, people that might be considered adversaries, and at some point, we’re going to have to get to a unified understanding of what the laws are internationally on cyber, because we don’t have that right now. We don’t right now, if I throw a missile at your country, that’s an act of war. If I conduct a cyber-attack against your banking system, that may or may not be an act of war, you know, it depends on who you’re asking right now. We don’t have international norms established. They’ve been trying to do this for decades now, at least a decade now. And I think that needs to happen.

 

So, I’m hopeful that that’ll happen with this new administration. And that is to say, really administrative change is the issue. I just in general, hopefully, that’ll happen. I do think cyber is going to be taken quite seriously. I think election security will definitely come up again, you know, there’s some debate as to the importance of election security in the current administration. And I do think it’s going to be taken a hard look at, there were a lot of opportunities for election security bills to be passed and improve security, and that didn’t happen. But some of that also is dependent on what Congress and what Congress knows the administration changing alone doesn’t change those issues. Congress makes laws, not the president.

 

So, we’re going to hopefully be able to get back to a point where all sides can communicate a little bit better. I’d like to think that we’re going to get to become a nation with a little more cooperation. But if I’m being honest, I don’t see a lot of that right now. I think we’re pretty divided. Cyber is not going away. Cyber is a big problem, our inability to focus on this issue and get better at it is a national security risk. So, I am hopeful that as a nation, and as leaders in the government, regardless of your political position that people come together and recognize if we don’t do some things in cyber, and we don’t set some boundaries and create some laws and work with the international community on it. 

 

We have some serious concerns and those are threats that are for countries like the US, who are technological powers, it can become a weakness as much as it is a strength for us in terms of our economy and a lot of things we do. We also create vulnerabilities. The more we become dependent on technology, if we don’t handle these issues, you know, we’re vulnerable to attacks that can shut down power grids, and travel, you know, and financial systems, and we create a real dependency there. So, I’m hopeful that we’re going to see movement forward on that but it’s tough. We have a tough political environment right now,

 

Chris Glanden 30:29

Agreed. It’s crucial to also appoint the right people that are cybersecurity focused. So, let’s say you were selected to run CISA, what would be first on your task list?

 

A.J. Nash 30:46

Well, first thing I’d have to do is hire a whole lot of people smarter than myself. Because I’m not qualified for that gig. We have great cyber experts in this country. We have great expertise in a lot of fields in this country. And me personally, my biggest concern, and my frustration is this heavy politicization that we’ve seen in areas where politics don’t belong, science comes to mind, technology comes to light, right? So, cyber is another one. I would hire Krebs back, quite frankly. Smart guy, I think both sides agree on that. I think he got caught up in a political argument that he couldn’t win, because he’s not a politician. I would be very interested in trying to put the best minds in the right positions. 

 

This shouldn’t be about politics. Science, speaks for itself in most cases, if you let it. Follow the data to the logical conclusions, do your research, do your analysis, do your tests, and let the data tell you the answers. That’s what we all learn in intelligence. It’s not about politics, we’re all trained to put our politics aside to put our bias aside, there are entire structures designed to allow us to double check and make sure bias didn’t help us with our decision too much. We bounce ideas off other people to make sure bias comes out of it. 

 

These systems exist in Intel analysis, they exist in scientific process. To me the data needs to be useful to speak for itself, and politics shouldn’t matter. The right answer is the right answer regardless what you want the right answer to be, and I think in recent years, we’ve seen a big shift away from that where the right answer is what I say it is, it’s what I want it to be, and if you can prove I have the wrong answer, I will change the argument. But I won’t change my opinions on what I think the right answer is, because I want it to be when I want it to be still. And I think that’s really dangerous. You know, that’s led us into a lot of bad places right now. Science is smart, for lack of a better way of doing it, right? Follow the data, let it give you conclusions.

 

Also, it helps to help people understand if science gives you a conclusion, and later on new data comes and that conclusion changes. That doesn’t mean science is invalid suddenly or the original conclusion was, it’s valid based on the data you had at the time, conclusions change when you get new inputs, that’s supposed to happen, but that’s another problem we have. And I think this goes back to an education system that’s challenged and STEM that’s not really being taught. There are people who have a hard time understanding what science is and what the scientific process is. And so, the minute somebody tells them something, and then it changes, they point to that and say, Aha! so, you never really knew anyway. And they try to invalidate all of science in the process, and that’s just failing to understand the scientific process.

 

So, I think we need to understand, we take everything we have available to us now. We draw the conclusions based on that we have reasonable conclusions, we do testing and analysis, and then we go forth, and then if we get new intelligence, we get new data, we reassess, and sometimes we change based on the new intelligence we have available to us. But those are the people I would want to hire. If I was at CISA. All I want to do is hire people that are focused on the data, they focus on the intelligence, they’re focused on making logical conclusions. And they are devoid of politics as much as possible. They believe in the systems and the processes, and whatever that leads us to those are the recommendations you make, and we’ve fallen a long way from that. I think, right now, as a country, and politics doesn’t belong in science.

 

Chris Glanden 33:52

You know, along with the many tasks that lie ahead for the next president, I have to hit on the COVID-19 era, and the COVID specific threats that are starting to emerge, such as the nation state attackers targeting the COVID vaccine cold chain. I’m sure you’ve heard about that. What are your thoughts on that? Should organizations be prioritizing threat Intel to help defend against these types of attacks, and do you see this becoming more aggressive as time goes on?

 

A.J. Nash 34:25

Yeah, COVID-19, we’ve been doing this for a long time, we’ve seen a lot of different threat actors try to take advantage of this and that happens with any major event, any news event, this is just going on longer. So, we’ve seen anything from the obvious — Phishing campaigns, people are registering websites to appear to be from World Health Organization or Nation State organizations, etc. We have also seen misinformation campaigns, which is a whole separate discussion about why nations or individuals might want to misinform people and foment discontent and create arguments against science based on a whole bunch of searching or reporting of false information. But you know, what you’re asking about specifically, some of the cyber-attacks. 

 

We’re going to see some of that. We have, vaccines are on the way now, and there’s going to be haves and have nots, as there always are with things like this. So, I’m sure there will be more organizations and probably nation states, a couple come to mind that will try to steal the IP, as they’ve done with many other things, you want to hack into organizations, hacking the companies that have created these vaccines and see if you can’t steal, everything you can get your hands on, because if you can you can create a vaccine yourself quicker, cheaper, faster, you know, whether that’s to help your own people or it’s to undercut the market, and start selling something cheaper. You know, China has a long history, I mean, of stealing IP, they have been doing it for a long time and a lot of different technologies, and they do it for market advantage. And again, I’m not even vilifying China, when I say this, this is a cultural difference. The Chinese don’t think of this the same way we do.

 

US has a long history of doing lots of R&D, spending years and billions to do this, and the Chinese opinion is that we can just take it from you, and do it and take that and cut the R&D costs, why wouldn’t we, it goes back to a fundamental difference in the societies, best example, somebody came here wants a Chinese expert, not myself, but she said, In the US, if I leave my bicycle on the front lawn, and you steal my bicycle, you’re a bike thief, the cops will arrest you for stealing my bicycle. In Chinese culture, if I leave my bicycle on the front lawn, and you steal my bicycle, that’s my fault, I didn’t care enough about my bicycle to take care of it, I deserve to have it stolen. So, they don’t really think of it the same way. It’s just a cultural difference. And I’m not going to say whether this is right or wrong, I’m not here to judge. It was education for me, and it explains how it expands to this, if we don’t protect our IP well enough and somebody else takes it, then they can say in their minds, well, you didn’t protect it well enough, you must not have cared.

 

So, you got what you deserved. And I think we’ll see some of that with some of the science. More concerning for me, frankly, than that would be if organizations are either being attacked, so that it can stop their production lines, it can stop their ability to create these vaccines that people need, or somebody could get in, and I don’t think they can at this point, I haven’t seen any evidence to support the possibility but if somebody could get in and manipulate the data to maybe change the formulas of a vaccine, you know, there’s a lot of scary things that could happen. In theory. I haven’t seen any of that in real life. So, I don’t want to be a fear monger. But there’s a lot of concerns with that.

 

So, if you’re in the business of building these vaccines and doing this research, you have to be extra cautious. Early on we saw ransomware, it was a big issue with companies that were working in medical organizations working to develop vaccines. Now that’s an easy way for an adversary to try to make money is simply to attack your networks attack your systems. And if they can get ransomware into a system and the medical organizations tend to have a tough time with cybersecurity. Now, they’re just profiting, it’s like hey listen, give me so much money and I’ll give you back your computer systems. And since you’re in a hurry, and you’re trying to get something accomplished in a multi-billion-dollar, pharmaceutical industry, I’m sure it’ll throw a few $1,000 at the adversary just to get back your stuff. And you know, if I’m the adversary I’m probably going to hit you up over and over again, because now you’re the ATM to me.

 

So, there’s a lot of back and forth there. But you know, COVID-19 is going to be around for a while. We have vaccines. My guess is by summer, we’ll probably most of us will have gotten vaccinated at least in the Western world in the modern world, and then we’ll see some of that die down and then the adversaries will move on to whatever the next thing is. And there’s always a next thing.

 

Chris Glanden 38:22

COVID-19 caused a surge in the remote workforce. So, I’m curious, you know, what use cases are threat Intel platforms, such as Anomali, addressing in this environment?

 

A.J. Nash 38:38

Yeah, it’s a good question. It’s funny, we’ve had some chats about this internally. I’m not going to divulge too much, but we’ve had some good discussions about this, and what COVID-19 means, right? I think culturally, we’re forever changed by this, we’ll see for the next few years what this means, but  companies that were against remote work, were sort of forced into it, companies that were, you know, dipping their toes into the water, maybe 20, or 30% remote, are now understanding what it’s like to be nearly fully remote, if not fully remote, and I think we’re finding out how to do it better. And I think a lot of that’s going to be sustained, you know, I expect to see you know what it’s worth, I expect to see some pretty big changes. I don’t have to keep paying people in New York City money, just because my office is in New York City. So, now I can pay people in Tennessee who have the same skill set. 

 

So, I think we’re going to see a big change in hiring, in HR and competitive balance, I think we’re going to see people move out of some of these very expensive areas, like New York, San Francisco, which then will make them less expensive because supply and demand is what drives all that. We’ll see a leveling, I don’t think– Tupelo, Mississippi is going to have the same cost of living in San Francisco anytime soon. But I think we’ll see some changes; we’ll see some changes in how employment works and how the competition works. I mean, I feel the demand is higher salary in a more expensive place anymore because the company can hire somebody else because now, I have to compete with somebody who lives in a much cheaper place because they have the same skill set. So, we’ll see that. We’re also going to see a big expanding of our corporate footprint. 

So, how do you defend against that? You know, I’ve said, I think we may see companies reassess how they do cybersecurity, at what point if my company is mostly remote, do I decide I want to be responsible for my employees’ home network? And the security that goes along with that? And where do I draw that line, where’s my employer willing to let me draw that line. How much more dependent am I on VPN accesses and encryption and encrypting data in motion and some of these things. But most importantly, the piece you asked about the Anomali standpoint, is, you know, the SOC’s been around for a long time the SOC model, and we’re starting to see the fusion center model, and I think we’re going to see a link directly into the virtual fusion center model, where you have all these different organizations, not just your cyber security organization, but your entire organization and your HR and insider threat and your business development perhaps, and your M&A organization. And all these different organizations that have shared needs, are going to be able to work on the same kinds of platforms at the same time, with different segments that matter to them. So, a company like ours is actually in a really good spot there. Because we do cloud based, you know, we have software as a service. So, our platform is everywhere.

 

So, when you talk about resilience, the next pandemic, or, worse yet, you know, a natural disaster or a terrorist attack. We’re really prepared for that; our system is structured fast. So, anybody using software as a service. If you’re using a platform like Anomali ThreatStream, which is a SaaS platform and you’ve got storage tied back to S3 buckets from Amazon, AWS, and they’re running Splunk in the cloud, and these kinds of things you can do from anywhere. So, you’ve now understood that you’re fully remote, but your workforce can be anyplace, your redundancy is everywhere, there is no single center, you have to worry about going down, if the power grid goes down the east coast doesn’t matter to you, or, frankly, you’ve got operations everywhere else in the world. So, you’re dynamic, you’re really 24/7 you’re very resilient, it does beg the question of just how much further we’re going to go with security in these cloud environments. And who’s going to be responsible? Because I think that’s the other thing, we’re getting with this is, those who were locked into go to the cloud, were forced to do that as well. Many people kept all the things on prem, and really didn’t want to be cloud environments. But you didn’t have a choice anymore.

 

So, much more move to the cloud. So, I think we’ll see that shift and how those impacts are over the next couple years here, in terms of where security shifts, where the adversaries choose to shift. You know, and there’s always that balancing act, I think organizations will be resilient and flexible. Again, where they hire and how they hire and their structures and their pay structures, and the costs are going to change. But ultimately, platforms like ours, and technologies that are cloud based, put you in a position to do anything from anywhere. I’m in Maryland today, I could get my car and be in Tennessee tomorrow, and work from Tennessee, and nobody in my company would know the difference. Or I could cross borders, you know, we’re not for pandemic. I could work out of Mexico, I could work out of Puerto Rico, I could work in Europe, and nobody know the difference. It’s all the same technology in the same place and I have all the same accesses. And I think that’s the future of our industry, and all industries. But for cybersecurity, I think that’s going to be incredibly powerful to get away from the demand of physical SOCs.

 

Chris Glanden 43:17

Yeah, and it’s definitely having companies rethink their infrastructure as well and that could be a good thing. How valuable do you find OSINT, or Open-Source Intelligence and Social Media Intelligence versus an Enterprise Platform?

 

A.J. Nash 43:33

So as an Intel guy, and as most of us are, you know, I’m an addict for access. I want everything. I even want stuff that’s invalid. I’ll figure it out later. But I want everything. So, there’s a lot of value in what is available open source right now, and what you can work with and whether you’re talking about open-source access to data, whether it’s social media, and news and things like that, or open-source access to Cyber Intelligence, like MISP for instance, is a pretty cool project that people like. All that stuff’s really valuable. But it’s just all parts of the puzzle. You know, when you’re dealing with trying to understand your threat, you want as much access as possible. And some of that’s open access and some of its closed access. 

 

A lot of it is deep and dark web and a lot of it is going to be, you know, telemetry that you’re not going to get much you’re going to pay somebody to get it because it’s large data, massive stores of data. So, I think when you talk about collection, you have to be able to talk about building a collection plan and just understanding what your needs are, you know, being able to understand intelligence requirements, I come back to the same things over and over again, which is stakeholder engagement, identify intelligence requirements, built off those requirements, you can figure out what your collection plan should be, what do I need to solve those problems and answer those questions. And then from there, take a look at what you have access to and what you don’t have access to and how to fill those gaps- have a gap analysis. 

 

So, there is a lot of very valuable intelligence or data or information depending on which category is available. Controllers just aren’t going to be enough to close all your gaps, you know. So, the key piece is being able to analyze and understand those gaps and then know when you need to close. Otherwise, you see organizations who buy two or three solutions that are really pretty much the same solution that have way too much overlap. And they still haven’t closed their gaps, they spent a lot of money and then they make themselves feel better, but they haven’t necessarily closed the gap. Whereas if you did the analysis of what the needs were, you might recognize all those opportunities you have is great. But then we still need to know a little bit more, we need some deep dark web criminal marketplace, stuff, we need fraud data, we need a lot more telemetry. 

 

So, we can really dig in and get some signatures, there’s a lot of things we’re missing here. And the only thing that is really, the analysis in terms of open source. MISP comes up every once in a while, in my life now. And, this was a really good platform with a lot of cool things in it. When I was at Symantec we happened to be using MISP, and we happen to have been using MISP for this process, and so, we were going to switch over to a threat intelligence platform, because with open source, one of the challenges you have is maintenance, it’s just the nature of open source. Things need to be maintained, and you got to get somebody to write the code. And when you deal with platforms that are commercial, generally, part of the advantage is that things are better engineered and maintained for you. 

 

So, we did that. We shut off MISP, we went to a platform, we went to ThreatStream, and then once we had assigned everything and got everything put in place, we then took a look back at MISP and said, well, let’s see what might have been there that we weren’t getting, because you can integrate these together, you don’t have an either or. And ultimately, we determined there were some feeds that were in MISP that we weren’t getting any longer, and we just integrated them back in. So there was value, there was a lot more value in going the direction we went in my opinion. But there was still value in what was open source, it was just part of the puzzle. So, we only integrated that back in, and overall, you’re able to get a much better collection picture.

 

So, when you talk to people who say, Oh, I just, you know, I don’t need Intel, I monitor Twitter. You know, I watch social media, I’ve got, you know, some open source, they are just, I give them credit for trying and probably thinking they’re correct, but they’re ignorant about their gaps. Timely, accurate and relevant, are really, really important. And that is why you need to technologies and you need enough data, enough information or enough intelligence, to make the right conclusions, you need to really do the assessment of what your needs are, and to really take a look at a comprehensive collection plan. And then also you have to be able to accept some levels of risk, you can buy all the intelligence in the world, at some point, you’re going to have diminishing returns, you bought too many things that overlap. You know, nothing’s perfect. 

 

But I think another challenge people have is not understanding, you may want some overlap. You know, finding a vendor that’s really good at criminal enterprise deep and dark web, then you find another vendor that is open source, they do a little deep and dark web, that’s not bad to have a little bit of that overlap. So, you get some validation, and they may still have some bits and pieces that are different, or finding another vendor that’s doing telemetry, you know, is important, but you may need more than one of those because telemetry is different depending on which vendor they are, and what their coverages are. The same thing and in any trade. So, I think it’s also being able to accept, you want some overlap, to validate some of what you’re seeing. You got to be able to have a wider aperture, and cover as much as possible so you can address your needs.

 

Chris Glanden 48:16

Gain as much as you can, and then rely on the technology that you have to properly filter that. How can our audience connect with you online? What is your current social media footprint and do you have a blog? You have a website?

 

A.J. Nash 48:33

So, it’s a good question. I’m not a huge social media guy. I don’t have a Twitter you can go to. I don’t have a Facebook. You can email me at A.J.@anomali.com. So, if anyone wants to talk corporate stuff, if you want to talk threat platforms, demonstrations, partnering, anything like that, that’s a good place to go. Me otherwise, LinkedIn is probably the best place to find me. I’m on LinkedIn, it’s A.J. Nash, and I work for Anomali. I’m pretty easy to find in there. So, it’s a good place to reach out, if you want to chat with me, I’m readily available, I talk to people all the time, I’m happy to connect and I like talking about whatever I can do to help people. So, whether it’s intelligence, whether it’s cyber security, I didn’t talk much about it, I happen to have a master’s degree in organizational leadership. 

 

Actually, a big passion of mine is servant leadership, I love to talk to people about that, and the basic concept being, if you’re in a leadership position that’s not about title and power, that’s about responsibility. Our jobs, as we grew up in our careers, are to help more people and the further you go, the more opportunity you have the more reach you have to make things better for other people. You know, it’s not about being in control. It’s not about telling people what to do. That’s a lousy way to live. It’s about how do I help these people succeed. What are the problems, How do I assess those issues, and then knock down obstacles and get out of the way.

 

So, I’d love to talk about that, too. But yeah, I mean, I, you know, I’m happy to chat with anybody. Like I said, I’m readily available on LinkedIn or somebody wants to drop me an email, I’m AJ at Anomali.com. You’ll find me pretty quickly. And then yeah, I’m just happy to help. That’s kind of my big motivator. I really enjoy, whenever I feel like I’ve done something that made somebody’s life better, I like to do it.

 

Chris Glanden 50:10

Well, I think you definitely demonstrated that during this interview, and I want to thank you for sharing your insight with us. I actually just heard last call. So, I have one last crucial question for you. If you opened up a cybersecurity themed bar, what would the name be? And what would your signature drink be called?

 

A.J. Nash 50:28

Well, I can’t use BarCode. You’ve already got that, right? So, I got to think of my own name now. What would my signature drink be if I opened a cybersecurity themed bar… So, yours is “BarCode” and I’m pretty sure your drink is the “Anomaly”.

 

Chris Glanden 50:44

Yes! Very good!

 

A.J. Nash 50:46

Oh, I did my research. So, what would mine be? That’s a good question. I might go with something like “The Stack”. I think people love to talk about their security stack. So, I might call it “The Stack”, probably have to set it up as a really tall, narrow building, which would be kind of interesting, and then I guess for the drink, man! “The Blackout” I’m going to go with a really scary hacker drink, it’s probably going to be “The Blackout”. It’s going to have to be really powerful. So, a lot, a lot of booze in it. I’m not a mixologist, I have to look but I definitely want it to be black. So, I’d have to look at what we put in there that makes it dark enough to qualify for the name. I think that’s what I’d be going for.

 

Chris Glanden 51:32

Awesome. You might have to include an Uber voucher to get home after that one!

 

A.J. Nash 51:37

Yes, in fact, what we’ll do is we’ll charge like 30 bucks for the drink, but it includes the Uber ride home. So, you go build it right into the cost. If you order the drink, we take your keys, we valet your car, we’re going to call it “The Stack” so, you know what the first three floors of the building will just be parking ramp. So, we will design it for this purpose will be a high-rise bar. And yeah, well, if you order the drink, your key is going to safety vault, you can secure it with a password or whatever, and we give you a voucher home off the deal. So, we build it all into the process. That way, nobody can try to drive out after they’ve had a “Blackout”. 

 

Chris Glanden 52:10

I think you’re onto something. Thank you so much for your time. I really appreciate you coming on. I’m sure great things are to come with Anomali, hopefully with the upcoming administration we’ll start to see some changes, and I’ll point people to reach out to you with any questions that they have around threat intelligence.

 

A.J. Nash 52:30

Yeah, man, thanks. I appreciate the time. It was great. Having a chance to chat. You know, I see the bartender’s waving me out the door right now. So, I got to be careful. So, he doesn’t throw me to the street too fast. But no, I appreciate it, man. And I did help people. You know, feel free to connect me with anybody and I’ll come back anytime you want to talk about other stuff. Just let me know. 

 

Chris Glanden 52:43

Thanks man!

 
