INTERVIEW: A Q&A with Jason Keirstead
Threat intelligence • Sep 7, 2023
Tell us a little bit about your career.
I started working deeply with technology in middle school, after we got our first PC. I think it was less than a year before I started learning about things like the open-source movement and had installed FreeBSD on it. While going through university, although I was trying to focus on programming, I still ended up with a number of internships in the networking and network security spaces as well as working in open-source communities like the KDE project. After I graduated, I joined a start-up called Q1 Labs that had a product in the network security space (that IBM ended up acquiring in 2011 after we had assumed a leadership position in the SIEM market). Over the two decades at Q1 Labs/IBM I had a number of different roles, from UI Architect, to product owner, to Chief Architect, eventually the CTO of Threat Management.
What was it that attracted you to cybersecurity and intelligence?
I somewhat “fell into” cybersecurity, entering the space as a developer. Although I had a strong background of networking fundamentals, I never imagined I would end up in the cybersecurity space. As for intelligence – while I had worked with IBM X-Force on threat intelligence projects on-and-off for a few years prior – I really became involved in threat intelligence when I was asked to research an up-and-coming format called “STIX” that some of our clients were requesting in 2013. At this time, I became involved with the STIX community, coincidentally at the same time as it was moving from being a DHS-Sponsored MITRE project to a standard hosted by OASIS Open. Following that work I was able to participate in and lead many other open-security initiatives, and was happy to get back to some of my open-source roots.
What is your approach to help an organization develop a strong security posture?
When starting a new security program, the most fundamental thing that one needs to get a handle on, before anything else, is a solid understanding of your current environment. Until you know that, it is impossible to make well-informed decisions on how you are going to prioritize. You need to understand where your crown jewels are, what your mission-critical services are, who your vulnerable employees are, and what high-value targets you have.
The second step is understanding and prioritizing your threats. Where are you likely to be targeted, and by what categories of actors? What is the current threat landscape with respect to my industry and the geographies in which I operate? The final step is to map these two things together. By combining the knowledge of your environment, with knowledge of the threats you face, you can use that to create a risk register that helps you prioritize everything else - from what tools you need to invest in to how you are going to structure your detection engineering program. This paradigm is often called “threat-informed defense.”
What will you be focused on in your role at Cyware?
As the VP of Collective Threat Defense, my role is to help develop and evangelize what we call “collective defense” capabilities both inside Cyware as well as in the industry as a whole. Collective Defense is a strategy that goes beyond threat-informed defense, by allowing you to work much more closely with trusted community peers as you manage intelligence, develop detections and response plans, and respond to threats. It is a topic I have been passionate about advancing for a long time.
Why is collective defense so important to cybersecurity?
In order to understand why collective defense is important, you first need to understand the concept of the “security 1%,” a concept Richard Bejtlich championed. The security 1% are the small exclusive club of “people and organizations who have the personnel, processes, technology, and support to implement somewhat robust digital security programs.” What about everyone else? They are barely scraping by – and more importantly, those 99% are not even part of the discussion most of the time; concepts like “detection engineering” or “threat intelligence” are way beyond the scope of what they have resources to deal with.
The second thing that you need to realize is – even in the security 1% – those organizations are routinely re-inventing-the-wheel every single day, especially when it comes to commodity threats - everyone is building their own detections and response plans for threats that are shared and in common by everyone else. This creates incredible waste in an industry where there is already a vast skills shortage. As an example, no one should be building detections for something like LockBit ransomware. The TTPs and how to detect them are well-known yet, it is still highly successful. Why is that? Why isn’t everyone else just automatically protected once someone in the wider community has figured out the detection? This is the mission of collective defense - to allow the industry to work together, to allow more rapid response, and to reduce the delta that exists between the “security 1%” and everyone else.
**What industry-related misconception drives you crazy? **
Whenever I talk about sharing information and participating in collective defense, I get hit back with the age-old misconception that doing this will leak too much information about your capabilities to your adversary – it will cause them to change tactics, and therefore we should not share anything with anyone and/or we have to be ultra-careful about how much we collaborate.
There are many, many ways I can poke giant holes in this argument, which stems from real-world counterintelligence theory that simply does not all hold up in cyberspace, with a few very specific exceptions that surround national security (and are irrelevant for most).
In your opinion, how is the cybersecurity industry changing?
There are multiple things coming together that give me hope. The first is advances in AI, and its ability to be used as a force-multiplier for security teams. I remain highly skeptical that large AI models are useful for detecting threats, but they are proving to be extremely useful for tasks like adding context and accelerating the incident response process. The second thing that is happening is folks are finally starting to open the door to more sharing and collaboration. It is the combination of these two things – AI and collaboration around defense – that I think have a chance to finally move the needle and get us some measurable improvement.
**What three words would you use to describe Cyware? **
Collaborative – Not only is Cyware working to enable collaboration in the industry, it is also a very collaborative company with an open culture.
Innovative – During my time here I have seen a fantastic innovation-oriented culture, where people simply want to “get stuff done” and work hard to do it right the first time. It is fantastic.
Mission-Driven – Cyware is not trying to be all things to all people in cybersecurity. It has a purpose and knows what outcome it wants to achieve and a method and plan to achieve that.
**If you were a professional athlete, what would your walkout music be? **
It would probably have to be “Lose Yourself” by Eminem
**If you could live anywhere in the world for a year, where would it be? **
There are so many places! Ireland, Australia, Switzerland are all beautiful places and would probably all be on the bucket list.
