CTCI a Game-Changer for Threat Intel

After 14 years and plenty of blood, sweat and tears, threat intelligence company CTCI emerges from stealth with some game-changing technology. Co-founders Andrew Grealy and Michael Freeman talk with Alan Shimel about the company, startup misconceptions and the opportunity in the threat intel space. The video is below, followed by a transcript.

Alan Shimel: Hey, everyone. Thanks for joining us on another TechStrong TV segment. We’re out of our normal TechStrong studio here in MediaOps headquarters because we have guests. It’s post-COVID. We have people coming to the office. I want to introduce you to a new company that’s just emerging from Stealth that actually features a long-time friend of mine, Andrew Grealy, immediately here to my right. You’ll tell it’s Andrew; he has a funny French accent. Andrew, if you want to say hello to everyone.

Andrew Grealy: Hi. Good morning, or good afternoon, wherever you are. I’m Andrew Grealy, the CEO of CTCI, Cyber Threat Cognitive Intelligence, and today we’re going to talk about some cool stuff we’re doing.

Shimel: Absolutely. Joining Andrew and me is Andrew’s co-founder, who I’ve known a few years, as well, Mike Freeman. Mike, welcome.

Michael Freeman: Hello. Happy to be here. My name is Michael Freeman, and happy to introduce you to what we’re up to today.

Shimel: Absolutely. You know what? Andrew and Michael have literally flown across the U.S. from Seattle, which is where they’re based, here to Florida to our studios, well, not just for this video but to talk about this company that, though it’s coming out of Stealth today, actually represents, Mike, it’s about 14 years ‒

Freeman: Yes.

Shimel: ‒ of work and research on your part.

Freeman: It is.

Shimel: As an entrepreneur, so many people think that these start-ups are overnight successes. Very few are really overnight successes. Maybe it’s overnight from when people found out about them to when they see things happening, but generally there has been a lot of blood, sweat, and tears, and years of work that people put into it. Andrew, Mike, let’s start off with this: CTCI stands for Cyber Threat ‒

Grealy: Cognitive Intel ‒

Shimel: Cognitive Intel.

Grealy: ‒ Intelligence.

Shimel: Sounds like a threat intel ‒

Grealy: Yes.

Shimel: ‒ play, but share with our audience a little bit. What are we doing here?

Grealy: Yeah, Mike, do you want to take through the background of how we started? That’s always a good start.

Freeman: Yeah, so the background is I spent many years developing advanced offensive, as well as defensive, technologies for different government agencies. When I had the opportunity to go into the private sector, I realized there was a huge gap in the technologies that were available to the intelligence space versus what is actually available in the commercial space. I had the opportunity to go work for a Fortune 100 company, where we utilized some of this technology and that’s where I met Andrew. Andrew was running the analytics side of things and was able to validate to me that the technology was actually working at that point. The value was immense, and so we decided to start a company out of it.

Shimel: Excellent.

Grealy: Yeah, we said before starting this work, at Nike, Nike has a thing called edit to amplify. Where can you make the biggest difference in a company? What Mark was doing, Mark was saving us 19 to 35 times a year, and we said, “With his intel, it shouldn’t be one company, it should be a thousand companies that can get that opportunity.” With ransomware, with threats, it’s only getting worse in the cyberspace, so we said, “Nike is a great company. Should we stay in there and ride out COVID, or should we leave during this pandemic and start it?” We said, “You know what? Let’s start it. There are too many people getting hurt from this.”

Shimel: Absolutely. Look, our audience is a cyber-savvy audience, and I think when we talk about threat intel, they know what we’re talking about. A lot of companies have pioneered the threat intel space. The idea behind it is, of course, that we’re going to give you the intel, the 411, the information about potential threats that are out there, which will then hopefully be actionable, allowing people to ‒ you know, a pound of prevention is worth, or no. An ounce of prevention is worth a pound of cure. What’s different about what you guys are doing, though, with CTCI?

Grealy: Yeah, so there are a number of answers to that question, and I’ll start off with the first part, on what is actionable intelligence. Some organizations in the threat intel space will say, “Russia are focusing on banks, compromising banks.” With that information, it’s like, I did 23 years in banking, “Oh, what do we do?” Mike and I said, “What is the most actionable nugget we can give people? Can I give you something where you can grab that and you can run with it? You can work out what preventions, detections, mitigations. Are you using the right security products? Are you using the right security features?” We said, “That nugget of gold is CVEs.” If we can roll up the threat actors, what they’re using as a CVE saying, “They’re using this CVE.” Sixty percent of all companies are still compromised by unpatched, but there are 200 to 500 new vulnerabilities a day that the team has to go through. Which one should they do? What detections should we put in place? What should we mitigate?

We said, “Let’s roll that up and say, ‘This threat actor is using this CVE,'” and then, from there, you can have what we call a honey badger process, which every group can help, “My security tool, does it block that ransomware? Does it block that SMB call? What detections should I put in place? What can my threat-hunting team do?” We have a thing called a flash, which is our FAST alerts, flash alerts, and what they do, they’ll have the mitigations in there, the _____, so the threat-hunting team can go through their logs with Splunk or Devo, they can search for those logs and see, “Oh, this nugget of gold, we’ve been compromised or not.” What we produce is a thing called CEWL. I’ve always wanted to work for a cool company, right? Everyone wants to work for a cool company, so C-E-W-L, which is the CVE Early Warning List. With that, it’s about what CVE threat actors are using in the world right now, and what they’re about to use.

Shimel: Excellent. I guess my question is still out there to you, which is why your threat intel versus others?

Grealy: Yeah, so ‒

Shimel: I mean, should the average company collect threat intel like socks and underwear? What makes what yours is special?

Grealy: Mike is our chief threat officer, our CTO, so Mike, talk us through that.

Freeman: In most threat intelligence companies, what they do is they scan the Internet for keywords. They’re looking for regular expressions to identify what might be of interest for an analyst, usually at the customer’s side, to go through and find something actionable out of that. That doesn’t really work in the real world, in most cases. What we decided to do is take the intelligence lifecycle, which starts with a question, and then you build your entire threat intelligence program around answering that question. What we did is we wanted to know what CVEs threat actors are actually using now, which ones they’re wanting to weaponize, and which ones are easy to weaponize and leverage. We built our entire technology stack around answering that one specific question for people, and so we do the whole entire lifecycle for you instead of you trying to build your own analytical team to answer those questions.

Shimel: Love it.

Grealy: If you take that a little bit higher, as well, is that when we look at the problem, a lot of people, as Mike said, are doing collection, they’re getting a big bucket of data and there are companies there you can search for a CVE and it will say, “Here are all the hits and mentions on the web.” What an analyst has to do is go through 300 clicks, and clicking _____ Twitter that says, “Is anyone going to exploit?” What we do, we roll and do that analysis. At different levels, we do the threat determination, the threat actor conversation. We do all the parts to say, “This is actually really actionable.” Mike does _____ validation, so we validate when the _____ on GitHub is actually going to do that exploit, and it’s not going to compromise your organization. Doing that validation, as well, and the last level we have, and it’s always curated, that means we’re talking about quality. Spend less time going through all those clicks and searching and actually spend time using that data to make change. For us, it’s about our knowledge driving that better outcome, and everyone wants better outcomes.

Shimel: Agreed, it is about better outcomes. All right. I think we discussed the technology. Let’s talk a little bit about now, for our audience out here, how is this consumed? Is it a service? Is it a monthly service, yearly? Is it a one-time? Is it an on-premise thing? Is it SaaS?

Grealy: Yes, we’ve done what the world is using today, which is SaaS, right? I think if you do an on-premise solution in today’s threat intel world, you’re dead in the water, right? There is cloud. SaaS is the way to go. When we first built it, we did it straight as API. We thought, “Ah, everyone will get the API and it will be fantastic.” But, what we found is people also wanted a portal where they could do a number of things. One was search for those CVEs and look at it, and get all the information from what we have, and the second part there is they may have a network group and they say, “Hey, we use Cisco products. I want to know if there is anyone in the Cisco product that comes up. Send it to that group.” We have notification, notification filters, groups, send it to Slack, to _____, to Jira tickets.

A lot of times, we’re nine days earlier than what is in the VM products of their testing, so then people wanted to create Jira tickets to say, “You give us a new one, and we’ll do that as our process. Instead of the 200 to 500, we’ll use yours as the first part of that process.” What we found, some interesting things in the list, when we did that, we give you the _____, we do pivot tables, graphs, all that sort of stuff, and you can mine that data for really interesting stuff. One thing we find is that 80 percent of what the threat actor is using is non-critical.

Shimel: Really?

Grealy: Most organizations are just getting through the criticals today, and that’s not what a lot of times the threat actor is using, so they’re leaving themselves wide open. That’s where we say, “Hey, if you’re patching this critical, here are these other ones that are actually three or four low that they’re using to compromise, as well.” That becomes an easier part of your process to say, “What do I patch? Look it up in the CEWL list. If it’s in the CEWL list, then I should put more priority to that.” The other way there is we added two-way, so when you’ve done it in the organization, process that list, you can have it grayed out or not showing, and that’s really important because we also understand supply chain zero trust.

With partners, we’re saying, “Well, if you’re secure, there is still 25 percent chance you’re getting compromised by your partners, so how about you license that to the partners and then you can actually watch them, with that two-way communication feeding back, are they being compliant.” It’s not just a tick in the box. You know, then they’re reducing their security, they’re then improving their security posture, reducing the chance of being compromised.

Shimel: Got it. Excellent. How is it priced? How is it consumed like that? What does it cost?

Grealy: Yeah, so we’ve presented to about 25 companies, and we’re told we’re in the mid-range, so we’re $160,000.00 a year, and that’s with CEWL and flash alerts, and then we have another thing called LEGIT, because I’ve always wanted to have a legit company, because in threat intel ‒

Shimel: It wasn’t enough to be cool, you had to be legit and cool.

Grealy: Well, because threat intel, there has been a lot of blood in the water, right?

Shimel: Right.

Grealy: There have been companies, like Norse and other companies, that haven’t made it a really good environment, and a lot of threat intel there is not actionable, and there is still too much _____ for an analyst. We have to build up a big cyber threat intel group, which is too expensive and too hard to run. We’re still in a cyber security shortage, so we created LEGIT, which is the Lookup Explanation for Genuine IP Threats, and it’s IP IOCs, so don’t pay $150,000.00 to the other companies that are just doing IOCs. The important thing is if you’ve got an IP address and you’re typing it into VirusTotal today, it will give you, “Here is that IP address and what it is.” We give you up to six years of 400 fees of what attacks were used for that.

We’ve spent a lot of time in investigations, and, in investigations, you may be going back 200 to 400 days. When you go back to that time, you want to see what those IP addresses were, if there is something of interest during that time. There are about 40 different types of tagging we have, from attacks to phishing to cryptomining, to all those different parts, and we give that for free. Today, you can actually register on our portal and use that today.

Shimel: Excellent.

Grealy: We want to give back. It’s also important for us to give back to the community.

Shimel: What about, you know, it’s a new product, is there a trial or anything people can do to use it today and check it out, make sure?

Grealy: Totally. CTCI.ai, and CTCI.com, I think, is a Chinese company. We are not ‒

Shimel: Don’t go there.

[Laughter]

Grealy: ‒ that company. Yeah, don’t go there.

Shimel: Don’t go there.

Grealy: Yeah, CTCI.ai, for artificial intelligence, because we do a lot of AI and machine learning, of course. If you go there, there is Start a Trial, and you can do that. We just set the company up in a way you can add users and managers and do that, right?

Shimel: Got it.

Grealy: Yeah.

Shimel: Well, Andrew and Mike, we’re going to have you back on, we would like to hear more, but good luck on the launch of the company. That is CTCI.ai, the newest thing in threat intel. Check it out here on TechStrong TV. We’re going to take a break. We’ll be right back with another guest.

[End of Audio]

Alan Shimel

Throughout his career spanning over 25 years in the IT industry, Alan Shimel has been at the forefront of leading technology change. From hosting and infrastructure, to security and now DevOps, Shimel is an industry leader whose opinions and views are widely sought after.

Alan’s entrepreneurial ventures have seen him found or co-found several technology related companies including TriStar Web, StillSecure, The CISO Group, MediaOps, Inc., DevOps.com and the DevOps Institute. He has also helped several companies grow from startup to public entities and beyond. He has held a variety of executive roles around Business and Corporate Development, Sales, Marketing, Product and Strategy.

Alan is also the founder of the Security Bloggers Network, the Security Bloggers Meetups and awards which run at various Security conferences and Security Boulevard.

Most recently Shimel saw the impact that DevOps and related technologies were going to have on the Software Development Lifecycle and the entire IT stack. He founded DevOps.com and then the DevOps Institute. DevOps.com is the leading destination for all things DevOps, as well as the producers of multiple DevOps events called DevOps Connect. DevOps Connect produces DevSecOps and Rugged DevOps tracks and events at leading security conferences such as RSA Conference, InfoSec Europe and InfoSec World. The DevOps Institute is the leading provider of DevOps education, training and certification.

Alan has a BA in Government and Politics from St Johns University, a JD from New York Law School and a lifetime of business experience. His legal education, long experience in the field, and New York street smarts combine to form a unique personality that is always in demand to appear at conferences and events.
