flashpoint-threat-matrix.jpg
Flashpoint's 2016/17 threat matrix, setting out the capabilities and potential impact of key threat actors on different verticals.

Cybersecurity experts often make broad-brush predictions about the ever-evolving threat landscape, usually at the turn of the year, and many companies offer tactical Cyber-Threat Intelligence (CTI) platforms and services. But what if you could get ahead of the game by listening in on the forums and communication channels where 'bad actors' hatch their dastardly plans? That's the idea behind Business Risk Intelligence (BRI) company Flashpoint, which combines deep and dark web searches with human analyst expertise to deliver strategic insights to enterprises.

We recently spoke with Flashpoint's CEO and co-founder Josh Lefkowitz, and began by asking about the company's genesis:

flashpoint-josh-lefkowitz.jpg
Josh Lefkowitz, CEO and co-founder.
"My co-founder Evan Kohlmann and I had grown up in the 2000s as intelligence analysts focused on how terrorists were exploiting the internet for fundraising, propaganda, networking, sharing best practices, bomb-making, travel routes to conflict zones and so on. We spent the better part of the 2000s working with federal law enforcement here in the US -- the FBI, federal prosecutors -- as well as law enforcement in allied nations, such as the UK's Metropolitan Police and the Crown Prosecution Service."

"The world that we lived in was incredibly manual -- opening up a broad range of Tor browsers, operating virtual personas across the underground -- and it was incredibly inefficient and woefully unscalable. So when we founded Flashpoint in 2010 there were really two core drivers. One was the recognition that the methodologies, both analytical and data-gathering, that we'd utilised to track terrorists online were more broadly applicable to a wider set of illicit actors -- hackers, credit card thieves, malware developers, fraudsters etcetera. Second, around that time there was a real revolution in the way that technology was empowering field visibility across the surface web. So there were a host of solution providers that were plugging into APIs from social media like Facebook and Twitter, RSS feeds from news sites and blogs and so on. They were very well marketed and had sleek UIs and visualisation, and afforded near-real-time visibility into threat and risk on the internet."

"But we felt strongly that if you really cared about threat and risk on the internet, it was not going to be concentrated on Twitter, or the comment section of a blog or a news site. Instead, it was spread throughout these virtual rabbit-holes across the internet that required a tremendous amount of domain expertise, operational savvy, foreign-language expertise, knowledge of the slang and vernacular of these communities and so on."

"So we really looked at ways we could blend deep subject matter expertise but overlay technology, automation and innovation to provide widespread visibility into risk emanating from the underground of the internet."

How do you define Business Risk Intelligence, and are there many other companies operating in this space besides Flashpoint?

"What we've termed 'Business Risk Intelligence' is really aimed at a broader application from the traditional CTI -- or Cyber-Threat Intelligence -- lens. So when we look at cyber-threat intelligence, it's overwhelmingly tactical: essentially it's a feed of malicious indicators -- malicious hashes, malicious IP addresses -- that are fed into the SOC or the SIEM. When we look at our partnerships with enterprise customers across 18 different verticals, we are a true extension of their team that's helping them to drive a better decision-making process about risk that spans not only their cybersecurity teams but also, more broadly, insider threat teams, fraud teams, physical and executive protection teams. We even support non-traditional use cases such as third-party vendor risk or M&A cyber due diligence, which is increasingly a hot-button issue in the wake of some high-profile M&A transactions that had some complexity to them due to breach issues."

"We're seeing a number of other vendors in this space adopting the language around risk: they recognise that the risk calculus is a critical component of business decisions, and that increasingly has the eye and attention of the C-suite. We're also seeing other vendors emerging with a focus on the deep and dark web, but we have the benefit of having operated in this realm for many years and are humbled to be the go-to source for enterprises across the Fortune 500 for assistance in this domain."

Presumably your targets on the deep and dark web are well aware that the forces of law and order are covertly tracking them. How does that scenario play out?

"I think the 'bad guys' have known that the 'good guys', so to speak, have been tracking them for time and eternity. In many ways, that's what makes this landscape that we focus on so dynamic and so challenging, in that it's a constant game of cat-and-mouse. They [bad actors] are highly sophisticated, extraordinarily dedicated and highly adaptive, and are constantly looking for new technologies and methodologies that they can utilise to stay one step ahead of their adversaries -- however they define them, be they law enforcement, security agencies, security companies like Flashpoint and so on. This is the antithesis of the surface web, where you may plug into a social media API and come back four years later and nothing's changed. That's really why there's not a single enterprise that we've encountered across the Fortune 1000 that has attempted to take on this challenge internally. Instead, they're working diligently to identify best-in-class partners to help them navigate this challenge."

flashpoint-platform-architecture.jpg
The Flashpoint Intelligence Platform

When you approach a prospective enterprise customer, who's your principal point of contact and what's the basic sales pitch?

"It can range from the heads of cyber-threat intelligence, fraud, insider threat or physical security, as well as being driven by conversations with the CISO or CSO. Three or four years ago you'd have to do a lot of education on what the deep and dark web holds, and why it matters from a risk perspective to the enterprise. Now, with so much publicity around Silk Road and front-page stories in prominent publications, as well as the evolutionary nature of the threat landscape, the conversation has moved beyond that educational component. Now it's around 'how can I access insight and intelligence from the deep and dark web to help better protect my footprint?'"

"A powerful vignette here is around the legal vertical: two years ago this was still very much in the evolutionary realm as far as proactive intelligence-oriented solutions were concerned. Now they see themselves increasingly in the cross-hairs of dedicated cyber criminals, who recognise that they are safeguarding a tremendous amount of sensitive information, as well as the pressure they're getting from their institutional clients -- whether they be large financial institutions, retailers, technology firms and so on. They've recognised that they need to have a proactive lens to understanding threats emanating from the deep and dark web, and that has increasingly become a 'must have' rather than a 'nice to have'."

What are the key features in the new Flashpoint Intelligence Platform 3.0?

"One aspect is the ability to plug into a vast array of finished intelligence reporting that provides a lens of the tactical and the strategic. Tactical examples include emergent malware, an emergent DDoS method, or an analysis of a large compromised database that's been dumped on the underground. A strategic report looks over the horizon, many months out, helping customers make more informed decisions as to what's going to be coming down the highway. A great example is the way we helped our financial customers in the US make more informed decisions about their impending roll-out of the EMV chip-and-pin technology, with different fraud communities across the globe, and how they were discussing various vulnerabilities and weaknesses they'd identified in that roll-out strategy. And complementing that is the ability to drill down into a deep and dark web search engine for their own research investigation and analysis, giving them access to corners of the web in a sanitised ecosystem that otherwise would be completely beyond their reach. Overlaying that is a dashboard where you can customise your view based on your vertical, your regions of interest, your topics of interest and so on."

What do you mean by a 'sanitised ecosystem'?

"When we say 'sanitised', we mean our technology is collecting data from the most relevant corners of the deep and dark web, that are inaccessible to traditional search engines and do not have the benefit of an API or an RSS feed attached to them -- whether those corners be malware communities, fraud communities, jihadist communities etcetera."

How easy is it to customise Flashpoint's platform so that it aligns with an organisation's particular focus?

"The customisation is extremely lightweight -- it's achieved via the dashboard that customers access at onboarding. They can also provide keywords that can be utilised for monitoring across the deep and dark web -- whether it be executive names, credit card BIN numbers, M&A project names and so on. We can be that 'radar' out on the deep and dark web looking for relevant mentions of those particular keywords."

What's the balance between machine-learning-style automation and human input in Flashpoint's platform?

"We see them as working hand in hand. We have a team of subject-matter experts who are speaking 15 different languages -- Russian, Mandarin, Farsi, Arabic, Turkish, French, German and more -- and they'll work side-saddle with our product and engineering team, who really automate as much of the intelligence process as possible, from the collection to the processing to the dissemination. As I mentioned earlier, we grew up as analysts with the acute pain of trying to do this in a manual way. The fundamental DNA of Flashpoint is, how can you automate as much as possible while recognising that it's unachievable to automate 100 percent, given the nature of the sources -- the slang and vernacular that's utilised, and so on."

Let's talk about the general state of the cybersecurity industry. There have been plenty of general warnings about ransomware and the Internet of Things, for example, over the last year or two -- but attacks like WannaCry, and Mirai still seem to strike with regularity and catch organisations unawares. How can Flashpoint help to turn the tide?

"When you look at the impact of an intelligence solution like Flashpoint, we're really going to have a balance of proactive and reactive. When you think about reactive, the goal, fundamentally, is how can you dramatically shorten the window between impact and detection? So whether it's helping a company understand that RDP access to its systems is being sold on the underground, or that a malicious insider is selling access to sensitive source code, or sensitive databases -- the goal with reactive reporting is to dramatically shorten that window. And then, of course, as frequently as possible you want to be left-of-incident, whether it's providing a heads-up to the exploitation of particular vulnerabilities such as those seen in WannaCry or Mirai. I think the reality is, the landscape is so incredibly complex, dynamic and multi-variable that no solution on earth is ever going to deliver 100 percent proactive coverage, but the goal is to be left-of-incident as much as possible, and then minimise that window between impact and detection as aggressively as possible on the other end of the spectrum."

Given that 100 percent protection is unlikely to be possible, isn't it essential that organisations become more resilient -- able to absorb the attacks that inevitably get through, without affecting business continuity?

"That's a great question, and in Q1 we've rolled out a small advisory services team to really help companies across the maturity spectrum think about building a threat intelligence programme. Here at Flashpoint we have the benefit of team members who have built and led programmes at organisations like Bank of America, PNC, Citibank, FIS Global, Deloitte, Hewlett-Packard and others, and so have deep expertise and experience in the trenches. And so whether it's 'how do I think about metrics and KPIs that I utilise for my vendor portfolio?', or 'what is the cadence and content of deliverables that I should be providing up to my CISO and beyond?' -- all of those are critical elements that help with leveraging the benefit of our experience in the seats that those folks are now sitting in."

Is this advisory component likely to become a bigger part of Flashpoint's portfolio going forward?

"Our core focus is as a product and technology company, but we certainly see an opportunity to assist customers who are either still in the process of standing up their intelligence programmes, or want to further optimise what they're currently building. We feel we're in a privileged position, given our deep expertise and experience in that realm, to be a trusted partner in doing so."

Flashpoint's offering depends heavily on human experts: is there enough cybersecurity talent out there for the company to achieve its growth targets?

"We think of building out our analyst cadre much as you build out an engineering team. You have a foundational base of seniors who are deep experts in their particular domains; then there's our analyst team with expertise in malware, DDoS methodologies, fraud, cyber-crime and so on; and then we tutor and mentor a cadre of more junior analysts who are coming out of school with maybe one or two years' experience. While they're not coming to the table with domain expertise, they are bringing the intangibles that make an analyst successful: intellectual curiosity; strong written and oral communication skills; the ability to piece together disparate data nodes into a coherent narrative; persistence and vigour -- as well as, in many cases, language skills. That's the way we look at it."

"The brutal reality is, there's a ferocious war for talent out in the security landscape: we've been fortunate to attract best-in-class talent across the organisation at Flashpoint, but we're certainly mindful from a scalability and professional development perspective that you have to have a pipeline of junior talent that you can mentor and tutelage."

Read more