The CYBER5 is hosted by Landon Winkelvoss, Co-Founder at Nisos, and features cybersecurity and investigations industry leaders' thoughts and answers to five questions on one topic on actionable intell...
FAQs about the CYBER5:
How many episodes does the CYBER5 have?
The podcast currently has 91 episodes available.
October 29, 2020
State of the Cyber Threat Intelligence Industry
Episode 30 of the podcast covers current trends in the cyber threat intelligence industry.
Q1: (01:21) From your cyber threat intelligence research, what were the primary categories of CTI vendors?
Q2: (04:30) You classified 13 TIP vendors and 34 solution vendors. As you know, many research firms have stated that CTI vendors often have very different access, so it is not uncommon for a large enterprise to have numerous data feeds or solution vendors, as you describe them. Are you seeing a balloon effect from too many solution vendors? Is it becoming too much noise?
Q3: (08:02) You indicate the growth of some companies in your research. What key factors do you see as tangible reasons for growth as it relates to providing customer value? Any reasons why you saw the reverse effect?
Q4: (09:40) If you were a CISO for a medium-sized business and had to be lean in threat intelligence, how would you advise them to spend after they read your report?
Q5: (12:22) Where do you see the future of the threat intelligence industry going? Do you see the potential for managed services to disrupt the market?
Duration: 19 min
October 14, 2020
Directors and Officers View of Mission-Critical Privacy and Cybersecurity Issues
Episode 28 of the podcast covers a director's and officer's view of mission-critical privacy and cybersecurity issues.
Q1. (03:13) What are the NACD's guiding principles for effective cyber-risk oversight? Do boards actually follow these principles?
Q2. (08:50) With regard to governance and cyber risk management frameworks, when a cyber incident occurs, what are companies doing right and wrong in addressing this interplay?
Q3. (12:57) What role do these principles play with D&O insurance?
Q4. (16:16) How detailed have you seen boardrooms get on how to classify risks?
Q5. (21:13) Understanding that security incidents are inevitable, how do you advise clients to work with outside experts? Should everything that relates to a potential vulnerability that may result in a future breach be under privilege?
Duration: 28 min
October 08, 2020
Defining Selectors in the World of Digital Crime
Episode 27 of the podcast covers important attributes and characteristics of selectors critical to investigating digital crime, including data engineering considerations that facilitate quicker and more accurate analytical assessments.
(00:40) Question 1: In the world of digital crime, what do you define as a selector?
(08:02) Question 2: What is the importance of these selectors from an analytical perspective? What are the properties and values of various kinds of selectors?
(11:38) Question 3: How do you grade the value of a selector, and what are some investigative use cases?
(18:56) Question 4: From a data engineering perspective, how should we think about aggregating data so that analysts can query for selectors of interest?
(29:31) Question 5: What business problems do you solve through these definitions, and how are selectors evaluated in the process?
Duration: 39 min
October 01, 2020
Appropriate Security Tools and Log Aggregation at Scale for Medium-Size Enterprise
Episode 26 of the podcast covers important tools that give security teams a fighting chance to catch bad actors in the environment before they have met their collection and compromise objectives.
(01:07) Question 1: Organizations are never as well resourced as adversaries. What are the technical tactics that really underpin everything advanced adversaries do in a network environment (gaining a foothold, lateral movement, etc.; see MITRE ATT&CK, for example)?
(02:13) Question 2: What is your general guidance for being lean in cybersecurity defense in a way that gives security teams an advantage over well-resourced adversaries? Sub-question: Some say that organizations with limited resources should prioritize and "move left" on the MITRE ATT&CK framework and focus on initial access and execution, because if they try to focus on signatures and behaviors associated with collection and command and control (LOLBINs, WMI, etc.), it gets far too complicated for an organization. Do you agree or disagree?
(05:01) Question 3: Odds are, the place a bad actor lands within an organization's network is not the place they need to be to achieve their operational and collection objectives. They will need to move around, and at some point that movement will not look natural. What tooling (including threat intelligence) should be prioritized to trigger on anomalous activity for medium-sized organizations?
(10:09) Question 4: An adversary's chance of being detected increases with time, and it is important to collect the logs that matter. What strategies have you used for implementing log aggregation at scale to reduce noise and reduce the time it takes a SOC to detect and respond to actual bad events?
(12:00) Question 5: From a readiness and testing perspective, with many companies going to the cloud, what are the most effective testing mechanisms? Is escalating to domain administrator less important to protect against?
Duration: 15 min
September 24, 2020
Cybersecurity Blocking, Tackling, and Intelligence Use for Medium-Sized Enterprise
Episode 25 of the podcast covers important blocking-and-tackling steps to take in information security for smaller mid-sized organizations, and where threat intelligence can be applied in a focused manner.
(01:22) Question 1: Being in the telco space, there is an infinite amount of resources that large companies have at their disposal. What are the primary disciplines or categories you've used to define blocking and tackling for small enterprise?
(03:15) Question 2: What tools and logging are critical for you to maintain in the case of an incident, and how do you weigh the risk vs. cost?
(05:10) Question 3: What kind of threat keeps you up at night, and how do you take measured and appropriate steps to combat those threats?
(06:40) Question 4: When you've conducted M&A activity, what are the critical items you review from a security perspective? Anything you wish you had done differently from a security perspective?
(09:45) Question 5: Understanding that small enterprise needs to be lean, where can intelligence that alerts on and mitigates risk overall be useful?
Duration: 14 min
September 17, 2020
How Much Intelligence Does a CISO Need?
Episode 24 of the podcast covers common outcomes with cyber threat intelligence and some common pitfalls with implementation.
(00:50) Question 1: When talking with CISOs, what is the right narrative for clients in terms of investing in intelligence?
(01:39) Question 2: What are some common risk-based outcomes you try to contextualize for CISOs? What actions can be taken from those?
(06:05) Question 3: When you are talking to a CISO who has their budget front of mind, where do you tell them to spend in threat intelligence? What intelligence delusions do you see in this space?
(10:00) Question 4: When dealing with threat intelligence platforms, what are some considerations to keep in mind for implementation?
(12:50) Question 5: What metrics have you driven in other security programs that show progress? For example, many SOCs use time to detect and time to respond as metrics. Do you build on that with threat intelligence and/or go much further?
Duration: 20 min
September 10, 2020
Using Automation for Stronger Cyber Threat Intelligence, Red Team, and Blue Team Collaboration
Episode 23 of the podcast covers automation for stronger cyber threat intelligence, red team, and blue team collaboration.
(01:25) Question 1) Explain the difference between attack simulation techniques and MITRE ATT&CK techniques, and elaborate on which is more useful for a blue team.
(03:04) Question 2) Is an attack simulation more useful to a blue team than threat intelligence?
(06:27) Question 3) In your opinion, should MITRE ATT&CK start incorporating red team techniques into their framework(s)? Why or why not?
(07:56) Question 4) What role can automation play in better remediating between numerous stakeholders following a red team? What are some of the challenges with automating behavior as well as malicious adversary tools and TTPs? Is it difficult to automate specific cyber actors?
(16:53) Question 5) How can red teams and threat intelligence teams combine their skill sets and efforts more efficiently?
Duration: 23 min
September 03, 2020
Ransomware Negotiations, Threat Intelligence, and Risk Management
Episode 22 of the podcast covers ransomware negotiations, threat intelligence, and the role risk management plays in corporate enterprise following ransomware events.
(01:22) Question 1: What are the defensible conclusions that companies can use with legal counsel to avoid disclosures after ransomware events? Secondly, what are some of the details behind the uptick in public release requests?
(04:55) Question 2: Describe the details behind ransomware negotiations.
(07:03) Question 3: Describe how threat intelligence and investigations outside the firewall can assist your team in incident response investigations.
(07:56) Question 4: Ransomware results from an attacker's ability to move laterally in an environment to meet their collection objectives. After the breach, how do these scenarios play out from a corporate governance perspective?
(12:30) Question 5: How can threat intelligence and risk management programs help prioritize these efforts to avoid future breaches?
Duration: 15 min
August 27, 2020
The Evolution of Disinformation in the US and UK
Episode 21 of the podcast covers the role disinformation plays in the United Kingdom compared to the United States, and the rising threat of disinformation to the enterprise.
(02:37) Question 1: Provide us some background on your research and academic work.
(03:57) Question 2: How has this research helped you conduct your threat intelligence research?
(08:39) Question 3: Can you give us some examples where disinformation has influenced the Brexit narrative, and are there more similarities or differences to the influence disinformation has had on the political narrative in the United States?
(16:06) Question 4: Where do you see the future of disinformation going, both on the political landscape and the enterprise landscape?
(19:32) Question 5: What should countries and even businesses be doing to combat disinformation?
(23:43) Bonus Question: Does attribution matter in disinformation campaigns?
Duration: 27 min
August 20, 2020
Legal Ramifications of Vulnerability Disclosure
Episode 20 of the podcast covers a discussion of the business and legal implications of vulnerability disclosure.
(01:23) Question 1: How would you advise clients/companies to react to security researchers with knowledge of a vulnerability when they contact the organization? Should companies treat this as incident response?
(03:39) Question 2: What kind of business and legal issues do those disclosures pose? How should companies weigh the risks?
(06:17) Question 3: How should security researchers think about approaching companies with vulnerability disclosures?
(10:40) Question 4: With regard to disclosure, what should organizations say and not say, and to whom? Can those disclosures be coordinated with the white hats who bring the CVEs to them? What's the best way to get ahead of the media's desire to shine a light on these issues as news items?
(14:09) Question 5: Are there any helpful case studies for our listeners to delve into, i.e., where in your practice have you seen this work out well for clients and not so well?
Duration: 20 min