Interview with Jason Hines

Editor’s Note: Additional information about Recorded Future appears in my interview with Christopher Ahlberg, April 5, 2011 at this link.

Recorded Future has compiled a remarkable record of firsts in the cyber OSINT sector. The company was the first to be jointly funded by Google and In-Q-Tel, the investment arm of the US government. The company was the first to move predictive analytics into the mainstream. The company was the first to make available reports about high profile events of interest to law enforcement and intelligence professionals available in the company’s intelligence analysis blog, the Threat Intelligence Blog.

For my research team and me, Recorded Future’s principal achievement has been bringing attention to the limitations of traditional information system processes and methods. In short, Recorded Future has allowed Google and other companies to move “beyond search.”

After the sale of Spotfire to Tibco, Christian Ahlberg, and Staffan Truvé founded Recorded Future in 2009. The engineers and scientists at Recorded Future wanted to address a specific problem that can’t be answered by keyword search: How can flows of real-time information be used to provide bits of information about the future. The shift is profound. While knowing what happened has some relevance for investigations, knowing what has a high probability of happening would be far more valuable.

The users of most information access systems assume that date and time data are available. That is not the case. One of the key innovations at Recorded Future has been the development of algorithms and parsing technology to identify dates at which events took place, the time when content became available, and implicit dates embedded within structured or unstructured data. The Recorded Future Temporal Analytics is not a semantic and brute force process like figuring out if a text is positive or negative. Making time components available to users allows law enforcement and intelligence professionals to evaluate data through time. Key events are related to other events and these are available within a time context. A typical Google search displays information without much emphasis on time. Recorded Future delivers the chronology of actions as part of the system’s predictive functions. Before Recorded Future’s system became available, chronology usually was assembled via a manual process.

In order to understand the structure, time, and metrics features of Recorded Future, I spoke in April 2015 with Jason Hines. He works from Recorded Future’s Washington, DC office. The full text of the interview appears below.

Jason, thank you for taking the time to meet with me. Let’s start with the basics. What’s your background?

I’m currently Global Vice President at Recorded Future but I joined as the first employee in 2009. Since then I’ve had an amazing time building, managing, and leading Recorded Future’s core commercial business with Global 1000 firms and leading government agencies. Most recently I had a chance to establish our partner program for threat intelligence service providers.

Before joining Recorded Future, I was at Google where I was an early employee on Federal Enterprise business team. Prior to Google, I was Principal Systems Engineer at Spotfire (now TIBCO), and I previously worked as a software engineer within the Intelligence Community, as well as within the Department of Defense.

Where did your interest in LE and intel originate?

I’ve been interested in information security since my high schools and college days when I spent an inordinate amount of time working my way into places I probably shouldn’t have been. My background has given me combination of strong technical grounding combined with great business experience working with the largest corporations in the world.

Where did you and your colleagues get the idea for your cyber OSINT service?

When our team set out about five years ago, we took on the big challenge of indexing the Web in real time for analysis, and in doing so developed unique technology that allows users to unlock new analytic value from the Web.

Today the vast majority of our customers are Global 1000 corporations, but in those early days the first customers were primarily government focused. I think we’ll continue to grow our business in both government and commercial areas proportionately.

How do you explain Recorded Future to a group unfamiliar with predictive analytics and temporal functions for OSINT?

I focus on the fact that Recorded Future provides information security analysts with real-time threat intelligence to proactively defend their organization from cyber attacks. Our patented Web Intelligence Engine indexes and analyzes the open and Deep Web to provide you actionable insights and real-time alerts into emerging and direct threats. Four of the top five companies in the world rely on Recorded Future.

How has your product evolved in the last few years?

A big challenge for us, and all threat intelligence providers I think, is providing information that’s “actionable.” A huge change in our business and product resulted from learning what information is truly actionable for our customers.

A Recorded Future interface makes it easy to spot key trend behavior. A click reveals additional data to the user who wishes to drill more deeply into the content or data.

Today we present every client with a library of templates for specific, actionable intelligence goals which can be configured and tailored within Recorded Future.

Does that mean your innovation trajectory is driven by your customers?

I have not thought about our engineering work in that way. But you are right. We spend significant time talking with our prospects and customers. If a specific type of feature or function is required, we try to implement that in our system. Unlike some analytics firms, we work hard to listen, understand, and adapt to the customer’s needs, not to our internal wish list of tasks.

What are the benefits to a licensee who uses your system for intelligence analysis?

Let me come at that in terms of our customers.

The benefits depend on your role within the organization. Let’s say you are an Information Security Analyst. Our system enables you to identify proactively, prioritize and mitigate emerging threats before they impact the organization. Customers tell us they are as much as 5 times more productive because they spending less time on data collection, manual reading and recurring monitoring.

If you’re a Security Director, Recorded Future helps your analyst teams collaborate more effectively in a common workspace, alert you to the most critical threats that really matter, and ensure your threat reports are not only visually compelling, but up to date. When it comes to security professionals we really enable them to become more proactive and intelligence-driven, improves threat response effectiveness, and helps inform the leadership and board on the organization’s threat environment. Recorded Future has beautiful interactive visualizations, and it’s something that we hear system administrators love to put in front of top management.

Why are cyber centric and content processing services important?

At Recorded Future we’re indexing the Web for threat intelligence analysis and our platform includes many ways to analyze this data. There are five categories we think about when it comes to organizing this data.

Would you highlight these points for me.

Of course. As I said we perform Real-time threat analytics. This means We provide dynamic analytics on actors, operations, vulnerabilities, and other indicators of compromise in full context.

Next we analyze Global threat visibility. This refers to our Internet-wide index of open and deep Web sources related to cyber threats, terrorism, geopolitical and social unrest, crime and violence, all continuously indexed and analyzed across seven languages.

Let’s see. The third capability is our historical threat baseline. The idea is that we provide turnkey access to a six-year archive with 7.6 billion data points (time-tagged facts) and growing, and all correlated and organized for threat intelligence. This is one of our services that has moved “beyond Google.”

Also, we make it possible to make use of intelligence-driven defense. We offer a common workspace that enables threat intelligence analysts to identify emerging threats, delivers enriched information for security/analytic team triage via comprehensive integration. The service provides investigative context for incident responders.

The final point I make is what we call “rapid time to insight.” Visually-rich, easy-to-use interfaces, tailored alerts, dynamic reports, tailored threat intelligence templates, and security integration and automation reduce the delay that other systems’ impose on a user. The user has to stop and figure out how to get an output from the system. We think we have gone a long way to eliminate this “how do I do this?” hurdle.

How do you manage customer expectations for your firm’s product/service?

One of the expectations we’re constantly managing is this idea of predictive analytics. If customers are looking for a crystal ball, we’re quick to point out that isn’t what we do. That said, I think we’re far ahead of the pack when it comes to early warning, and monitoring the horizon for truly new and emerging information.

Recorded Future uses a continuous pipeline architecture to deliver real time outputs to licensees.

How can a commercial enterprise like a pharmaceutical company or insurance company make use of your product/service?

Numerous large financial services firms use Recorded Future today and they are having great success. One large bank’s Director was recently quoted in the Wall Street Journal:

“We are increasingly looking outside our enterprise and attempting to be more predictive about threats. With tools like Recorded Future we can assess huge swaths of behavior at a high level across the network and surface things that are very pertinent to your interests or business activities across the globe. Cybersecurity is about predicting and understanding human behavior, and much of that is previewed on IRC channels, social media postings, and so on.” (http://blogs.wsj.com/cio/2015/01/07/an-optimistic-lens-on-cybersecurity/?KEYWORDS=recorded+future)

I think it does a great job summing up what we offer.

When did that appear in the Wall Street Journal?

I think it was in January. What’s remarkable is that the clients usually are reluctant to talk about our role in their security and analytics operations. We were surprised to read this statement.

How long does it take to get a Recorded Future system up and running?

Once the customer has received a brief training, set up time is five minutes. The only thing that’s required is a modern Web browser and an Internet connection. Ahead of the training we ask the customer to select the intelligence goals templates that are most compelling for their team, and from there it’s really very straightforward. I prefer to show our customers how to use the system, but it is enjoyable to answer the question, “How does the predictive math work?”

Can you estimate the cost of your product or service for its first two years of operation?

We have a variety of implementation and configuration options. Most contracts for enterprise implementation are in the six figures. We provide price quotes, and we are aware of the challenges of the funding procedures within commercial enterprise and governmental organizations.

What are the key differentiators for your firm’s cyber product or service?

That’s a good question.

I’d say actionable results.

We surface real-time information you can take action on. For example, if you were alerted as soon as an employee’s email and password were posted publicly, or your institution’s credit cards were for sale in a forum, or your closest partner’s intellectual property was being targeted by a hacktivist group next week- there are specific, proactive actions you can take to defend yourself via our system.

What are the broad areas of research which your firm is considering for your next generation product/service?

We’ve just released our first versions of integrations with popular log analyses tools like Splunk, as well as transforms provider Maltego. The response has been overwhelmingly positive and customers want more. We’re already working on the next version of these integrations. Customers who want the “single pane of glass” are really pleased.

What about the Dark Web?

We’re also doing more deep Web analysis than we’ve ever done before. Our CTO and Co-Founder, Staffan Truvé, PhD, recently gave a talk at the Kaspersky Analyst Summit on these dark corners of the Web which offer new sources of information.

I also want to mention that we are experimenting with offers geared for small businesses who don’t have any threat intelligence capability, but still desperately need these capabilities. In these cases we’ll often work with one of our partners who can provide the analyst reach back services.

What are the trends having a direct impact on your firm’s product or service?

I think that the interest in cyber OSINT is growing. Your seminar demonstrated that there is significant interest in the field.

How do you think automated threat detection and collection will evolve?

It seems that the interest is growing. As customers voice their needs, our company and others will continue to innovate. This will expand the market for us and others.

What industry is seeing the most rapid adoption of this type of technology?

Based on my conversations in the last six to nine months, interest is coming from many different business types.

How does an interested party contact your firm?

The best way to reach us is via our web site: recordedfuture.com.

ArnoldIT Comment

Recorded Future is an excellent example of a next generation information access company. The firm’s technology harnesses the math-centric approach of Autonomy, which preceded Recorded Future by 15 years. But Recorded Future moved information access to the next level with the inclusion of time-centric functions which provide for more advanced natural language processing.

Recorded Future’s technology pulls from OSINT the people, places and activities mentioned in source documents. The system scrutinizes the extracted events performing spatial and temporal analysis. It aggregates the positive/negative sentiment in the text. Recorded Future uses statistical and artificial intelligence techniques to discover relationships between and among people, events, and concepts.

Recorded Future has been a disruptive company. The firm has a solid base of customers among the Global 1000, and governmental entities in the US and in Europe. With the support of In-Q-Tel, Recorded Future is going to find similar interest among US law enforcement and intelligence agencies as well as commercial enterprise. The future of Recorded Future looks bright.

Stephen E Arnold, April 21, 2015