Episode #105

Marsh McLennan's Casey Beaumont on Vendor Breach Assessments That Cut through Legal Games

When Casey Beaumont's entire CTI team departed just before new analysts started, she found herself running threat intelligence solo for months while directing incident response, threat hunting, and red team operations. That trial by fire taught her exactly what separates tactical intelligence from strategic value, and why the best analysts invest significant personal time building trust networks that enterprise tools cannot replicate.

Casey's teams at Marsh McLennan, where she’s the Director of Advanced Cyber Practices, received warnings about Scattered Spider infrastructure 20 minutes after domains registered, before threat actors sent a single SMS phishing message to employee cell phones. That early intelligence enabled blocking domains internally and preparing communications before the first report came in. These private intel networks, built through years of trust and after-hours engagement, consistently deliver the warnings that matter most for large enterprises facing sophisticated, targeted attacks.

Beyond tactical response, Casey explains how her CTI program produces strategic intelligence that drives architectural decisions. She also shares her framework for vendor breach assessments that cuts through legal wordplay, why attribution matters far less than response speed during active incidents, and how to scope a CTI team's mission appropriately to prevent analyst burnout in organizations with massive attack surfaces.

Topics discussed:

  • Managing unified teams of CTI, threat hunting, red team, and incident response to eliminate resource allocation friction during active incidents and supply chain events.
  • Building private intelligence networks that deliver infrastructure warnings within 20 minutes of threat actor activity.
  • Transitioning from tactical incident response to strategic CTI leadership and learning analyst tradecraft through necessity when running solo.
  • Conducting vendor breach assessments using four critical questions about control gaps, persistence, data exposure, and remediation plans.
  • Evaluating intelligence relevance at large enterprises with complex environments where shadow IT, acquisitions, and distributed technology create unclear exposure.
  • Why vendor breaches should not automatically disqualify partnerships and how strong vendor relationships enable influence over authentication improvements and security controls.
  • Producing strategic CTI that drives architectural investment decisions by documenting systemic risks across technology ecosystems rather than isolated incidents.
  • Understanding CTI stakeholder needs through deliberate interviewing to prevent analysts from producing reports that leadership ignores.
  • Sharing unattributed intelligence with law enforcement that enabled warnings to seven or eight fully breached companies with no awareness of compromise.
  • Why leadership overemphasizes attribution during active incidents when tactical response and containment should take priority.
  • How great CTI analysts invest significant personal time building professional brands, attending conferences, and earning trust in private intelligence communities.

Key Takeaways:

  • Consolidate CTI, threat hunting, red team, and incident response under unified leadership to eliminate resource allocation friction during active supply chain incidents and targeted attacks.
  • Conduct vendor breach assessments using four critical questions: what control gaps enabled the breach, does the actor maintain persistence, what client data was exposed, and what remediation plans address root causes.
  • Identify vendor evasiveness during breach discussions by listening for careful language around product names that insinuates limited scope while obscuring broader organizational compromise.
  • Produce strategic CTI reports that document systemic risks across technology ecosystems rather than isolated incidents to give executives justification for architectural investment decisions.
  • Interview CTI stakeholders systematically to understand what intelligence formats and content they need before analysts waste time producing reports that leadership ignores.
  • Scope CTI team mission to specific focus areas like tactical threats and supply chain rather than attempting comprehensive coverage of vulnerabilities, geopolitics, and fraud with limited staff.
  • Share unattributed threat intelligence with law enforcement partners when legal and privacy teams approve to enable warnings for other breached organizations unaware of compromise.
  • Deprioritize threat actor attribution during active incident response unless conclusive evidence enables tactical pivots, focusing instead on containment and remediation before forensic analysis.
