The NCAA Tournament ended just a few days ago and the pain or exuberance, depending on your bracket picks, is still fresh. As I watched hours of college basketball, I was struck by something the most successful teams have in common: they don’t get distracted by all 67 other teams in the tournament or even all the teams in their bracket. If they tried to prepare for every potential opponent, they’d get nowhere fast. Instead, to increase their chances of moving to the next round, they focus on what’s high priority and prepare for the team they’re immediately up against. They study the film to understand who the scoring threat is, and the defensive threat. They also know their own strengths and weaknesses and adapt their game plan appropriately.
As security professionals, we need to think about the threat landscape we face in much the same way. We need to move away from an “us against the world” perspective, which is inefficient and ineffective. Instead, we need to focus on a very specific world – our threat landscape. These three steps can help.
1) Tailor external threat data to you. Your view of the threat landscape starts with generic threat data, including the signature updates you get from the defenses you use every day. These updates provide protection against the “known bad,” the background noise every organization faces. You probably also consume Open Source Intelligence (OSINT) sources that offer free threat data; these can provide valuable insights but also carry a lot of noise.
To increase the level of personalization in threat feeds, you also should include:
• Geographic and industry-specific data provided by national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry.
• Commercially available threat feeds that provide more details on adversaries, their targets and their tools, techniques and procedures (TTPs).
• Threat data based on your supply chain and other third parties in your ecosystem that adversaries may be actively targeting and can potentially use as stepping stones to infiltrate your organization.
2) Filter further based on your internal landscape. More specific external threat data is great, but the volume of data still becomes overwhelming. You need to pinpoint the data that’s relevant by analyzing threats and campaigns within the context of your current security infrastructure, security configuration and your overall organization. For example, you learn of a spear phishing campaign that is targeting HR or finance departments within your industry. Or you hear of a ransomware attack that takes advantage of a specific vulnerability or misconfiguration to infiltrate organizations. By mapping that intelligence to your security infrastructure, configurations and personnel, you can determine relevance and whether you need to take action, such as prioritizing a specific patch, updating certain settings or conducting security awareness training.
3) Prioritize based on your risk profile. Every organization has a certain amount and type of risk it is willing to accept. Understanding your risk profile allows you to zero in on the threats that your organization considers high priority. With the ability to customize risk scores based on your own set of scoring parameters, you can stay focused on what’s relevant. Automatically prioritizing and reprioritizing as the external and internal landscape changes allows you to focus your resources and continuously adapt your security strategy.
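The three steps above, carried through in code as an added illustration (this is not ThreatQuotient’s code or any real product logic): a constructed external feed is filtered against a constructed internal landscape (industry, region, exposed departments, unpatched weaknesses, suppliers), scored with weights that stand in for an organization’s risk profile, and re-ranked when the internal landscape changes. The feed records, the organization data, the weights and the CVE placeholder are all invented.

```python
"""Pare 'the threat landscape' down to 'your threat landscape'.
Added illustration, not the column's or any vendor's code; every value below is constructed."""

# Step 1 (constructed feed): records carry industry, region, targeted function,
# exploited weakness, implicated supplier and the kind of source they came from.
FEED = [
    {"id": "C-1", "industries": {"retail", "finance"}, "regions": {"US"},
     "targets": {"finance"}, "cves": set(), "suppliers": set(), "source": "isac"},
    {"id": "C-2", "industries": {"any"}, "regions": {"any"}, "targets": set(),
     "cves": {"CVE-XXXX-PLACEHOLDER"}, "suppliers": set(), "source": "commercial"},
    {"id": "C-3", "industries": {"logistics"}, "regions": {"EU"}, "targets": set(),
     "cves": set(), "suppliers": {"acme-logistics"}, "source": "osint"},
    {"id": "C-4", "industries": {"any"}, "regions": {"any"}, "targets": set(),
     "cves": set(), "suppliers": set(), "source": "osint"},  # background noise
]
# Step 2 (constructed internal landscape): who we are and where we are exposed.
ORG = {"industry": "retail", "region": "US", "departments": {"finance", "hr", "it"},
       "unpatched_cves": {"CVE-XXXX-PLACEHOLDER"}, "suppliers": {"acme-logistics"}}
# Step 3 (constructed risk profile): weight per relevance factor and per source type.
WEIGHTS = {"industry": 2.0, "region": 1.0, "department": 2.0, "exposed_cve": 4.0,
           "supplier": 3.0, "source": {"isac": 1.5, "commercial": 1.2, "osint": 0.5}}


def relevance(rec, org):
    """Step 2: the internal facts that tie a record to us. A record that only
    says 'any' has no personal relevance and yields no hits."""
    hits = set()
    if org["industry"] in rec["industries"]:
        hits.add("industry")
    if org["region"] in rec["regions"]:
        hits.add("region")
    if rec["targets"] & org["departments"]:
        hits.add("department")
    if rec["cves"] & org["unpatched_cves"]:
        hits.add("exposed_cve")
    if rec["suppliers"] & org["suppliers"]:
        hits.add("supplier")
    return hits


def score(rec, org, weights):
    """Step 3: weighted relevance, scaled by how much the source is trusted."""
    hits = relevance(rec, org)
    if not hits:
        return 0.0  # filtered out: nothing connects it to our landscape
    return round(sum(weights[h] for h in hits) * weights["source"][rec["source"]], 2)


def prioritize(feed, org, weights):
    """Ranked (id, score) list; rerun whenever the feed or the organization changes."""
    ranked = sorted(((score(r, org, weights), r["id"]) for r in feed), reverse=True)
    return [(rid, s) for s, rid in ranked if s > 0]
```

Rerunning `prioritize` with the placeholder CVE removed from `unpatched_cves` drops the ransomware record to zero, which is the automatic reprioritization the third step describes.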
Like the teams that progress through to the NCAA National Championship, you’ve now pared down “the threat landscape” to “your threat landscape” and set yourself up for success. When security operations are based on a foundation that includes focusing on the threats that are high priority and knowing your strengths and weaknesses, the odds are in your favor.

Marc Solomon is Chief Marketing Officer at ThreatQuotient. He has a strong track record driving growth and building teams for fast growing security companies, resulting in several successful liquidity events. Prior to ThreatQuotient he served as VP of Security Marketing for Cisco following its $2.7 billion acquisition of Sourcefire. While at Sourcefire, Marc served as CMO and SVP of Products. He has also held leadership positions at Fiberlink MaaS360 (acquired by IBM), McAfee (acquired by Intel), Everdream (acquired by Dell), Deloitte Consulting and HP. Marc also serves as an Advisor to a number of technology companies, including Valtix.