The NCAA Tournament ended just a few days ago and the pain or exuberance, depending on your bracket picks, is still fresh. As I watched hours of college basketball, I was struck by something the most successful teams have in common: they don’t get distracted by all 67 other teams in the tournament or even all the teams in their bracket. If they tried to prepare for every potential opponent, they’d get nowhere fast. Instead, to increase their chances of moving to the next round, they focus on what’s high priority and prepare for the team they’re immediately up against. They study the film to understand who the scoring threat is, and the defensive threat. They also know their own strengths and weaknesses and adapt their game plan appropriately.
As security professionals, we need to think about the threat landscape we face in much the same way. We need to move away from an “us against the world” perspective, which is inefficient and ineffective. Instead, we need to focus on a very specific world – our threat landscape. These three steps can help.
1) Tailor external threat data to you. Your view of the threat landscape consists of generic threat data that includes the signature updates you get from the defenses you use every day. These updates provide protection against the “known bad” or background noise every organization faces. You probably also consider Open Source Intelligence (OSINT) sources that offer free threat data that can provide valuable insights but also include noise.
To increase the level of personalization in threat feeds, you also should include:
• Geographic and industry-specific data provided by national/governmental Computer Emergency Response Teams (CERTs) and Information Sharing and Analysis Centers (ISACs) organized by industry.
• Commercially available threat feeds that provide more details on adversaries, their targets and their tools, techniques and procedures (TTPs).
• Threat data based on your supply chain and other third parties in your ecosystem, that adversaries may be actively targeting and can potentially use as stepping stones to infiltrate your organization.
2) Filter further based on your internal landscape. More specific external threat data is great, but the volume of data still becomes overwhelming. You need to start to pinpoint the data that’s relevant by analyzing threats and campaigns within the context of your current security infrastructure, security configuration and your overall organization. For example, you learn of a spear phish campaign that is targeting HR or finance departments within your industry. Or you hear of a ransomware attack that takes advantage of a specific vulnerability or mis-configuration to infiltrate organizations. By mapping that intelligence to your security infrastructure, configurations and personnel you can determine relevance and if you need to take action, like prioritize a specific patch, update certain settings or a conduct security awareness training.
3) Prioritize based on your risk profile. Every organization has a certain amount and type of risk it is willing to accept. Understanding your risk profile allows you to zero in on the threats that your organization considers high priority. With the ability to customize risk scores based on your own set of scoring parameters you can stay focused on what’s relevant. Automatically prioritizing and reprioritizing as the external and internal landscape changes, allows you to focus your resources and continuously adapt your security strategy.
Like the teams that progress through to the NCAA National Championship, you’ve now pared down “the threat landscape” to “your threat landscape” and set yourself up for success. When security operations are based on a foundation that includes focusing on the threats that are high priority and knowing your strengths and weaknesses, the odds are in your favor.