FROM ATTACKS TO ACTION - BUILDING A USABLE THREAT MODEL TO DRIVE DEFENSIVE CHOICES

By any historical standard, it would be fair to call today the "Golden Age Of Threat." As defenders, never before in our history have we known so much about bad guys, vulnerabilities, attacks, incidents, tradecraft, exploitation, etc. And it has become its own fast-rising industry of threat feeds, alerts, intelligence reports, standards, and tools.

But the sharing of threat intelligence is not a miracle cure. In fact, threat sharing is just the means to an end - we need a way to translate this information into specific and scalable defensive actions we can each take to prevent or manage these attacks in the first place.

The non-profit Council on CyberSecurity has taken a community approach to this problem, working with numerous companies and individuals who analyze attacks and adversaries for a living, and then translating that knowledge into defensive actions that are captured in the Critical Security Controls.

We'll describe how this has evolved from informal brainstorming among trusted friends, to a community data call, to mapping from a single authoritative source (the Verizon Data Breach Report in 2013) to the Controls, to inclusion of numerous authoritative threat and incident sources, to building a consistent and efficient community workflow. We'll also discuss how such an approach naturally synchronizes with various Risk Management Frameworks, including the Executive Order Cybersecurity Framework from NIST.

This approach gives you value from information you don't have time to read, experts you'll never meet, insight you can't develop alone, and most importantly a translation to action that you must take in order to survive.

As long as the bad guys are beating up on us, we might as well learn something from it.
