Imagine walking into a board meeting with a tool that shows your board exactly how protected the organization is, based on the investment they have allowed you to make.

Or, imagine getting a call from your CEO, who saw something on X (formerly Twitter) about the “threat of the day,” and being able to show immediately how protected the organization is from that threat with the resources you have in place.

These capabilities can give boards and CEOs confidence, from a governance perspective, that there is coverage. But more important now, with security budgets constrained, is the ability to see whether your defensive stack is up to the task, and if it is not, to show what steps the team can take to optimize defenses and what resources that will take – people, processes, and technology.

How can you make these scenarios a reality?

Staying Ahead of the Biggest Threats

Gartner talks about continuous threat exposure management (CTEM) as a strategy to prioritize whatever most threatens your business, and estimates the approach can help organizations reduce breaches by two-thirds over the next two years. With more than 70% of organizations feeling they’ve wasted 25-100% of their cybersecurity budget, it makes sense that CTEM is one of the top five cybersecurity trends for 2024. CTEM comprises multiple processes and capabilities, such as Breach and Attack Simulation (BAS) and Threat-Informed Defense (TID), that work together to advance your CTEM strategy.

BAS tools provide an important baseline function because they test and validate that your security controls are working against threat intelligence available in MITRE ATT&CK®. They are higher fidelity than purely analysis-based evaluation and have broader coverage than human-powered penetration testing and red teaming. BAS tools automate the process to provide faster, more accurate results and can be run repeatedly with dashboards and analysis for reporting of test results.

Illustrating Security Team Value and Investment Justification

Testing tool efficacy provides a critical function within CTEM, but you can’t stop there. To bring those boardroom and CEO scenarios to fruition, Threat-Informed Defense comes into play to help you optimize defenses and strategically manage exposure to threats.

Here are four steps security leaders can take with a TID approach to show how well the organization is protected, and what’s needed for improvement.

  1. Build on testing. Your test results may indicate that what you tested is working, but you still may not have everything you need to secure the organization, because threat actor tactics, techniques, and procedures (TTPs) are changing rapidly. Recent examples include Scattered Spider’s shift to SaaS and new techniques that came out of left field, the use of APT40 in new campaigns and new geographic regions, and Black Basta’s adoption of unusual TTPs to trick users into using a Windows feature to compromise the system. And what about the tools you didn’t test, and those that didn’t pass?
  2. Keep up with evolving threats. TID tools complement testing to help you assess your threat exposure across your entire defensive stack, not just select tools. Automatically mapping your existing security stack against a knowledge base that includes threat intelligence in MITRE ATT&CK, and other threat intel sources that are updated more frequently, provides a complete picture of how protected you are against the threat of the day.
  3. Understand your optimization options. Using insights derived by continually tracking different tools’ capabilities and how you have them deployed, coupled with intel on threats that matter most to your organization, a TID tool will provide recommendations for what to do next to optimize your defensive posture. You may learn that you can optimize what you already have with configuration changes or by adding internal resources to create a new custom rule or detection. Perhaps upgrading a security tool to a new version will provide the capabilities you need. Or you may genuinely have a gap you need to fill by adding a new tool to your arsenal.
  4. Complete the picture. As you make changes to your program, go back to testing. Validate that what you have done to optimize the organization’s defensive posture is working as planned and delivering the outcomes you want. Closing the loop will build momentum for your CTEM program and confidence in your team.
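As an added illustration of the mapping idea in step 2 (this is example code written for this page, not Tidal Cyber’s product or any vendor’s mapping), the script below inverts a constructed control-to-ATT&CK mapping, scores it against a constructed “threat of the day” profile, and lists both the uncovered techniques and the controls that play no role against that threat. The technique IDs are real ATT&CK identifiers; which control covers which technique, and the actor profile, are assumptions.

```python
"""Toy threat-informed coverage check: constructed data, not a vendor's mapping."""
from collections import defaultdict

# Constructed sample stack: ATT&CK technique IDs each deployed control is
# assumed to detect or prevent. The IDs are real ATT&CK identifiers; the
# control-to-technique claims are illustrative only.
DEFENSIVE_STACK = {
    "edr": {"T1059.001", "T1055", "T1003.001", "T1486"},
    "email_gw": {"T1566.001", "T1566.002"},
    "mfa": {"T1078", "T1110"},
    "waf": {"T1190", "T1505.003"},
}

# Constructed "threat of the day": TTPs attributed to a hypothetical actor.
THREAT_OF_THE_DAY = {
    "name": "hypothetical-actor",
    "techniques": {"T1566.002", "T1078", "T1621", "T1059.001", "T1486", "T1567.002"},
}


def build_coverage_index(stack):
    """Invert control -> techniques into technique -> controls."""
    index = defaultdict(set)
    for control, techniques in stack.items():
        for tid in techniques:
            index[tid].add(control)
    return index


def assess(stack, threat):
    """Score the stack against one threat profile and list the gaps."""
    index = build_coverage_index(stack)
    wanted = threat["techniques"]
    covered = {t: sorted(index[t]) for t in wanted if t in index}
    gaps = sorted(wanted - set(covered))
    ratio = len(covered) / len(wanted)
    # Controls that cover none of this threat's TTPs: candidates to review
    # for redundancy or retirement, not proof that they are useless.
    idle = sorted(c for c, ts in stack.items() if not ts & wanted)
    return {"covered": covered, "gaps": gaps, "ratio": ratio, "idle_controls": idle}


if __name__ == "__main__":
    report = assess(DEFENSIVE_STACK, THREAT_OF_THE_DAY)
    print(f"{THREAT_OF_THE_DAY['name']}: {report['ratio']:.0%} of TTPs covered")
    print("gaps to fill:", report["gaps"])
    print("controls idle against this threat:", report["idle_controls"])
```

Re-running the same check after a configuration change or a new detection rule is the "go back to testing" loop of step 4, with the gap list as the before/after evidence.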

Unlocking Resources

When you advance your threat exposure management strategy with a threat-informed defense, you can walk into that boardroom and easily illustrate how well you are protected – at any given time or against the threat of the day – and what you can do to improve.

  • You can show what you’re already doing to optimize existing investments and how changes made are reducing threat exposure.
  • You get the justification for why you need more support to invest in either people, processes, or technology to fill a gap.
  • You may even be able to show that there’s an opportunity to reallocate funds by eliminating redundancies and retiring tools.

Imagine that.

About the Author

Four Steps Security Teams Can Take to Unlock Resources In Budget-Constrained Environments

Jennifer Leggio is the Chief Operating Officer of Tidal Cyber, the leader in Threat-Informed Defense, and has nearly 24 years of experience in cybersecurity marketing, operations, strategy, and business development. Her specialties include build-to-exit, build-to-grow, and rebuild-for-strength strategies. She excels in storytelling and crafting content-driven, integrated programs that drive brand awareness and revenue generation. Beyond marketing, she has overseen financial growth strategy, investor relations, change management, supply chain optimization, sales operations and enablement, and deal desk management. Her most notable growth and exit ventures include Fortinet, Sourcefire (Cisco), Flashpoint, Claroty, and Infocyte (Datto).

In 2019, she was recognized by SC Media for advocating aggressively for ethical marketing programs and the protection of security researchers. She has also spoken on these topics at various industry events and conferences and continues to share her insights through articles, podcasts, and speaking engagements at DEF CON, RSA, the Gartner Security Summit, and elsewhere.

As a growth strategist, she advises startups and venture capital firms on achieving rapid and sustainable growth, earning a reputation as a game-changer in the industry. Jennifer can be reached online at [email protected] or on LinkedIn at https://www.linkedin.com/in/jenniferleggio/.

Source: www.cyberdefensemagazine.com
