Embracing Threat Informed Defense helps defenders sharpen their focus and improve cybersecurity risk posture.
Technology leaders today, more than ever, are facing increased budgetary pressure to reduce costs while continuing to provide the same or even better service to the business. The need to drive such efficiency is especially true even in business cost centers such as providing cyber security, which is historically well-suited for significant growth due to its critical importance to the business.
At least three things need to happen to improve an organization's cyber risk posture while reducing operational expenses;
- Be laser-focused, prioritizing investment in the most severe business risks and associated threats.
- Embrace and implement, or enhance automation wherever possible.
- Remove complexity, even if this requires a higher short-term capital expense.
Threat Informed Defense helps technology teams and business leaders achieve the above by using observable threat intelligence data to understand which threats are related to the identified business risk and help inform and automate decision-making. Having risk, threat, and control data in a structured format enables the business to answer frequently asked questions such as;
- What are the detective and preventative control coverage/effectiveness related to our most critical business threats?
- How confident are we that we could catch actor x in our environment in a reasonable amount of time?
- What value are we providing to our customers?
The above questions take time to answer in a repeatable and data-based manner. Thankfully Mitre and other cybersecurity community members have developed tools and frameworks to help implement and automate elements of a Threat Informed Defense program. Frameworks such as Mitre Attack™ are now well established and embraced by the cybersecurity industry, enabling a standard nomenclature to describe badness, rank and model threats, and measure coverage and effectiveness.
Mitre’s Attack Navigator can provide a visual representation of coverage or specific examples of threat actor campaigns.
Projects such as VECR can facilitate tracking purple team exercises, measuring detection and prevention capabilities across different attack scenarios from each offensive security exercise.
Understanding specific cybersecurity Threat Scenarios is only one part of understanding the cybersecurity posture of the business. Linking threats to business risks enables a direct value measurement. Documenting business risk including associated mission-critical business processes and mapping to cyber threats, allow companies to understand overall cybersecurity posture. Frameworks such as the Rapid Risk Assessment (RRA) have existing taxonomy and tools for conducting such a risk assessment.
The above tools and frameworks are especially helpful in performing risk analysis, determining engineering investment in new and existing controls, aiding in the planning and execution of offensive security exercises, and reporting to leadership on the organization's overall cybersecurity risk posture.