Determining your top threats is not rocket science -- and the effort will pay off in successful mitigations

Imagine your friend's house is broken into over and over. Each time the intruder gains entry by smashing a window. In response, your friend notices that his door locks aren't Bluetooth-enabled or biometric, so he buys intelligent door locks for his house. He is surprised, over and over, that no matter how much he upgrades his door locks and how many other door locks he installs, thieves continue to break in through a window. Sound insane?

This type of scenario plays out over and over in most companies today. No matter how often bad guys and malware keep breaking in, companies keep spending millions of dollars fixing and fighting the wrong issues. Sometimes the obvious isn't obvious until someone else points it out. Billionaire Warren Buffett is famous for telling people to buy low and sell high. Apparently that's hard advice to follow, because tens of millions of people sell their investments at a loss whenever a temporary panic sets in.

Here's my advice for vastly improving your computer security defense: Defend against whatever has been most successful at breaking into the systems you manage. It's that simple. Don't get distracted by the latest gee-whiz technology and the myriad other projects that people try to get you involved in. If you want to be a better defender, figure out how your company is getting compromised, especially the root causes behind the initial entries, and mitigate those issues.

Unfortunately, this advice can be hard to put into practice in a complex environment with many distractions. How do you fix the window instead of the door? Here's a four-step plan:

1. Dig into threat intelligence

Threat intelligence is all the incoming data that you or your company analyze to determine which threats to worry about. Unfortunately, with 15 new threats coming at you every day, it's hard to figure out where to place your concerns.

Here's my take: Turn your attention to what has already happened to you. Contrary to popular belief, most adversaries are not super hacking experts. Most like using what has worked in the past, and they'll go with the same program and technique over and over until it has no more utility. Past behavior is one of the best predictors of future behavior. Plus, if your company is hacked a lot because of a particular unpatched program or another technique, this usually reveals a gap that needs extra attention. The most important threat intelligence isn't a vendor's threat "feed." It's your own data. Start locally before thinking globally.

Next, pay attention to what's happening around you. Have some of your competitors or partners been attacked by a particular hacking group? What are they seeing? Then, finally, you can start thinking about the popular global attacks that are hitting every company. But remember: Your own data is the best threat intelligence feed.

2. Use threat monitoring and detection

To ensure you're getting the best local threat intelligence, you have to make sure your company is actually detecting malicious activity. I know plenty of companies that wonder why they haven't been attacked by an advanced persistent threat (APT) when nearly everyone else in the world has. I have a clue for them: You've been compromised, but you're not looking in the right places. Survey after survey reveals that most companies had the data they needed to detect malicious hacking, but didn't look at it. They set up event logging and forgot it.

While you need an enterprise-wide threat detection plan, as with threat intelligence, start with your own experience. What would it take to detect those things? If you can detect what has successfully compromised your company in the past with a high degree of proficiency, then you've gone a long way toward a successful threat detection program.

Lastly, if you tell me that you track billions and billions of events, I'm not impressed. Those are billions and billions of useless events. It's almost all noise. I'm more impressed if you tell me that you have defined one to two dozen events that always indicate maliciousness. Less is more in the threat detection world.

3. Communicate!

Once you've identified likely threats and how to detect them, communicate what you've discovered throughout the enterprise. I'm always surprised that almost no one, even on the IT security team, understands the top threats. If neither the security team nor the enterprise knows, how can you fight the badness? The answer: You can't.

Once you've identified the top threats, distribute a ranked list to everyone, including all users and senior managers. You'll be surprised by how much help you'll get in the right places if you alert everyone to the main problems. Threat intelligence kept secret does no one any good.

4. Measure mitigation success

When you've identified the top threats and spread the word, encourage everyone to think about and select mitigations. In fact, I would analyze every IT security project and rank them according to how well they help mitigate the top threats you've identified — no use in spending money on projects that fail to minimize or stop the top threats.

Hold mitigations and their sponsors accountable. If someone said X product would stop Y threat, and you spent money on it, measure its success in doing what it said it could do. This is not about admonishing people for choosing the wrong implementations. It's simply part of the process for figuring out why it was the wrong choice. Only by examining your mistakes can you improve future projects.

5. Put it all together

The most intelligent threat intelligence yields successful mitigations. It's not enough to report what you found out. Threat intelligence needs to be part of making sure the right things are deployed in the right places. Someone on the IT security team needs to make sure that root causes are addressed by the mitigations. Someone needs to understand the whole process — and speak up and correct mitigations that have little impact on top problem areas. Obvious, right?
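The steps above, worked through in code as an added example that is not part of the article: the incident records and project proposals are constructed, and the functions rank root causes from your own incident history (step 1), score each proposed project by how much of that history it would have covered (step 4), and compare incident counts before and after a mitigation was deployed (step 4 accountability).

```python
from collections import Counter
from datetime import date

# Constructed incident records (not real data). Each is one confirmed compromise,
# tagged with the root cause of the initial entry: the "window" the intruder used.
INCIDENTS = [
    {"id": 1, "date": date(2024, 1, 9),  "entry": "unpatched browser plugin"},
    {"id": 2, "date": date(2024, 1, 22), "entry": "phished credentials"},
    {"id": 3, "date": date(2024, 2, 3),  "entry": "unpatched browser plugin"},
    {"id": 4, "date": date(2024, 2, 17), "entry": "unpatched browser plugin"},
    {"id": 5, "date": date(2024, 3, 5),  "entry": "phished credentials"},
    {"id": 6, "date": date(2024, 3, 20), "entry": "exposed admin interface"},
    {"id": 7, "date": date(2024, 4, 2),  "entry": "unpatched browser plugin"},
    {"id": 8, "date": date(2024, 4, 28), "entry": "phished credentials"},
]

# Constructed project proposals with the entry vectors each one claims to mitigate.
PROJECTS = [
    {"name": "smart door locks (MFA for VPN only)", "cost": 250_000, "mitigates": {"stolen VPN token"}},
    {"name": "patch management for browsers", "cost": 40_000, "mitigates": {"unpatched browser plugin"}},
    {"name": "phishing-resistant MFA for all users", "cost": 120_000, "mitigates": {"phished credentials"}},
]

def rank_threats(incidents):
    """Step 1: your own incident history is the threat feed; rank root causes by count."""
    return Counter(i["entry"] for i in incidents).most_common()

def rank_projects(projects, incidents):
    """Step 4: score each project by the share of past incidents its mitigations cover."""
    counts = Counter(i["entry"] for i in incidents)
    total = len(incidents)
    scored = [(p["name"], sum(counts[v] for v in p["mitigates"]) / total, p["cost"])
              for p in projects]
    # Highest coverage first; among equals, the cheaper project wins.
    return sorted(scored, key=lambda s: (-s[1], s[2]))

def mitigation_effect(incidents, entry, deployed_on):
    """Step 4, accountability: incidents via one entry vector before vs. after a deployment."""
    before = sum(1 for i in incidents if i["entry"] == entry and i["date"] < deployed_on)
    after = sum(1 for i in incidents if i["entry"] == entry and i["date"] >= deployed_on)
    return before, after

if __name__ == "__main__":
    for entry, n in rank_threats(INCIDENTS):
        print(f"{n}x  {entry}")
    for name, share, cost in rank_projects(PROJECTS, INCIDENTS):
        print(f"{share:.0%} of past incidents covered, ${cost:,}: {name}")
    print(mitigation_effect(INCIDENTS, "unpatched browser plugin", date(2024, 3, 1)))
```

Run against the constructed data, the expensive "door lock" project scores zero because nothing in the incident history entered that way, which is exactly the mismatch the article warns about.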