Question: I'm an IT person in a midsize company without a security staff. I'm concerned about all the cyberthreats I hear about, but I don't know where to get new threat information or how to determine which threats might affect my specific organization. Can you help?
Paul Kurtz, co-founder & CEO of TruSTAR: In an ideal world, every company would build and maintain a threat model unique to that company based on its business profile, assets, operation location, etc. However, this a challenge even for large, mature teams to accomplish.
Without a security staff, companies may struggle to appreciate the ROI of paid commercial intelligence feeds and be overwhelmed by the volume of open source intelligence. These challenges begin to diminish once a threat model is established and organizational capabilities to select and curate intelligence matures.
While every company's threat model is unique, there should be a significant degree of overlap with industry peers. You can identify and operationalize relevant threat intelligence by joining a sharing community, like an ISAC or ISAO. Correlating this shared industry intelligence with internal security events and alerts from MSSP providers, SIEMs, phishing emails, and case management systems is the ideal spot to begin understanding what industry threats are directly relevant based on that overlap.
This can occur in two ways: one, consuming community intelligence into a SIEM and case management tool, and, two, sharing out suspicious email and events back to the community to determine if anyone else observed the threat as well and can add more context.
What do you advise? Let us know in the Comments section, below.