Friday, February 13, 2015

Where does threat intelligence best fit in? Securing from the Inside Out

To answer this question, I started with a different question:

"What threats are causing me problems, and what threats do I foresee causing me issues?"

I went back through trouble tickets and assigned the threat sources to categories as I ran across them.  I did not define my buckets before I started, because I did not want any bias to creep in and confirm my current suspicions.  I ended up with three categories of threat vector:

1. Googling downloads: A huge amount of the malware we deal with daily comes from malicious repacks of iTunes and Flash, among a few other things.

How can I block access to malware-laden repacks?

2. Phishing: This one really goes without explanation.

How can I block the most common phishing attacks?

3. Personal Email: People need to be able to check personal email at work; I understand this.  I know many of you will disagree, but the political impact of blocking personal email accounts at the office is significant, and for a lot of execs it isn't a battle worth fighting.  I know of one CISO who lost his job because he implemented this and would not relent.

How can I prevent users from bypassing email scanning and downloading compromised attachments?

With those three questions asked, the answer for me was even fuzzier than before.  How does threat intelligence help with these problems, and is threat intelligence even the answer to my questions?

For me the answer was no for two of these problems, and a maybe for the first.  Would threat intel help me with the problem of people Googling downloads?  Probably.  Can I address it effectively without buying another blinky box?  Probably.

If I were managing a perimeter with a large attack surface, I could see spending the money on something that dynamically updates lists of bad IPs and IPS definitions.  But as we have seen in the past few years, most major breaches have come through much harder-to-predict threat vectors, and I am not sure current versions of threat intel really help with those.

What I am driving at is that I will be focused on securing from the inside out, as opposed to focusing on the perimeter and trying to prevent script kiddies from port scanning my web servers.  My analysis of the most prevalent threats leads me to look at workstation integrity first and foremost.
