The best threat intelligence comes from your own
organization’s endpoints. One aspect
of this is treating every instance of unwanted software, such as malware or
adware, that lands and installs on a machine as an indicator of a gap in
controls coverage:
A control that is present but somehow misconfigured.
A control that is missing or has been disabled.
An error by a user.
So, when you encounter evidence of malware, a key follow-up
item is to determine just how the malware got there.
In my organization, answering this question has allowed us
to add extensions to our email attachment block list, add compensating controls
on endpoints, and increase the frequency of specific user training where
necessary.
All based on real risks present in the network, not possible
risks talked about in a blog post.
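As an added illustration of the follow-up described above (example code written for this page, not the author's own tooling): a small Python tally that records, for each incident, the entry vector and the reason no control stopped it, then ranks the recurring gaps, lists attachment extensions that slipped past a block list, and flags incidents closed without a recorded root cause. All incident records, file names, the gap-to-action mapping and the block list are constructed.

```python
"""Root-cause tally for endpoint malware incidents.

Added example, not the author's tooling. Each incident record carries the
answer to "how did the malware get here?" (entry vector) and "why did no
control stop it?" (gap category). Aggregating those answers turns a pile of
individual cleanups into a ranked list of control gaps.
"""
import os
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Incident:
    incident_id: str
    vector: str    # entry vector: email_attachment, web_download, usb, ...
    artifact: str  # file name that landed on the endpoint
    gap: str       # why no control stopped it; "" means not yet determined


# Gap category -> the kind of remediation it calls for (hypothetical mapping).
GAP_ACTIONS = {
    "misconfigured": "fix control configuration",
    "missing": "add compensating control",
    "disabled": "re-enable control and alert on future disablement",
    "user_error": "schedule targeted user training",
}

# Constructed sample incidents; identifiers, file names and outcomes are made up.
INCIDENTS = [
    Incident("INC-1", "email_attachment", "invoice.iso", "missing"),
    Incident("INC-2", "email_attachment", "report.docm", "misconfigured"),
    Incident("INC-3", "web_download", "setup.exe", "user_error"),
    Incident("INC-4", "email_attachment", "scan.iso", "missing"),
    Incident("INC-5", "usb", "autorun.exe", "disabled"),
    Incident("INC-6", "email_attachment", "photo.js", "missing"),
    Incident("INC-7", "web_download", "update.exe", ""),  # root cause not recorded
]

# Constructed current email attachment block list.
ATTACHMENT_BLOCKLIST = {".exe", ".scr", ".vbs", ".bat"}


def undetermined(incidents):
    """Incidents closed without a root cause: a gap in the response process itself."""
    return [i.incident_id for i in incidents if i.gap not in GAP_ACTIONS]


def gap_counts(incidents):
    """How often each (vector, gap category) pair shows up across incidents."""
    return Counter((i.vector, i.gap) for i in incidents if i.gap in GAP_ACTIONS)


def unblocked_extensions(incidents, blocklist):
    """Attachment extensions that delivered malware but are not on the block list."""
    seen = {
        os.path.splitext(i.artifact)[1].lower()
        for i in incidents
        if i.vector == "email_attachment"
    }
    return sorted(ext for ext in seen if ext and ext not in blocklist)


def prioritized_actions(incidents):
    """(count, vector, action) tuples, most frequent gap first."""
    rows = [
        (count, vector, GAP_ACTIONS[gap])
        for (vector, gap), count in gap_counts(incidents).items()
    ]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))


def main():
    for count, vector, action in prioritized_actions(INCIDENTS):
        print(f"{count:>3}  {vector:<18} {action}")
    print("attachment extensions to review for blocking:",
          ", ".join(unblocked_extensions(INCIDENTS, ATTACHMENT_BLOCKLIST)))
    print("incidents still missing a root cause:", ", ".join(undetermined(INCIDENTS)))


if __name__ == "__main__":
    main()
```

Run it as a script and the ranked output puts "email_attachment / add compensating control" at the top, which is the same evidence trail the text describes for extending the attachment block list; the incidents with no recorded gap are surfaced separately because an incident closed without answering "how did it get here?" is itself a process gap.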
And where that control or training required additional
resources, the justification to executives comes from on-site evidence from real incidents, not just pen tests. That’s usually been sufficiently compelling.
Continuous improvement as part of being a learning organization.
All from simple questions purposely built into the response process.
Like what you've read
enough to follow me on Twitter? @Opinionatedsec1.