Creating a Threat-Informed Culture
Keynote Panel - Threat-Inform Your Organization
Estimated read time: 1:20
Summary
The keynote panel at MITRE's Center for Threat-Informed Defense delved into the importance of integrating threat intelligence into an organization's common practices and strategic frameworks. The discussion, led by moderator John Baker, explored the journeys and insights of industry leaders from Fortinet, National Australia Bank, and Citi's Asia-Pacific Red Team. Emphasis was placed on adopting a threat-informed defense approach to better prioritize resources, improve risk assessments, and enhance communication at all organizational levels.
Highlights
- John Baker emphasized the communal aspect of threat-informed defense.
- Panelists discussed the need for prioritization and resource alignment in cyber defense.
- Derek Mankey shared insights on Fortinet's practical applications of threat-informed strategies.
- The role of collaboration in advancing research through the Center for Threat-Informed Defense was underscored.
- Challenges such as enterprise adoption and continuous stakeholder engagement were discussed.
Key Takeaways
- Prioritize scarce resources using threat-informed defense for an effective impact.
- Building a universal threat language like MITRE ATT&CK helps in aligning cross-organization teams.
- Adopting and integrating threat-informed practices can foster communication across departments.
- Engage in continuous learning and stakeholder involvement to adopt new strategies.
- The journey of threat-informed defense is ongoing and evolves with emerging threats.
Overview
The panel discussion, part of the MITRE ATT&CK conference, spotlighted the dynamic integration of threat intelligence into cybersecurity practices. John Baker, as the moderator, emphasized the necessity of a communal approach to advancing threat-informed defense strategies, urging organizations to leverage collective knowledge and experiences to enhance cyber defense capabilities.
Participants including Derek Mankey of Fortinet, David West from National Australia Bank, and Mark from Citi's Asia-Pacific Red Team shared their unique insights and experiences in adopting threat-informed defense. They highlighted how such strategies help in prioritizing resources and aligning them more effectively with organizational objectives, ultimately enhancing security operations.
Despite challenges in adoption and the ever-evolving threat landscape, the panelists reinforced the need for ongoing engagement and learning. They advocated for standardizing tools and practices, creating a common threat language, and nurturing a collaborative environment that adapts to the continuously changing cyber defense paradigms.
Chapters
- 00:00 - 01:00: Introduction and Welcoming Remarks The chapter begins with an announcement of the commencement of a special panel discussion. Participants are invited to join the panel one by one. The panel aims to discuss the topic of organizational transformation, and the moderator is introduced to the audience.
- 01:00 - 03:00: Introduction of Panelists The chapter titled 'Introduction of Panelists' begins with a focus on insights from a leadership perspective regarding threat intelligence strategies. Derek Mankey is introduced as a key figure, leading the global threat intelligence team at FortiGuard Labs. Mankey's role involves coordinating partnerships in global threat intelligence, underscoring his expertise and the collaborative nature of the work. The chapter also mentions the introduction of a second panelist, David West, although details about West are not elaborated upon within this segment.
- 03:00 - 05:00: Moderator's Opening Remarks The chapter opens with a focus on key figures in cyber threat management at prominent financial institutions. David West, who leads the Cyber Threat Management team at the National Australia Bank, is highlighted for his responsibilities in threat intelligence, adversary mitigation, and remediation. He is also acknowledged for advancing NAB's methods in threat-informed defense. Additionally, the chapter mentions Mark, who is part of Citi's Asia-Pacific red team, as another significant contributor in this domain.
- 05:00 - 10:00: Mark's Introduction and Background This chapter introduces Mark, focusing on his expertise in adversary emulation and research and development in threat-informed defense. Mark has experience in incident response, security consulting, and intelligence across both public and private sectors. The chapter also acknowledges the panelists and introduces the moderator, who has been instrumental in establishing threat-informed defense in Asia.
- 10:00 - 15:00: David's Introduction and Background The chapter introduces David and provides background information related to his recent endeavors, focusing on his involvement in the Pacific region and globally. The narrative credits the success of a particular initiative to the collective effort and support of the community, likening them to essential elements like soil and water. The chapter highlights the gratitude towards John Baker, the director of the Center for Threat-Informed Defense, for his leadership and as a notable figure in the success of their mission.
- 15:00 - 20:00: Derek's Introduction and Background The chapter titled 'Derek's Introduction and Background' begins with a focus on community building and unity. The speaker acknowledges returning members and newcomers, highlighting the unique opportunity to advance global defense. Derek, David, and Mark are introduced as thought leaders from organizations advancing in this field.
- 20:00 - 25:00: Impact of Threat-Informed Defense - Mark's Perspective In this chapter, Mark discusses his perspective on the concept of threat-informed defense within the organization. He regards it as a journey that many are already undertaking, often without realizing it. Mark emphasizes that participants frequently encounter barriers, whether technical or organizational, along the way. The chapter highlights an opportunity to learn from the experiences of individuals who have faced and overcome these challenges.
- 25:00 - 30:00: Impact of Threat-Informed Defense - David's Perspective David shares his insights on the importance of threat-informed defense, setting a tone for the day's discussions and offering guidance on advancing it within organizations. Mark introduces himself, sharing his background and experience in cyber security, noting his nearly seven-year tenure at Citi and his observations of the firm's progress.
- 30:00 - 35:00: Impact of Threat-Informed Defense - Derek's Perspective In this chapter titled 'Impact of Threat-Informed Defense - Derek's Perspective,' Derek reflects on his extensive 16-year experience in cyber security, highlighting the significant changes he has witnessed over the years. In particular, he notes that the past six to seven years have marked a rapid acceleration in these changes, particularly within his work at Citi. A key area of focus has been threat-informed defense, which has been a central theme of the recent advancements. Derek hints that more details on this will be discussed as the panel progresses.
- 35:00 - 40:00: Challenges in Threat-Informed Defense - Mark's Perspective Mark discusses the dynamic landscape of threat-informed defense, highlighting the challenges and changes in cybersecurity management.
- 40:00 - 45:00: Challenges in Threat-Informed Defense - Derek's Perspective In this chapter, Derek discusses the evolution from general security to cyber security over the past 20 years. He shares a personal experience from approximately 15 years ago when he was managing network operations, specifically dealing with firewalls. During this time, he encountered a spike in network traffic caused by someone conducting a port scan on their firewall. This incident turned out to be related to a customer of the bank he worked for. This chapter highlights the practical challenges and the nature of threat-informed defense in the banking sector.
- 45:00 - 50:00: Challenges in Threat-Informed Defense - David's Perspective David reflects on his early experiences with perimeter scanning and its effect on sparking his interest in cybersecurity. He shares his fascination with the security aspects of technology, which has continued to captivate him. The chapter also introduces Derek, who is attending the conference for the first time, expressing enthusiasm for the practical, real-world topics being discussed.
- 50:00 - 58:00: Lessons Learned and Advice for Starting The chapter titled 'Lessons Learned and Advice for Starting' begins with an introduction to the speaker's role as the Global VP of Threat Intelligence. The speaker reflects on their nearly 21-year tenure at the company Fortinet, which began in 2004. Their journey into cybersecurity started even earlier, sparked by a childhood gift of a computer from their parents in the 1980s. Engaging with dial-up modems and bulletin board systems, the speaker was drawn to forums that discussed hacking, finding it intriguing and ultimately leading to a career in cybersecurity.
- 58:00 - 60:00: Audience Q&A The chapter titled 'Audience Q&A' features a personal narrative about the speaker's journey into the field of cyber security. It began with a natural sense of curiosity and experimentation with debuggers, which led to learning about altering program outputs. This exploration further extended into firewalls, networking, and code development. The narrative progresses to a pivotal moment in the speaker's career when, in 2004, they received a call from a classmate about a job opportunity with a company named Fortinet. At that time, the company was relatively small, with fewer than 200 employees.
- 60:00 - 65:00: Final Audience Question and Closing The chapter "Final Audience Question and Closing" concludes with reflections on the speaker's journey in the world of threat intelligence over the past 21 years. Initially starting as a malware analyst, the speaker expanded their work into broader aspects of threat intelligence, emphasizing the development of public and private partnerships over the last 15 years, including efforts with MITRE and the CTI. The chapter also acknowledges contributions from members of the Center for Threat-Informed Defense, specifically mentioning Derek, David, and Mark.
- 65:00 - 66:00: Closing Remarks and Farewell The chapter titled 'Closing Remarks and Farewell' includes a discussion about the journey and progression of member organizations in implementing internal capabilities and engaging in collaborative research and development in threat-informed defense. The conversation highlights the importance of collaboration and shared experiences in advancing defense strategies, with contributions from individuals like Neil and Mark.
Keynote Panel - Threat-Inform Your Organization Transcription
- 00:00 - 00:30 [Music] With that, let us begin. We have something very special for you all: we're going to begin with a panel discussion. I'm going to invite our panelists up one at a time and then introduce you to our moderator. The topic of our panel is "Threat-Inform Your Organization", so
- 00:30 - 01:00 from the leadership view, how can we apply a threat-informed defense? Let me invite up first Derek Mankey. [Applause] Derek Mankey leads FortiGuard Labs' global threat intelligence team at Fortinet. In this role he also orchestrates global threat intelligence partnerships. Our second panelist, David West,
- 01:00 - 01:30 at the National Australia Bank: David West leads the cyber threat management team, where he's responsible for threat intelligence, adversary mitigation and remediation. David also spearheads NAB's approach to threat-informed defense. Our third panelist, who traveled quite a distance, Mark We, leads Citi's Asia-Pacific red team, a local favorite.
- 01:30 - 02:00 Mark focuses on adversary emulation and advances R&D including threat-informed defense. He's experienced in incident response, security consulting and intelligence in the public and private sector. Once more for our panelists. [Applause] And now our moderator. Our moderator is the individual who has planted the seed for threat-informed defense in the Asia-
- 02:00 - 02:30 Pacific region and in the world. It is because of all of you: you're the soil, you're the water, you're the reason threat-informed defense flourishes. But that original seed is our moderator, the director of the Center for Threat-Informed Defense, my dear friend John Baker. [Applause] All right, thank you, Seil. It is amazing to be back here again for
- 02:30 - 03:00 a second year. It's awesome to see some of the people returning from last year, and new faces. So in the spirit of trying to build community and unite the community to advance threat-informed defense globally, I think we have a really unique opportunity today. We have Derek, David and Mark here with us. They're all thought leaders and represent organizations that are far along in this journey of embracing and
- 03:00 - 03:30 adopting threat-informed defense within their organization. Since the very beginning I've thought of threat-informed defense as kind of a journey. I was talking to Derek in a little sidebar this morning, recognizing that a lot of people are doing aspects of threat-informed defense and maybe don't even realize it. People hit barriers, and those barriers might be technical, they might be organizational in nature. So today, bringing the three of them together, I think we have an opportunity to learn from their experiences, their
- 03:30 - 04:00 perspectives, and hopefully help set a tone for the rest of the day, but also leave you all with some thoughts and guidance on how to advance threat-informed defense in your organization. So as we get started, Mark, do you want to say a little bit more about yourself and how you got started in cyber security? Sure. Good morning everyone, my name is Mark. I've been with Citi for, I don't know, close to seven years now, and I've seen the firm start on its threat-
- 04:00 - 04:30 informed defense journey. A little bit about myself: I got into cyber security a long time ago, say 16 years, and I've seen a lot of things change, but I do think in the last six, seven years, being in Citi itself, we have really accelerated the changes by focusing on threat-informed defense. We'll go into a little bit more detail, I think, as the panel progresses, but the last six or seven has been probably the
- 04:30 - 05:00 most exciting time. Excellent, thanks Mark. David, do you want to say a little bit more about your role and how you got started in cyber security? Yeah, hey everyone, thanks John, great to be here again this year. I was here last year and it was a fantastic conference, so looking forward to the rest of the day. I head up cyber threat management at National Australia Bank, NAB, one of the big four banks in Australia, and we are Australia's largest business bank. I've been at NAB for quite a while now, about 12 years, and in security for about
- 05:00 - 05:30 20 years now, which used to be called security, now it's cyber security; it's been around for a little while. I got into security doing technology roles. I was doing a network operations role, and I remember I was managing firewalls and I saw a spike in network traffic, which was someone basically port scanning our firewall, about 15 years ago. I was working for a bank, and it ended up being another customer that we were doing business with, or looking to do business with, and they were probing our
- 05:30 - 06:00 perimeter, scanning our attack surface back then. That got a lot of interest with our business, and for me that just sparked a fascination with the security aspect of technology, and I haven't looked back. Love it. Excellent, well it's awesome to have you back here this year. Derek, do you want to introduce yourself and say a little bit about your role and how you got in? Sure. This is actually my first time at this conference, so I'm really excited to be here, because we're talking about practical things that matter, not pie-in-the-sky type stuff,
- 06:00 - 06:30 right, so it's great. My role: I'm Global VP of Threat Intel, so I lead our threat intel team at Fortinet. I've been almost 21 years at Fortinet, I started in 2004, and I got into cyber security before then. As a kid I got a computer from my parents in the 80s, started playing around with dial-up modems and bulletin board systems. I got into forums, and even back then there were hacking posts, and I thought, hey, this is cool,
- 06:30 - 07:00 curiosity, right? It didn't kill the cat; it got me interested in cyber security. I started playing around with debuggers and said, hey, I can actually change the output of process flow in a program, that's pretty cool. So I started tinkering around, took compai and did some basic stuff on firewalls and networking and code development. And then I got a call in 2004, "hey Derek", from a classmate of mine: there's this company called Fortinet, do you want to sign up? I said sure, I hadn't heard of it. It was a small company at the time, less than 200 employees; now we're
- 07:00 - 07:30 14,000, here we are 21 years later. I started my life as a malware analyst, then I kind of branched out thinking there's much more we can do with threat intelligence, and so for the last 15 years I've also been driving our public and private partnerships, which of course includes MITRE and the CTI. Excellent, Derek, thank you. Derek, David and Mark all represent Center for Threat-Informed Defense members, and as I think about that
- 07:30 - 08:00 journey, I see those member organizations as towards the far right-hand side of that timeline: not just starting to implement internal capabilities, but working together, as Neil said, advancing research in threat-informed defense through collaborative R&D. So I thought I would start with just the why. As you think about your experience in threat-informed defense, I'll go with you first, maybe, Mark: can
- 08:00 - 08:30 you talk a little bit about the impact that threat-informed defense has had within your organization and how it supports your cyber security strategy? Right, thanks John. Let me talk about the impact of how threat-informed defense has really shaped the way we do things in Citi. The biggest takeaway I have is, Citi being a big organization, I think we're in slightly over 100 different countries, and keeping an estate this huge
- 08:30 - 09:00 is quite challenging. One of the biggest takeaways we've had so far is the reduction in overhead. If you think about it, Citi's operations, the whole cyber operations itself, was spanning three major different regions, and out of all of that, the collaboration across the different operational teams, each of them have their own respective frameworks. With threat-informed defense being used
- 09:00 - 09:30 as a method of prioritization and overhead reduction, we have seen the biggest gains in that space. On top of that, trying to keep up with everything that changes, having partnerships with MITRE and some of our other members in the center has also significantly driven up the firm's ability to generate new IP to address these evolving threats. That's amazing, Mark. I think people forget how important it is to have something like ATT&CK as this sort of
- 09:30 - 10:00 foundational language that allows you to have collaboration and focus on specific threats and how you mitigate those threats, and that really is the core of threat-informed defense. David, the same question: can you talk a little bit about how threat-informed defense supports NAB's cyber strategy? I think I'd echo Mark's first point, which is it's about prioritization. So no matter what size organization you run, if you run a, I don't know, 200,000 person organization across 100 countries, or a 40
- 10:00 - 10:30 or 50,000 person organization, or even a 40 person small business, it's about prioritizing your scarce resources on the right things, those things that are most likely, from our perspective, thinking about what are the things that are going to impact us from a threat or a risk perspective. And we think threat-informed defense is the way to think about that and approach that. We've got a threat-led and data-led strategy, and you'll hear that across a lot
- 10:30 - 11:00 of organizations: threat-led, data-led. Well, what does that mean? How do you bring that to life? The guys here will talk about the definition, but it's using the adversary as the lens through which we look at our defenses and prioritize our scarce resources, again. And for us that means it's prioritization; it's also a way we communicate cyber threat and risk, such that when we talk about our investment prioritization, we can trace that back to threat, and when
- 11:00 - 11:30 we're talking to our senior executives, or our CISO is talking to the board, they're talking in terms of risk exposures that are traceable right the way back to the threat and the work that our teams do to understand that and to get in front of it. Derek? So, I usually have an 80-slide presentation on this, but we don't have time for that. So look, we're a cyber security vendor, so it very much applies in a
- 11:30 - 12:00 multifaceted approach. I would say 100% prioritization, that is the sphere of threat-informed defense. What does that mean to Fortinet? Many things. First of all, TID applies both internally, to our own infosec team, our SOC team, our PT, our product security team as well, but even externally through services: we have consulting, incident response readiness, tabletop, C-suite tabletop exercises. All of those have touch
- 12:00 - 12:30 points where we're doing threat-informed defense. We're doing MITRE messaging, we have demo environments set up. From an internal perspective, if we look at product resilience, we've built something called Outbreak Alerts, and this actually helped to solve a lot of issues we had. I think we started these in around 2016, 2017; last year we issued over 60 of these. So any sort of big campaign we see going on, whether it could be a Log4j,
- 12:30 - 13:00 it could be any one of those big ones where we see high prevalence, we map that into our product solution stack. So we'll have an outbreak alert and we'll say, okay, on the endpoint here's our detection capacity; on the network, like NDR, here's our protection capacity; is there a cloud-native function for this; and so forth. So you'll have a list across the attack surface of what products are supporting that. When we take that, we're actually making sure that we run through that attack, that we
- 13:00 - 13:30 are supporting that. We have packs that we put into virtualized environments, like deception environments, where we can replay the attack and make sure that we're actually detecting everything. So it becomes a gap analysis, and that's TID of course: purple teaming, doing the detection engineering, making sure that if there is a new defense evasion tactic, we are catching it, and if we're not, then obviously we implement that. So from a product resilience standpoint it's really
- 13:30 - 14:00 important. But on the communication and training, that's also a big thing for our sales force. I mean, we're a vendor, we have too many products, we have over 57 I think, and we can't, our CEO would love it, but we can't just say sell everything. That's not prioritization: what is really important to you based off of this threat? And that's where we have those demo environments set up; we actually do workshops internally for sales on this. And then we're also looking
- 14:00 - 14:30 at it from a threat intel perspective also. So EASM, external attack surface management, attack surface management; Gartner now has come up with CTEM, continual threat exposure management, which is threat-informed defense in my point of view, because it's AEV, adversarial exposure validation, and EAP, that's purple teaming essentially. So they have another word for it, but to me that's threat-informed defense. I'm learning some new acronyms, so I don't know all of those. Yeah, and Derek, to your point,
- 14:30 - 15:00 actually, we're looking at putting together, with one of our Center members, sort of a guidebook that shows how threat-informed defense fits together with continuous... I'm drawing a blank on the acronym at the moment, but... Yeah, exactly. So that's again sort of what you were talking about before in our sidebar conversation: when they come out with something like that, it's not just this brand new idea to me,
- 15:00 - 15:30 it's like some people are already doing this but they don't know it. Yeah, so it's called something different. Yes. What I like about the work that we're doing here with the center is we are defining, I guess, new standards, new nomenclature, that hopefully aren't unique to a small community in 5, 10 years' time, but are the way that we think more broadly, globally, around how most organizations do cyber security. Yeah. So I think one
- 15:30 - 16:00 of the themes we're starting to hear is, for me, a lot of the whole reason why we got started with the Center for Threat-Informed Defense and threat-informed defense: it wasn't about let's do threat-informed defense or let's do ATT&CK, it was how do we get together and figure out how to make cyber defense much more efficient and more effective. And so those themes of prioritization, improved communication, improved collaboration, it's that whole spirit of working together to drive efficiency and effectiveness.
- 16:00 - 16:30 So it's not an easy journey. I said it's a journey; you obviously hit roadblocks along the way, you've got to get your stakeholders' internal buy-in for really investing in prioritizing threat-informed defense. Maybe I'll start with you again, Mark: do you want to talk a little bit about some of the challenges that you faced as Citi's been working through this journey? Right, thanks John. I'm just going to touch on four points on the challenges we have faced over the years and how we have, in a nutshell,
- 16:30 - 17:00 addressed this. So the first is basically enterprise adoption. I think it starts there: if you're the only person in the enterprise using it, it's not really going to go anywhere. That has been my own experience at the start of the whole threat-informed defense journey, and how we look to address it, I would call it a resolution, but it's getting stakeholder buy-in. So I actually went around talking to different people: hey, I've got this brand new idea and I
- 17:00 - 17:30 need you to take a look at it and see what that means to you. Is that going to be useful to you in some way, shape or manner? Those were recurring discussions that went on for, in some cases, years, to try and get folks warmed up to it, for a variety of reasons. Part of it as well is there are established methodologies within respective operational teams that folks generally sometimes don't feel comfortable shifting from to something
- 17:30 - 18:00 new that hasn't been tested. So if you look at things like the Lockheed Martin Cyber Kill Chain, folks who are familiar with incident response would use the Diamond Model, and so on and so forth. Each of these has their own established processes that have been tried and tested. No one's going to say, hey, you know what, I'm going to chuck that aside and just go on this wild journey where we don't know what it's going to look like. So getting stakeholder buy-in, and to that note, trying to find areas of commonality, have
- 18:00 - 18:30 helped drive these discussions ahead. And as you get small success cases, with baby steps as they call it, you start building upon all of that. So the other one that we have also found to be quite challenging, at the analyst level, is the learning curve. I remember at the start I was talking to different people, not necessarily within Citi, but folks used to use the MITRE ATT&CK matrix as a coloring book; everyone that I spoke to wanted to turn
- 18:30 - 19:00 it green. So those of you who have tried would come to the conclusion quickly that it's not feasible, and it starts opening up discussion points where you think about how you actually approach this: what does risk mean to your organization, what does the rating on the spreadsheet actually mean? And all of that, getting the right folks involved at the analyst level, getting buy-in at the executive level, having that alignment has
- 19:00 - 19:30 really helped us address a lot of these adoption challenges. Excellent, thank you Mark. Derek, do you want to talk a little bit about some of the challenges you faced and how you've overcome them? Yeah, so a couple. I hinted on it earlier: first of all, enterprise adoption. To me that's number one for sure, and you'll probably see that across the board, especially when you get bigger and bigger workforces. As I said, we
- 19:30 - 20:00 have a lot of products, and each product obviously has a product management team, and for us, when it comes to training, we have to be able to explain to each product manager why this is important, and not only that, but also to be on board with us and implement the projects. Remember, in the center it's not just this concept of threat-informed defense; if you see the impact report, there are all these great projects that we've contributed to, other members have contributed to, and we want to adopt that. So some examples of things we have adopted are
- 20:00 - 20:30 the Sightings Ecosystem, which is TTP-based heat maps and telemetry reporting; we have that on our sandbox, on our EDR, on our NDR, endpoint. So that takes some time to ramp up and do that on a project-by-project basis, to have that. Obviously, continually learning to be updated on all the new projects that we have, that's a challenge, and Doug and Amaru are on my team here, they've been doing great jobs, but we're
- 20:30 - 21:00 still limited in resources, and you really need to get people on board for that. So it's been a learning experience; we've had measures of success with that. But then the other piece is the continued stakeholder support. I agree with that as well, it's the same thing. We're lucky, we have a CEO who's cyber security conscious, who's an engineer, so that helps, but still, when it comes to the board, this is an investment of time and resources, like anything, and what's the so what? How do you tie that
- 21:00 - 21:30 in? And as I mentioned, we're starting to do that now, because it does tie into business for us; it does tie into, as I said, CTEM and all these other things. So it has been a challenge, though, across a 10,000-plus workforce, to do that and have continuous training along that. David, what are the challenges you faced and how have you been able to address them so far? And it might still be a work in progress. It's always a progress, and I love that
- 21:30 - 22:00 Derek, coming from the vendor space, is talking about picking up the products and the tools that the Center is developing and starting to use them to standardize. I think we need to do that more holistically across the other vendors and across how we do cyber security more broadly. And things like, yeah, whether it's TTP heat maps, and even something simple like structuring threat intelligence using MITRE ATT&CK consistently every time so analysts don't need to go and do that manually, or
- 22:00 - 22:30 using flow visualization, the tool that the Center's developed, to communicate and visualize what an attack path looks like. All of these are things that we need to standardize as an industry. But the challenges for us, I think, probably similar to others, is just knowing where to start and what to do first and what to do next. And that's why one of the projects that we've been working with the Center on this year is M3TID, which is Measuring, Maximizing, and Maturing Threat-Informed Defense, and we think
- 22:30 - 23:00 that's foundational just to setting the agenda around what we mean by threat-informed defense, getting the industry aligned to that, and then starting to provide a tool to be able to measure yourself, see where you sit relative to what good looks like, benchmark yourself against your peers, which I think is something that's coming that the team are looking at, but also build a roadmap around what to do next, and what of the
- 23:00 - 23:30 tooling and products that are out there and are available that you can start to use to build processes in your own teams, and start to pick this off the shelf and run with it. So yeah, for me it's about what do you do first and what do you do next, and that's probably the key challenge. The roadmap, I think, is another great conversation too, and that's in the spirit of the idea marketplace and the Center, what we do. Maybe I'm going a little off topic here, but with the Center itself, what I love is there's so many great ideas that are spawned, and it's like the
- 23:30 - 24:00 art of the ... there's so much good stuff already happening with ATT&CK and threat-informed defense, but then I think about future applications of this too, and yeah, Attack Flow is a great example of that. Obviously everyone and their dog and cat are talking about machine learning and AI, but you think about applications of that to game boarding, predictive analysis on flowcharts, and there's so many things possible, which also makes it exciting too. Yeah, I share your enthusiasm for the
- 24:00 - 24:30 M3TID project, and I'll say if you're here or online and you haven't checked out M3TID, check it out. One of the things I think is worth pointing out is, when we create and publish a research project, what we do next is very much driven by you, the broader community: how much you like it, the feedback we get from you, the impact it's having. We want to be continually focused on creating impactful resources and advancing those resources to have that
- 24:30 - 25:00 effect, to drive towards more efficient, more effective cyber defense. So two things: we're gonna go one more question for you guys, and then I want, hopefully, the audience to start thinking about any questions you might have. We've got a unique opportunity here; I've built in time to the panel to have some audience questions, so get ready. So maybe just quickly, in a couple minutes here: if you had one lesson learned that you'd like to share, that you wish you knew maybe as you got started, what
- 25:00 - 25:30 would it be? Mark. Right, so John, I'm going to reshape your question a little bit. So where we started five, six years ago, when the Center started, I think it's a very, very different landscape today. Five, six years ago threat-informed defense was a really new concept, and I think a lot of folks couldn't quite wrap their heads around what this actually meant from a practical execution perspective. Now that has clearly changed over the last six
- 25:30 - 26:00 years. So for firms that are, you know, if you're embarking on the journey itself, right, in my conversations with folks outside of Citi, one of the questions is, where do I get started, right? And I think over here the Center has really published quite a lot of projects across a variety of different domains, all the way from standing up a TID initiative, all the way right to specialized areas like
- 26:00 - 26:30 insider threat. Pick something small that you know your organization can relate to, find the stakeholders that have commonalities in the spaces, and just go from there, right? You don't have to consume everything at once, but just pick a project that's in existence, start there, and kind of just develop it as you go along, right? The founding members that were part of the Center, the new members that have joined over the years, each of these organizations have contributed quite a lot of resources and experience to
- 26:30 - 27:00 all of these projects, and that would be a good starting-off point. Thank you. David? Yeah, I'll keep it short: start using ATT&CK. We're here for the MITRE ATT&CK Community APAC Conference Workshop. Start using ATT&CK in your team; use it to look at your detections, use it to think about your response preparedness, look at your controls, your mitigations, and start with that. If you can get, I think Mark talked about it before, buy-in with your senior stakeholders, start
- 27:00 - 27:30 more with ATT&CK, try and get that buy-in, and then build from there. So, Summit the Pyramid of Pain, right? What do you say? Yeah, so absolutely, start talking in TTPs instead of IOCs, right? So live, eat, breathe MITRE ATT&CK, for sure. Lesson learned from my point, from this journey: it is a journey. I think it's not just a cookie-cutter, it's not a bootstrap turnkey solution you can
- 27:30 - 28:00 just go buy out of the box, right? It's not like, do you have threat-informed defense, yes or no? So it's much more of, again, there's a lot of these existing pockets and elements, and I think it's about that education, where we go to, it's that "so what" to the stakeholders. Also, again from our side, I mentioned the Outbreak Alerts earlier; that was something we realized, because we asked PMs to get involved with the Center before and they're like, I'm too busy. Then when you start to say, hey, this can actually help you because dot dot dot, right, in this case
- 28:00 - 28:30 product resilience and all of that, then they listen, right? So I think really understanding some of that stakeholder value up front, communicating that, that will have that sort of snowball effect. It's like anything in cyber security though: it's not going to happen overnight. It's a journey, and you can start with different elements of it. Yeah, I obviously completely agree it's a journey. I love your point there, Mark. I think that the most important thing is, and as you said too, Derek, to kind
- 28:30 - 29:00 of get started, pick something, recognize that it's an ongoing activity. You don't start and finish; you're going to continue down this path and on this journey indefinitely, because the environment we work in, the adversaries that we're defending against, are all changing and evolving with us, right? So, as I said, we have a few minutes here to take a couple audience questions. All right, there we go, there's a question over there, go ahead. Thank you, great panel, lot of
- 29:00 - 29:30 interesting discussion. So, Derek, you just mentioned to start thinking of TTPs instead of IOCs, but actually a lot of the discussion is just about T and T. How about procedure? How do we go beyond the techniques and the tactics to talk about procedures that are more granular than techniques? Yeah, great question. I think, so when you get to that stage, again this goes back into, from our perspective,
- 29:30 - 30:00 what we've done, again, in our demo environments, right, looking at how we break up... One example of what we've done is built threat actor cards. We actually modeled this after Pokemon, so we have these threat actor capabilities, right, and we don't have hit points and stuff like that, but here are the different TTPs that are associated with that. But then when it comes to implementation of the procedures, again in the environments we have, with MITRE CALDERA, that's a great tool to use for that, right, when it comes into the actual
- 30:00 - 30:30 breach simulation, the emulation component. That's where you can actually start at the procedure level, so it's not just a big list on paper of all the capacities. I think someone has a question, but on the procedural level you have to demonstrate more, I would say, than just talk about it or show a matrix. Yeah, I'm jumping on that as well. That's a great question, because I think
- 30:30 - 31:00 we talk a lot in terms of techniques when we think about MITRE ATT&CK, but it's not until you dive down that next level to look at procedures where things become more useful, more interesting, more actionable, if you want. And I kind of think about procedures as almost like the fuel for our function. So our TI team, and hopefully they're watching now, they're not just looking at techniques but also articulating procedures that we pass to our detection team to write
- 31:00 - 31:30 detections; they're passing that to our mitigation team to properly understand our controls, to be able to mitigate a particular procedure; and then our adversary emulation team are doing the same thing. So I think we need a better community library, and I know you've been doing some work on that, Nicholas, on procedures at that level, and I think that's something we should be driving, because we spent a lot of time on it, and I think it's something, as you mature what you do with threat-informed defense, you need more and more of this sort of
- 31:30 - 32:00 data. Go ahead, we have time for one more question here. I have a general observation. Operations, engineering, and products, and the user end: there is a set of procedures that people follow on a daily basis, and each one of them has a
- 32:00 - 32:30 time constant, birth to death. How does one travel this seamlessly as an organization, as a CTO or a CEO? Do you mind just rephrasing the question? I missed that. In my perspective there are three aspects to the security-related environment. One is operations; they have a
- 32:30 - 33:00 perspective. The engineering team, they have a perspective. And then the products, the sellers; they have products, they have a perspective. And there is the problem space, seen by each one of them slightly differently. Each one of them, for change management, has a time constant and of course investment. If I'm the CEO or CTO, how do I take a decision, because I'm getting three perspectives
- 33:00 - 33:30 and three time constants and three time-cost estimates? So, okay, thank you. So I understand the question. I'll take it quickly from my perspective. These are dependencies, right? So from a CEO perspective, if you think of each one as a cost and each one as a silo, that's not an effective approach, right? They're dependent on each other. So if I talk about our journey again, it starts with engineering, right, because engineering is developing, implementing the
- 33:30 - 34:00 projects that are coming out from the Center for Threat-Informed Defense. So the resource and time initially is in engineering. Then we have UIs, we have product views, we have MITRE ATT&CK on there. Then it's up to the rest of the departments not to operate in their own bubble or silo, but to build off that engineering approach. You mentioned standardization in industry; once you have that, it acts as that force multiplier where now sales and operations can then pick up on that messaging, right? So it's
- 34:00 - 34:30 starting with one, and then it's that sort of, as we always talk about diamond models and triangles, it's sort of that interdependency, I would say. Yeah, Mark, you want to weigh in? Sure. So it goes back to my point earlier on trying to get stakeholder buy-in and having this common understanding as to what threats you're facing. And I'm coming from the end-user space, right, so apologies if you're on the vendor side. But if you look
- 34:30 - 35:00 across all of these functions today, right, everyone says we're going to need to buy a new firewall, we need to buy a new product. The question is, why, right? And threat-informed defense really drives that particular thought process, to answer the why are we doing this and what is the effectiveness of doing this, right? And it's kind of getting both your operations functions, your engineering, architecture functions, to have the same common understanding, to say, hey, if we're going to design a system or process in this manner, this is the
- 35:00 - 35:30 threat that we're going to mitigate, and it has to be a relevant threat to your organization, right? So, say for example, the threats faced by a firm in the manufacturing sector would be very different from what we face, right? It's kind of understanding the threat landscape you operate in, it's understanding what you're concerned about, and having that common language when you talk about how the things are evolving, in reference to your own organization. I think that would probably be my approach here. Yeah, thanks, Mark. And I
- 35:30 - 36:00 think with that we're just at time. I wanted to say thank you, Derek, David, Mark. Awesome discussion, really appreciate you guys taking the time to be here and hosting the panel with me. I would encourage you all, at our next break, reach out to them, introduce yourselves, let's learn together and work together to advance threat-informed defense for everyone. Thanks, Mark. Thank you, thank you everyone.