CyberGuardians

So over the last few years, there seems to be a trend of non-DIB companies starting to build internal threat intelligence teams and a big spike in security companies offering it as a subscription service. Ten years ago a paid service got you vulnerability alerts, some open source geopolitical information, and dated commodity botnet information. This space has matured quite a bit, even though some providers are simply repackaging free indicator feeds and CVEs as threat intelligence. I think the value proposition is there by using intelligence to reduce the dwell time of an adversary and potentially on good day thwarting the attacks from the start. I think the formation of strong, sector specific intelligence sharing groups will be key to being better defenders. Having had access in the past to great intelligence via clearances, I know what a huge advantage it is. Hence my strong interest in the subject. At the same time, I have little traditional intelligence analysis experience. Most o

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your company. The key focus of