
Implementing a Threat Intel Program is Critical to Cybersecurity

Organizations today are under constant attack from cybercriminals, so developing an effective threat intel program is imperative for defending your organization. The recently published Consortium Networks CISO white paper, The Goal of Threat Intelligence, offers practical advice on the best way to set up your threat intel defense.

The basic steps cover setting clear goals, so you can target the right data set from the vast amount of data available and avoid “over analysis.” Then you gather input from both your technical and business teams to establish priorities. Finally, you leverage the knowledge of all stakeholders to identify the common threats, both perceived and actual, that currently exist.

Ideally, you find the right blend of data analysis and cybersecurity expertise. Combining that technical knowledge with business intelligence produces an analysis of the data that yields the best results.

Setting up a successful threat intel program requires establishing a repository to hold the data discovered in the fact-finding stage. Ultimately, you need to document rules for classifying and organizing the gathered intel. Then you define how you will share updates, information, and other actionable communication.

As discussed in the CISO whitepaper, the key to an effective program is being able to deliver easy-to-understand, actionable intelligence to all relevant stakeholders, decision makers, and employees. An actionable threat intelligence program takes time, but it is never finished since it must be flexible enough to adapt to changes that arise. It’s important to keep the lines of communication open with everyone involved – vendors, peers, decision makers – to be able to correct any missteps that occur along the way.

Join Consortium Networks today to download the full white paper and to receive access to other valuable security technology content.

Intelligence Driven Security Programs

Cyber threat intelligence is an important component of any effective security program. The sharp increase in high-profile breaches in recent years has led to an increasingly complex and stringent compliance regime. Depending on your business vertical, you may already have some familiarity with the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), the National Institute of Standards and Technology (NIST) Cyber Security Framework, and NIST 800-53. The ultimate objective of all of these standards is to ensure the protection of personal data held by our companies. Although building your security program around a particular compliance regime may ensure compliance with that regime, it may not provide the best security posture for your organization.

To be clear, I am not suggesting that compliance is unimportant or to be ignored. However, I am a proponent of intelligence-led security programs, as intelligence - not compliance - should drive your security program. Our overall objective should be to move from a reactive security posture to one that is predictive.

The first thing to understand is your organizational risk and threat profile. You must position your resources against the threats that matter to YOUR organization. To do this effectively, you must first understand what your threat landscape looks like and establish your organization's risk tolerance.

The First Step to Establishing A Solid Foundation for Intelligence-Driven Security

A good friend once said (he says it all the time actually) “the first rule in cyber security is to know thyself.” To that end, you might consider your answers to the following questions:

  • What sector am I in? Am I considered "critical infrastructure"?
  • What are my business units, and how are they interconnected?
  • What is my geographic footprint (the EU has a very different view of PII than we have in the US)?
  • Who are my partners?
  • Who are my customers?
  • What/where are my assets?
  • What is our threat history?
  • What data do I hold/process (customer data, HR data, business critical data, etc.)?

Once you have a firm understanding of your organizational risk, the next step is to understand your stakeholders and consumers. What are the roles of the consumers of your intelligence; what information is relevant for them? In what format and in what degree of frequency would they like to receive intelligence? What are the use cases for your consumers? Understanding the various use cases should allow you to tailor the intelligence for your customers, thereby increasing the value to your organization.

You must also establish your intelligence requirements.

Some questions to help establish requirements might include, but are not limited to, the following:

  • What intelligence is needed by our customer?
  • What vulnerabilities are being exploited in the wild?
  • Can we detect and defend against those exploits?

You must also establish collection requirements.

  • Liaison with like organizations within your business sector
  • Liaison with other members of the information security community
  • Open source feeds
  • Online forum monitoring where exploitation and vulnerabilities are discussed
  • Blog monitoring

Establishing requirements should allow for effective response to incidents. The intelligence must be categorized and prioritized in a way that allows for detection and response to the most critical information with the requisite speed and resources.

You must also develop sources (subscribed intelligence feeds, indigenous intelligence, and/or intelligence provided by one of the many government entities) to maximize the intelligence value. Finally, establish the expected actions on the intelligence.

Implementing Practices for Intelligence-Driven Security Programs

Step two is developing best practices (methods) for managing the intelligence life cycle. That life cycle should include building an analytic framework, developing your analysts' tradecraft and expertise, collection and processing, developing relevant production standards, etc. Subsequently, or simultaneously, you must integrate intelligence into your technology stack. This could include feeds into your SIEM, content management system, anti-virus, endpoint technology, network traffic analysis tools, etc.
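The repository, classification rules, prioritization and technology-stack integration described above, pulled together in one small Python example. This is an added illustration, not code from the white paper or from Consortium Networks: the source-reliability weights, the relevance tags, the priority thresholds, the simplified TLP sharing table and every indicator and log line are constructed assumptions chosen to show the mechanics.

```python
"""Minimal threat-intel repository: classify, prioritize, share, and match.

Added illustration; names, weights and thresholds are assumptions, not a
standard or any product's behaviour.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    value: str        # the observable: IPv4 address, domain or file hash
    ioc_type: str     # "ipv4", "domain" or "sha256"
    source: str       # collection channel the indicator came from
    confidence: int   # analyst confidence, 0-100
    tags: tuple       # threat context, e.g. ("ransomware", "finance-sector")
    tlp: str          # sharing classification, e.g. "TLP:AMBER"


# Assumed reliability weight per collection channel: one of the written-down
# classification rules a program needs.
SOURCE_RELIABILITY = {"sector-isac": 0.9, "vendor-feed": 0.7, "osint-blog": 0.4}

# Assumed threat profile of this organization: the tags that matter to it.
RELEVANT_TAGS = {"ransomware", "finance-sector"}

# Simplified TLP sharing rule (assumption): audiences allowed per label.
TLP_AUDIENCES = {
    "TLP:CLEAR": {"internal", "partners", "public"},
    "TLP:GREEN": {"internal", "partners"},
    "TLP:AMBER": {"internal"},
    "TLP:RED": set(),  # named recipients only; never redistributed
}

# Constructed sample repository contents (documentation-range addresses, not real IoCs).
INDICATORS = [
    Indicator("198.51.100.23", "ipv4", "sector-isac", 90, ("ransomware",), "TLP:AMBER"),
    Indicator("files-update.example", "domain", "osint-blog", 60, ("commodity-malware",), "TLP:CLEAR"),
    Indicator("203.0.113.77", "ipv4", "vendor-feed", 80, ("scanner",), "TLP:GREEN"),
]

# Constructed sample log lines standing in for a SIEM feed.
SAMPLE_LOGS = [
    "2017-06-30T10:15:02 fw01 DENY src=203.0.113.77 dst=10.0.0.5 dport=445",
    "2017-06-30T10:16:11 proxy01 GET http://files-update.example/payload.bin user=jdoe",
    "2017-06-30T10:17:45 vpn01 login user=asmith src=198.51.100.23",
    "2017-06-30T10:18:00 web01 GET /index.html src=192.0.2.10",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def priority(ind: Indicator) -> str:
    """Prioritization rule: source reliability x confidence, escalated when
    the indicator is relevant to our own threat profile."""
    score = SOURCE_RELIABILITY.get(ind.source, 0.3) * ind.confidence
    if RELEVANT_TAGS.intersection(ind.tags):
        score *= 1.5
    if score >= 75:
        return "critical"
    if score >= 40:
        return "high"
    return "low"


def shareable(ind: Indicator, audience: str) -> bool:
    """Sharing rule: may this indicator be passed to the given audience?"""
    return audience in TLP_AUDIENCES.get(ind.tlp, set())


def build_index(indicators):
    """Repository lookup table keyed by the normalized observable."""
    return {ind.value.lower(): ind for ind in indicators}


def match_logs(index, lines):
    """Integration hook: pull observables out of each log line and return
    (indicator, priority, line) for every repository hit, in log order."""
    hits = []
    for line in lines:
        observables = set(IPV4_RE.findall(line))
        observables |= {d.lower() for d in DOMAIN_RE.findall(line)}
        for obs in sorted(observables):
            if obs in index:
                hits.append((index[obs], priority(index[obs]), line))
    return hits


if __name__ == "__main__":
    for ind, tier, line in match_logs(build_index(INDICATORS), SAMPLE_LOGS):
        print(f"[{tier}] {ind.value} ({ind.source}, {ind.tlp}): {line}")
```

Run stand-alone, the script reports one high, one low and one critical hit against the sample feed; the fourth line matches nothing. The point of the structure is that the repository carries its own rules: `priority` encodes how you rank what to act on first, and `shareable` encodes who may receive it, so the same record can drive both the SIEM feed and the communication plan.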

Realizing Capabilities

Assuming a strong foundation and the development of best practices, the payoff is the capabilities you realize. A mature intelligence program should provide a myriad of benefits to the enterprise, including:

  • Proactive threat detection
  • Effective and repeatable threat communications
  • Effective two-way information sharing
  • Threat trending and predictive analytics
  • Analytic/tactical support to security operations
  • Enterprise strategic decision support

I started this conversation with a statement that I believe in intelligence-driven over compliance-driven security programs. Compliance does matter, but the fact is that you can do both at the same time. However, the intelligence-driven security model allows for the best opportunity to achieve a predictive security state.


Get access to more content by becoming a member of Consortium today.

21, 2017

Security Awareness and Building a Security Culture

User awareness is an important but often-overlooked component of your cyber security program. Statistics show that between 70 and 80 percent of all cyber security breaches emanate from some form of user behavior. One of my favorite lines, “the greatest vulnerability sits between the chair and the keyboard,” was true in 2008 and is no less true today.

Creating a Culture of Security Awareness

So how do we reduce the risk of user error and vulnerabilities? Implementing a security awareness program is a necessary activity. However, instilling a culture of security is the most effective method for reducing user risk. According to a recent SANS Institute report, the greatest challenges impacting organizations around security awareness are time and communication. The lack of dedicated resources (time) is a key blocker, as many organizations think of security awareness as an afterthought or a compliance concern. Few have resources dedicated to a security awareness program; instead they assign those responsibilities as ancillary duties to their information technology team. Communication is another challenge. How, how often, and in what form does your organization deliver its security message? If it is only through online security awareness training, your program is likely failing.

Before you begin transforming your company’s security awareness, you need to define your current awareness maturity level:  

Baseline and Metrics
Before developing your program you must establish a reasonable baseline of where the organization stands. The best way that I have found to do this is to run a few internal phishing campaigns and capture and analyze the resulting data. Track at least two metrics that matter: the total click rate, and, from the same data, the percentage of people who go on to provide credentials. These data points should give a pretty good picture of the security awareness maturity of your organization.

Set your goals and objectives based on the results of those baselining activities. For example, if your internal phish indicates a click rate of 25% and a secondary credential compromise of 50% (of that 25%), then your goal could be to reduce those numbers to less than 10%.

Executive Buy-in
Executive leadership must buy in to the program and take an active role in its implementation. This could take the form of a monthly security newsletter authored by an executive. Regular security messaging, visible participation in security training, etc. display a security mindset from the top and are the best way to influence culture.

It should be stressed that information security is not only the responsibility of the Information Technology and Information Security teams but also of every member of the organization. This can be emphasized through the executive messaging, newsletters, etc. Security awareness is not your annual online security awareness training but a continual program that might include that training coupled with other activities.  

In my opinion, online training is generally not very good. It is hard to hold an employee’s attention during online sessions. How many times have you gone through one of these sessions while you were answering emails, taking phone calls, etc.? I know that I am guilty of this more times than I care to admit. Also, online training tends to become “check the box training,” meaning you have a requirement and the online training satisfies that requirement. All this being said, online training is the most prevalent means of providing security awareness today. In addition to the online training, I would include stand-and-deliver (in-person) training as well. In-person training from an engaging instructor increases the likelihood that your employees will remain engaged, provides the ability to give real-life examples from recent events, allows for questions and answers, etc.

Employee Buy-in
Encouraging participation and employee buy-in is an important aspect. Soliciting employee ideas, encouraging feedback, including recent events (breaches, scams, etc.), using real-life stories, and an engaging presenter all help to ensure employee participation.

Soft skills, the ability to communicate effectively, are critical to increasing the employee buy-in to your program. However, information security often is left to the IT department. In my experience, technologists are generally not the best communicators. Entities should look for effective communicators to deliver training and security specific messaging. This could be someone from HR, legal, or some other team in the organization. In addition to a more effective messenger, it also demonstrates that the security mindset is endemic across the organization, thus enhancing the culture of security. Also, the organization might consider bringing in outside expertise.  

Another way to ensure engagement with your users is to relate the training to their personal computer usage. Virtually everything that we might discuss from a corporate information security perspective translates directly to personal information security. The security culture should extend beyond the workplace and into the everyday life of your employees.  

Reinforce the Message
As stated, building a security posture is a continuous process encompassing all of the aspects discussed above. Training should include both online and in-person sessions. The training should be reinforced with messaging from senior leadership about security best practices, praise for employees who operate securely, and maybe even some kind of award system for employees or teams that perform best during awareness testing.

Finally, continue to measure your program. The internal phishing tactic mentioned earlier should be a regular part of your program. The two metrics (click rate and credential compromise) are good gauges of the effectiveness of your program. Also, through these tests, you may be able to identify your “serial clickers,” who can then be offered remedial training.
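The baseline metrics from the earlier section and the repeat testing described here, worked through in Python as an added example (not code from the article or from Consortium Networks). The campaign results are constructed so that the first campaign reproduces the article's own 25% click and 50% credential figures; the user names, the per-campaign result layout and the 10% goal threshold are assumptions.

```python
"""Phishing-simulation metrics: click rate, credential rate, goal check and
serial clickers across campaigns. Added illustration on constructed data."""

# Constructed recipient list (assumption).
USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]


def _campaign(clicked=(), submitted=()):
    """Per-user result for one campaign: (clicked link, submitted credentials)."""
    return {u: (u in clicked, u in submitted) for u in USERS}


# Constructed results for three simulated campaigns (not real data).
# Q1 reproduces the article's example: 2 of 8 clicked (25%), 1 of those 2 submitted (50%).
CAMPAIGNS = {
    "2017-Q1": _campaign(clicked=("alice", "bob"), submitted=("alice",)),
    "2017-Q2": _campaign(clicked=("alice", "bob")),
    "2017-Q3": _campaign(clicked=("alice",)),
}


def campaign_metrics(results):
    """The two metrics the article recommends: click rate over all recipients,
    and credential-submission rate among those who clicked."""
    total = len(results)
    clicked = sum(1 for c, _ in results.values() if c)
    submitted = sum(1 for c, s in results.values() if c and s)
    return {
        "recipients": total,
        "click_rate": clicked / total if total else 0.0,
        "cred_rate_of_clickers": submitted / clicked if clicked else 0.0,
    }


def meets_goal(metrics, threshold=0.10):
    """Goal from the article's example: both rates below 10% (threshold assumed)."""
    return (metrics["click_rate"] < threshold
            and metrics["cred_rate_of_clickers"] < threshold)


def trend(campaigns):
    """Click rate per campaign, in campaign order, for reporting to leadership."""
    return [(name, round(campaign_metrics(r)["click_rate"], 3))
            for name, r in campaigns.items()]


def serial_clickers(campaigns, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: remedial-training candidates."""
    counts = {}
    for results in campaigns.values():
        for user, (clicked, _) in results.items():
            if clicked:
                counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


if __name__ == "__main__":
    for name, results in CAMPAIGNS.items():
        m = campaign_metrics(results)
        print(f"{name}: click {m['click_rate']:.0%}, "
              f"creds {m['cred_rate_of_clickers']:.0%}, goal met: {meets_goal(m)}")
    print("trend:", trend(CAMPAIGNS))
    print("serial clickers:", serial_clickers(CAMPAIGNS))
```

The credential rate is deliberately computed over clickers rather than over all recipients, matching how the article states its 50% figure; keep that denominator fixed across campaigns or the trend line becomes meaningless. `serial_clickers` only counts clicks, not credential submissions, because the article's remedial-training trigger is repeated clicking.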

Creating a strong security culture takes time. Installing a strong security and security awareness program is key, but it must be more than just compliance with some regulation. The following steps should be helpful:

  • Baseline – Where do we stand today, where do we need/want to be
  • Executive Buy-in – Let your employees know that the C-suite is all in and expects everyone to take ownership of the program
  • Training – Design and deliver an effective training program, online and in-person training with an effective communicator
  • Employee Buy-in – Get your employees to buy into the program, relate information security to their personal security, tell real life stories, incentivize security, etc.
  • Reinforce the Security Message – With monthly newsletters and other leadership communications
  • Test, Test, Test – How do you demonstrate to leadership the return on investment? Internal testing is a good way to measure your organization's security awareness maturity

The Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization.  Reach out to us at for more information.


30, 2017

There Is No Network Security Without Visibility

I have been in the security business for a very long time, both in the physical and logical realm. In my previous roles and in my current role with Consortium Networks, I often ask our membership about their top five security concerns. Invariably visibility, or lack thereof, is in those top concerns. 

Let me first clarify what I'm talking about. Visibility to the CEO or board is generally something very different than visibility for the SOC manager. A CEO may want to know how the company’s security posture compares to peer companies. However, in this instance, I'm talking solely about the visibility of assets in your environment. 

You have probably heard the adage “You can’t protect what you can’t see.” The CIS Top 20 security controls list “Inventory of Authorized and Unauthorized Devices” as the number one control. Although I do not believe this list is prioritized, I think this is one of the most essential controls. So, what are some strategies and tools we can employ to achieve maximum visibility?

First off, obtaining visibility should be the cornerstone of your overall information security strategy. As the title of this article states, there is no security without visibility. So, understanding the assets in your environment is paramount. You must ensure you have the right tools in your environment, tools that provide a real-time inventory of authorized devices. Furthermore, these tools must alert whenever unauthorized devices pop up on your network. I have been involved in audits in which we identified substantial shadow IT infrastructures with direct (unsecured) connections to production networks.

The Risk of Network Security Without Visibility

I often ask members, “How many endpoints do you have in your environment?” After an investigation, the truth is usually 20 to 30 percent more than what the member thought they had. Situations like these put the entire enterprise at a significant risk. 

So, what do you need to address this challenge?

  • Senior leadership buy-in
  • Enforceable policy
  • A security strategy that includes asset management
  • The right tools
  • The right people

We'll assume that you have the senior leadership buy-in to take the necessary steps required to secure your environment (which would include asset management).  

The first logical step is the creation of an enforceable policy detailing what types of assets are allowed and not allowed, asset tracking, how assets are cataloged, and the process for adding and removing/disposing of assets.

Strategy - Asset management should be a key component of your overall information security strategy. Without a clear understanding of what devices (endpoints, servers, printers, etc.) are authorized to connect to the network, it is impossible to devise an effective security strategy.  Effective asset management will facilitate hardware and software management, license compliance, regulatory compliance, as well as security.  Therefore, it must be part of the overall security strategy. 

Tools - There are many tools that claim to map, categorize, catalog, track, alert on assets. One of the most significant benefits of membership to the Consortium is the ability to cut through the vendor noise and identify what is working for your peers and what is not. I have my opinion on tools that I think do the best job (and on those that I believe do not), but you can use our portal and review what the users are saying about the tools they use. This should help you make a more informed spending decision. 

People - Finally, you must build the right team. The pool of information security talent is shallow, and we all struggle with it.  Having the right team members, with the correct skills, in the right numbers, is crucial to every security program.  Attracting good talent is one issue, retaining that talent is another. Obviously, we must compensate appropriately. But also, we must provide other incentives to grow and keep our talent. Providing training, certifications, excellent working conditions, meaningful work, etc. will help retain the great talent you worked so hard to obtain. 

Building your security strategy must begin with simply knowing what is on your network. The explosion of IoT devices, BYOD, remote workers, contractors, etc. makes this a daunting but important task. However, cybersecurity best practice and regulatory compliance demand that we have a firm grasp of the assets in our environments.
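The policy-driven check this article calls for, reconciling what discovery sees on the wire against the authorized catalog and alerting on the difference, as an added Python example. It is not code from the article or from any Consortium Networks tool: the inventory CSV, the discovery snapshot and its "ip mac hostname" layout are constructed assumptions standing in for whatever your asset-management or scanning product exports.

```python
"""Reconcile a discovery snapshot against the authorized asset inventory.

Added illustration: both inputs are constructed here and the record layout is
an assumption, not any particular tool's export format."""
import csv
import io

# Constructed authorized inventory (the catalog your asset policy requires).
AUTHORIZED_CSV = """\
mac,hostname,owner,asset_type
00:11:22:33:44:01,ws-fin-01,finance,workstation
00:11:22:33:44:02,srv-db-01,it,server
00:11:22:33:44:03,prn-hr-01,hr,printer
00:11:22:33:44:04,ws-eng-07,engineering,workstation
"""

# Constructed discovery snapshot, one "ip mac hostname" line per device seen
# on the network (stand-in for an ARP/DHCP or scanner export).
DISCOVERED = """\
10.0.1.15 00:11:22:33:44:01 ws-fin-01
10.0.1.20 00:11:22:33:44:02 srv-db-01
10.0.1.31 AA:BB:CC:DD:EE:01 DESKTOP-K3J9
10.0.1.40 00:11:22:33:44:04 ws-eng-07
10.0.1.55 aa:bb:cc:dd:ee:02 camera-lobby
"""


def norm_mac(mac):
    """Normalize MAC spelling so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    return mac.strip().lower().replace("-", ":")


def load_inventory(csv_text):
    """Authorized inventory keyed by normalized MAC."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {norm_mac(r["mac"]): r for r in rows}


def parse_discovery(text):
    """Parse 'ip mac hostname' lines; skip blank or malformed lines."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ip, mac, hostname = parts
        devices.append({"ip": ip, "mac": norm_mac(mac), "hostname": hostname})
    return devices


def reconcile(inventory, discovered):
    """Return what the policy cares about: devices on the wire that are not
    authorized, authorized devices that were not seen, and the share of
    unknown devices among everything discovered."""
    seen = {d["mac"] for d in discovered}
    unauthorized = [d for d in discovered if d["mac"] not in inventory]
    missing = [rec for mac, rec in inventory.items() if mac not in seen]
    return {
        "unauthorized": unauthorized,
        "missing": missing,
        "unknown_share": len(unauthorized) / len(discovered) if discovered else 0.0,
    }


def alerts(report):
    """Alert lines for the SOC or ticketing system."""
    lines = [f"UNAUTHORIZED device {d['mac']} ({d['hostname']}) at {d['ip']}"
             for d in report["unauthorized"]]
    lines += [f"MISSING authorized asset {r['hostname']} ({r['mac']}, owner {r['owner']})"
              for r in report["missing"]]
    return lines


if __name__ == "__main__":
    rep = reconcile(load_inventory(AUTHORIZED_CSV), parse_discovery(DISCOVERED))
    for a in alerts(rep):
        print(a)
    print(f"unknown devices: {rep['unknown_share']:.0%} of what was discovered")
```

On the constructed data two devices are on the network without an inventory record and one cataloged printer was not seen. Both lists matter: the first is the shadow-IT case the article describes, and the second is how you catch assets that were disposed of without following the removal process. Keying on MAC rather than hostname is a deliberate choice, since hostnames are self-reported by the device.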

There are a number of tools that help automate the discovery of assets in an environment. These solutions range in price, complexity, and effectiveness. The Consortium Networks was developed to help you navigate through the maze of products and make the best spending decision for your organization. Reach out to us at for more information.


09, 2017

How Relevant is Security Convergence?

“Organizations should adopt a comprehensive and integrated strategy that encompasses all areas of security risk”
(ASIS Standard)

Historically many organizations have managed security functions as independent functions without recognition of the interdependencies between the physical and the logical security world. 

Convergence of the security disciplines is key to an effective enterprise security risk management program. Failure to integrate the disciplines would most likely increase the level of risk for an organization and could introduce unnecessary vulnerabilities. At a minimum, I am talking about the information and physical security world. But, one could also conclude that bringing in Privacy, Risk, Compliance and Governance also makes sense.

I am not surprised when I talk with a member company (or potential member company) to learn that their security functions are in silos with not much cross communication/collaboration going on. I have even been engaged with members whose information security and physical security functions operate in silos to the point where one side is unaware of the other’s activities. This is an obvious enterprise risk management (ERM) challenge, but there are organizations that continue to function in this manner.

Security Convergence: A Holistic Approach to Security

Converged security/risk management offers a more holistic approach, and there are many benefits. In addition to physical and logical security, risk management and general business benefits can also be realized. To be clear, I am not merely talking about the merger of security organizations (although that is a viable option), but more about developing practices, policy and governance that ensure that all security-related activities function in a coordinated way, with each discipline supporting the others.

The first benefit from convergence is the cost savings that can be realized. The re-alignment of teams may allow for better utilization of personnel resources. This could mean the re-allocation of resources to fill gaps, cross-training team members to perform multiple duties in either domain, etc. Leveraging teams in a more efficient manner makes good business sense and builds continuity across all of your security-related functions. Finally, convergence will reveal duplicate roles and allow for the opportunity to better address resource allocation.

Convergence should include convergence of technology as well. Think about the technology tools used in the physical security realm today: IP-based centralized security systems for CCTV, physical access control, alarm monitoring, and the associated systems. Bringing all of that together in a security operations center (SOC) provides a single collection and analysis point (or a few, if you run multiple SOCs) for security professionals. This enables the sharing of all relevant security/threat/risk data. Furthermore, having security analysts from both disciplines in the same SOC increases the likelihood and speed of information sharing across the teams. Bringing teams together is to everyone’s benefit.

Finally, security convergence can provide a single “hand to shake” for the organization. Alignment of all security functions under a single security organization led by an executive-level security person (be it CSO or CISO) would shorten the timeline of relevant information provided to senior leadership and decision makers. Furthermore, it should reduce instances of inaccurate or erroneous information making its way to the executive suite. Depending on the structure and culture of the organization, the CSO/CISO could report into the Chief Risk Officer, the Chief Information Officer or even the Chief Executive Officer. Also, security risk is a board-level conversation and should be sponsored by and owned at that level.

Benefits of security convergence include, but are not limited to:

  • Cost saving through the merger of teams and technologies
    • Reduction in tool duplication
    • Reduction in role duplication
    • Allows for the re-alignment of resources to better fit business/security goals
    • Improved information sharing
  • Increased efficiencies through the leveraging of the teams and technologies
  • Single point of contact for the flow of information to senior leadership
  • A single enterprise security vision
    • Elimination of internal “turf wars”
    • Elimination of silos of information
  • Improved alignment of business and security goals

The idea of security convergence is not new. In fact, convergence is happening whether you realize it or not. Use of the same infrastructure for information and physical access control is now common and can result in real savings, improved risk mitigation, and increased business and security efficiencies; we should continue down this path and accelerate the effort.


14, 2017

5 Fundamental Steps for Cyber Security

Every business connected to a network is a data-rich target for cybercriminals. “Ransomware,” a term rarely heard until a few years ago, is now a daily threat. IoT hacking, DDoS attacks, and internal threats are all a reality today as well, so the job of IT security teams is never complete. And as cyber threats and attack methods evolve, so must the way businesses think about IT security.

Michael Zanga, formerly of the Royal Bank of Scotland, stresses that having a cyber security policy document in place is the first step in protecting business data and other digital assets from malicious actors. “You have to start with a policy in place,” says Zanga, “and it has to be comprehensive across the organization.” But the policy is just that: a first step in a series of actions IT teams and businesses must commit to and stay on top of.

The whitepaper CISO Best Practices: The Starting Point for Cyber Security -- available to members of Consortium -- is based on the premise that, at some stage, all networks will face attacks that expose flaws in the system. On top of building a stakeholder approved policy document, the article covers four additional steps IT teams should take in order to be prepared for when the attack happens. These additional steps include:

  • Assuming you will be breached and developing a response plan
  • Using external parties to test the system and obtain valuable, independent assessment data on how to strengthen current and future security posture
  • Addressing the internal and external channels, including those that may come from stakeholders and employees
  • Planning ahead and instituting a system for promptly addressing ongoing changes

Join Consortium today to get access to the full article along with other information that will help keep your data, digital assets, and business brand secure.

01, 2017

Developing, Implementing and Maintaining a Data Loss Prevention (DLP) System

A data loss prevention (DLP) program ensures sensitive and critical data is not sent outside the corporate network in an unauthorized manner. Unfortunately, many organizations rely on a software-only approach to monitor and control the flow of data, resulting in large gaps that leave room for internal and external threats to damage business assets. Though technology plays an important role in any effective DLP program, it's only one component. Corporate governance, team resources, and processes also need to be established in order to maximize security within the DLP framework.

Developing a business-wide DLP program requires IT to create and conduct a detailed risk assessment. The results from the risk assessment inform the CISO and other corporate stakeholders on how to proceed in implementing a DLP program. The next step of the risk assessment stage, classification of breaches, requires CISOs to identify the type of incidents that lead to data loss. This stage also identifies which internal and external groups are most likely to trigger a data loss event. The final step for the CISO is to index which departments need to be involved as part of the DLP response plan.

After risk assessment planning, the real work begins. Implementing and monitoring, resolving challenges, sustaining the DLP program, and choosing between network and endpoint approaches are just some of the challenges CISOs face when keeping corporate data safe.

Join Consortium today to get access to the full Best Practices white paper. Inside, you'll see how one CISO successfully deployed a DLP solution along with the lessons he learned along the way.

Get access to the full article by becoming a member of Consortium today.

Ciso Best Practices Securing Big Data
28, 2017

Scattered data storage and access patterns have created a scenario where enterprise information is under constant threat from internal and external actors. It’s up to the CISO to design, develop, and implement a solution that secures big data and drives business value across the organization. The CISO must also be able to justify the big data security plan to the Board and obtain critical stakeholder buy-in.

Michael Zanga, former CAO of the Royal Bank of Scotland, understands the big data strategies faced by CISOs. In this article, he shares his best practices for:

Cleaning Big Data

Data needs to be unified, tidied, and cleaned before any thoughtful analysis can begin. More importantly, practicing good data hygiene gives all stakeholders access to the data in a way that can be understood or easily explained.

Addressing Access, Control, and Validation Concerns

After cleaning data, CISOs need to use the data patterns to identify scenarios and situations that constitute a red flag.

Presenting Big Data to the Board

CISOs should present big data findings to the board in the simplest way possible. Board experts need answers and solutions to business problems - not how to become experts in the language and practices of big data.

Leveraging Big Data to Drive Business Value

The problems that big data exposes can also be turned into business opportunities. The more data that enters the system, the more value CISOs can extract.
