Some solutions (e.g. FireEye ISight) can provide a daily feed in which they mention each reported issue with its severity and priority. Usually those companies do some basic research and look for exploits in the wild, then estimate the severity and priority of the intel feed, but many companies don't have the funds for such services. We want to make sure we set our responding teams and our asset owners to follow up with actions to mitigate the reported feed. How do we calculate the prioritization and severity of an intel feed?
-
Isn't this the same question as your other one? https://security.stackexchange.com/questions/194915/how-should-we-mitigate-threats-that-are-keep-coming-to-our-security-monitoring-s – schroeder Oct 03 '18 at 12:26
-
The answer to both is the same: you choose what to prioritise by determining if you are vulnerable to that threat – schroeder Oct 03 '18 at 12:27
-
@schroeder your answer is great and helps a lot! The other question you mentioned is different and I will make it more specific. – Filipon Oct 03 '18 at 13:40
1 Answer
The whole point of threat feeds and threat news is to determine if those threats are relevant to you. No outside source can make that determination for you.
The idea is to perform a risk assessment. It's all about risk.
Assuming that the listed threat is very likely (or certain), is your system/organisation vulnerable to that threat? Do you have mitigations in place to handle the threat or does the threat even apply to you?
If the threat is likely to have an impact, what is the size of that impact?
So if the threat intel says that there is a new Apache exploit in the wild, and you do not use Apache, then there is no risk (assuming that you truly do not use Apache and there isn't a hidden service somewhere). If you use Apache, but the server processes public data, you can respawn the server without downtime, and by gaining access to the server an attacker gains no further access anywhere else, then your impact, and therefore your risk, is likely very low.
Once you understand the risk, then you can prioritise appropriately.
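The triage the answer describes (first check whether the threat applies to anything you run, then size likelihood and impact, then rank) is easy to mechanise once you have an asset inventory. The script below is an added example, not code from the original post or from any vendor feed; the feed entries, the hosts, the field names and the 1..5 scoring weights are all constructed for illustration, and the likelihood x impact scale is a common convention rather than anything the answer prescribes. Note how the same "critical" Apache entry lands at very different local risk depending on which host it hits, while the entry for a product not in the inventory drops out entirely.

```python
"""Triage threat-intel feed entries against a local asset inventory.

Added example, not from the original post or any vendor product. Feed
entries, assets and scoring weights are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49). Non-numeric suffixes are ignored (assumption)."""
    out = []
    for part in v.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        out.append(int(digits) if digits else 0)
    return tuple(out)


@dataclass
class FeedEntry:
    feed_id: str
    product: str
    affected_max: Optional[str]   # highest affected version; None means all versions
    exploit_in_wild: bool         # the feed's claim about active exploitation
    vendor_severity: str          # what the feed says; we do NOT rank on this


@dataclass
class Asset:
    name: str
    product: str
    version: str
    internet_facing: bool
    data_sensitivity: int   # 1 = public data, 2 = internal, 3 = regulated/secret
    rebuild_minutes: int    # time to respawn the host from a clean image
    pivot_paths: int        # known onward access from this host (creds, trusts, VPN)


@dataclass
class Finding:
    feed_id: str
    asset: Optional[str]
    likelihood: int
    impact: int
    risk: int
    note: str


def is_vulnerable(entry: FeedEntry, asset: Asset) -> bool:
    """Step 1 of the answer: does the threat even apply to this asset?"""
    if asset.product.lower() != entry.product.lower():
        return False
    if entry.affected_max is None:
        return True
    return parse_version(asset.version) <= parse_version(entry.affected_max)


def likelihood(entry: FeedEntry, asset: Asset) -> int:
    """1..5: exploit code in the wild and internet exposure each add 2."""
    score = 1
    if entry.exploit_in_wild:
        score += 2
    if asset.internet_facing:
        score += 2
    return score


def impact(asset: Asset) -> int:
    """1..5: data sensitivity, slow rebuild and onward access drive impact."""
    score = asset.data_sensitivity
    if asset.rebuild_minutes > 60:
        score += 1
    if asset.pivot_paths > 0:
        score += 1
    return min(score, 5)


def triage(feed: List[FeedEntry], assets: List[Asset]) -> List[Finding]:
    """Score every (feed entry, affected asset) pair; highest local risk first."""
    findings: List[Finding] = []
    for entry in feed:
        hits = [a for a in assets if is_vulnerable(entry, a)]
        if not hits:
            findings.append(Finding(entry.feed_id, None, 0, 0, 0,
                                    "not applicable: no affected asset in inventory"))
            continue
        for a in hits:
            lk, im = likelihood(entry, a), impact(a)
            findings.append(Finding(entry.feed_id, a.name, lk, im, lk * im,
                                    f"feed says {entry.vendor_severity}, local risk {lk * im}/25"))
    return sorted(findings, key=lambda f: f.risk, reverse=True)


# Constructed sample feed and inventory (not real advisories or hosts).
FEED = [
    FeedEntry("TI-001", "Apache httpd", "2.4.49", exploit_in_wild=True, vendor_severity="critical"),
    FeedEntry("TI-002", "Exim", None, exploit_in_wild=True, vendor_severity="critical"),
    FeedEntry("TI-003", "OpenSSH", "8.3", exploit_in_wild=False, vendor_severity="high"),
]
ASSETS = [
    Asset("web-public", "apache httpd", "2.4.49", True, 1, 5, 0),     # public data, respawnable, isolated
    Asset("intranet-hr", "apache httpd", "2.4.41", False, 3, 240, 2),  # HR records, slow rebuild, AD creds
    Asset("bastion", "openssh", "8.2", True, 2, 30, 3),                # exposed, jump host into the network
]

if __name__ == "__main__":
    for f in triage(FEED, ASSETS):
        print(f"{f.feed_id:7} {str(f.asset):12} L={f.likelihood} I={f.impact} risk={f.risk:2}  {f.note}")
```

The interesting row is the internal HR server: the feed entry is the same "critical" Apache item, but because that host holds sensitive data, takes hours to rebuild and carries credentials onward, it outranks both the exposed public web server (risk 5) and the exposed bastion with a merely "high" SSH entry (risk 9). Replace the hard-coded inventory with a pull from your CMDB or scanner output and the weights with whatever your own risk register uses; the structure of the check is what matters.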