A Good Question: Should we Focus on Threats or Just Vulnerabilities?

My post “Should we Focus on Threat Assessment or Just Vulnerabilities” just went up on RSA’s blog. Hopefully it will reach a wider (or different) audience there than we have here, and also drive some traffic back to an important post I did last year on community-based defense.

The post notes that despite the growing industry emphasis on the value of threat intelligence as awareness of APT attacks grew during the early 2010s, challenges remain with security data sharing.

“…threat assessment and security data sharing hasn’t become the panacea some had hoped for. CISPA failed to pass on privacy fears. Some enterprises still struggle with policies and operational challenges for security data sharing on threats. Meanwhile, threat attribution remains challenging. With actual or possible future physical crimes, one can often put a face to the threat. Not so with more amorphous cybercrimes. And even if you do pinpoint a cyberattack to a particular person or IP address, it may be difficult to prove the crime occurred and/or prosecute it in a foreign jurisdiction. “Hacking back” is almost never recommended for private companies and most other organizations.”

These challenges won’t be resolved with any magic bullet anytime soon. Meanwhile, as I say in the RSA post, “IT risk mitigation requires a focus on both threats and vulnerabilities. Enterprises should make appropriate use of threat intelligence, threat assessment, and security data sharing.” Please check it out.
