Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity

This week, Allan is joined by some serious heavy hitters in cyber. Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Enginuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&ACK, and the implications for all of us.  Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally from a threat-informed defense or to start with a framework and back into vulnerabilities. The implications for our industry are huge.

They also discuss briefly an overview of the bi-partisan work in both the Executive and Legislative branches to further cybersecurity interests and the release of CMMC v 2.0. This show is packed.

Key Takeaways:

01:58 Backgrounds

04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities

07:45 Helping organizations prioritize vulnerabilities

11:31 Starting with either framework or threats: Which is better?

14:18 Seeing through the politics - What is actually happening behind the scenes?

19:07 Developing the mapping

23:54 Since the invention of CVE

26:14 CMMC v 2.0

29:37 How do we change the game?

31:09 Getting a large organization to agree with vulnerability prioritization

Links:

Follow Richard Struse on LinkedIn

Keep up with Jon Baker on LinkedIn

Follow Jonathan Reiber on LinkedIn & his website

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store

Learn more about Hacker Valley Studio and The Cyber Ranch Podcast

Sponsored by our good friends at Attack IQ