Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity

The Cyber Ranch Podcast - A podcast by Allan Alford - Wednesdays

This week, Allan is joined by some serious heavy hitters in cyber: Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us.

Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally: to start from a threat-informed defense, or to start with a framework and back into vulnerabilities. The implications for our industry are huge. They also give a brief overview of the bipartisan work in both the Executive and Legislative branches to further cybersecurity interests and of the release of CMMC v 2.0. This show is packed.

Key Takeaways:
01:58 Backgrounds
04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities
07:45 Helping organizations prioritize vulnerabilities
11:31 Starting with either framework or threats: Which is better?
14:18 Seeing through the politics - What is actually happening behind the scenes?
19:07 Developing the mapping
23:54 Since the invention of CVE
26:14 CMMC v 2.0
29:37 How do we change the game?
31:09 Getting a large organization to agree with vulnerability prioritization

Links:
Follow Richard Struse on LinkedIn
Keep up with Jon Baker on LinkedIn
Follow Jonathan Reiber on LinkedIn & his website
Follow Allan Alford on LinkedIn and Twitter
Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast

Sponsored by our good friends at AttackIQ