November 10, 2021

Threat-Informed Defense, CISA, CVEs and ATT&CK w/ MITRE Engenuity

by Cyber Ranch

Show Notes

This week, Allan is joined by some serious heavy hitters in cyber: Richard Struse (Director for the Center for Threat-Informed Defense at MITRE Engenuity), Jonathan Baker (Director of Research & Development, Center for Threat-Informed Defense at MITRE Engenuity), and Jonathan Reiber (Sr. Director for Cybersecurity Strategy and Policy @ AttackIQ). The four are here to have a conversation about CISA's new BOD that outlines 290 key vulnerabilities that require focus, the coincidental mapping of the CVE database to MITRE ATT&CK, and the implications for all of us. Of special note is the fact that ATT&CK is already mapped to NIST SP 800-53, meaning that we now have an opportunity to move bi-directionally: to start from a threat-informed defense, or to start with a framework and back into vulnerabilities. The implications for our industry are huge.

They also briefly discuss the bipartisan work in both the Executive and Legislative branches to further cybersecurity interests, and the release of CMMC v 2.0. This show is packed.


Key Takeaways:

01:58 Backgrounds

04:02 CISA – BOD 22-01, highlighting the key 290 known vulnerabilities

07:45 Helping organizations prioritize vulnerabilities

11:31 Starting with either framework or threats: Which is better?

14:18 Seeing through the politics - What is actually happening behind the scenes?

19:07 Developing the mapping

23:54 Since the invention of CVE

26:14 CMMC v 2.0

29:37 How do we change the game?

31:09 Getting a large organization to agree with vulnerability prioritization



Follow Richard Struse on LinkedIn

Keep up with Jon Baker on LinkedIn

Follow Jonathan Reiber on LinkedIn & his website

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store

Learn more about Hacker Valley Studio and The Cyber Ranch Podcast

Sponsored by our good friends at AttackIQ