Feedly

An executive once asked me how security was doing. Innocent question, right? I mentioned a report I was writing that I'd be sharing with him at some point. I tried to BLUF it as best I could. He kind of nodded, then told me what he actually cared about: blocks and impact. It made a lot of sense, but hearing it out loud reshaped how I think about measuring a CTI team. The trouble is -- when security works, attacks don't happen. So how do you measure something that didn't happen? In our next Feedly CTI Sessions, Shawn Jaques and I will cover how to: - Separate the real metrics from vanity metrics - Adapt to your audience, since a SOC lead, a CISO, and a CFO all want different things - Build an ROI case that holds up when the top pushes back If you've ever felt like your team's work isn't getting the recognition it deserves, this one's for you. See you there👇

Cyber threat intelligence often involves making sense of incomplete information. Analysts reason through uncertainty to provide decision-makers with actionable insights. I had a chance to talk about this and a lot more with Baso M. from British Airways and Margherita Copioli from FINCANTIERI in a recent Feedly CTI Session hosted by Denise Claris. We went deep on what actually builds a career in CTI, including which certifications move the needle and how analysts from different backgrounds end up learning similar lessons. Check out the full article and recording on TI Essentials: https://lnkd.in/gUHZH_Dt #CTI #cybersecurity

Most CTI teams I talk to are doing incredible work, yet many struggle to translate their value into something leadership can see. The gap between the value a CTI program delivers and what leadership sees is a solvable problem. That's what Dave Johnson and I are tackling in CTI Session #025: Proving CTI value: Metrics program leaders need to communicate impact on June 17 at 9AM PST. We'll walk through the metrics that resonate at each stage of program maturity, how to build a business case that earns your CISO's confidence, when ROI is the right tool, and when it isn't. If you've ever had to translate threat intelligence into business impact, come spend an hour with us! We'd love to hear your challenges and try to answer your questions. p.s. This is not a pitch about Feedly's ROI, which is solid by the way. ;-) Register 👇 https://lnkd.in/gF5Hv35V

CTI practitioners are great at tracking adversaries but the best ones are also great at telling the story of why it matters. Join us for CTI Session #025: Proving CTI value: Metrics program leaders need to communicate impact on June 17 at 9AM PST with Shawn Jaques and Dave Johnson. We’ll break down the metrics that matter most at each stage of program maturity, and how to build a business case that earns confidence from your CISO and leadership team. Whether you're heading into budget season or making the case for your program's next phase, this one's worth an hour. See you there👇 https://lnkd.in/gSQKT7P4

You don't need a perfect background to build a career in cyber threat intelligence. You need the right mindset and a few honest conversations. Audra Streetman (now at Splunk) came from journalism. Baso M. (now at British Airways) from aviation technology. Margherita Copioli (now at FINCANTIERI) from IT and OT security. Three different paths, three different starting points and a lot of tips they wish they would have known sooner. Here’s an honest conversation around: which certifications actually matter, what no curriculum teaches, and what separates analysts who produce technically accurate intelligence from analysts who produce intelligence people actually use. The full article is on TI Essentials: https://lnkd.in/gMTY2CPQ

"How do I move into CTI?" I've been asked this question a lot so I'm very happy to share the answers from 3 leading CTI analysts. Denise Claris interviewed Audra Streetman (Splunk), Margherita Copioli (Fincantieri), & Baso M. (British Airways), here's the writeup: https://lnkd.in/eXb6AA2M Huge thank you for answering questions I know a lot of folks have right now!

Super excited to announce the CTI workflow automation guide will be ready next week! The workflows featured in the report include: 1. Mapping & visualizing TTPs from intel reports in MITRE 2. Ticket creation 3. Controls recommendations relevant to your assets 4. Producing a recurring threat landscape report 60% of 141 respondents voted in a LI poll for this resource to be created so if you voted, keep an eye on this post as I’ll drop a link in the comments once the report is ready.

Great threat intelligence platforms deserve great intelligence flowing into them. We're excited to share our new integration with OpenCTI by Filigran and a sneak peek of how Feedly Threat Intelligence automatically monitors your intelligence requirements and delivers low-noise, structured, contextual OSINT directly into your OpenCTI knowledge graph so your analysts can jump straight to pivoting and investigating. Read the full integration overview on our New Features blog: https://lnkd.in/egTE3GQj Filigran

Paul McCarty and I recently collaborated with Feedly on a guide to using GitHub as a collection source for malicious open source. This is an important technique for CTI analysts and researchers because it provides an evidence-based picture of how threat actors are abusing open source infrastructure, which campaigns are active, and which parts of the developer ecosystem are being targeted. A well-evidenced campaign cluster tells your engineering team which repositories in your dependency graph to audit first, gives your security operations team hunting queries tied to confirmed infrastructure, and gives leadership a threat picture with enough specificity to prioritize remediation. An IOC list without that context asks people to act without understanding what they are acting on. Get the guide: https://lnkd.in/gaX8ZRXU

GitHub is one of the most consistently productive collection sources available for malicious OSS threat intel, but only if you know what signatures to search for and how to interpret what you find. That's why we collaborated with Feedly to share a guide on how to do it. Check it out and let us know what you think >>> https://lnkd.in/g5cASFva We walk through the specific techniques using real North Korean Lazarus Group campaign artifacts as examples: - How threat actors hide payloads on GitHub - Practical collection techniques for surfacing payloads on GitHub - Decoding, retrieving, and characterizing malware payloads - Pivoting across GitHub and beyond to map adversary infrastructure - Distinguishing malicious payloads from poor engineering practices This process gives you a current, evidence-based picture of how threat actors are abusing open source infrastructure, which campaigns are active, and which parts of the developer ecosystem are being targeted. A well-evidenced campaign cluster tells your engineering team which repositories in your dependency graph to audit first, gives your security operations team hunting queries tied to confirmed infrastructure, and gives leadership a threat picture with enough specificity to prioritize remediation. An IOC list without that context asks people to act without understanding what they are acting on.