Three Pillars Of Proactive Security: A Threat-Led Approach To Defense

Forbes, 2 days ago
Tony is CEO at CyberProof and is a CISO at UST. CyberProof, a UST company, is an advanced managed detection and response provider.
It's undeniably becoming harder to stay ahead of the expanding wave of cybersecurity threats. We are witnessing an unprecedented surge in sophisticated, often "branded," cybercriminal enterprises, meticulously targeting everything from critical manufacturing plants to vulnerable hospital networks with devastating ransomware and social engineering attacks. The financial toll is staggering, with the FBI estimating global victim costs totaling over $16 billion in 2024 alone.
Large, complex organizations with siloed teams, running applications and systems both on-premises and in the cloud, add another layer of difficulty. Managing an inventory of assets and applications, the risk they impose, and the security policies and controls that apply to them is often a difficult task for under-resourced teams.
A Strategic Shift: Starting With Clarity, Guided By Threat Intelligence
A more effective approach necessitates a strategic shift from reactive firefighting to informed, threat-led defense. Threat-led defense focuses on providing clarity: understanding what an organization owns in terms of assets and the risk those assets impose, which exposures and priorities are relevant to the organization, and addressing what matters most—optimizing the defenses and controls where needed. It's a three-phase strategy designed to align asset visibility and risk, threat exposure, and detection and response tools in a continuous, integrated lifecycle. The overall objective is to transform Governance, Risk and Compliance (GRC) so that it produces better outcomes in security investment and security posture.
This strategic shift is fundamentally driven by the MITRE threat-informed defense (TID) concept. It involves collecting and analyzing data about the threat landscape, identifying the most likely and dangerous threats for that organization and using that information to guide the selection and implementation of detection playbooks and security controls. This strategic approach can be viewed as a system built on three interconnected pillars, transitioning from a strategy focused on visibility to one of informed action.
Pillar 1: Estate Management—Understand Your Technology Environment
The first step is to ensure that your asset estate is well-managed. Where IT teams are responsible for onboarding and managing IT assets, security teams should look for policy violations or discrepancies. Security teams have a tremendous amount of telemetry from vulnerability scanners, cloud posture management solutions, cloud inventory and other security solutions. Unfortunately, few organizations utilize this information to enhance the quality of their asset data.
One example is the identification of unmanaged or suspicious assets. The riskiest asset is the one you don't know about: the one that isn't covered by your vulnerability scanner or that has no EDR installed. A well-managed cyber estate is one where unmanaged assets are discovered quickly and brought under control, but that's not all. It should also ensure that asset configurations meet policy requirements, that assets are tagged accurately and grouped into risk categories and, finally, that each asset has a clear, accountable owner.
This continuous understanding of the complete estate is critical for the future of security operations, particularly with the rise of agentic AI. While AI agents for threat hunting or security analysis are emerging, to make them truly effective these models must have context about the IT environment. This data itself is extremely sensitive, as it could provide a clear path for potential attackers if compromised. A well-managed estate, on the other hand, is the essential foundation for this data-driven, AI-enabled future.
Pillar 2: Exposure Management—Prioritize Exposures That Matter
Once you have a clear picture of your estate and your assets are managed by your security solutions, the next step is understanding your threat exposure. This involves identifying where your environment is exposed to threats.
This pillar involves analyzing your exposures from various sources, including vulnerability scanners, cloud posture management solutions, application security solutions, endpoint detection and response solutions and more. It requires correlating all of this information and prioritizing it relative to your organization's top threat actors. Exposure management is the process of deriving insights from your asset inventory and vulnerability data, and contextualizing them with threat intelligence to identify where the real, exploitable risks lie. It prioritizes these exposures based on their business risk, considering whether they are likely to be exploited by relevant threat actors.
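To make Pillars 1 and 2 concrete, here is an added example (not code from the article or from CyberProof) that takes a CMDB, a vulnerability scanner export and an EDR coverage list, reports unmanaged assets and policy gaps, and then ranks exposures by asset risk category and by whether a prioritized threat actor is known to use the vulnerability. All hostnames, CVE labels and actor names are constructed placeholders.

```python
"""Added example (not from the article): reconcile asset data from three
sources to find unmanaged assets and policy gaps (Pillar 1), then score
exposures by asset risk and threat-actor relevance (Pillar 2).
All inventories, CVE names and actor names are constructed placeholders."""

# Constructed CMDB records: owner and risk category per host.
CMDB = {"web-01": {"owner": "app-team", "risk": "high"},
        "db-01": {"owner": "dba", "risk": "critical"},
        "lab-07": {"owner": None, "risk": None}}
# Constructed vulnerability scanner output and EDR coverage.
SCANNER = {"web-01": ["CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2"],
           "db-01": ["CVE-PLACEHOLDER-3"],
           "kiosk-3": ["CVE-PLACEHOLDER-1"]}
EDR = {"web-01", "db-01"}
# Constructed threat intelligence: CVEs used by the organization's priority actors.
ACTOR_CVES = {"ActorX": {"CVE-PLACEHOLDER-1"}, "ActorY": {"CVE-PLACEHOLDER-3"}}
# Risk-category weight; an unknown category gets a medium weight, not zero.
RISK_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1, None: 2}


def estate_findings(cmdb, scanner, edr):
    """Pillar 1: every host seen by any source is checked for coverage gaps
    (not in CMDB, no EDR, never scanned) and for policy gaps (no owner,
    no risk tag). Taking the union is what makes unknown assets visible."""
    findings = []
    for host in sorted(set(cmdb) | set(scanner) | set(edr)):
        if host not in cmdb:
            findings.append((host, "not in CMDB"))
        if host not in edr:
            findings.append((host, "no EDR"))
        if host not in scanner:
            findings.append((host, "not scanned"))
        if host in cmdb and not cmdb[host].get("owner"):
            findings.append((host, "no owner"))
        if host in cmdb and not cmdb[host].get("risk"):
            findings.append((host, "no risk tag"))
    return findings


def prioritize_exposures(cmdb, scanner, actor_cves):
    """Pillar 2: score each (host, CVE) pair by the asset's risk category,
    doubled when a prioritized threat actor is known to use that CVE."""
    scored = []
    for host, cves in scanner.items():
        weight = RISK_WEIGHT[cmdb.get(host, {}).get("risk")]
        for cve in cves:
            actors = sorted(a for a, used in actor_cves.items() if cve in used)
            scored.append((weight * (2 if actors else 1), host, cve, actors))
    return sorted(scored, reverse=True)
```

Note that the kiosk host appears only in the scanner output: it is flagged as unmanaged in Pillar 1, yet still receives an exposure score in Pillar 2, which is the reconciliation the article calls for.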
Pillar 3: Defense Management—Detect And Respond
The final pillar is defense management, which includes the ability of your security operations to detect and respond to threats. This phase utilizes technologies such as SIEMs and EDRs to establish a cohesive detection and response framework. It's also where emerging capabilities, such as agentic AI for threat hunting, can be deployed effectively, as they have access to the necessary environment and threat actor data. It prioritizes the development of detection and response playbooks (use case management) to guide threat teams in analyzing security event data, identifying indicators of compromise (IoC), triaging and then mitigating incidents.
An optimized defense management model is informed by insights from targeted threat actors and the tactics and techniques they use. It is about proactively creating detection mechanisms that address the entire attack path used by a threat actor, rather than individual alerts or detections. Effective defense management means taking the prioritized list of threat actors, understanding their attack patterns and using the more advanced orchestration and automation capabilities of a modern security operation, such as alert grouping by time, to provide more sophisticated and accurate detection and faster response.
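The "alert grouping by time" idea above, as an added example that is not the article's or any vendor's code: alerts are clustered per host into time windows, and each cluster is checked for an actor's attack path (an ordered list of techniques) rather than for single alerts. The alert records, technique labels, the 30-minute window and the actor profile are constructed for illustration.

```python
"""Added example (not from the article): group alerts by host and time
window, then match each cluster against a prioritized actor's attack path.
All alerts, technique labels and the actor profile are constructed."""
from datetime import datetime, timedelta

# Constructed alerts: (ISO timestamp, host, technique label). Each one is
# low-value alone; the sequence on one host within a window is the signal.
ALERTS = [
    ("2025-08-06T09:00:00", "ws-12", "phishing-attachment"),
    ("2025-08-06T09:04:00", "ws-12", "office-spawns-shell"),
    ("2025-08-06T09:15:00", "ws-12", "credential-dumping"),
    ("2025-08-06T14:30:00", "ws-12", "office-spawns-shell"),
    ("2025-08-06T09:02:00", "srv-03", "credential-dumping"),
]
# Constructed profile of a prioritized actor: the ordered path to cover.
ACTOR_PATHS = {"ActorX": ["phishing-attachment", "office-spawns-shell",
                          "credential-dumping"]}
WINDOW = timedelta(minutes=30)  # assumed grouping window


def group_by_host_and_time(alerts, window=WINDOW):
    """Cluster alerts per host; a new cluster starts when the gap since the
    previous alert on that host exceeds the window."""
    clusters = {}
    for ts, host, tech in sorted(alerts):
        t = datetime.fromisoformat(ts)
        host_clusters = clusters.setdefault(host, [])
        if host_clusters and t - host_clusters[-1]["last"] <= window:
            host_clusters[-1]["techs"].append(tech)
            host_clusters[-1]["last"] = t
        else:
            host_clusters.append({"start": t, "last": t, "techs": [tech]})
    return clusters


def match_attack_path(cluster_techs, path):
    """True if every technique of the path appears in order in the cluster
    (other alerts may be interleaved)."""
    i = 0
    for tech in cluster_techs:
        if i < len(path) and tech == path[i]:
            i += 1
    return i == len(path)


def attack_path_hits(alerts, actor_paths):
    """Return (host, cluster start, actor) for each cluster that covers a
    full attack path; this is what gets escalated, not the single alerts."""
    hits = []
    for host, host_clusters in group_by_host_and_time(alerts).items():
        for cluster in host_clusters:
            for actor, path in actor_paths.items():
                if match_attack_path(cluster["techs"], path):
                    hits.append((host, cluster["start"].isoformat(), actor))
    return sorted(hits)
```

The lone credential-dumping alert on srv-03 and the afternoon alert on ws-12 do not escalate on their own; only the morning cluster on ws-12, which covers the whole path, does.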
A Framework For Continuous Risk Reduction
Combining these three pillars creates a powerful framework:
• Asset Estate Management: Knowing if your environment is well-managed
• Exposure Management: Prioritizing exposures that matter most to you
• Defense Management: Prioritizing detection and response for optimal remediation
This integrated approach, supported by a platform that connects these areas, enables organizations to gain a unified view of risk and a quantitative approach to prioritizing the right investments needed to manage that risk. It also helps security teams achieve better security outcomes by providing clarity on what matters. As a result, security is transformed from a reactive, siloed struggle into a proactive, intelligent and continuously improving function focused on reducing risks that truly impact the business.