Tom Kellerman told iTWire in response to queries that once defensive teams gained better visibility, they would be able to anticipate things when it came to incident response, rather than responding to an attack when it took place.
He emphasised the importance of threat intelligence, which he said was "critical for building a strong security posture. It allows organisations to discover new threats and proactively put up barriers to defend against them. Without threat intelligence, organisations become reactive. Threat intelligence feeds must be integrated into endpoint detection and response and they should be relevant to the specific threats facing an organisation's industry.
"This also allows organisations to proactively hunt out prospective threats," he said. "This is increasingly important in today’s landscape, with more attackers seeking to linger for long periods on a network and more vulnerable endpoints online via remote access and distributed workforces.
Kellerman said there were plenty of sources from which could draw data from for threat intelligence, two of them being the Cyber Security and Infrastructure Security Agency and the Cyber Fraud Taskforces of the United States Secret Service.
He said too much importance was given to indicators of compromising which placed the emphasis on the weapon, rather than the attacker. "The focus needs to be shifted to the attacker and the larger campaign of intrusion which is where MITRE ATT&CK techniques, tools and protocols and the combination of those TTPs in the wild come in," he added.
He categorised Linux networks as the most intricate when it came to defence, adding that container security would be the most important area to look to in the future.
Asked about organisations that tended to create a checklist and grade security against conformance to that list, Kellerman said compliance did not equate to security. "Organisations must allow offence to inform defence with regular threat hunting," he said. "Additionally, it is imperative that organisations integrate security controls."
Kellerman said threat intelligence should be context-driven for environments, industries and threat profiles. "Organisations leveraging threat intelligence, endpoint detection and response, and threat hunting can suppress and take the steps to adversaries in real time," he added.