ECS Cyber Pros Discuss Intelligence-driven Security and Share Insights and Best Practices
Recently, members of our massive corps of ECS cybersecurity pros gathered to discuss intelligence-driven security. As these cyber leaders are working to protect some of the biggest and most critical government and commercial networks in the world, the conversation was lively and jam-packed with information and insights.
Here are some conversation highlights:
MARK MAGLIN
Vice President, Cybersecurity Services, Defense and Intel

“As a former naval aviator and intelligence officer, I know how critical actionable and trusted intelligence is in driving decisions and action across any battlefield — virtual or physical. Over 2,500 years ago, Sun Tzu wrote ‘If you know the enemy and know yourself, you need not fear the result of a hundred battles.’ In cybersecurity, self-knowledge is as important as knowledge of the adversary, which is how intelligence drives security.
Having led the development and fielding of the SharkSeer cyber defense tool and the Enhanced Shared Situational Awareness (ESSA) initiative, I know it’s critically important to have visibility of all your assets and users and to know your risk posture.
Too often, we spend precious resources on low probability events. You need to know your critical cyber terrain, mission or business impact, and your vulnerabilities. Even though the NIST Common Vulnerability Scoring System (CVSS) may be high, it may not apply to your mission.
You must know your enemy. What do they want? There are numerous threat intelligence feeds that should be tailored to your environment and mission. We can dramatically improve the ways we share the threat intelligence we gather on our own networks, to protect the collective society. The technology is there, but policy is often not aligned. We are stronger together, using our crowd sourced intelligence to drive security.”

DAVE HOWARD
Senior Director, Cyber Operations, Enterprise Managed Services

“To navigate on land, you guide yourself with a compass. To traverse the complex terrain of cybersecurity, your teams need a precision instrument akin to a compass. Intelligence-driven security is that instrument.
By driving security with intelligence, your teams can chart the most efficient and secure course through their daily tasks and remain focused on the most critical threats. This strategic tool is essential for maintaining a resilient and proactive security posture.
I have seen firsthand at a national level and across federal, state, and commercial organizations the challenges of focusing on the right things at the right time. There’s no easy way for defenders to detect every tactic or technique that actors use in the wild.
However, by leveraging a proven threat intelligence framework, like the MITRE ATT&CK Framework, we can focus on the threat actors and their associated tactics, techniques, and procedures (TTPs) that present the greatest risk to ECS and our customers.
MITRE ATT&CK enables defenders to understand and counteract adversaries. Security teams can also leverage the framework to develop more robust defensive measures, driving an adaptive and proactive security posture.”
GREG SCHEIDEL
Chief Cybersecurity Officer, Cyber Division

“A good working definition of intelligence-driven security is: Proactive security that’s informed by up-to-date information on our environment and relevant threats, so that we can prioritize the highest-risk issues.
This prioritization is important because we always have more to do than we can accomplish. Even if we have an unlimited budget (which none of us do), we’re always constrained by time.
Examples of intelligence data that we can use include:
- Critical asset inventory
- Current operating state of the environment
- Abnormalities or unusual activity
- Attacker attributes most relevant to our business and data
- Status of commonly exploited vulnerabilities (for example, Cybersecurity and Infrastructure Agency Known Exploited Vulnerabilities and ECS Pathfinder)
We should constantly adjust our security based on the latest information. And I deliberately frame this topic as ‘intelligence-driven security,’ not ‘threat intelligence-driven security,’ because I think it is bigger than just threat intelligence. Threats are a big part of it, but so is knowledge of our environments.”

RYAN FURR
Director, Cyber Threat Analysis Center, Enterprise Managed Services

“As threat analysts, we focus on analyzing relevant data and the current state of the environment by pinpointing abnormalities and unusual activity. I always ask ‘what can this information do for us?’ This question is fundamental because it’s about recognizing the value of the intelligence we gather and determining the most effective ways to apply it.
Valuable intelligence sources don’t have to be external. A wealth of valuable information can often be found internally, so we’re always looking within our own environments for actionable intelligence. This can be especially beneficial from a dependency standpoint where resources can be limited.”
HECTOR CRUZ-REYES
Deputy Operations Chief and CSOC & MSOC Lead, Centers for Medicare and Medicaid Services Information Security Support Services, Cybersecurity Integration Center, Cyber Division

“I see intelligence-driven security as a way to set priorities and identify the next step you should take. One of the items you need to focus on up front is the threat landscape — who’s knocking at your door? Who’s targeting your specific industry or sector?
Once you understand the threat landscape, you can build out threat profiles using the MITRE ATT&CK Framework. As you gain an understanding of threat actor behaviors, you can start layering the different assessments on top of one another to produce a heat map that shows the areas you really need to focus on ― your gaps.”
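The layering described above, as an added example that is not part of the original post or of any ECS tool: per-actor ATT&CK threat profiles weighted by relevance to our sector are layered with a detection-coverage assessment to produce a per-technique heat score and a ranked list of gaps. The actor names, relevance weights and coverage values are constructed sample data; the technique IDs are real ATT&CK identifiers.

```python
"""Layered MITRE ATT&CK heat map for gap analysis (added example).

Two assessments are layered per technique: threat heat, summed from the
relevance of every actor known to use the technique, and our current
detection coverage. The gap is the heat our controls do not absorb.
"""

# Constructed threat profiles: actor -> (relevance to our sector, 0..1,
# set of ATT&CK technique IDs the actor uses). Actors are placeholders.
THREAT_PROFILES = {
    "actor-A": (0.9, {"T1566", "T1059", "T1078", "T1486"}),  # targets our sector
    "actor-B": (0.6, {"T1566", "T1021", "T1003"}),
    "actor-C": (0.2, {"T1059", "T1003"}),                    # rarely relevant
}

# Constructed coverage assessment: technique -> fraction covered by our
# detections and controls (0 = blind, 1 = fully covered).
COVERAGE = {"T1566": 0.8, "T1059": 0.5, "T1078": 0.1, "T1486": 0.9, "T1021": 0.3}


def heat_map(profiles, coverage):
    """Return technique -> (heat, coverage, gap) for every technique in any
    profile. A technique used by several relevant actors is hotter than one
    used by a single minor actor; unassessed techniques count as uncovered."""
    heat = {}
    for relevance, techniques in profiles.values():
        for tid in techniques:
            heat[tid] = heat.get(tid, 0.0) + relevance
    result = {}
    for tid, h in heat.items():
        cov = coverage.get(tid, 0.0)
        result[tid] = (round(h, 2), cov, round(h * (1 - cov), 2))
    return result


def top_gaps(profiles, coverage, n=3):
    """Techniques to work on first: largest uncovered heat, ties broken by ID."""
    hm = heat_map(profiles, coverage)
    ranked = sorted(hm.items(), key=lambda kv: (-kv[1][2], kv[0]))
    return [tid for tid, _ in ranked[:n]]


if __name__ == "__main__":
    for tid, (h, cov, gap) in sorted(heat_map(THREAT_PROFILES, COVERAGE).items()):
        print(f"{tid}: heat={h:.2f} coverage={cov:.2f} gap={gap:.2f}")
    print("focus first on:", top_gaps(THREAT_PROFILES, COVERAGE))
```

T1003 ranks near the top despite modest heat because it was never assessed at all, which is exactly the kind of blind spot the layered view is meant to surface.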

JAMES DIETEMAN
Director, Adversary Pursuit

“By bridging the gap between intelligence and operations, we increase the accuracy of every action taken and every decision made. There are few fields where this is as true as it is in cybersecurity, where commercial hackers and APT groups keep their actions close-held and hide in the logs left by day-to-day activity.
Enabling analysts to peek behind the curtain at what adversaries are doing, how, and just as importantly, why, gives them the proactive edge to find and respond to attacks faster and more effectively.
The importance of timely and accurate intel only grows as the new normal of hybrid cloud infrastructure and hybrid remote workforces leaves the traditional perimeter behind, and we as defenders find ways to adapt.”
HERMAN COWART
Penetration Testing Team Lead, Centers for Medicare and Medicaid Services Information Security Support Services, Cybersecurity Integration Center, Cyber Division

“Intelligence-driven security makes me think of Darwin and evolution. It’s not the strongest that survive, but those who adapt the best. Intelligence-driven security helps us adapt. If I’m launching exploits from the 1990s and not staying up to date with the most current languages, frameworks, technologies, and methodologies, I’ll quickly become extinct.
Everyone in the cyber community should always be up to date on all the latest news and intelligence, so they can adapt to what’s currently happening and better protect the customer. The threat landscape is always changing. The industry is always changing. We have to stay up to date to adapt and survive, and intelligence is how we do it.”