Video: Shifting to Threat-Informed Defense: Strategies for the Technology Sector | Duration: 59:17 | Summary: Shifting to Threat-Informed Defense: Strategies for the Technology Sector | Chapters: Welcome and Introduction (0:00), Proactive Threat Intelligence (5:51), Threat Intelligence Methodology (15:20), Improving Threat Tracking (24:10), Threat Analysis Dashboard (45:03), Q&A and Conclusion (50:53), Enterprise Edition Features (53:44), BAS Simulation Frequency (56:21), Concluding Remarks (58:22)
Transcript for "Shifting to Threat-Informed Defense: Strategies for the Technology Sector":
for me. And so without any further ado, I'd like to hand things over to our speakers, JP and Daniel, to introduce themselves. Let's start with you, JP. Hello, everyone. So I'm Jean-Philippe, head of product at Filigran, and I'm an ex-CTI analyst at the French cyber defense agency. And before that, a long time ago, I was in military intelligence. Excellent. Hey, everybody. This is Daniel. I joined Filigran this year in the function of a sales engineer. Prior to that, I was also in CTI myself and also was doing some work in incident response. And I can be found today in very gloomy London. So it's a pleasure meeting you all. And with that, we shall kick this webinar off. So for today, we would like to talk about ideas around threat informed defense. We'd like to look at the theory. Why does it exist? Where has it come from? How does it really apply to threat intelligence processes, as well as testing, meaning breach and attack processes, and give you concrete examples to get started, as we're here to propose an exact workflow or playbook to get started with a threat informed defense strategy. Before we do that, I wanted to take a moment to introduce Filigran. We're quite known by the name OpenCTI, which came into existence by our founder, Samuel Hassine, who comes from the French intelligence agency. The platform is meant to manage threat knowledge and share that knowledge about threats with both internal tools and people to really affect outcomes within the business. So OpenCTI is available on GitHub as an open source product, just like our other product sets. And we also have a commercially available solution that you can receive from us. The company itself was founded in 2022. We're growing pretty quickly. So there are a lot of employees joining, more than 100, I think 130 already now. It's also more than 100 paying customers representing over six different countries.
And we're using a lot of that funding to really evolve our current product sets from, you know, a threat management solution to make it AI driven and invest in the tool to automate processes for you. While today we'll be around OpenCTI and OpenBAS, which is our breach and attack simulation tool, we also have a tool under construction, as we call it, OpenGRC for risk assessment and management, that is to be released as the next solution. So if you're interested in this or more, then you can always reach out to us. But without further ado, we'll be passing it on to my colleague, Jean-Philippe, to get started with the next slide. Thank you, Daniel. Well, I'm pretty sure a lot of you know about the MITRE organization, but I think it's important for us to quickly talk about it. So MITRE is a US nonprofit organization with decades of existence. And in the cybersecurity field, they created widely used, renowned frameworks like the ATT&CK matrix, but even CVE is coming from the MITRE organization. MITRE is funded by some US federal organizations but also through a system of research and development centers, and private companies can participate to fund such centers to bolster materialized research efforts. One of its centers was the Center for Threat-Informed Defense. So they research and develop upon frameworks like the ATT&CK matrix to promote and explain how organizations can defend themselves more efficiently than just applying compliance and regulatory controls. So now what is threat informed defense, basically? I'd say it is intended as a global approach of cybersecurity practice in an organization focused on leveraging threat intelligence, and as an alternative to just a formal compliance approach.
Threat informed defense is about being efficient in cybersecurity by identifying relevant threats and how they operate, then evaluating technically, making a reality check on your own defense capabilities against them, and finally identifying the most important security posture improvements to implement. And on this, maybe I'd like to ask you a question here. From your perspective, why are private companies or even public organizations looking at this not new, but, yeah, trendy threat informed defense approach? Yeah. It's a good question. I think we're getting at the moment a lot of requests on how OpenCTI or OpenBAS align with these technical solutions. And typically, the reasons that we receive are because companies want to shift from a reactive mindset to a proactive mindset. Especially when it comes to reactive mindsets, a lot of decisions for buying solutions or hiring staff or investing in processes are driven by previous incidents, or they're driven by compliance frameworks. If I don't comply with this, then I will be in trouble. If I don't implement this posture or policy, then my insurance is, for example, not effective anymore. So that has been the modus to approach cybersecurity for a long, long time, but we're always looking to be more informed. And what better way to be informed about threats than using actual, real world intelligence? So, you know, the biggest reason I always get is because we don't want to be a step behind. We don't want to follow the frameworks of yesterday. We want to be shaping our strategy based on what is happening in the world, and we need some way of connecting that with our environment and some way of connecting that with our defensive posture. And I think we will go into this in a bit more detail, but that's always the high level thinking that I get from our customers.
I mean, from your perspective, JP, in product management, do you get requests from customers where they say things like, you know, I'd like to have this specific thing because it aligns with the framework? You know, is that something you see driving decisions for us internally, sometimes even based on customer requests? Yeah. Yeah. There is definitely a growing interest in the concept and, more importantly, in the proactive approach of it, definitely. It's not often crystal clear demands and requests, but yeah. And it's not only from customers or prospects. It's also an interest from market analysts. And, most importantly, I think the underlying concept of directing your defensive efforts based on the knowledge you have about relevant threats has been a subject of importance for many years now. And I will even say it is why Filigran and its solutions are so successful today, because I remember when I was working with someone at the French cyber defense agency, it was already a subject of importance: being proactive, anticipating threats, anticipating the good investments to face the right threats. It was already a subject. So maybe, yeah, just a quick word about our vision of extended threat management, because I think it's really related to the threat informed defense approach. Our CEO, Samuel, is really into the concept. We had a lot of talks with MITRE about it. We were in discussion to join the effort on this. Unfortunately, now there is a lot of movement at MITRE, so it's not, of course, the best time. But we are really into this, and here you have a small testimony of it from our CEO. And here a slide about how we structure our product suite as an extended threat management suite.
And it's really related to the threat informed defense because, basically, it is about knowing your threats with OpenCTI, knowing if you're ready to face them with OpenBAS, and knowing what to do to improve your defenses, which security investments to make in the future. Currently, the extended threat management suite is composed, okay, so with OpenCTI, as you said, Dan, a threat intelligence platform where you can manage your, let's say, external intel feeds, for example, together with your own internal threat knowledge, for example from your incidents and alerts, from SIEM and ticketing systems. So with OpenCTI, you know and you qualify threats that are really relevant to you. And the XTM suite is also composed of OpenBAS, an adversarial exposure validation platform where you can emulate technically the threats you qualified before. And it is how you know better if you are ready to face them. OpenBAS also proposes remediation guidance to know what to do to make your defensive capabilities, your security posture, better against your threats. The whole suite is also supported by two important elements that make it really great and complete this kind of threat informed defense approach. First is the XTM hub. It is a community hub where every newcomer or seasoned user in our community can find resources to better use our solutions. It is entirely free, and you can, for example, find custom dashboards to import into OpenCTI or custom CSV feeds, for example. And the second element is a brand new agentic AI platform called XTM One. Not in production yet, but soon. And one of the major difficulties in the community right now is to qualify and analyze the right information in time, because there is too much data to collect and analyze. So analysts must be helped with this, with the help of AI of course, but not replaced by AI.
I mean, it's my conviction here. I think we are developing AI agents capable of handling specific tasks like gathering intel on a threat, qualifying and prioritizing IOCs, highlighting new relevant threats, to help analysts apply their own human intelligence on the most important things. And in my opinion, all of this, even if it's not the name we chose at the beginning for what we do at Filigran, so XTM, the suite is threat informed defense. Or at least the XTM suite is an enabler for applying this strategy to your cybersecurity practice. Maybe, Dan, the best now is probably to explain more the threat informed defense methodology and what can be leveraged in OpenCTI and also our products to apply it. Absolutely. Yeah. Thank you for that. And one question I have, JP, is there are a lot of different security products out there in the world, but we have focused on products that are driven by intelligence outcomes. So they seem to be very tightly integrated rather than having disparate tools, because coming from sort of the incident backgrounds, you sometimes have here a portal, here a portal, here a portal, and just talking between them is difficult. Is that a foundational strategy we have, that it's, like you said, threat informed, intelligence driven? Whatever we develop in the future has that cycle in mind, right, rather than having Yeah. Absolutely. Separate. Absolutely. Our conviction actually, Dan, is that, well, it's a common conviction, but threat intelligence must be leveraged in other aspects of cybersecurity practice. So when we are building a product, it is CTI driven by essence. And we are focusing on integrating it with OpenCTI, our most successful product yet. And our long term vision is also, through XTM One, through agentic AI, like a cockpit where you can find everything you need, regardless of whether it is in OpenCTI or OpenBAS or later in OpenGRC. Amazing.
So let's get started then, and we want to look at the methodology. So it's good that we can talk about the theory and practice, but we want to give you some tools to implement threat informed defense using a threat based or threat tooling based approach. So we have thought of this in depth and thought, how do we, number one, visualize this across the chain of steps? And then what are the underlying sub-steps that someone can take to go from zero, which is, in the past, I've always relied on compliance and insurance and somebody else telling me what to implement and how to implement it, to we are very much proactively, self-sufficiently driven with our requirements, our primary intelligence requirements as it's specifically referred to in CTI. And we want to really have our own stake in defining how we approach the creation of threat defenses. So the first step that we have is to start at a high level and to leverage strategic intelligence. So this basically tells you who is out there, why they matter to you, what exactly they're doing. And it's relevant because not every single adversary is going to be relevant to you. Not every hacktivist, not every APT group is going to be as relevant to a defense contractor as it is to a retail company, as it is to a company in the UK versus the US. So we do have to understand at a high level what kind of threats exist specifically, perhaps, to us. The easiest way to go about it is to perform a threat modeling approach. So let me try to understand using assessments, as you can see, geopolitical or sectorial: what kind of threats target us? With OpenCTI, you can leverage the living knowledge graph. So everything is linked through rich, structured STIX relationships. So we can model how adversary behavior affects infrastructure, affects malware families, exploits vulnerabilities. And we can draw up, at a high level, what the threats are to us specifically.
So this is great for me to understand capability, motivation, when and which kind of events would trigger an attack, but also to give executives a clear view of the baseline before we start going to market and investing in solutions. So I really like strategic threat landscaping because it really puts cyber risk into business risk quite often. And we're able to understand what kind of threats we might face. Now there are other tools as well with OpenCTI where we can perform analyst annotation and case management, some of which I will also show you in a bit. But the goal overall is from high level to now go to the next step. And as we're going through this methodology, there's going to be a little live demo at the end as well. But as we go through the methodology, we will show you the as-is scenario right now with OpenCTI. And I will now pass it over to JP, and we will also be looking at what might be coming in the very close future. You're on mute, JP. Sorry. All good. Thank you. We want to go further in OpenCTI about helping analysts to make their assessments. Usually, analyst assessments are related to directives, direction from the top management, questions defined by management to be answered. In cybersecurity or even in intelligence in general, it is often called priority intelligence requirements. And this concept of priority intelligence requirements is not currently formally structured in OpenCTI. Even if you can create custom dashboards, like you showed, related to your priority intelligence requirements, you cannot express them in the platform, and the platform cannot really take them into account. So that's why we are currently developing a new feature in OpenCTI, a big feature, really difficult to develop, to define priority intelligence requirements. And these PIRs will then drive automatic triage of ingested data to highlight what analysts should investigate and can qualify first.
For example, each ingested report will be automatically assessed after ingestion with regards to each defined priority intelligence requirement and associated with a relevancy score, let's say. And on top of dedicated priority intelligence panels, like you can see here in our alpha version, such scores will be available in the filtering engine of the platform, allowing users to adapt dashboard views and feeds with it. And so, guided by your priority intelligence requirements in the platform and the associated highlighting of reports and threats, analysts will be able to prioritize their efforts based on their threat knowledge. And, I mean, it's the essence of the threat informed approach for me. Thank you, JP. I mean, this is pretty cool. We're getting a sneak peek behind the next version that is coming out, and I think a lot of people asked for this. Right? To be able to define their PIRs, to track them, to score them, because without knowing your goals and tracking them, you don't really know what you're working towards. So it's really exciting. Now as for the next step, so let's do a recap. The organization needs to understand the threat landscape. We need to understand who's targeting us, when, why, how, with which kind of rhythm, what kind of tools they're using. Next up is to go one level deeper into the tactical side of things and to look at what kind of specific actors and malware are related to these threat attacks that are going against us. So OpenCTI can help with actor and malware tracking because, once you know who's targeting you, the actors won't be stale but evolve their tools, evolve their campaigns. They might go after specific sectors and evolve the way they go after them. Even their infrastructure, meaning what they host to go after you, even that might change.
And there might be some recycling happening as well rather than just continuous innovation, maybe to even trick the analyst and the defense to not let them know that they have maybe moved on to further techniques. So knowing what the actors use, being able to track their current threats, as you can see on the screen, by performing link analysis and seeing how they're going after new sectors, what kind of tools they're using, and then creating reports about that. Well, the ability to create finished intelligence reports is what OpenCTI gives you as a capability. The output from this actor and malware tracking is, in a lot of cases, very specific threat feeds or threat detection rules that represent the actors of your interest and that you can now take into security operation centers, or detection engineers can manage them, or red teamers can keep them fresh. So there is an ability to go from a high level to actors immediately to a feed or to a report that details how they're evolving, and then to make it actionable to your infrastructure. Having said that, I think we're quite excited to hear from JP what's coming next. Yeah. So, first, in my opinion, as an ex-CTI analyst, I think tracking threat actor and malware activities is the most interesting part in CTI. And by leveraging enrichment connectors, investigation graphs, and saved filters now in OpenCTI, the platform can be of great help for such high value tasks. And in the coming months, we want to focus on two areas of improvement. First is improving our graph views. The graph engine is a very old part of OpenCTI, present from day one when OpenCTI was not intended to handle high volumes of data. And currently it shows limits in performance and usability. This is something we want to work on, especially performance on bigger reports, for example, with a lot of objects in it, but also improving a lot user interaction within the graph.
For example, by adding the ability to launch enrichment directly from a graph for a selection of objects or nodes in the graph. Filters in graphs are also very old and separated from the main filter engine in the platform. So we want to change that, to allow users to leverage full filtering capabilities in graphs directly. And another important aspect in threat tracking is having a clear view and understanding of how technical traces are qualified by external sources. So VirusTotal, for example, or urlscan, and many others. Currently, OpenCTI does not offer granular visibility on scores and simply applies the score of the most trusted source. We want to change that also and offer analysts the ability to explore in detail how an indicator or observable has been qualified, to better understand the relevance and criticality of it. So the objective is to have, within the OpenCTI interface, the ability to see the results of all the qualification efforts from your sources. Yeah. Well, we hope to be able to deliver this in the coming quarters, and if not in 2025, in 2026. Amazing. Thank you, JP. And, again, everything that we do, I think you've done great, just aligning it always with the threat informed defense framework, just showing how close it is to our development efforts. So once we have an understanding of the landscape and we know the actors and malware, we are tracking them now. We've basically got a magnifying glass. We're always looking at what kind of steps they're taking. Now it's the next step. It's to take those steps they're taking and to map them to a common framework, which is, of course, for many companies, MITRE. Right? MITRE is threat informed defense. So we're also using, as an example here, the MITRE ATT&CK framework. Now this screenshot shows you how we're mapping a threat actor by the name of Volt Typhoon to the MITRE ATT&CK ICS techniques.
But you're able to also map malware groups, threat campaigns, and intrusion sets to the MITRE ATT&CK framework and overlay that over the TTPs to understand how they might be changing in their approach, if their tactics, going from exfil to destruction, might be evolving, but then also to compare them to different tools. The other thing that is really interesting is that when we create TTP or report mappings, the CTI team starts talking with other teams, starts talking with the detection engineering team, starts talking with red teams, because those teams want to have access to this kind of information: the actual steps, the actual techniques that an actor has. So traditionally, there has been a bit of a gulf between those units. There have been a lot of Excel sheets, a lot of JSON files that have been shared. Being able to give the red team or the pen testing team access to this and allowing them to see how actors are evolving and changing their tactics helps them to formulate their breach scenarios. And speaking of breach scenarios, we're quite excited to see how that validation might evolve in the next iteration. Yeah. Well, one of the key aspects in qualifying threats and reports about them is to find a way to immediately leverage the created intelligence. The ATT&CK matrix and the STIX framework offer a common language to translate intelligence into actionable elements, and we are developing a way to use them directly to assess the security posture of the organization. So we are currently improving the integration between OpenCTI and OpenBAS to translate not only TTPs but also other STIX objects, like vulnerabilities and indicators, into real detection and prevention tests in your IT infrastructure. So the objective here is to have a direct assessment of the possible impact of a new attack campaign or threat based on real time atomic testing on your endpoints.
So, for example, here in the slide, knowing immediately if your IT can be impacted, and how, by the Salt Typhoon threat actor, for example, based on available open source intelligence but also, thanks to OpenCTI, your own intelligence about it. So it will be added. Well, a part of it is already added in OpenBAS. We need to improve the OpenCTI part further in the coming months. Excellent. I think we're all looking forward to it. And even the way it works right now, where you can import the TTPs, so getting that TTP matrix and mapping it to a technical inject, is something that I think a lot of us are already using. So once we have the idea behind it working, the next step would be to look at the breach assessment simulation. So in order to do breach assessment, we will be using the OpenBAS agent. So OpenBAS is a completely separate platform. BAS stands for breach and attack simulation, and it allows you to simulate the attacks that you have captured or that the intelligence has captured. And some key features that are part of this integration between OpenCTI and OpenBAS are that by having a report about a threat actor, like Akira ransomware or Volt or Salt Typhoon or some intrusion around espionage, you're able to create not just atomic tests, but also you can create full scenarios that you can schedule and continuously test daily, weekly against your infrastructure. And the results of those scenarios can then be transmitted back to your OpenCTI instance. And the reason why we've created that connection is so that OpenCTI and OpenBAS as tools, but more specifically CTI and the red team or pen testing team, are able to speak with each other and are able to share the results of their work and their analysis. Not every attack, be it in cyber or a general crisis simulation, will be technical. And therefore, you're also able to mix the TTPs with human interactions or create pure human simulations.
For example, if you want to test your incident response plan, if we want to see how well we align with what we have detailed in the individual steps of the plan. So this would now bridge the gap from, if we look at the triangle, the threat intelligence portion at the top, to now validating our defenses. I'm essentially asking, am I ready to face the next threat? And with that, I think as always, as security analysts, we're always very keen to know what's possible now, but we're always looking at what's possible in the future. I will hand over to JP to take us through where we're going. Thank you, Dan. Currently with OpenBAS, you can do atomic testing, and you can also chain, let's say, atomic tests to build a scenario of attack. And this chaining is limited to, like, a simple previous execution condition: has the previous atomic test been executed? If so, proceed to the next one. If not, proceed with another. So it's a flow, but it is not enough to mimic threat actor behavior that leverages everything they found along the way. So we are currently working on expanding the chaining feature in order to leverage results from previous atomic tests. So, for example, if the result of a test, a step in the scenario of attack, is a creds dump, these creds can be leveraged by the next step test, mimicking autonomous lateral movement or privilege escalation. And with that, we hope it opens infinite possibilities of building complex and autonomous scenarios that will be shared in the XTM hub for the community. Yeah. That's it for this part. I mean, this is really exciting as well, how we're expanding some of the capabilities within the tool. When it comes to some of the expansions we've done recently, JP, within OpenBAS, I mean, just from technical injects to other areas, maybe vulnerabilities or so, are we expanding the capabilities more into further types of, say, executors or checks for OpenBAS? What's the philosophy there?
Is it to... Currently, we are improving the platform for the, let's say, endpoint security part, on top of the human interaction tests we had before. And after that, we will go to the network and border security part also, and, of course, the cloud environment elements. We are trying to have a generic approach when we add injectors and so on. So the idea is to offer the maximum possibilities for customers to customize the platform, customize their scenarios. I mean, in the market, there are a lot of vendors giving threat libraries right off the bat. It is important. It is really useful. But our philosophy, as applied for OpenCTI, is to offer maximum customization possibilities in OpenBAS. Amazing. So that leads us to the last step in the methodology, which is control validation and investment. So now we know the threat actors, the threats in general. Now we know and we've been tracking those specific threats relevant to us. We have created the TTPs, the individual steps they're taking. We've taken them under the magnifying glass. We know what they are. We've mapped them to attack scenarios and tested our environments. So when I go to my CISO and I tell them we know the threats, we know what they're doing, I can also tell them we've tested their approach against our environment. Here are the results. And now we can use those results and drive validation, or we can also drive investment within our environment. So that brings me to reviewing gaps strategically. And there are a lot of gaps in every single IT environment, especially one that is sprawling or large. Which ones do we focus on? Well, I would say we should focus on those that are currently being exploited by those actors that are specifically targeting us. We want to drill down, and as JP said, those gaps can be in the cloud, network, endpoints. It could be anywhere.
So being able to test specific parts of the network, return results, and then map them to scores against different asset groups, different machines, different time periods even, to see how it's changing. That's the goal of OpenBAS. Using that data, I can then go to someone and say, I don't only think we should buy something because it's mandated or somebody else has it, but I think we should buy it because we need improved network based detection in this specific part of the network. And it should specifically work with these network protocols, which might be SCADA or manufacturing, because that's where the threat actors have been leveraging their techniques lately. So here are the results of the test. Here's where we're weak, and here's why I think we need to make an investment decision that is informed by it. And then also being able to report back to management and say, here's how our security landscape and our security posture are changing. Not because we've paid less to ransomware, not because we've spent more on tools, not because we have more detection rules in our SIEM, not because we have more threat sources connected to our SIEM tool, but because our detections have improved and have outpaced the threat landscape. So it's a fight, a race, and we've currently outpaced the landscape and have evolved our posture compared to them. That's our goal with the OpenCTI and OpenBAS connection. And then the question is always, where else can you take it? Because this already sounds really cool, JP. Where else can we take it from here? Yeah. Thank you, Dan. Yeah. You're right. Often, threat intelligence is leveraged only to better prevent, better detect, or better remediate. But let's not forget that it can also drive security governance and security investment choices. And, because at the end of the road, CISOs have to convince their board for keeping budget or investing into further security resources.
And this conversation between CISO and board is conducted through a specific language, managing the risk of losing money, and threat intelligence language, and even cybersecurity language, must be translated into this new language, this specific language, the risk management language, to have a real impact on security investments, budgets, and governance. And that's why we are building a dedicated product for it, alongside OpenCTI and OpenBAS. It is called OpenGRC, for governance, risk, and compliance. And it will bridge the gap between cybersecurity language and risk language. OpenGRC allows CISOs and risk managers also to transform their static risk and compliance assessments, you know, the document that everyone has, into dynamic metrics and actionable alerts to pilot their security posture and investments. With OpenGRC, the risk quantification option is not based only on generic benchmarks for your sector, for example, but refined and evolving based on your own threat profile and security posture capabilities, fed from OpenCTI and OpenBAS. You can imagine a platform where you can easily see the impact of an evolution of your security posture, either from the addition of a new detection rule or the addition of a new EDR, for example, directly on your quantified risk scenario. Your risk assessment becomes dynamic, CTI driven, and your operational team's tradecraft is directly feeding your strategic business risk assessment. That's the vision for OpenGRC. We have begun the development of the platform. It will be a huge effort, of course, for such a young company as Filigran, but we hope to deliver the first version of the product in 2026. Excellent.
I can see you're getting a lot of Christmas postcards, JP, when we deliver it, because there will be a lot of analysts that will say, I love the analyst work, but when somebody asks me to create compliance reports or risk analysis reports and write these things to translate it for somebody in the business so they can make something out of it, then it's such a time sink, and it's not my job. Usually, I didn't get trained in it, you know? So I think, for a lot of different teams, it will be hugely appreciated too, not having to do that from scratch. Let's put it that way. Yeah. Definitely.

So we've shown you the threat-informed defense pipeline. I would actually like to take many more hours of your day and show you this whole process flow from end to end in the platform, show you how you can create the strategic view, show you how you can track malware. I think JP is very passionate about this. He might even grab a coffee with you and just talk about it for hours, do the TTP reporting, do breach assessments, you know, connect it with your tools, run the test through maybe an EDR, or test the SIEM tool with their detections, and then get that result back and say, where are the gaps? Where do we need to invest? What do we need to change? So in the interest of time, what I'm going to do is show you specifically one single case of an integration, or a methodology as such. And if you would like to learn more about how you can implement OpenCTI, OpenBAS, and a threat-informed defense strategy, then we can follow that up on a separate occasion or a call specifically. So I'm going to kind of highlight how I thought about it. I am a company that is very prevalent in Southeast Asia, and I'm going to be using OpenCTI's customizable STIX framework to create a region that is specifically capturing where I am represented. So think ahead and think back. We're only looking at the threats targeting us. So here we can see Southeastern Asia.
Now with STIX, we can nest specific objects. So when I look at what is nested underneath it, I'm looking at the specific countries that are part of my geographic footprint. So it's both geopolitical intelligence, and it's also cyber intelligence. If there's any reporting on attacks against country X in Southeast Asia, then the STIX knowledge graph will do its magic. We also have inference rules, meaning this is a rule engine that will automatically propagate relationships between a country and a continent or a region based on their proximity in a report. So this is my starting point. I now know the region that I am represented in, to get to a beautiful dashboard that I can take to my execs and tell them, this is the threat landscape for our region as we understand it today. This is the starting point on which I will base my analysis. This is exactly what somebody wants to see when they are trying to formulate a security posture. So here we can see all kinds of reports that have come in regarding finance in Southeast Asia, threat actors that have targeted Southeast Asia, the top threats. So we can see many different familiar names and many different familiar countries and reports and techniques and vulnerabilities being used. You name it, in the way you want to look at the threats to your specific area of interest. Also, the kind of malware: the type that beacons, the type that performs phishing, ransomware, all very prevalent, to reverse shells, the campaigns that have targeted us. So if I show you now how you can use these individual STIX objects to refine one of these widgets, to refine a search, then you can see the combination of the object and the relationship: the intrusion set targeting Southeast Asia, and we can see a number of those here. Now some of them are delivered to us by AlienVault, some of them by premium intelligence providers, Sekoia, for example, and then some also by MITRE, and they're being merged from different intelligence sources.
But the platform, leave it to do the merging, the deduplication, the cleaning of the data. I'm now creating a view that is specific to me, and there are around 89 different actors, known as intrusion sets, that are targeting my region. So this is the high level. Now I've identified the actors going after me. I can now start tracking them, possibly. We also perform full region breakdowns, as you can see here under the knowledge tab, where you can see malware, tools, and attack patterns linked to them. And to fulfill my threat-informed defense process, and here's where the priority intelligence requirements that JP was talking about will come in really handy, I am going to be labeling my threat actors with these tags based on their current status relative to me. So now I'm doing the next step. I know the situation. I know the actors. I want to know how they reflect on my company, on my area of interest. These tags will be absolutely essential, because based on an analyst's understanding of whether they represent a threat to us, I'm able to label individual actors. Let's take APT38. It's categorized as a Center for Threat-Informed Defense actor for this demonstration. Zero two: it's a current threat to me. This North Korean state-sponsored threat actor is a threat to my business based on victimology, based on who they have targeted, the countries, the sectors they targeted, and also based on the kind of impact they have. I have qualified them to be relevant enough. I can then perform a Diamond Model analysis, get a rough understanding of how they operate, and then dive deeper into the actual tactics, techniques, and procedures they use. And at the top right, you can see the button already here, simulate. But I will tease you today and not click on this button. I will leave this for a subsequent session in one of our next webinars, or in a previous webinar where we have already discussed OpenBAS.
And if you don't want to wait, then you can always reach out to us, and we can walk you through the full end-to-end workflow we think the company might be able to use with our threat-informed defense methodology. And with that, I will be hooking right back into the presentation slides, and we will finish off the presentation. So as mentioned, OpenCTI has an open source and a premium, or commercial, platform. If you haven't tried OpenCTI yet, I think somebody has already mentioned our demo platform in the Q&A or the links. You can try it out, deploy it. There are many, many different people. We have a Slack community. Please join it. And join some of these numerous companies that you can see on my screen that are currently using OpenCTI. And with that, I think I'll pass it over to the questions, and we get started with some Q&A. I've tried to answer some questions.

You're muted, Adam. I don't know if you are talking right now. Can you hear me? Yeah. A bit. Yes. We can hear you. Awesome. Sorry, guys. Having a little bit of some technical problems. But, again, if you guys have any questions, please feel free to leave them on the Q&A tab on the right-hand side of your screen. We've gotten quite a few, which is great. Obviously a great topic if we're seeing this kind of, you know, feedback on here. Looking through these now, got a question on what effect will the recent cuts at MITRE have on organizations that would like to utilize threat-informed defense as a strategy?

So I think I can take that one. It's quite regrettable that these cuts were announced, and we do understand that they made some changes to their organization. And I think what can't be underemphasized is that they had a massive impact on the industry. As you can see, while not completely informed by the threat-informed defense framework, our product aligns very closely with their philosophy and ideology.
And I would also emphasize that many different projects, including the OpenCTI alignment with threat-informed defense, still exist. And at least from our perspective, our positioning with threat-informed defense will also continue to be valid and continue to exist. At least from what I've seen in the community and my client conversations, it hasn't really subsided or even gone down in terms of the interest that people have. The philosophy itself is strong enough to, I think, overcome this particular blip in its history.

Awesome. Thanks, Daniel. Very insightful. Obviously, a lot going on. I know we're running a little bit low on time. We have five minutes. But, again, if we're not able to answer your questions on today's call, we'll be sure to reach out to you via email afterwards. Got another question, or got a few questions, on OpenCTI. And one of the questions was, what's the difference between the community edition of OpenCTI and the paid enterprise edition? I don't know if you guys want to speak to that.

Yeah. I've tried to answer the question in the chat, but, yeah, there are a lot of additional features in the enterprise edition version of OpenCTI. Is it about OpenCTI? Yeah. Right? Mhmm. Yep. Yeah. Yeah. A lot of additional features on top of it. I mean, one of the main additional features is automation, the playbook part, allowing you to automate some actions in the platform to ease the daily work of analysts. There is also, for example, the ability to segregate data by organization inside the platform. This is a really useful feature for, for example, MSSPs or big organizations with multiple teams with different areas of responsibility.
There is also an, I think, underestimated feature, the full text indexing feature. It can be cumbersome for analysts to take every report and make sure that everything from the report has been extracted, structured, and so on, even with the help of the OpenCTI platform capabilities. This feature in the enterprise edition ensures that even if it has not been detected by the analysts, you can still find by full text search the information in the initial documents uploaded to the platform. It is really a powerful feature of the enterprise edition. And there are a lot of additional features. I cannot go through the whole list here, but we have dedicated documents to send if you're interested, of course.

Awesome. Thank you, JP. I think we have time for one more question, and then we'll start to wrap things up. Regarding OpenBAS, how often do you recommend running BAS simulations? Do you want to take that, Daniel, or I can go in?

Yeah. I can take it. So I think when it comes to running breach and attack simulations, it's very important to understand that you can run technical and non-technical ones. And with OpenBAS, you have the capability to do both. With the non-technical, you can even do things like AI-driven templates. So, of course, when it comes to non-technical, it's an organizational question. Do we want to run them every couple of weeks, every month, every half a year? Do we need to maybe refresh our phishing approach or phishing response, our ransomware response from a human perspective, our incident response plan? Do we need to do a refresher once a year? So that will vary based on the type of simulation and the organizational profile and what you're specifically testing. When it comes to the technical injects, you have to understand them to be really inject payloads that are running on the local machine, or they can also be agentless.
So they're running in or around your network or against the cloud. And here you can set the cadence to your liking, where you want to maybe measure differences. The normal cadence I see is two or three weeks or every month, because what you want to do is take the results. We give you remediation guidance. We give you actual results on whether it's been picked up or not. You want to take the results, implement the improvements in your platform, and then you want to test again. But I'll stop there because, otherwise, I'll go into too much depth.

No, no, that was great. Thank you, Daniel, and thank you, everyone. We've gotten a ton of great questions. We weren't able to get to them all today, but we'll definitely follow up with anyone who asked any questions afterwards. But that about does it for our session today. On behalf of myself and our entire team at Filigran, I'd like to thank you all for taking the time to be here. We really hope you enjoyed it. There's a survey that should be popping up on your screen any moment now. We'd love to hear your feedback on this session, as well as any topics that you'd like to hear us present on in the future. Any feedback is greatly appreciated, and it'll help us improve our webinars and produce the most relevant sessions for you in the future. So on that note, thank you all again for joining us, and I hope you all have a great rest of your day. Thanks, all. Thanks, everybody. Thank you. See you soon. See you. Bye.