Case Study
Get an inside look at how a CISO gathers threat intelligence to track a developing incident.
Impact:
Picked up on trending vulnerabilities in Feedly before they were rated
Saved an hour each day with streamlined intelligence workflow
Consolidated the team’s research workflow, improved effectiveness, and reduced overwhelm
David Ortiz is the Chief Information Security Officer (CISO) of Church & Dwight, the company behind brands like ARM & HAMMER, Trojan, OxiClean, OraJel, and other products. As CISO, David’s primary focus is to oversee cybersecurity, IT risk management, and data privacy operations, and to manage risk to the company so he can keep leadership informed.
Unlike a threat intelligence analyst looking at the day-to-day intel and mitigation, David is concerned with the big-picture impact of cybersecurity on the business. “We don’t want to talk too much about the widgets and the tech, we want to talk more about the impact to the overall business.”
On a “typical” day: David’s daily news progression for effective threat intelligence
Every day, David looks out for indicators that there may have been a critical cyber attack somewhere in Church & Dwight’s supply chain. With that information, he can inform leadership of the business implications. Church & Dwight has a large provider network including contract manufacturers, manufacturers, and vendors. The company needs to keep track of what’s happening across the entire supply chain to protect the business at all levels.
To stay in front of the news, David goes through a systematic news progression every morning before his team’s 9am scrum. He works his way through sources including:
Cybersecurity-specific news sources like WSJ Pro Cybersecurity and Cyber Security Hub
Twitter, Reddit, and LinkedIn
National newspapers and news sources like the Wall Street Journal, The New York Times, and 1440
Wikipedia
The “Today” page in Feedly, where David starts his news progression each morning.
Before using Feedly, he had to visit each one of these sites individually. Now, he says “It is a single place for my news progression. I can go through Feedly and see everything.” Instead of fielding emails from different sources, David gets his newsletters delivered to Feedly as well.
“Feedly has saved me an hour a day. It is a single place for my news progression. I can go through Feedly and see everything.”
David Ortiz, CISO, Church & Dwight
How David used Feedly to monitor the log4j vulnerabilities
The week that the log4j vulnerability broke in December 2021, David’s news progression looked a little different than on a normal day.
“When I woke up on Friday morning, our managed security provider had already sent out advisories at 4am East Coast time. I saw that, and I had already gone into Feedly and started reading news and seen it breaking. We knew log4j was coming and used breaking news in conjunction with our vulnerability response activities.”
The Threat Intelligence Dashboard in Feedly shows trending articles, trending vulnerabilities, and trending attackers. Cybersecurity professionals like David use this page for a quick glance at what’s happening if they only have a few minutes to check Feedly.
By the Saturday after the vulnerability broke, news started flooding in. David remembers, “I was looking for critical vulnerabilities and CVSS scores. That’s when Feedly started working its magic: We started to see the news propagate and get organized by Leo.”
David can see trending vulnerabilities before CVSS scores are assigned
Even before a CVSS score is assigned to a vulnerability, Leo estimates a score based on the machine learning models we use to prioritize CVEs. And as the story developed and it became clear that log4j was really four distinct vulnerabilities, Feedly helped show that they were trending. David explains, “When the other vulnerabilities were still at a low level — not yet elevated to a critical or high level — Feedly was telling me it was trending, which meant more people were talking about this and more articles were being published about it.”
David was watching both Feedly and the National Vulnerability Database news to see if one specific vulnerability was going to trend and become a critical vulnerability. If it was identified as a critical vulnerability, that would dictate how Church & Dwight security teams respond to the vulnerability.
If no CVSS score has been assigned to a specific CVE, Leo estimates a score based on the machine learning models we use to track CVEs.
David adds, “Feedly helped me follow the vulnerabilities that weren’t yet rated. By looking at the trending vulnerabilities and estimated CVSS scores in Feedly, I could estimate that they would eventually get assigned a high or critical rating, which they did.”
Why this CISO uses Feedly to centralize and optimize his team’s open source threat intelligence
David chose Feedly as his team’s open source threat intelligence tool for three main reasons:
He wanted a centralized place to reduce information overload for his team
He wanted a place where his team can share common data and benefit from shared knowledge
He wanted to get in front of the news
1. A centralized place to reduce information overload and notification fatigue
David’s extremely conscious of the impact of information overload on his team, and designed his Feedly setup with that in mind. “Feedly is a common area to share data so that we’re not fatiguing one another with more news and more notifications.”
David strategically set up two main Team Newsletters to send automatically and summarize news, instead of sending one-off texts and Slack messages that would distract his team.
One weekly newsletter that sends every Friday and includes any articles David and the team saved to a Feedly Board that week
One “breaking” newsletter that sends automatically — but only when there’s what the team considers breaking news
David and the team save relevant articles to a Team Board, which sends a Newsletter automatically each week.
2. A place to share common data and avoid duplicate work
Instead of everyone on his team having separate, siloed security sources, David and his team use Feedly as the common area to share those trusted sources of data. This means everyone’s on the same page about threat intelligence and risk management, and the whole team benefits from having multiple smart cybersecurity minds working together.
3. A way to get in front of the news
Before adopting Feedly as his open source threat intelligence tool, David used to complete his daily “news progression” across many different sources. But now, he’s able to consolidate his intelligence in one place and streamline the process.
Beyond the feeds he organizes in Feedly, David checks the Threat Intelligence Dashboard daily. “It brings me information that I don’t have to go get on my own. Instead of having to manually trend or use other sources to trend, Feedly’s trending that for us.” David estimates that Feedly has saved him an hour each day, which means he can make more progress on Church & Dwight’s security roadmap and projects for risk reduction.
What’s next for this CISO
When there’s not a critical vulnerability front and center, David focuses on projects on the company’s security roadmap, including risk reduction and safeguarding data. “Feedly helps me stay in front of the news so I can help keep the company safe.”
And what’s next for David’s work with Feedly? David continues to work with his team on gathering open source threat intelligence. He’s looking forward to the upcoming Customizable Newsletters feature (coming soon!) that will make it even easier to send advisories and customize them with internal knowledge.
Source: Internet Gov forum