How do you actually stay on top of cyber threats week-to-week?

[-]

Agitated-Fly3564@reddit

Honestly you can’t keep up with everything. I’d focus on patching, MFA, backups and checking CISA/vendor alerts. If you’re a tiny team, outsou͏rcing some of it to someone like Avo͏ira probably makes more sense than trying to watch every feed yourself.

Reply

[-]

Attenborough_Naela@reddit

As someone already mentioned that it's a full time job, I'll skip that but my company uses avoira to handle our cyber security, in my opinion i'd rather have a full dedicated outsourced team rather than hiring someone in house, just in case anyone is looking for advise for a business point of view

Reply

[-]

According-Run-4428@reddit (OP)

Came back to this thread because the discussion genuinely shaped how I thought about this problem. The consensus seemed to be that nobody stays fully informed, you triage, you curate, you accept the gaps. But that daily awareness layer kept coming up as the piece most people handle inconsistently. Not because anyone is lazy or incompetent just because it’s fragmented, noisy, and genuinely time consuming to do well. I’ve been quietly working on something that addresses exactly that gap. A daily brief for IT generalists at SMBs what actually changed this week, whether it affects a typical M365 environment, and one thing worth acting on. No vendor content, no recycled headlines, nothing behind a paywall. I’ve got the first one ready. Looking for 3-5 people willing to receive it free for a few weeks and tell me honestly whether it’s useful or just more noise. No signup flow, no pitch just a brief in your inbox and your brutal opinion. DM me if that’s of interest. US, UK, and Australia all welcome

Reply

[-]

ArtistPretend9740@reddit

You can't keep up with everything, pair basic hygiene with platforms that surface what's actionable instead of dumping raw feeds on you. Cato networks does this well, threat intel is baked into the same console you're already managing network policy from, so you're not context switching between five tools just to investigate one alert.

Reply

[-]

Unable-Entrance3110@reddit

Security Now podcast. Can't recommend it enough.

Reply

[-]

dnev6784@reddit

They're always SOOO long, but there's usually lots of good info!

Reply

[-]

CriticalGarbageInfo@reddit

Action1 CISA alerts

Reply

[-]

BoltActionRifleman@reddit

We’re just about fully enrolled now in A1 and I have to say I already don’t know how we got along without it. My biggest surprise is just how many vulnerabilities there are in Edge and Chrome. We always updated them via GPO, but we never really saw how many there were. A1 makes it all visible and it’s kind of shocking.

Reply

[-]

modder9@reddit

Mostly because they don’t update unless launched. Chrome sits neglected on an edge users pc. Kill chrome and switch everyone to edge. You’ll have a much better time. Plus, no more duplicating config profiles to cover both.

Reply

[-]

CriticalGarbageInfo@reddit

I hate to say how great it is simply because I don't want them to increase their pricing and get rid of the free tier. Don't want them to get a big head. But yeah it's pretty amazing. We are now adding our Linux systems in there.

Reply

[-]

Leg0z@reddit

I'm in a ~100-person environment on a 2-person team. You don't try to keep up with everything. You focus on best practices such as having good patch management, good AV, good firewall rules with GEO IP blocking, good identity management, MFA all the things, good backups that fit the 3-2-1 methodology, etc. Focus on deploying tools with best practices first. Then focus on keeping and maintaining a schedule to audit said tools. I have a spreadsheet of everything that I need to check on a monthly, quarterly, and yearly basis. I have a column for the date and initials of the last time it was checked. I simply make recurring calendar entries for all of the items. The Monthly one is one entry, the quarterly and yearly ones I break up into random entries throughout the year. Next, I simply monitor this subreddit and a few other cybersecurity subreddits. I figure that if something major hits, I'll hear about it. But if I don't, it is what it is. The reality is, good cyber hygiene, keeping up with best practices like removing stale accounts from your Active Directory, and doing easy things like GEO IP blocking every country you don't need internet access to, will prevent 99% of every "cyber threat" there is.

Reply

[-]

pleri3321@reddit

Securing cloud only?

Reply

[-]

pleri3321@reddit

If this is cloud security, I could absolutely help make your life easier.

Reply

[-]

GeneMoody-Action1@reddit

\^\^ 100% More failures come from an IT departments not going back to clean up vs decisions that they actually make daily. You win in this game by automating, and auditing. It's the only way to do more with less, and therefore the only way to \*make\* time.

Reply

[-]

qwikh1t@reddit

Keeping up with threats could be a stand alone full time job.

Reply

[-]

Arudinne@reddit

Especially with all of the AI-based vulnerability analysis and exploitation, it's all getting to the point where a single person simply can't deal with all of it. We're in the process of bringing in a Managed XDR service.

Reply

[-]

pleri3321@reddit

What CNAPP tool are they using?

Reply

[-]

Dr_Doctor_Doc@reddit

We did that, and still havr to stay on top of em.

Reply

[-]

Demented_CEO@reddit

One could argue it's better business sense to pivot resources into a very solid backup and restore system instead of focusing all that much on threat intelligence. Depends on lots of factors, too. Outside of automating patch management and doing best practices, what are you going to do? Even a Palo Alto firewall might not be able to flag a 0-day by a state actor. The waters are very murky.

Reply

[-]

According-Run-4428@reddit (OP)

That’s a fair take honestly. At a certain point you have to ask what’s actually realistic for a small team to influence. even very capable security tooling won’t magically catch a true 0-day or a well-resourced attacker.

Reply

[-]

OneSeaworthiness7768@reddit

>Not trying to sell anything, Yet. This is the research phase. Trying to find people having the problems you want to solve. Your post history suggests running a business and nothing about working in tech support.

Reply

[-]

Trust_8067@reddit

You have security products that release consistent updates, and you follow the standard Patch Tuesday patching.

Reply

[-]

Azadom@reddit

The Ivanti Patch Tuesday Webinar [https://www.ivanti.com/resources/patch-tuesday](https://www.ivanti.com/resources/patch-tuesday)

Reply

[-]

viral-architect@reddit

THANK YOU

Reply

[-]

According-Run-4428@reddit (OP)

Definitely a new book mark appreciate it

Reply

[-]

TerrificVixen5693@reddit

I try. But my coworkers are so incompetent I can’t do their jobs, mine, and info sec’s.

Reply

[-]

itskdog@reddit

Follow best practices, e.g. MFA all the things, get patches installed quickly, cybersecurity training for staff (I'm sure there must be example slide decks out there you can adapt for your environment, maybe put a different focus each year), phishing tests, etc.

Reply

[-]

Frothyleet@reddit

Realistically you delegate it - to an MSP, MSSP, or at least a MDR/SOC product. A one man show can't be 100% covering every important area.

Reply

[-]

imnotaero@reddit

The best tasks to delegate are the less important, less subjective, most tedious tasks. If you're going to have in-house IT, how can business-existential risk assessment and remediation *not* make it on to the list of things too important to trust to third parties?

Reply

[-]

Frothyleet@reddit

Realistically, a single IT guy simply can't competently service all of the needs of an organization of just about any size. That's one of the reasons MSPs just make more sense than internal IT below a certain employee count. When you do have an internal IT guy in those situations, it's better for them to act as a higher level manager setting strategic goals, QA'ing third party work, and acting as a PMO, then try and have them be a full-bore network, help desk, server admin, security guy, and strategic guy.

Reply

[-]

imnotaero@reddit

> a single IT guy simply can't competently service all of the needs of an organization of just about any size. This is a well-polished sales pitch, and I'd much rather have orgs purchasing security services than not having security services. I'm glad you're there. The line I've quoted, however, is false. Like really, really false. I know many, many one-person IT departments that are security and operations rockstars for their smaller orgs, and you'll never convince me otherwise.

Reply

[-]

Frothyleet@reddit

>I know many, many one-person IT departments that are security and operations rockstars for their smaller orgs Sure, to be fair, my pool of anecdotal evidence is heavily skewed towards less-competent (or at least less successful) one man shows that we've come in to rescue. On the other hand, even with a rockstar, if they're a one man show, that's an unacceptable bus-factor of 1 for a critical business service (not to mention they should be allowed to take proper PTO). I dunno if you can get past that without third party support.

Reply

[-]

imnotaero@reddit

Absolutely agreed on the risks there. But orgs have ways to manage them, and they're demonstrably not unacceptable. (And in the current hiring environment, the Bus Factor risks are way down.) Orgs can and do choose this risks over others, such those associated with an MSP providing inconsistent quality of service as staff rotate, or suffering their own security events that spread to their clients. I'm not saying MSPs are always a bad model. I'm saying they're not the only model, and not always the right choice.

Reply

[-]

Rakajj@reddit

>one-person IT departments that are security and operations rockstars for their smaller orgs How small is 'smaller' org? Small enough to manage like this is frequently too small to have dedicated staff on that job. And it's all going to hit a wall quickly when the Bus Test occurs.

Reply

[-]

JustTechnician1522@reddit

here are a few thougts: you can't keep up with everything, and trying to will burn you out without making you meaningfully safer. Most threats hitting small organisations exploit weak passwords, unpatched software, misconfigured access controls, and users clicking things they shouldn't. You can counteracts some of these threats with general cyber hygiene tactics. Here's what I mean by that: [ebrand.com/blog/cyber-threat-intelligence-the-critical-advantage-against-ai-attacks](http://ebrand.com/blog/cyber-threat-intelligence-the-critical-advantage-against-ai-attacks) In terms of what tools or services or providers you might need, it depends entirely on budget and where your gaps are. If you can afford it, DRP or MDR service handles the monitoring layer and surfaces what's actually actionable, which is a much better use of money than trying to replicate that in-house on a one or two-person team. If budget is tighter, lean on community resources. This subreddit, CISA alerts, and vendor security bulletins can also help you out over time. The signal-to-noise ratio beats most paid feeds at that level anyway. At the end of the day, we all have a bit of a capacity problem. That being said, we do what we can, and we make sure that when something does get through, it doesn't take the whole organisation down with it.

Reply

[-]

q123459@reddit

>stay on top this is an illusion. you cant, use cyberinsurance that has history of actually paying, split your systems into business critical, and those that can lead to instand business loss (like critical data), make sure they are properly backed up find a juridical pr agency/person that know how to communicate with clients in the event of breach about compliance find an msp that is knowledgeable. one of the least important things(because when hit your priority is to not lose clients and to not get all business destroyed): furtner separate by threats to it systems: data theft; data damage; slow to restore process; cloud authorization management ; have two disaster recovery plans 1 for minimal workable state, and 2 for most important clients. try to rebuild your infrastructure in a way that it allows consistent restoring into working state, (like making sure that in event of data encryption your backups will not get damaged, your end user pcs could be quickly reimaged, all cloud data wont get wiped from single credentials theft). >more reactive enterprice monitoring solution, small firms cannot afford that.

Reply

[-]

imnotaero@reddit

You can't, won't, and shouldn't try to "keep up with everything." There's a firehose of updates, threat feeds, and attack chains, and most won't apply to you, and many of those that do don't actually contain actionable information. The good news is that for these smaller orgs, we can neutralize the vast majority of our threats with the basics. Keep up to date on updates for any internet-facing services, particularly firewalls/VPN head-ends. Require MFA everywhere, preferably phish-resistant, and find a way to address alerts on suspicious sign-ins. Make sure that your users cannot choose passwords from known breach lists, and that they know how to report phishing. The bad news is that every org will need to subscribe to/tune their own feeds to make the information small enough to continually review, so there's no "one thing." But community orgs and online groups can be a great resource for the moment a SonicWall/Fortigate/Palo update becomes urgent.

Reply

[-]