These missed attacks often stem from either hidden gaps in detection coverage, or from alerts that were buried in a sea of noisy alerts and never pursued by the Security Operations Center (SOC) team.
In other words, we need to be able to report on the organization's detection posture.
A key tenet of security is that you cannot effectively prevent all attacks.
The current thinking is that our mindset needs to shift from prevention to rapid detection and response.
According to Dr. Eric Cole, a well-known SANS Fellow and security consultant, prevention is ideal, but detection is a must.
As the standard framework for understanding adversary behavior, MITRE ATT&CK now describes more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and LAPSUS$.
According to ESG research, 89% of organizations currently use MITRE ATT&CK to reduce risk for security operations use cases such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs. Another advantage of MITRE ATT&CK is that it provides a common language to communicate about attack behaviors across internal security teams as well as across organizations.
As a result, tracking MITRE ATT&CK coverage is an ideal metric to track and report on your organization's detection posture.
Despite the benefits of MITRE ATT&CK, many organizations find it challenging to measure their detection coverage and address the highest-priority coverage gaps that can lead to breaches.
Based on our data-driven research analyzing more than 4,000 rules across diverse SIEM platforms in production environments - including Splunk, Microsoft Sentinel, IBM QRadar, and Sumo Logic - enterprise SIEMs are typically missing detections for 76% of all MITRE ATT&CK techniques used by adversaries.
New log sources are constantly being added and detection engineers find themselves struggling to keep up with the latest vulnerabilities and changes in their attack surface.
These challenges are compounded by the hardest one of all: finding and retaining skilled detection engineers, especially when organizations are at the same time adopting newer SIEMs, such as cloud-native SIEMs with unfamiliar query languages, to reduce data ingestion costs.
What needs to happen: focus on streamlining detection engineering processes.
Automation is widely accepted as a top priority for improving the effectiveness of the SOC, but so far it has been applied mainly to other areas, such as incident response and anomaly detection, rather than to detection engineering.
Security teams are often required to manually map detections to MITRE ATT&CK using spreadsheets, which is time consuming and error-prone.
They are responsible for manually identifying existing detections that are broken or misconfigured, due to missing telemetry or other data quality issues, for example.
Finally, they are also responsible for continuously researching the latest exploits and manually developing high-fidelity detections for them.
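As an added example (not code from the article or from CardinalOps), the following Python computes the ATT&CK coverage metric the author describes and, in the same pass, separates rules that only look like coverage on a spreadsheet from rules that can actually fire given the telemetry being ingested. Rule names and log-source labels are constructed sample data; the technique IDs are real ATT&CK IDs, and the prioritised technique list is assumed to come from threat intelligence.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    techniques: frozenset   # ATT&CK technique IDs (sub-techniques included) the rule detects
    log_sources: frozenset  # telemetry the rule's query depends on
    enabled: bool = True

def effective_rules(rules, available_sources):
    """Rules that can actually fire: enabled, and every required log source is ingested."""
    return [r for r in rules if r.enabled and r.log_sources <= available_sources]

def coverage_report(rules, available_sources, priority_techniques):
    """Measure coverage of a prioritised technique list, counting only rules that
    can fire, and surface rules that look like coverage on paper but are broken."""
    live = effective_rules(rules, available_sources)
    claimed = set().union(*(r.techniques for r in rules if r.enabled))  # what a spreadsheet says
    real = set().union(*(r.techniques for r in live))                   # what can actually alert
    covered = real & priority_techniques
    return {
        "coverage_pct": round(100 * len(covered) / len(priority_techniques), 1),
        "covered": sorted(covered),
        "gaps": sorted(priority_techniques - real),
        # techniques claimed only by rules whose telemetry is missing: false sense of coverage
        "false_coverage": sorted((claimed - real) & priority_techniques),
        "broken_rules": sorted(r.name for r in rules
                               if r.enabled and not r.log_sources <= available_sources),
    }

# Constructed sample inventory: rule names and source labels are made up, technique IDs are real.
RULES = [
    Rule("Encoded PowerShell", frozenset({"T1059.001"}), frozenset({"windows:security", "sysmon"})),
    Rule("LSASS access", frozenset({"T1003.001"}), frozenset({"sysmon"})),
    Rule("RDP from new host", frozenset({"T1021.001", "T1078"}), frozenset({"windows:security"})),
    Rule("Phishing attachment", frozenset({"T1566.001"}), frozenset({"o365:exchange"}), enabled=False),
]
AVAILABLE = frozenset({"windows:security"})  # assumed: Sysmon and mail logs are not being ingested
PRIORITY = frozenset({"T1059.001", "T1003.001", "T1021.001", "T1078", "T1566.001", "T1110"})

if __name__ == "__main__":
    for key, value in coverage_report(RULES, AVAILABLE, PRIORITY).items():
        print(f"{key}: {value}")
```

With Sysmon missing, two enabled rules are counted as broken rather than as coverage, so the report shows 33.3% real coverage instead of the 66.7% a rule-to-technique spreadsheet would claim.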
Security leaders will benefit greatly from freeing their security professionals to think creatively and focus on more complex and interesting challenges - such as threat hunting and understanding new and novel attack behaviors - rather than mundane tasks related to managing their SIEMs and tracking their MITRE ATT&CK detection coverage.
Michael Mumcuoglu is the CEO and Co-Founder of detection posture management company CardinalOps.
Prior to CardinalOps, Michael co-founded LightCyber, a pioneer in behavioral attack detection acquired by Palo Alto Networks in 2017, where he served as Vice President of Engineering for the Cortex XDR platform.
This Cyber News was published on www.cyberdefensemagazine.com. Publication date: Sat, 16 Dec 2023 06:13:07 +0000