How have you built your detection framework?

Possibly one of the most significant trends over the last few years is the over proliferation of security tools within our SOCs. While there can be a number of reasons for this, often this problem can be a symptom of either a new tool with great new potential, or it’s previous iteration with less than a full implementation.

Tell me if you’ve heard this. “We have great tools. I wish we had time to fully implement them!” The role of the SOC is often to keep so many threats at bay that they can suffer from an inability to think about the threat landscape from an architectural perspective.

Combine both of these problems, and what is often the case is we have a beleaguered staff without the cycles to properly consider the tools they have, let alone the proper operating procedures to effectively and efficiently use them.

Not sure if this is you? Or, maybe you’re sure it is you! Here is your test.

Look at the MITRE ATT&CK framework and consider the probability of any of the different attacks listed there. Let’s take an easy one, say credential access. If you’re not familiar with ATT*CK, it is really worth some study. For example, it lists 24 different techniques which could result in a loss of credentials. Pick a few and ask two questions. First the easy one. Could someone from my SOC use the data available to them to determine if there had been a loss of credentials? Maybe an attack in progress using one of these techniques. But second is the more interesting question. Would this attack automatically come forward from the data and present itself for action by the SOC? And for those of you wanting extra credit, ask yourself if your defenses are designed to always defend against these in an automated fashion.

For many of us, the answer is a qualified yes. To some extent, we have one or more capabilities in this area. But that really isn’t the question for a framework. Our question should be, have we systemically evaluated our risk probabilities and created a baseline capability to manage all of our risks within our tolerance level for pain?

What separates us from the headline of the latest breach, or malware attack is more than just luck. It is the systemic application of these principals and a staff capable and equipped with the skills and cycles to doggedly go after this very question.

So next time you look at the awesome machine learning, deep insight, artificial intelligence tools that the market throws at us, ask the pragmatic question, before I add on the next tool, am I implementing the framework correctly? Where is my risk? Do I understand probability and impact? How are my people spending their time when protecting the organization.

Bill Weber is the Cyber Security Sector Manager at MIT Lincoln Laboratory, a Federally Funded Research and Development Center in Lexington Massachusetts. This article does not represent the organization, or it’s views.

Comment on LinkedIn

https://www.linkedin.com/pulse/how-have-you-built-your-detection-framework-bill-weber/

Leave a Reply