TEL-AVIV, Israel and BOSTON, July 11, 2023 /PRNewswire/ — CardinalOps, the detection posture management company, is delivering an educational session about Splunk and MITRE ATT&CK at the Splunk .conf23 User Conference on Tuesday, July 18th at 1:30pm PDT in the Conference Theater.
Why MITRE ATT&CK Matters
As the standard framework for understanding adversary playbooks and behavior, MITRE ATT&CK now describes more than 500 techniques and sub-techniques used by threat groups such as APT28, the Lazarus Group, FIN7, and LAPSUS$.
According to ESG research, 89% of organizations currently use MITRE ATT&CK to reduce risk for security operations use cases such as determining priorities for detection engineering, applying threat intelligence to alert triage, and gaining a better understanding of adversary TTPs.
Why New Coverage Metrics are Required
The concept is simple: preventing breaches starts with having the right detections in Splunk. But how do you know if you’re missing detections for the adversary techniques most relevant to your organization?
Traditional MITRE ATT&CK coverage metrics and heat maps are too simplistic because they only add up the total number of detections aligned to a given technique, without measuring how much of your attack surface – such as endpoint, network, IAM, cloud, and containers – is actually covered by all your detections.
In the traditional approach, for example, having five detection rules for the endpoint layer counts the same as having five detection rules but with each one covering a different layer. Security teams want to know they’re covering multiple layers in their attack surface rather than concentrating all their detection rules in just one or two layers, since this concentration leads to gaps that attackers can exploit at other layers.
Developed by CardinalOps, MITRE ATT&CK Security Layers extends the concept of ATT&CK coverage by ensuring you have “detection-in-depth” across multiple layers for the techniques that matter most to your organization. Additionally, Security Layers enable you to immediately identify blind spots from missing telemetry for crown-jewel assets such as your cloud applications.
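The two metrics described above, worked through in code. This is an added example, not CardinalOps code: it assumes a constructed inventory in which every detection rule is tagged with one ATT&CK technique and the security layer its telemetry comes from, then contrasts the traditional rule count with the number of distinct layers covered and lists priority techniques that have no rule on a given layer.

```python
from collections import defaultdict

# Constructed sample rule inventory (not real rules): each detection is tagged
# with the ATT&CK technique it detects and the layer whose telemetry it uses.
RULES = [
    {"name": "ep_psexec_service",   "technique": "T1021.002", "layer": "endpoint"},
    {"name": "ep_admin_share_copy", "technique": "T1021.002", "layer": "endpoint"},
    {"name": "ep_smb_lateral",      "technique": "T1021.002", "layer": "endpoint"},
    {"name": "ep_remote_sc_create", "technique": "T1021.002", "layer": "endpoint"},
    {"name": "ep_wmi_exec",         "technique": "T1021.002", "layer": "endpoint"},
    {"name": "ep_new_local_admin",  "technique": "T1078",     "layer": "endpoint"},
    {"name": "iam_dormant_login",   "technique": "T1078",     "layer": "iam"},
    {"name": "cloud_console_geo",   "technique": "T1078",     "layer": "cloud"},
]

# Techniques the (hypothetical) organization has prioritized; T1110 has no rule.
PRIORITY_TECHNIQUES = ["T1021.002", "T1078", "T1110"]
REQUIRED_LAYERS = ["endpoint", "iam", "cloud"]


def traditional_coverage(rules):
    """Heat-map style metric: total number of rules per technique."""
    counts = defaultdict(int)
    for r in rules:
        counts[r["technique"]] += 1
    return dict(counts)


def layer_coverage(rules):
    """Depth metric: the set of distinct security layers covered per technique."""
    layers = defaultdict(set)
    for r in rules:
        layers[r["technique"]].add(r["layer"])
    return dict(layers)


def shallow_techniques(rules, min_layers=2):
    """Techniques that look covered by rule count but sit on fewer than min_layers layers."""
    return sorted(t for t, ls in layer_coverage(rules).items() if len(ls) < min_layers)


def blind_spots(rules, priority_techniques, required_layers):
    """(technique, layer) pairs where a priority technique has no detection at all."""
    cov = layer_coverage(rules)
    return [(t, layer) for t in priority_techniques for layer in required_layers
            if layer not in cov.get(t, set())]
```

Both T1021.002 and T1078 have rules, but only T1078 survives the depth check, which is the difference the press release is pointing at.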
Splunk .conf23 Session
In this session, Phil Neray, VP of Cyber Defense Strategy at CardinalOps, will discuss:
- Why more detections don’t always equate to better security.
- How CISOs, SOC Managers and Security Engineers/Architects can measure “depth” of detection coverage by enumerating the number of distinct security layers covered for each MITRE ATT&CK technique.
- How the CardinalOps platform uses automation and MITRE ATT&CK to continuously ensure Splunk instances have the right detections – based on organizational priorities – and to eliminate coverage gaps due to missing, broken, and noisy rules.
Platform Demos and Book Giveaway at the Conference
CardinalOps will be demonstrating how its detection posture management platform integrates with Splunk in Booth #T301. Also, join us on Tuesday, July 18 at 4pm PDT to get your complimentary, signed hardcover copy of “Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks” by Scott J. Shapiro, director of the Yale CyberSecurity Lab and the Yale Center for Law and Philosophy.
Backed by detection engineering experts with nation-state expertise, the CardinalOps platform uses automation and MITRE ATT&CK to continuously ensure you have the right detections in place to prevent breaches, based on a threat-informed strategy. What’s more, it improves detection engineering productivity by 10x and reduces the need to hire additional SOC personnel. Native API-driven integrations include Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, and Sumo Logic. Learn more at cardinalops.com.
About Phil Neray
Phil Neray is VP of Cyber Defense Strategy at CardinalOps. With 20+ years of cybersecurity experience, Phil comes to CardinalOps from Microsoft Security, which he joined after the acquisition of CyberX, an early innovator in IoT/OT security monitoring. He previously held executive roles at IBM Security/Q1 Labs, Guardium (acquired by IBM), Veracode (acquired by CA), and Symantec. Phil has a BSEE from McGill University, is certified in cloud security (CCSK), and has a black belt in American Jiu-Jitsu.
For Media Inquiries:
Nathaniel Hawthorne for CardinalOps