Reduce your organization’s exposure to threats with Detection Posture Management

Detection Posture Management (DPM) is the practice of continuously measuring, evaluating, and improving an organization’s overall ability to detect relevant threats and attacks in its systems and environments. DPM gives security teams an understanding of what they can and cannot currently detect and, just as importantly, applies detection engineering practices to remediate gaps and misconfigurations in order to maximize the coverage, health, and fidelity of their SIEM detection rules.

Key Elements of Detection Posture Management

Detection Posture Management can be broken down into two separate but related categories – Assess and Improve.

Assess Your Detection Posture

In order to evaluate your detection posture you must first be able to assess, or measure, where things currently stand. This process begins by looking at your existing tools and understanding the coverage and health of the detection rules your organization currently has in place. Think of this as being able to answer the question – How prepared are we to detect the next attack?

Detection Coverage

Detection coverage is the measurement of which adversary tactics and techniques your detection rules cover and, just as importantly, which gaps remain: the malicious activity you are currently not capable of detecting. It is important to map coverage for all of the detection rules deployed in your environment, including out-of-the-box rules as well as any custom detections your team has developed over time based on its detailed understanding of your network and organization.

In order to evaluate and visualize coverage, the industry-standard MITRE ATT&CK framework provides a comprehensive view. ATT&CK v15 now includes 235 adversary techniques and can be used as a catalog or dictionary of everything seen in the wild in terms of how attackers target organizations. But MITRE ATT&CK coverage should not be mapped in a binary fashion; it is important to measure the “depth” of detection coverage. This can be achieved by mapping each detection to a specific security layer – such as endpoint, network, email, cloud, containers, and IAM – and then counting the number of distinct layers covered for a given technique.
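The depth measurement described above, as an added example that is not CardinalOps code: each rule is mapped to its ATT&CK techniques and to the security layer of its log source, and the report separates techniques with no coverage from techniques that rest on a single layer. The rules, the catalog subset and the layer names are constructed sample data.

```python
# Constructed sample data throughout; layer names follow the ones the article lists.
LAYERS = {"endpoint", "network", "email", "cloud", "containers", "iam"}

# Technique IDs are real ATT&CK IDs; this small catalog subset stands in for the full matrix.
TECHNIQUE_CATALOG = {
    "T1059": "Command and Scripting Interpreter",
    "T1566": "Phishing",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
}

# Each rule is mapped to its techniques and to the security layer its log source sits on.
SAMPLE_RULES = [
    {"name": "EDR: suspicious PowerShell", "techniques": ["T1059"], "layer": "endpoint"},
    {"name": "Proxy: script download", "techniques": ["T1059"], "layer": "network"},
    {"name": "Mail: credential phish", "techniques": ["T1566"], "layer": "email"},
    {"name": "IdP: impossible travel", "techniques": ["T1078"], "layer": "iam"},
    {"name": "Cloud: console login from new IP", "techniques": ["T1078"], "layer": "cloud"},
]

def coverage_depth(rules, catalog):
    """Return {technique_id: set of layers with at least one detection} for the whole catalog."""
    depth = {tid: set() for tid in catalog}
    for rule in rules:
        if rule["layer"] not in LAYERS:
            raise ValueError(f"unknown layer {rule['layer']!r} in rule {rule['name']!r}")
        for tid in rule["techniques"]:
            if tid in depth:
                depth[tid].add(rule["layer"])
    return depth

def coverage_report(rules, catalog):
    """Binary coverage plus depth: which techniques are uncovered, which rest on a single layer."""
    depth = coverage_depth(rules, catalog)
    covered = {tid for tid, layers in depth.items() if layers}
    return {
        "covered_pct": round(100 * len(covered) / len(catalog), 1),
        "uncovered": sorted(set(catalog) - covered),
        "shallow": sorted(tid for tid in covered if len(depth[tid]) == 1),
        "depth": {tid: sorted(layers) for tid, layers in depth.items()},
    }

if __name__ == "__main__":
    print(coverage_report(SAMPLE_RULES, TECHNIQUE_CATALOG))
```

Running the report on two snapshots of the rule set (before and after new detections are deployed) gives the baseline for showing improvement over time.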

The CardinalOps Detection Posture Management platform measures detection coverage across MITRE ATT&CK tactics and techniques for your SIEM and EDR

The CardinalOps Detection Posture Management platform uses specialized, ML-based analytics and feature extraction to map your detections to the most appropriate MITRE ATT&CK technique and sub-technique, producing a heatmap and coverage score that’s continuously updated whenever you add detections or the ATT&CK framework gets updated. The heatmap and metrics can easily be filtered based on selected variables including APT groups, ATT&CK matrices, security layers (endpoint, network, IAM, cloud, etc.), and whether you want to examine covered or uncovered techniques.

Detection Health

Detection health refers to the quality and effectiveness of existing detection rules. In short, it is a measurement of whether your existing rules are working properly and would fire as intended or if something is “broken” and preventing this.

Broken rules, or rules that would not fire an alert, are often caused by common issues such as misconfigured data sources, missing fields, and parsing errors. This commonly occurs due to ongoing changes in the IT infrastructure, vendor log format changes, and logical or accidental errors in writing a rule.
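The prerequisite check implied by the causes listed above, as an added example that is not CardinalOps code: each rule's data source and fields are compared with what the SIEM actually ingested recently, so a silent source, a field that is never populated, or a high parsing-failure rate marks the rule as broken. The ingestion inventory, the rules, the field names and the thresholds are constructed assumptions.

```python
# Added example with constructed data: verify each rule's prerequisites against ingestion.
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"
# Constructed ingestion inventory: per data source, the last event time, the fields
# seen in the last 24h, and the fraction of events that failed field extraction.
INGESTION = {
    "windows_security": {"last_seen": NOW - timedelta(minutes=5),
                         "fields": {"EventID", "SubjectUserName", "TargetUserName", "MemberName"},
                         "parse_fail_ratio": 0.01},
    "proxy": {"last_seen": NOW - timedelta(days=9),
              "fields": {"src_ip", "url", "status"}, "parse_fail_ratio": 0.0},
    "okta": {"last_seen": NOW - timedelta(minutes=1),
             "fields": {"actor.alternateId", "eventType"}, "parse_fail_ratio": 0.65},
}

# Constructed rules: the data source and the fields each detection query depends on.
RULES = [
    {"name": "New local admin", "source": "windows_security", "fields": ["EventID", "MemberName"]},
    {"name": "Kerberoasting", "source": "windows_security", "fields": ["EventID", "TicketEncryptionType"]},
    {"name": "Beaconing to rare domain", "source": "proxy", "fields": ["src_ip", "url"]},
    {"name": "Okta MFA fatigue", "source": "okta", "fields": ["actor.alternateId", "eventType"]},
    {"name": "VPN brute force", "source": "vpn", "fields": ["user", "src_ip"]},
]

def check_rule_health(rule, ingestion, now=NOW, stale_after=timedelta(days=1), max_parse_fail=0.2):
    """Return (status, reason); a 'broken' rule lacks a prerequisite it needs in order to fire."""
    src = ingestion.get(rule["source"])
    if src is None:
        return "broken", f"data source {rule['source']!r} is not onboarded"
    if now - src["last_seen"] > stale_after:
        days = (now - src["last_seen"]).days
        return "broken", f"no events from {rule['source']!r} for {days} days"
    missing = [f for f in rule["fields"] if f not in src["fields"]]
    if missing:
        return "broken", f"fields never populated: {', '.join(missing)}"
    if src["parse_fail_ratio"] > max_parse_fail:
        return "broken", f"{src['parse_fail_ratio']:.0%} of events fail parsing"
    return "healthy", "all prerequisites present"

def health_report(rules, ingestion):
    """Map rule name -> (status, reason) for every rule in the SIEM."""
    return {r["name"]: check_rule_health(r, ingestion) for r in rules}

if __name__ == "__main__":
    for name, (status, reason) in health_report(RULES, INGESTION).items():
        print(f"{status:8} {name}: {reason}")
```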

Finding broken rules in a production environment is difficult, and the problem is easy to overlook: when no alerts fire, it is tempting to assume that the activity is not taking place rather than that the rule is misconfigured and producing false negatives.

But make no mistake, this is a significant issue for security teams of all maturity levels. In fact, findings from our recent 4th Annual State of SIEM Detection Risk Report showed that 18% of all SIEM rules were broken, which means nearly 1 out of every 5 detection rules would never fire. This leads to a false sense of security because your CISO and SecOps team think they’re protected — but then are surprised when your Red Team (or worse, an adversary) finds a hidden gap in your defenses and exploits it.

The CardinalOps Detection Posture Management platform measures detection health by identifying broken rules and misconfigurations

The CardinalOps platform uses specialized analytics to continuously analyze all your rules to ensure they have all required prerequisites to fire (log data, field values, etc.), automatically notifying you of any broken or misconfigured rules.

Improve Your Detection Posture

Once an organization has achieved visibility and awareness of its current detection capabilities, it has a more clearly defined path to improve its detection posture by closing gaps, reducing threat exposure and risk, and strengthening its cyber defense. Think of this as being able to answer the question – What can we do today to ensure that we detect and prevent tomorrow’s attack?

Prioritize and Manage Detection Content

Assessing your current detection posture allows you to be more intentional about how you develop and manage detection content for your organization. With a greater awareness of your unique environment and capabilities, you can now prioritize detection rules and content based on critical areas, starting by asking questions such as:

  • How does our detection posture align with our organization’s business priorities?
  • What crown jewel assets do we have that need to be protected at all costs?
  • Which industry sectors affect our organization or our supply chain?
  • What threat actors or APT groups are relevant to our organization based on geography, industry, motivation, etc.?
  • Where do we currently have gaps in our detection posture?
  • What tactics and techniques are we currently unable to detect?
  • Are we missing data sources that would improve our coverage in high-priority areas?

Implement New Detections to Increase Coverage

Once you’ve identified your top priorities – such as specific APT groups, tactics and techniques, or log source types – it’s time to start eliminating any coverage gaps. Developing and implementing new detections in these areas should be aimed at increasing your detection coverage while aligning to your business and security goals.

With the CardinalOps platform, security teams will receive curated, high-fidelity detections to close any gaps. Rules are delivered deployment-ready, meaning they’re in the native query language of your existing SIEM and have been pre-validated, auto-tuned, and auto-customized to your unique environment, including your data sources, naming conventions, and indexes. The platform makes it easy to quickly review, test, and push new rules into your SIEM with the click of a button (via its native API). Plus, you gain access to a searchable rule catalog containing thousands of rules – covering hundreds of diverse data sources – including for the latest high-profile threats and vulnerabilities.

As you add new detections to your environment, the MITRE ATT&CK framework can again be leveraged to not only map your existing coverage, but to be used as a baseline for showing your improvement over time. With the CardinalOps platform, security teams can validate detection posture and demonstrate continuous improvement to leadership and auditors.

Threat intelligence can also be used to initiate more advanced detection engineering practices. With CardinalOps, security teams can operationalize TTP-level threat intelligence from vendors like CrowdStrike and Google/Mandiant, and turn reports into actionable detection content to keep pace with threats and attacker trends in near real-time. The CardinalOps platform also leverages a catalog of open-source intelligence (OSINT) that aggregates public reports and articles with the latest threat intelligence that can be operationalized into detection insights and content for increasing coverage for your unique environment.

Optimize Detection Health and Fidelity

Although it is often overlooked or deprioritized by detection engineering and security teams, making sure that the rules you have in place are working and properly configured can be just as critical to improving your detection posture as the development of new rules.

Identify and Fix Broken Rules

Once broken rules have been identified, it is important to understand why each rule is misconfigured and no longer firing. This level of understanding allows you to fix errors, carry out updates, and implement new detections for remediation.

The CardinalOps Detection Posture Management platform surfaces broken rules while also providing recommendations for how to fix and reconfigure the detection to enable proper functionality

With the CardinalOps platform, you will not only be made aware of existing broken rules, but you will be provided specific details on why a particular rule is misconfigured and will even be delivered remediated rules that you can review, test, and instantly deploy into your SIEM. Being able to quickly identify and take action on broken rules can save teams countless hours of testing, simulation, validation, and engineering while ensuring that your internal team catches any potential gaps or blind spots before an adversary does.

Analyze and Tune Noisy Rules

The only thing as bad as a rule that doesn’t fire when it should is a rule that fires when it shouldn’t. It’s like the boy who cried ‘wolf’ – noisy detections lead to alert fatigue, which results in complacency on the SOC team. In fact, researchers found that 20-30% of all alerts are simply ignored or not investigated in a timely manner. Noisy rules also give adversaries an easy path to exploit weaknesses in your defenses.

CardinalOps addresses the challenge of alert fatigue by analyzing all incidents created by the noisiest rules in your SIEM. To isolate the likely root cause of the problem, it looks for patterns and pinpoints specific field/value pairs that are responsible for triggering most of the alerts. It then provides recommendations on how to tune the rules using exclusions derived from the statistical analysis. The end result? A meaningful reduction in alert volume and alert fatigue – without eliminating alerts that are most likely to be true positives.
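The field/value analysis described above, as an added example that is not CardinalOps code: the alerts of one noisy rule are counted per field/value pair, any value that has ever produced a confirmed true positive is excluded from consideration, and the dominant remaining pair is proposed as an exclusion clause. The alerts, their analyst dispositions and the 50% share threshold are constructed assumptions.

```python
# Added example with constructed data: root-cause a noisy rule and propose a safe exclusion.
from collections import Counter

# Constructed alerts from one rule ("Suspicious service install") with analyst dispositions.
ALERTS = [
    {"host": "build-01", "user": "svc_ci", "image": "C:\\ci\\runner.exe", "disposition": "false_positive"},
    {"host": "build-02", "user": "svc_ci", "image": "C:\\ci\\runner.exe", "disposition": "false_positive"},
    {"host": "build-03", "user": "svc_ci", "image": "C:\\ci\\runner.exe", "disposition": "unreviewed"},
    {"host": "build-01", "user": "svc_ci", "image": "C:\\ci\\runner.exe", "disposition": "unreviewed"},
    {"host": "ws-114", "user": "jdoe", "image": "C:\\Temp\\x.exe", "disposition": "true_positive"},
    {"host": "ws-207", "user": "svc_ci", "image": "C:\\Temp\\upd.exe", "disposition": "unreviewed"},
]
ANALYSIS_FIELDS = ("host", "user", "image")

def pair_stats(alerts, fields=ANALYSIS_FIELDS):
    """Count alerts and confirmed true positives per (field, value) pair."""
    total, true_pos = Counter(), Counter()
    for alert in alerts:
        for field in fields:
            if field in alert:
                total[(field, alert[field])] += 1
                if alert.get("disposition") == "true_positive":
                    true_pos[(field, alert[field])] += 1
    return total, true_pos

def propose_exclusion(alerts, min_share=0.5, fields=ANALYSIS_FIELDS, top=3):
    """Rank pairs that never produced a true positive by alert count and propose excluding the
    top one if it explains at least min_share of the alerts; None when no safe pair qualifies."""
    total, true_pos = pair_stats(alerts, fields)
    ranked = sorted(((n, f, v) for (f, v), n in total.items() if true_pos[(f, v)] == 0),
                    key=lambda t: (-t[0], t[1], t[2]))
    if not ranked or ranked[0][0] / len(alerts) < min_share:
        return None
    count, field, value = ranked[0]
    return {
        "exclude": f'NOT {field}="{value}"',  # clause to AND into the rule's query
        "alerts_removed": count,
        "share": round(count / len(alerts), 2),
        "candidates": [(f"{f}={v}", n) for n, f, v in ranked[:top]],
    }

if __name__ == "__main__":
    print(propose_exclusion(ALERTS))
```

The broadest pair wins here (the whole CI service account), so the ranked candidates are returned as well; an analyst would typically narrow the exclusion to the runner image, which accounts for four of the five alerts.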

The benefits? Higher productivity, greater agility, and cost avoidance from a reduced need to hire additional personnel. Plus happier staff members who are less likely to leave because they can now spend their time on more interesting activities such as threat hunting and researching new and novel attack techniques.