Tel Aviv- and Boston-based CardinalOps has extended its detection posture management capability with MITRE ATT&CK Security Layers.
MITRE [email protected] has become the de facto standard source for measuring a company’s detection capabilities against primary attacks and attackers. ATT&CK contains more than 500 techniques and sub-techniques used by threat groups.
The principle is simple. If defenders can detect these techniques occurring in their networks, they can detect the presence of the attacker. But an effective realization is less simple given the quantity of ATT&CK techniques and the volume of alerts coming from detection systems.
CardinalOps’ working premise is that efficient and effective detection posture management against MITRE ATT&CK techniques can only be achieved with the help of automation. Its platform automatically measures detection rules used within SIEM/XDRs (including Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, and Sumo Logic) against the techniques listed in ATT&CK. The process can improve the rule set while accurately measuring and allowing improvement to the detection posture.
The firm has now extended its platform with the addition of MITRE ATT&CK Security Layers. “Security Layers adds an additional dimension to ATT&CK coverage for the first time because it examines the ‘depth’ of coverage,” explains Phil Neray, VP of cyber defense strategy at CardinalOps.. Traditional ways of measuring MITRE ATT&CK coverage in SIEM/XDR platforms simply compile the number of detection rules for a given ATT&CK technique without considering the attack surface.
“Security Layers,” he continued, “enables you to implement ‘detection-in-depth’ by adding up the number of distinct security layers in your attack surface – endpoint, network, cloud, email, IAM, etcetera — that are covered for a given technique.”
In the traditional approach, having five detection rules just for the endpoint layer counts the same as having five detection rules with each one covering a different layer. “Security teams,” added Neray, “want to know that they are covering multiple layers in their attack surface rather than bunching all their detection rules on just one or two layers like the endpoint and network layers, since this leads to gaps that attackers can exploit at other layers like cloud and IAM.”
Security Layers also allows defenders to link their coverage to preferred business outcomes by identifying blind spots related to crown-jewel assets such as their most sensitive applications and data. “For some companies like financial services firms,” he continued, “it can be their cloud assets, whereas for other companies such as law firms it might be their email systems. Security Layers enables organizations to proactively prioritize the development of new detection rules based on the crown jewel assets and the adversary techniques that are most important to them.”
The result, suggests CardinalOps, is the combination of a ‘detection-in-depth’ concept to the basic requirement for ‘defense-in-depth’ cybersecurity. “What’s new,” said Neray, “is the concept of looking for critical coverage gaps based on how many layers of your attack surface are not covered by existing detection rules.”
CardinalOps was founded in 2020 in Tel Aviv by Michael Mumcuoglu (CEO). The firm raised $17.5 million in a Series A funding round led by Viola Ventures in March 2022 – bringing the total raised to $24 million.
Related: MITRE Adds D3FEND Countermeasures to ATT&CK Framework
Related: CISA Issues MITRE ATT&CK Mapping Guide for Threat Intelligence Analysts
Related: ATT&CK v9 Introduces Containers, Google Workspace

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
More from Kevin Townsend
- Threat Actor Abuses SuperMailer for Large-scale Phishing Campaign
- Quantum Decryption Brought Closer by Topological Qubits
- IBM Delivers Roadmap for Transition to Quantum-safe Cryptography
- CISO Conversations: HP and Dell CISOs Discuss the Role of the Multi-National Security Chief
- Court Rules in Favor of Merck in $1.4 Billion Insurance Claim Over NotPetya Cyberattack
- Open Banking: A Perfect Storm for Security and Privacy?
- Apiiro Launches Application Attack Surface Exploration Tool
- Phylum Adds Open Policy Agent to Open Source Analysis Engine
Latest News
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Amazon Settles Ring Customer Spying Complaint
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
