Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Incident Response

CardinalOps Extends MITRE ATT&CK-based Detection Posture Management

Tel Aviv- and Boston-based CardinalOps has extended its detection posture management capability with MITRE ATT&CK Security Layers.

Tel Aviv- and Boston-based CardinalOps has extended its detection posture management capability with MITRE ATT&CK Security Layers.

MITRE ATT@CK has become the de facto standard source for measuring a company’s detection capabilities against primary attacks and attackers. ATT&CK contains more than 500 techniques and sub-techniques used by threat groups.

The principle is simple. If defenders can detect these techniques occurring in their networks, they can detect the presence of the attacker. But an effective realization is less simple given the quantity of ATT&CK techniques and the volume of alerts coming from detection systems. 

CardinalOps’ working premise is that efficient and effective detection posture management against MITRE ATT&CK techniques can only be achieved with the help of automation. Its platform automatically measures detection rules used within SIEM/XDRs (including Splunk, Microsoft Sentinel, IBM QRadar, Google Chronicle SIEM, CrowdStrike Falcon LogScale, and Sumo Logic) against the techniques listed in ATT&CK. The process can improve the rule set while accurately measuring and allowing improvement to the detection posture.

The firm has now extended its platform with the addition of MITRE ATT&CK Security Layers. “Security Layers adds an additional dimension to ATT&CK coverage for the first time because it examines the ‘depth’ of coverage,” explains Phil Neray, VP of cyber defense strategy at CardinalOps.. Traditional ways of measuring MITRE ATT&CK coverage in SIEM/XDR platforms simply compile the number of detection rules for a given ATT&CK technique without considering the attack surface.

“Security Layers,” he continued, “enables you to implement ‘detection-in-depth’ by adding up the number of distinct security layers in your attack surface – endpoint, network, cloud, email, IAM, etcetera — that are covered for a given technique.”

CardinalOps MITRE ATT&CK Security Layers

In the traditional approach, having five detection rules just for the endpoint layer counts the same as having five detection rules with each one covering a different layer. “Security teams,” added Neray, “want to know that they are covering multiple layers in their attack surface rather than bunching all their detection rules on just one or two layers like the endpoint and network layers, since this leads to gaps that attackers can exploit at other layers like cloud and IAM.”

Security Layers also allows defenders to link their coverage to preferred business outcomes by identifying blind spots related to crown-jewel assets such as their most sensitive applications and data. “For some companies like financial services firms,” he continued, “it can be their cloud assets, whereas for other companies such as law firms it might be their email systems. Security Layers enables organizations to proactively prioritize the development of new detection rules based on the crown jewel assets and the adversary techniques that are most important to them.”

The result, suggests CardinalOps, is the combination of a ‘detection-in-depth’ concept to the basic requirement for ‘defense-in-depth’ cybersecurity. “What’s new,” said Neray, “is the concept of looking for critical coverage gaps based on how many layers of your attack surface are not covered by existing detection rules.”

Advertisement. Scroll to continue reading.

CardinalOps was founded in 2020 in Tel Aviv by Michael Mumcuoglu (CEO). The firm raised $17.5 million in a Series A funding round led by Viola Ventures in March 2022 – bringing the total raised to $24 million.

Related: MITRE Adds D3FEND Countermeasures to ATT&CK Framework

Related: CISA Issues MITRE ATT&CK Mapping Guide for Threat Intelligence Analysts

Related: ATT&CK v9 Introduces Containers, Google Workspace

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.