In our post "MITRE ATT&CK + Cysiv, A Match Made for Gap Detection" we introduced a new feature that identifies your coverage of the MITRE ATT&CK framework's catalogue of Tactics, Techniques and Procedures (TTPs) commonly used by adversaries. The feature lets you see which TTPs your current sources can detect and simulate how that coverage would change if additional sources were added.
Now we turn our attention to what that coverage actually buys you. SIEMs have historically not been good at detecting attacks that bypass the traditional layers of defense in depth. Last week SC Magazine shared findings from a recent study which found that existing SIEM solutions have detections for only 16% of MITRE ATT&CK TTPs.
That is very limited coverage, which the article attributes to long-standing SIEMs never having been designed for TTP detection. Given the MITRE ATT&CK framework's role as a global repository of attack methodologies used by threat actors, TTP coverage is a key part of maintaining visibility into ever more complex attacks, and leaving it to the individual security products alone isn't ideal.
Cysiv Command, our cloud-native, next-gen SIEM platform and the foundation for Cysiv SOC-as-a-Service, was built with a focus on deeper telemetry and advanced detections, which lets us spot TTPs across a wide range of sources. In fact, when we look at our coverage, we have one or more sources capable of detecting over 177 TTPs.
That is 86% of the TTPs detailed by MITRE ATT&CK!
While we agree with the SC article that some TTPs are not detectable from logs, many are, and previous-generation SIEMs are simply not up to the challenge. The relevant sources range from network to SaaS and from cloud to campus, but many TTPs are best spotted on the endpoint. For that we need deeper telemetry, either from our freely available collector or from the deep-visibility options provided by EDR solutions such as Carbon Black, CrowdStrike, SentinelOne, Trend Micro, and others.
We use that deep telemetry to spot TTPs that the defense-in-depth layers may have missed, and we have the added benefit of correlating EDR events with network, SaaS, and other event sources.
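To make the coverage assessment and simulation described above concrete, here is a small worked example. It is added here for illustration and is not Cysiv Command's code or data: the technique IDs are real ATT&CK Enterprise technique IDs, but the mapping of which telemetry source carries detections for which technique, the source names, and the "current" source set are all constructed for the example. It computes current TTP coverage, lists the gaps, ranks candidate sources (such as an EDR feed) by how much coverage each would add, and separately reports techniques that none of the modelled sources can detect, matching the caveat that some TTPs are not detectable from logs at all.

```python
"""ATT&CK technique coverage and gap simulation (hypothetical example).

Not Cysiv's implementation. Technique IDs are real ATT&CK Enterprise IDs;
the source-to-technique detection mapping is constructed for illustration.
"""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed reference set: a small slice of the ATT&CK Enterprise matrix.
TECHNIQUES: Dict[str, str] = {
    "T1003": "OS Credential Dumping",
    "T1021": "Remote Services",
    "T1047": "Windows Management Instrumentation",
    "T1053": "Scheduled Task/Job",
    "T1055": "Process Injection",
    "T1059": "Command and Scripting Interpreter",
    "T1071": "Application Layer Protocol",
    "T1078": "Valid Accounts",
    "T1105": "Ingress Tool Transfer",
    "T1200": "Hardware Additions",
    "T1566": "Phishing",
}

# Constructed mapping (hypothetical): which telemetry source carries
# detections for which techniques. Real mappings come from your rule set.
SOURCE_DETECTIONS: Dict[str, Set[str]] = {
    "firewall": {"T1071", "T1105"},
    "email_gateway": {"T1566"},
    "windows_security_log": {"T1021", "T1053", "T1078"},
    "edr": {"T1003", "T1047", "T1053", "T1055", "T1059", "T1105"},
    "cloud_audit": {"T1059", "T1078"},
    "dns": {"T1071"},
}

# Constructed "currently onboarded" sources for the worked example.
CURRENT_SOURCES: List[str] = ["firewall", "email_gateway", "windows_security_log"]
CANDIDATE_SOURCES: List[str] = ["edr", "cloud_audit", "dns"]


def covered_techniques(sources: Iterable[str]) -> Set[str]:
    """Union of techniques detectable by the given sources (unknown sources add nothing)."""
    result: Set[str] = set()
    for source in sources:
        result |= SOURCE_DETECTIONS.get(source, set())
    return result & set(TECHNIQUES)


def coverage(sources: Iterable[str]) -> Tuple[int, int, float]:
    """(covered, total, percent) for a set of sources."""
    covered = len(covered_techniques(sources))
    total = len(TECHNIQUES)
    return covered, total, round(100.0 * covered / total, 1)


def gaps(sources: Iterable[str]) -> List[str]:
    """Techniques in the reference set with no detection from these sources."""
    return sorted(set(TECHNIQUES) - covered_techniques(sources))


def simulate_additions(current: Iterable[str],
                       candidates: Iterable[str]) -> List[Tuple[str, int, float]]:
    """Rank each candidate source by the number of new techniques it would cover.

    Returns (source, newly_covered, resulting_percent), best first.
    """
    base = covered_techniques(current)
    rows = []
    for candidate in candidates:
        after = covered_techniques(list(current) + [candidate])
        gain = len(after - base)
        rows.append((candidate, gain, round(100.0 * len(after) / len(TECHNIQUES), 1)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


def undetectable_by_any_source() -> List[str]:
    """Techniques no modelled source can detect: gaps that logs alone will not close."""
    return sorted(set(TECHNIQUES) - covered_techniques(SOURCE_DETECTIONS))


def greedy_plan(current: Iterable[str], candidates: Iterable[str], budget: int) -> List[str]:
    """Pick up to `budget` sources, one at a time, each maximising marginal coverage.

    Stops early once no remaining candidate adds a technique (e.g. a source
    whose detections are all duplicated by an already chosen source).
    """
    chosen = list(current)
    remaining = set(candidates)
    picks: List[str] = []
    for _ in range(budget):
        ranked = simulate_additions(chosen, sorted(remaining))
        if not ranked or ranked[0][1] == 0:
            break
        best = ranked[0][0]
        picks.append(best)
        chosen.append(best)
        remaining.discard(best)
    return picks


if __name__ == "__main__":
    print("current coverage:", coverage(CURRENT_SOURCES))
    print("gaps:", gaps(CURRENT_SOURCES))
    print("simulation:", simulate_additions(CURRENT_SOURCES, CANDIDATE_SOURCES))
    print("not detectable by any modelled source:", undetectable_by_any_source())
    print("greedy plan (2 picks):", greedy_plan(CURRENT_SOURCES, CANDIDATE_SOURCES, 2))
```

With the constructed data the three onboarded sources cover 6 of 11 techniques; adding the EDR feed alone lifts that to 10 of 11, while "dns" adds nothing because its only detection (T1071) is already covered by the firewall. T1200 remains uncovered regardless of which sources are added, which is the kind of gap that has to be addressed by a control other than log-based detection. The greedy planner stops after one pick for the same reason: once EDR is added, neither remaining candidate contributes a new technique.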
MITRE ATT&CK coverage is only one part of assessing risk. You also have to look at overall coverage, asset discovery, external risk, vulnerability management, defense in depth, and other measures of the maturity of your cyber security practice. TTP coverage is nonetheless an important part of ensuring your organization is prepared for advanced and evasive attacks.
If you haven't already, I encourage you to watch the video to see in practice how Cysiv lets you assess and simulate your coverage.