The MITRE ATT&CK framework provides a taxonomy of adversarial tactics, techniques and procedures (TTPs). Cysiv SOC-as-a-Service uses it through its platform to help answer three important questions for clients:
Onboarding Prioritization
What data sources should be ingested for broad, or specific, technique coverage?
Gap Analysis
Where are potential blind spots that adversaries can exploit to gain access?
Coverage Planning
What happens to MITRE ATT&CK coverage if other data sources are added?
The dashboard profiles over 200 Techniques across the 14 Tactic categories. Until a data source is selected, each of them appears grey.
One Data Source: With the addition of firewall telemetry (e.g., Juniper), Cysiv can now detect 33 of the ~213 techniques (green) as part of its SOC-as-a-Service.
Two Data Sources: With EDR telemetry (e.g., CrowdStrike) added to firewall data, Cysiv can now detect 62 of the ~213 techniques (green).
Three Data Sources: Windows Sysmon and Events + EDR + Firewall = 158 of the ~213 techniques.
Four Data Sources: Google Workspace + Windows Sysmon and Events + EDR + Firewall = 160 of the ~213 techniques.
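The progression above is the result of a set-union calculation: each data source can evidence some subset of ATT&CK techniques, and the coverage after adding a source is the union of the subsets of everything ingested so far. The following is an added example, not code from the Cysiv platform, that implements that calculation and answers the three questions from the top of the page (onboarding prioritization, gap analysis and coverage planning) over a deliberately small, constructed mapping of data sources to technique IDs. The technique IDs are real ATT&CK identifiers, but the assignment of techniques to data sources and the stand-in technique catalogue are simplified assumptions for illustration only; a real mapping would be drawn from ATT&CK's own data-source metadata and from the detections actually deployed. Note the example treats a technique as "covered" as soon as any selected source can evidence it, which measures telemetry visibility, not whether a working detection exists.

```python
# Added example (not Cysiv's platform code): a minimal ATT&CK data-source
# coverage calculator that answers onboarding prioritization, gap analysis
# and coverage planning over a constructed source -> technique mapping.

# Constructed, simplified mapping of data source -> technique IDs that the
# source can evidence. Real ATT&CK data-source mappings are far larger;
# these assignments are illustrative assumptions only.
SOURCE_COVERAGE = {
    "firewall": {"T1046", "T1021.001", "T1071.001", "T1048", "T1105", "T1110"},
    "edr": {"T1059.001", "T1055", "T1003.001", "T1105", "T1021.001", "T1547.001"},
    "windows_events": {"T1059.001", "T1110", "T1078", "T1003.001",
                       "T1547.001", "T1021.001", "T1053.005"},
    "google_workspace": {"T1566.001", "T1078", "T1098"},
}

# Constructed stand-in for the ~213-technique catalogue in the dashboard.
# Three techniques are deliberately covered by no source so gaps show up.
ALL_TECHNIQUES = set().union(*SOURCE_COVERAGE.values()) | {"T1486", "T1190", "T1027"}


def covered(sources):
    """Union of techniques detectable from the selected sources."""
    return set().union(*(SOURCE_COVERAGE[s] for s in sources)) if sources else set()


def gaps(sources):
    """Gap analysis: techniques no selected source can evidence."""
    return ALL_TECHNIQUES - covered(sources)


def marginal_gain(sources, candidate):
    """Coverage planning: techniques newly gained by adding one source."""
    return SOURCE_COVERAGE[candidate] - covered(sources)


def onboarding_order(available):
    """Onboarding prioritization: greedy set-cover heuristic that at each
    step picks the source adding the most not-yet-covered techniques.
    Ties are broken by source name so the result is deterministic."""
    selected, remaining = [], set(available)
    while remaining:
        best = max(remaining, key=lambda s: (len(marginal_gain(selected, s)), s))
        if not marginal_gain(selected, best):
            break  # nothing left adds coverage; stop onboarding
        selected.append(best)
        remaining.remove(best)
    return selected


def coverage_steps(order):
    """Cumulative coverage as sources are added in the given order, in the
    style of the per-source counts on the dashboard."""
    steps, selected = [], []
    for source in order:
        selected.append(source)
        steps.append((source, len(covered(selected)), len(ALL_TECHNIQUES)))
    return steps


if __name__ == "__main__":
    page_order = ["firewall", "edr", "windows_events", "google_workspace"]
    for source, have, total in coverage_steps(page_order):
        print(f"+{source:<17} {have:>2} of {total} techniques covered")
    print("greedy onboarding order:", onboarding_order(SOURCE_COVERAGE))
    print("remaining gaps:", sorted(gaps(SOURCE_COVERAGE)))
```

Running the greedy prioritization on this sample data yields a different onboarding order than the one walked through on the page, because Windows event logs evidence the most techniques on their own while EDR overlaps heavily with them; the same marginal-gain logic is what tells a client that a fourth source adding only two techniques may not be worth the ingestion cost.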
Are you able to detect and respond to the most common TTPs?
Cysiv experts have a deep understanding of the detection value of different data sources, which is critical to ensuring the effectiveness and efficiency of modern threat detection and response.