We have been collectively saying in our industry for the last 15-20 years that a layered approach to your security stack is a “best practice,” but as with all best practices, these are ideals rather than reality for so many charged with protecting their organizations. The vast majority of CISOs are saddled with legacy operating systems and applications, along with a lack of funding.
For many of those in more mature sectors that struggle less with resources, such as financial services and government, this ideal state has been reached by buying a large number of point products for each layer, then adding more and more people to each layer in the hope that they can coordinate across those layers to protect, detect, respond and recover from attacks.
While this strategy has had some success, it is not sustainable, and it is definitely not an option for the remaining 90% of companies with resource challenges. Further complicating the issue is the growing scope and scale of today's attacks, which increasingly succeed by targeting the seams between these layers.
There are many reasons why we are in this overloaded place, drowning in alerts and logs. But there is one cause that has become especially problematic for the design and operation of security programs: the focus on the “kill chain.”
The kill chain can be an effective way to simplify and explain the progression of an attack through the different layers. However, it does not adequately reflect the non-linear reality of attacks, and it underplays the importance of identifying the specific tactics, techniques, and tools that global threat actor groups are using today.
(Cue the MITRE ATT&CK plug)
That gap is now being closed. ATT&CK “…is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” ATT&CK enables network defenders and cyber threat intelligence analysts to collaborate through an open community to continuously identify the tactics, techniques and tools used by 90+ global threat actor groups, and to use that shared vocabulary to improve their protection and detection.
Another trend that works hand in hand with ATT&CK is the move from EDR to XDR. In the same way that the kill chain has become an outdated concept, so has the notion that EDR alone, using only endpoint telemetry, is sufficient to speed up detection and response. ATT&CK gives you the full picture of the threat; XDR coordinates detection and response against that full picture.
While the endpoint is still critical, many malicious artifacts are only visible at the network, in the cloud, or at the email and web gateway, and when each of those layers alerts in its own silo the individual signals are weak or missed entirely. XDR fills in those gaps by correlating telemetry across the layers so that the related signals are seen as one attack.
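The point about attacks living in the seams between layers is easiest to see with telemetry in hand. The following is an added illustration, not code from the original post or from Trend Micro: three constructed events (a macro-enabled attachment delivered by the mail gateway, Office spawning a shell on the endpoint, and a periodic outbound beacon seen at the network layer) are each low-severity on their own, but joined onto a single host within a time window they form one incident that maps to several ATT&CK techniques. The event schema, the field names, the user-to-host inventory, the 30-minute window and the "two or more layers" threshold are all assumptions made for the example; only the ATT&CK technique IDs are real.

```python
"""Added example (not from the original post): minimal cross-layer correlation
over constructed gateway, endpoint and network telemetry. The event schema,
field names, asset inventory and thresholds are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK technique IDs that each constructed event kind is mapped to here.
# Which technique a given telemetry source evidences is an analyst decision;
# these are the standard IDs for the techniques named in the comments.
TECHNIQUE = {
    "gateway_attachment": "T1566.001",  # Phishing: Spearphishing Attachment
    "office_spawn_shell": "T1059",      # Command and Scripting Interpreter
    "outbound_beacon":    "T1071.001",  # Application Layer Protocol: Web Protocols
}

# Constructed sample telemetry. Note the silo problem: the gateway knows the
# user but not the host, the network layer knows the host but not the user.
EVENTS = [
    {"ts": "2020-03-10T09:00:05", "source": "gateway",  "kind": "gateway_attachment",
     "user": "jdoe", "detail": "invoice.docm delivered"},
    {"ts": "2020-03-10T09:04:40", "source": "endpoint", "kind": "office_spawn_shell",
     "host": "WS-017", "user": "jdoe", "detail": "WINWORD.EXE -> powershell.exe"},
    {"ts": "2020-03-10T09:05:12", "source": "network",  "kind": "outbound_beacon",
     "host": "WS-017", "detail": "HTTPS to rarely seen domain, 60s interval"},
    # Unrelated user: a macro document that was never followed by anything.
    {"ts": "2020-03-10T10:15:00", "source": "gateway",  "kind": "gateway_attachment",
     "user": "asmith", "detail": "report.docm delivered"},
]

# Hypothetical asset inventory used to bridge the silos: it lets a gateway event
# (user only) be placed on the same host as endpoint and network events.
USER_TO_HOST = {"jdoe": "WS-017", "asmith": "WS-042"}


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, user_to_host, window=timedelta(minutes=30), min_layers=2):
    """Place every event on a host, then report each host where events from at
    least `min_layers` distinct sources fall inside `window` of each other.
    Returns a list of incidents, each with the layers and techniques involved."""
    by_host = defaultdict(list)
    for e in events:
        host = e.get("host") or user_to_host.get(e.get("user"))
        if host is None:
            continue  # cannot be placed on an asset; dropped for this example
        by_host[host].append(e)

    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, anchor in enumerate(evs):
            deadline = parse_ts(anchor["ts"]) + window
            chain = [e for e in evs[i:] if parse_ts(e["ts"]) <= deadline]
            layers = {e["source"] for e in chain}
            if len(layers) >= min_layers:
                incidents.append({
                    "host": host,
                    "layers": sorted(layers),
                    "techniques": sorted({TECHNIQUE[e["kind"]] for e in chain}),
                    "events": chain,
                })
                break  # one incident per host is enough for this illustration
    return incidents


def single_layer_alerts(events):
    """What each silo would report on its own: one isolated, low-context
    alert per event, with no notion that they belong to the same attack."""
    return [f"[{e['source']}] {TECHNIQUE[e['kind']]}: {e['detail']}" for e in events]


if __name__ == "__main__":
    print("Per-layer view (what siloed tools emit):")
    for line in single_layer_alerts(EVENTS):
        print("  " + line)
    print("\nCorrelated view:")
    for inc in correlate(EVENTS, USER_TO_HOST):
        print(f"  host={inc['host']} layers={inc['layers']} techniques={inc['techniques']}")
```

The unrelated attachment to `asmith` never becomes an incident because nothing else happened on that user's host inside the window; the `jdoe` events, which individually look like a document delivery, a noisy child process and an unremarkable HTTPS flow, collapse into a single host-scoped incident with a technique list that reads like an ATT&CK-described intrusion. A real XDR product does the same join at far larger scale and with richer identity data, but the asset mapping step is exactly the seam that siloed tools cannot cross.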
Do you think the evolution of EDR to XDR will meet many of challenges we are seeing today? Tweet us your thoughts at @TrendMicro.