Live ATT&CK based Visibility Map with Observability & SMAP Framework
Medium – Kaviarasan Ak
This blog discusses the integration of CTID’s SMAP framework with an observability platform to improve the security operations center’s (SOC) visibility and detection capabilities.
The author highlights the challenges faced by SOCs in understanding the visibility of their infrastructure and proposes a solution through real-time visibility provided by the integration.
The blog explains the observability pipeline and its importance in collecting, reducing, enriching, normalizing, and routing data from any source to any destination.
The author also introduces the Sensor Mapping to Attack (SMAP) framework, which assists security operations teams and leaders in understanding which tools, capabilities, and events can help detect real-world adversary TTPs in their environments.
The author then describes an architecture where data sources feed into an observability platform, which serves as the primary entry point for all data and provides a single source of truth for insights into the infrastructure.
However, the author acknowledges the challenges of querying the platform directly, including human error and the need for tool-specific query knowledge, and proposes an integrated plugin that constructs the visibility matrix for the SOC automatically.
The author provides scenarios to demonstrate the integration of the SMAP framework with the observability data pipeline, showing how the MITRE ATT&CK matrix can be dynamically populated based on incoming data and how the shape of the matrix can change with the addition of new data sources.
The author also discusses how the integration can assess the visibility and quality of ingested logs, providing insights into detection capabilities.
The author acknowledges some caveats, including the need for log analysis and a robust detection engineering lifecycle to deploy use cases based on the intelligence presented on the dashboard.
The author also notes that the challenge of coverage and timeliness of ingested logs still persists.
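As an added illustration of the dynamically populated matrix described above (example code, not from the post or from CTID's SMAP project), the Python below builds a tactic-by-technique visibility view from whatever data sources the pipeline has actually ingested, flags cells whose sources have gone quiet, and shows the matrix reshaping when a new source is onboarded. The sensor-to-technique mapping, the sample pipeline events and the one-hour freshness window are constructed assumptions, not the SMAP dataset.

```python
"""Live ATT&CK visibility matrix built from what the pipeline ingests."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed stand-in for a SMAP-style mapping (not CTID's dataset):
# data source -> {technique id: tactic} that the source can observe.
SENSOR_MAP = {
    "windows_security_4688": {"T1059": "Execution"},
    "sysmon_event_3": {"T1071": "Command and Control", "T1021": "Lateral Movement"},
    "windows_security_4624": {"T1078": "Defense Evasion", "T1021": "Lateral Movement"},
    "sysmon_event_10": {"T1003": "Credential Access"},
}

# Constructed pipeline events: only the source name and ingest time matter here.
PIPELINE_EVENTS = [
    {"source": "windows_security_4688", "ts": "2024-05-01T10:20:00+00:00"},
    {"source": "sysmon_event_3", "ts": "2024-05-01T07:05:00+00:00"},  # gone quiet
]
NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)

def latest_ingest(events):
    """Return {data source: most recent ingest timestamp} seen in the pipeline."""
    seen = {}
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ev["source"] not in seen or ts > seen[ev["source"]]:
            seen[ev["source"]] = ts
    return seen

def visibility_matrix(events, now=NOW, max_age=timedelta(hours=1)):
    """Map tactic -> technique -> {"sources": [...], "fresh": bool}.
    Coverage is credited from any source that ever shipped data, but a cell is
    only fresh when some source for it arrived within max_age (timeliness)."""
    matrix = defaultdict(dict)
    for source, last_ts in latest_ingest(events).items():
        for tech, tactic in SENSOR_MAP.get(source, {}).items():
            cell = matrix[tactic].setdefault(tech, {"sources": [], "fresh": False})
            cell["sources"].append(source)
            cell["fresh"] = cell["fresh"] or now - last_ts <= max_age
    return dict(matrix)

def stale_techniques(matrix):
    """Techniques covered on paper but with no fresh data: the timeliness gap."""
    return sorted(t for cells in matrix.values() for t, c in cells.items() if not c["fresh"])

def onboard(events, source, ts):
    """Route a new data source into the pipeline; the matrix reshapes with no manual step."""
    return visibility_matrix(events + [{"source": source, "ts": ts}])
```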
In conclusion, the author believes that integrating frameworks like CTID's SMAP with the observability data pipeline can significantly benefit detection engineers, integration engineers, security analysts, and incident responders, providing the dashboard that every SOC engineer and manager wants.
The author welcomes discussions and feedback on the topic.
Link: https://medium.com/@kaviarasan_ak/live-att-ck-based-visibility-map-with-observability-smap-framework-a5dda682678c