Signal the ATT&CK: Part 2

05 July 2018

Using orchestration and automation to enhance EDR capabilities, and to reduce ‘alert fatigue’

Earlier this year, we released part 1 of our ‘Signal the ATT&CK’ article, in which we presented how we incorporate the adversary behaviour knowledge captured in the MITRE ATT&CK™ matrix into our threat hunting within the Tanium platform, in part using a Tanium Threat Response feature known as Signals.

Part 2 is now live. In it we explore security orchestration and automation (collectively referred to here as orchestration) and how it improves the efficiency of our Endpoint Detection and Response (EDR) capability: slow, manual tasks are streamlined and automated into repeatable, scalable processes.

The orchestration workflows we have developed in Apache NiFi address two pain-points that will resonate with many security teams:

  1. Alert overload - commonly referred to as ‘alert fatigue’, this is where analysts are inundated with detections. Detections are overlooked as a result, which increases operational risk; and,
  2. Frustration of manual enrichment - having to look up indicators against threat intelligence datasets by hand, and to pull related endpoint artefacts manually.

By setting out our approach, we show how orchestration acts as a layer of connective tissue within our threat detection ecosystem, automating the flow of data between systems and executing decisions on that data. We also hope to show how you can improve your organisation’s endpoint threat detection capability.

For more information on how we can help your organisation, please contact Paul Bottomley and Wietze Beukema.

Paul Bottomley | Endpoint Threat Detection and Response Lead

Wietze Beukema | Endpoint Threat Detection and Response Analyst
