“Yet another framework, yet another set of terminologies…”
Join us as we discuss cyber security databases and the effectiveness of the MITRE framework:
- Lee Harris, MSSP & Cloud Pak for Security Sales Leader, EMEA, IBM
- Dr Alex Tarter, Chief Cyber Consultant & CTO, Thales
- James Todd, CTO – BT Security, BT
- Andy Grzes, CTA, Smarttech
Once we do that, moving on to the next question. This is for Andy and Alex. I’ll start with you, Andy. How valuable is the MITRE ATT&C framework as news and organisation? And how you categorise what is important to you? What other mechanisms to you use to determine your tech landscape?
Yeah actually an interesting thing about the MITRE ATT&C framework, I think. When it came out originally, and we started talking about it. It’s not just, well yet another net framework to talk about. And yet another new set of terminology to learn, and there will be lots of fluff. Actually it was not. It turned out to be one of the greatest tools for me, and my organisation and previous organisation, to work with.
Because all the frameworks that we have. And if you went through the pain of trying to get answers, you learn all about those different frameworks. And they all have something in common. But none of them is covering what is essential. And MITRE does exactly that for me. We have teams, and people in our team, that actually do analysis and everything. And then they talk to me, they can relate back to the framework.
And say like, hey I identified here, here, and here problems for this customer. So I can just go back and look straight away in it. And I know exactly, OK, where are we? In which area, pre, post. Is it something about out indications? And so it makes it much easier for us to identify what kind of use cases do we need to apply. We talked about the modernization of SOC and SIEM. So the original MSSP was a large tool to most customers. We want to be like our colleagues here on the panel. Be more proactive.
So how do I build a proper run book, and the proper use cases, and communicate to the customer what is needed. And why their policies and processes are not working. And mapping this out on MITRE makes it so much easier. Because I can, technically speaking, print a huge wallpaper out. And make a green, or red, and a grey stamp. And by highlighting the reds and the grays, I tell you, OK green is good dear customer.
We don’t have to worry about it. You’re in a good place. Red means you have incidents, and you didn’t have the right tools, process in place. Grey, are you using those things? Is there something missing, or is it just something that you don’t need? And that helps us prioritising, talking to our customers, understanding our customers, and mapping them out. In all parts of our business. From pen testing, to SOC and incidents response services. Including suite hunting and so on. And making clear, this is where you’re at, that’s where you’re at, and how we go about this in the future.
Thank you. Alex, over to you.
Yeah I completely agree with Andy I think one of the best things about MITRE is it provides a way of communicating. A way so that everybody can communicate on the same page about the same topics effectively and efficiently. So I we’re not sometimes missing each other. So I completely agree. From sharing threat intelligence, tracking to attack behaviour, and forming a threat hunting. It provides us a really good comprehensive framework.
So for instance, one of the things we love to do, it is our SOC service is a constantly evolving. Our security objectives and detection objectives are constantly changing and evolving. And so over time we track, how often do we see the changes in certain tactics and techniques? And is that because the attackers modus operandi is changing? Or is it something that we’ve done, and either we were not necessarily blind to it before, but not picking up.
Or are we now starting to see stuff? And as Andy pointed out, you definitely want to use it with a customer to sort of sit down and say, look. Based on your probes, based on the information you’re providing to us, here is where we are strong. Here’s where we can see a lot, which can detect a lot. And here is actually where we’re blind. And we need to focus our resources a little bit better to be able to accomplish that.
And one other fun way we do it, is we have a cyber range down in Wales. And so we use the MITRE ATT&C framework to really describe different attack scenarios. And then carry them out and see, the red versus blue team, see how good we are. At both detecting, but also responding, to different attack patterns. So we use it as sort of a training tool as well. But overall, it’s a great way of communicating with various different parties and speaking the same language.
Great, thank you Alex.