Aligned with the MITRE ATT&CK framework, security teams can now use AttackIQ scenarios to test their controls against NIST 800-53 safely, at scale, and in a production environment
SANTA CLARA, Calif., December 15, 2020 – AttackIQ®, the leading independent vendor of Breach and Attack Simulation (BAS) systems, today announced that its Security Optimization Platform can test the NIST 800-53 family of security controls against the MITRE ATT&CK framework, measuring security control effectiveness and providing security teams with real data about NIST 800-53 compliance. AttackIQ is building on the work of MITRE Engenuity’s Center for Threat-Informed Defense, which today released an important body of research mapping the MITRE ATT&CK matrix to the NIST 800-53 family of security controls. As a result, security leaders can now align the known threat behaviors of ATT&CK to measure and test security effectiveness against NIST 800-53. AttackIQ uses this research to provide organizations with increased certainty about their compliance effectiveness with NIST 800-53.
“The Center was created to accelerate innovation in threat-informed defense across the global cybersecurity community,” said Richard Struse, Director of the Center for Threat-Informed Defense. “Our members saw the clear value to the cybersecurity community in aligning ATT&CK to security control frameworks such as NIST 800-53 and we’re pleased to make these mappings freely available.”
The NIST 800-53 family of security controls has become a global standard for security control regulation in a wide range of organizations. It is a catalog of security and privacy controls for federal IT systems originally published in 2005; in 2012, the Obama Administration simplified the NIST 800-53 family as the NIST Cybersecurity Framework. The Center for Threat-Informed Defense recognized that mapping ATT&CK to NIST 800-53 would create a baseline that organizations can use to evaluate their security posture.
AttackIQ leverages research from the Center for Threat-Informed Defense for its customers and for the broader cybersecurity community. “Our close partnership with MITRE and the Center for Threat-Informed Defense has allowed us to stay informed of emerging best practices in cybersecurity,” said Brett Galloway, CEO of AttackIQ. “This research helps organizations close the loop between ATT&CK and NIST 800-53. We are glad to support the Center in its research and to bring its research findings to bear for our customers through the Security Optimization Platform.”
New AttackIQ Security Optimization Platform Capabilities
AttackIQ is a founding Research Partner of the Center for Threat-Informed Defense, and AttackIQ’s Security Optimization Platform deploys ATT&CK-aligned scenarios against an organization’s NIST 800-53 security controls to validate control effectiveness. Red, blue and white teams each play a part in compliance mapping and enforcement, and the Security Optimization Platform helps each team perform its roles and responsibilities. With real data about security control performance, cybersecurity teams can show their leadership and boards how effective they are in meeting the NIST requirements, moving beyond simple compliance to a measurable improvement in their overall security posture.
New AttackIQ Academy Course & CISO Guide to NIST Security Control Compliance
In conjunction with the release of the Center’s research, AttackIQ is introducing a new AttackIQ Academy course on aligning MITRE ATT&CK to NIST 800-53. The new course is called “Uniting Threat and Risk Management with NIST 800-53 & MITRE ATT&CK” and educates the broader community about how to increase cybersecurity effectiveness and improve NIST compliance, shifting security teams from a fortress mentality to a strategic focus on countering known threats under ATT&CK. By focusing on known threats and deploying scenarios against NIST controls, security teams can improve their cybersecurity posture and compliance effectiveness. In addition to the course, AttackIQ has created a CISO’s Guide to NIST Security Control Compliance to help security teams improve their cyberdefense posture.