Security Optimization Journey Blueprint
Phase 1: Automated Security Validation
Gain immediate value from the AttackIQ Security Optimization Platform by deploying phase 1 on its own or as a part of the full four phases of your security optimization strategy. In this phase, you deploy technical Solutions into the parts of your organization that are best equipped to run adversary emulations against your security program.
Phase 1 focuses on foundational disciplines in adopting a threat-informed defense, ATT&CK content consumption, and the basics of automated security validation.
Phase 1 focuses on three Solutions: automated testing (using red, blue, and purple teams); security control validations of the security pipeline, commercial vendors, and open-source solutions; and managed security service provider (MSSP) assessments at the proof of concept phase and throughout the contract lifecycle. These practices deliver clear business value and provide a foundation for threat-informed defense that you can mature over time as the company gathers data from the Security Optimization Platform.
Expected outcomes of this phase include an improved, pervasive, continuous scaled testing program and a means to find and close security gaps.
Security teams use AttackIQ to test and audit their security controls to ensure that work as they should. Blue and red teams use AttackIQ’s library of adversary emulations to exercise and validate specific security controls, building on the MITRE ATT&CK and AttackIQ library with new threat intelligence from the outside or that the security team generates itself. The automated platform helps red teams to be more efficient. They can run automated testing operations at scale and benefit from the rich performance data that scaled automation brings. In a resource constrained environment, the AttackIQ Security Optimization Platform allows you to run a red-team exercise in a light, affordable way to both improve effectiveness and reallocate scarce red-team resources to more challenging problems. It also makes the blue team more efficient. Team members can better test security controls using adversary emulation as opposed to a manual process.
Finally, the AttackIQ Security Optimization Platform enables purple teaming. Purple teams focus on the overarching threat landscape, they understand their security technologies, and they understand their organization and its operational attributes and can collaborate across red and blue teams. Purple team doctrine ensures that organizations optimize their cybersecurity readiness continuously. The combination of MITRE ATT&CK, the Security Optimization Platform, and purple teaming as an delivers a threat-informed defense and an overall increase in effectiveness.
How do you begin? As you begin to use the Security Optimization Platform, the first step is to orient yourself. Set your security goals, identify stakeholders, and define rules of engagement across the organization for who will play what role. The second step is to plan your work. Set a specific scope for the work, assign responsibilities to security personnel, and identify scenarios to deploy against your security controls.
Third is to begin to execute the process of testing your security controls. Quantity your security controls, then deploy the platform into your enterprise and collect results by running adversary emulation plans against your assets. Fourth, you analyze the data that the platform returns. You interpret the data within the context of your operations and make decisions about the security controls that are underperforming or gaps that have been revealed.
Now you take the fifth step and remediate your security gaps by fixing misconfigurations or user errors and by identifying gaps for potential investment. The sixth step, before making any further decisions, is to validate your testing results. Run tests again to validate that your remediation worked. Step seven is to reflect and automate your operations. You capture the lessons you learned in the first test process and implement a continuous validation strategy.
Security Control Validation
Security Pipeline Validation. Your security operations team needs confidence that they can see and respond to an event efficiently, effectively, and in a timely manner. Using the AttackIQ Security Optimization Platform, your team can assess all of the security technology sensors within your organization, including event logs, network security controls, and the SIEM to ensure that the technology works as it should. Whether you are just building a security program or choosing a new commercial security vendor for your security needs, the Attack platform is critical to evaluating competing security technologies and determining which ones best meet your requirements.
Commercial Security Evaluations. In the market for a new security control? Use the AttackIQ Security Optimization Platform during the vendor proof of concept testing to get performance data from competing tools, so you can determine which one best meets your security, regulatory, and compliance requirements. It’s also an insightful way to compare the effectiveness of commercial versus open-source security solutions.
Managed Security Service Provider Validations
Use the AttackIQ Security Optimization Platform to assess the capabilities of Managed Security Service Providers in the pre-sales stage, as you are about to enter into a contract with an MSSP. Validate that an MSSP works as intended either in the proof concept phase or to test a contracted MSSP from the outside through a red-team. Better performance insights help you decide where to enhance protections, whether to increase or decrease spending, and whether to continue with the MSSP over time. The MSSP can also collect data from the platform about its own performance to improve effectiveness and close gaps.