In this blog post, Marie Singleton and Pascal Reymond outline the onboarding process and core ideas behind Threat Navigator, Kudelski Security’s technology that enables clients to understand, visualize – and remediate – their security visibility & threat detection gaps. Delivered as standard for all clients of our Managed Detection and Response platform, Threat Navigator aligns closely with the MITRE ATT&CK Framework.
See how Threat Navigator helps you cover your MITRE ATT&CK gaps
There’s an old expression – based very loosely on Socrates – that says: “You don’t know what you don’t know”. In the security world, this adage has been adapted to “you don’t know what you can’t see” and a whole industry has been built around helping organizations gain true visibility into their threat landscape. The focus is on helping them understand what they should be looking at (their security visibility priorities) and whether they have the technology set up to enable that or not (the gaps in their visibility).
Get this right and you get security posture right. Easier said than done: obtaining this visibility in a way that is both simple and consumable is no easy task.
Kudelski Security’s Threat Navigator aims to help clients by answering this difficult challenge.
Engagements with clients usually go through several steps, starting with determining the client’s coverage (or lack of coverage) and ending with determining how to close the priority gaps.
Step one: Determine your overall coverage…or lack of coverage
Our reference to visualize the coverage will be the MITRE ATT&CK Framework. Using this framework, your coverage will be demonstrated by which techniques you have visibility and detection capability against. The techniques you can cover are determined by:
- The technology you are using (EDR, SIEM, …)
- The detection rule capability of the technology
- The data sources that can help trigger those detection rules
- Other qualitative factors, such as detection rule quality (false-positive rate and so on) and the ability to investigate, are also taken into consideration
Any coverage gaps are marked by a cross in the Threat Navigator
Step Two: Determine what your security priorities are
To answer this question, we need to consider the client context and, in particular, what are the potential techniques that Threat Actors might use against you. Some of the information can be calculated such as:
- The client’s industry vertical
- The Threat Actors known to target this vertical
- The Techniques used by those threat actors
- Other factors based on the client’s full context (more on this a bit later)
In this example, the prioritized technique is highlighted in blue (while the non-prioritized technique is grey).
Once you have compiled your coverage and your priorities, you have a full overview of your priority gaps (each card represents a MITRE Tactic and each circle an individual MITRE Technique).
The Threat Navigator shows the client coverage and focuses on priority gaps in an easily consumable, high-level view.
So, the problem is solved?
Well, that would be too easy, right?
This initial outcome already provides you with a good first idea of your priorities, but not the full picture yet. There are still a few answers that are missing, which leads to the next step: deciding what gaps you should prioritize.
Step three: Determine what coverage gaps you should prioritize
There are different approaches to prioritizing your coverage gaps. The approach we have taken with the Threat Navigator is to show a priority based on the number of Threat Actors using a particular technique. Although other approaches might also work, this is an interesting and quantitative method to represent the priority in an easily consumable way.
When you land on the coverage page, the Threat Navigator will show you your top 5 gaps as well as a Threat Coverage score.
What about the remaining security coverage gaps?
As mentioned earlier, Threat Navigator will show you the top 5 gaps on the landing page. However, you will still have the ability to review the full list of remaining gaps in the “Recommended Actions” section.
In this section, the “Open” tab shows you all your potential gaps based on the internal calculation; however, this method might overlook some client specificity. This is why we give the user the ability to make decisions such as:
- Prioritize a technique: A technique gap might be low on the list, but for the user, it might be of particular importance, so we allow a user to prioritize a technique to ensure they always have an eye on it.
- Dismiss a technique: On the other hand, a technique might not be relevant for the client (for any number of different reasons), which is why we’ve built a workflow to allow the user to “dismiss” a technique while providing additional information on this decision. In future reporting, the reason for dismissal will always be noted for reference.
What if the information is not accurate?
The coverage, the gaps, and the priority are all determined by the processed client data and the implemented logic… but what if the information is not complete or accurate?
Although we aim to provide the best coverage and gap information possible, there are still a few ways that the data might not be fully representative of the client’s situation, such as:
- The client may have other security tools, not managed by Kudelski Security, which might cover some gaps
- The client may decide that a particular gap is covered (or not covered) and, therefore, want to show a refined representation of its security posture
- The client may think that some Threat Actors are under or overrepresented
So, how do we solve that?
This is probably one of our favorite features in the Threat Navigator: Client-Modified Coverage.
Clients can easily switch from the Kudelski Security gap calculation to their modified gap calculation, making the Threat Navigator not a vendor-specific tool, but a true client tool.
Let’s review what you can modify:
- Any technique (and sub-technique) can be easily overridden by editing the coverage status. In doing so, the user can add a comment to explain the rationale (which will be stored in reporting). Other users will be able to see who modified the technique when it was modified, and what the reasoning behind the decision was.
- Let’s say that you have a data source that is not activated in the Threat Navigator (maybe it’s managed by another vendor, or Kudelski Security just doesn’t have the information). You can simply edit any data source, and your coverage will adapt accordingly.
Threat actors & vertical(s)
- What if you operate in more than one industry vertical and you believe that some Threat Actors are targeting you in particular? The Threat Navigator allows you to change those parameters and review how it modifies your gaps.
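The coverage, priority and gap logic described in steps one to three, together with the “prioritize” and “dismiss” actions and the client-modified coverage just listed (coverage overrides with who/when/why, activating an extra data source, changing verticals or actors), can be modelled end to end in a few dozen lines. The example below is added here for illustration and is not Threat Navigator code; all rule, data-source, actor, technique and vertical data is constructed, and the Threat Coverage score formula (share of prioritized, non-dismissed techniques that are covered) is an assumption, since the post does not define it.

```python
"""Constructed, simplified model of the coverage / priority-gap logic described in
the post. Hypothetical example, not Threat Navigator code; all data below is made up."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Detection rules: each covers one ATT&CK technique and fires only when at least
# one of its data sources is being ingested. Rule and source names are constructed.
RULES = {
    "edr_suspicious_powershell": {"technique": "T1059.001", "sources": {"process_creation"}},
    "edr_credential_dump":       {"technique": "T1003.001", "sources": {"process_access"}},
    "siem_vpn_brute_force":      {"technique": "T1110",     "sources": {"vpn_auth_logs"}},
    "siem_phishing_attachment":  {"technique": "T1566.001", "sources": {"email_gateway"}},
}

# Threat actor -> techniques and vertical -> actors (constructed, not real CTI).
ACTOR_TECHNIQUES = {
    "ACTOR-A": {"T1566.001", "T1059.001", "T1003.001"},
    "ACTOR-B": {"T1566.001", "T1110", "T1021.001"},
    "ACTOR-C": {"T1110", "T1003.001"},
}
VERTICAL_ACTORS = {"finance": {"ACTOR-A", "ACTOR-B"}, "healthcare": {"ACTOR-B", "ACTOR-C"}}


@dataclass
class ClientContext:
    verticals: set
    active_sources: set                                  # data sources actually ingested
    extra_actors: set = field(default_factory=set)       # actors the client adds by hand
    overrides: dict = field(default_factory=dict)        # technique -> (covered, who, when, why)
    dismissed: dict = field(default_factory=dict)        # technique -> reason for dismissal
    pinned: set = field(default_factory=set)             # techniques the client prioritizes

    def override(self, technique, covered, who, why):
        # Client-modified coverage: record who changed it, when, and the rationale.
        self.overrides[technique] = (covered, who, datetime.now(timezone.utc).isoformat(), why)


def computed_coverage(ctx):
    """Step one: a technique is covered when some rule for it has a live data source."""
    return {r["technique"] for r in RULES.values() if r["sources"] & ctx.active_sources}


def effective_coverage(ctx):
    """Computed coverage with the client's manual overrides applied on top."""
    covered = computed_coverage(ctx)
    for tech, (is_covered, _who, _when, _why) in ctx.overrides.items():
        if is_covered:
            covered.add(tech)
        else:
            covered.discard(tech)
    return covered


def relevant_actors(ctx):
    """Step two: actors known to target the client's vertical(s), plus any added by hand."""
    actors = set().union(*(VERTICAL_ACTORS.get(v, set()) for v in ctx.verticals))
    return actors | ctx.extra_actors


def priority_counts(ctx):
    """Step three: priority weight = number of relevant actors using a technique."""
    counts = {}
    for actor in relevant_actors(ctx):
        for tech in ACTOR_TECHNIQUES.get(actor, set()):
            counts[tech] = counts.get(tech, 0) + 1
    return counts


def ranked_gaps(ctx):
    """Prioritized-but-uncovered techniques: pinned ones first, then by actor count."""
    covered = effective_coverage(ctx)
    counts = priority_counts(ctx)
    candidates = set(counts) | ctx.pinned
    gaps = [t for t in candidates if t not in covered and t not in ctx.dismissed]
    return sorted(gaps, key=lambda t: (t not in ctx.pinned, -counts.get(t, 0), t))


def coverage_score(ctx):
    """Assumed score definition: percentage of prioritized, non-dismissed techniques covered."""
    prioritized = [t for t in priority_counts(ctx) if t not in ctx.dismissed]
    if not prioritized:
        return 100.0
    covered = effective_coverage(ctx)
    return round(100 * sum(t in covered for t in prioritized) / len(prioritized), 1)


if __name__ == "__main__":
    ctx = ClientContext(verticals={"finance"}, active_sources={"process_creation", "email_gateway"})
    print("top gaps:", ranked_gaps(ctx)[:5], "score:", coverage_score(ctx))
    ctx.active_sources.add("vpn_auth_logs")                      # activate a data source
    ctx.override("T1021.001", True, "alice", "covered by third-party NDR")
    ctx.dismissed["T1003.001"] = "not applicable in this environment"
    print("after client changes:", ranked_gaps(ctx), "score:", coverage_score(ctx))
```

Each client change feeds back into the same calculation, so the gap list and score always reflect the modified view rather than a fixed vendor snapshot, and the override tuple keeps the audit trail (who, when, why) the post says is stored for reporting.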
Step Four – What should I do with the information I have? How, practically, do I close the gaps?
Now that you have defined the best representation of your gaps, there are a few things you can do.
The first thing you can do is download your coverage (in CSV or ATT&CK Navigator format) to manipulate the data in your system the way you want.
An advantage of the CSV download is that it will provide you with all the additional details you may need (such as why a technique has been marked as covered/not covered, by whom, and when).
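To make the two export formats concrete, here is an added example (not Threat Navigator’s exporter) that writes a client-modified coverage view both as a CSV carrying the who/when/why details and as an ATT&CK Navigator layer. The record layout, the colours, and the layer version numbers are assumptions; the sample records are constructed.

```python
"""Constructed example of exporting a coverage/gap view as CSV and as an ATT&CK
Navigator layer. Illustrative code, not Threat Navigator's exporter."""
import csv
import io
import json

# Constructed sample records, as a client-modified coverage view might hold them.
SAMPLE_RECORDS = [
    {"technique": "T1566.001", "covered": True, "actor_count": 2,
     "modified_by": "", "modified_at": "", "comment": ""},
    {"technique": "T1110", "covered": False, "actor_count": 2,
     "modified_by": "", "modified_at": "", "comment": ""},
    {"technique": "T1021.001", "covered": True, "actor_count": 1,
     "modified_by": "alice@example.com", "modified_at": "2023-04-11T09:30:00+00:00",
     "comment": "Covered by third-party NDR, not managed by the MDR provider"},
    {"technique": "T1003.001", "covered": False, "actor_count": 2,
     "modified_by": "", "modified_at": "", "comment": ""},
]

CSV_FIELDS = ["technique", "status", "priority_actors", "modified_by", "modified_at", "comment"]


def to_csv(records):
    """CSV export: gaps first (highest actor count on top), with audit details per row."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=CSV_FIELDS)
    writer.writeheader()
    ordered = sorted(records, key=lambda r: (r["covered"], -r["actor_count"], r["technique"]))
    for r in ordered:
        writer.writerow({
            "technique": r["technique"],
            "status": "covered" if r["covered"] else "gap",
            "priority_actors": r["actor_count"],
            "modified_by": r["modified_by"],
            "modified_at": r["modified_at"],
            "comment": r["comment"],
        })
    return buf.getvalue()


def to_navigator_layer(records, name="Coverage gaps (constructed example)"):
    """ATT&CK Navigator layer dict: score = number of priority actors, colour = status.
    The version numbers are assumed; match them to the Navigator build you use."""
    techniques = []
    for r in records:
        techniques.append({
            "techniqueID": r["technique"],
            "score": r["actor_count"],
            "color": "#4caf50" if r["covered"] else "#e53935",
            "comment": r["comment"] or ("covered" if r["covered"] else "priority gap"),
        })
    return {
        "name": name,
        "domain": "enterprise-attack",
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "description": "Prioritized techniques; red = uncovered, green = covered",
        "techniques": techniques,
        "legendItems": [{"label": "Priority gap", "color": "#e53935"},
                        {"label": "Covered", "color": "#4caf50"}],
    }


def export_layer_json(records):
    """Serialise the layer so it can be loaded into the ATT&CK Navigator UI."""
    return json.dumps(to_navigator_layer(records), indent=2)


if __name__ == "__main__":
    print(to_csv(SAMPLE_RECORDS))
    print(export_layer_json(SAMPLE_RECORDS))
```

Keeping the actor count as the layer score means the Navigator heat map reproduces the same ranking as the tool’s gap list, while the CSV keeps the override rationale that the layer format has no dedicated field for beyond the per-technique comment.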
The second thing you can do – and arguably the most important thing – is understand how you can cover those gaps. To answer this question, it’s important to recognize the different scenarios that can arise:
- A data source is missing.
  - This should be your number one focus. Is there any data source you already have that is currently not used to cover those gaps? Threat Navigator helps you determine the potential data sources for each technique.
- There is a technology limitation.
  - Some technologies have limitations in their coverage capabilities: a rule may be active for technology A but not for technology B. Our detection team does its best to bridge such technology gaps, but they can occur.
- No rule exists to efficiently cover a technique.
  - This is the least preferred scenario, but it is possible that no data source and/or rule is currently available to cover a technique. The next phase of our Threat Navigator aims to compile data across all clients to highlight the most common gaps and the most efficient ways to cover them.
Where do we go from here?
At Kudelski Security, we are particularly excited by the value Threat Navigator will bring our clients. An innovative, dynamic approach to visualizing your threat coverage gaps drives us all forward to a more secure future.
Request the Threat Navigator demo and see for yourself!
- What You Can’t See: Visualizing and Addressing MITRE ATT&CK Coverage Gaps with Threat Navigator - April 11, 2023