SaaS attack technique matrix

Inspired by MITRE ATT&CK, the good folks at Push Security have taken a pass at enumerating attack techniques specific to Software-as-a-Service (SaaS) applications.

ATT&CK is a great and robust framework, and I love to see it adapted to capture techniques and tactics for different types of systems.

[Image: Push Security SaaS Attacks example]

Your SIEM is only as valuable as you have time to ask it questions.

Do you have time to identify and ask the right questions? And most importantly, do you have time to sift through the results to find answers?

August 22, 2024

Left and Right of Boom (by Tim MalcomVetter)

Prevention is just detection with an action at the end.

-Casey Smith (subTee)

In security operations, or any harm prevention discipline, speed is really important. The faster you can find the bad thing, the better your chances of rolling over a proverbial speed bump vs. hitting a brick wall.

But speed can work against you: Move too fast, and you run a very real risk of responding decisively to the wrong things. False positives are never ideal, but can be made far worse when you take disruptive action on them.

A couple of the concepts I’d take away from this article:

  • Time to Detect, noting the important relationship between prevention and detection: Prevention only exists where there is highly accurate and fast detection.
  • Time to Verdict, which is a great way to think about triage: The goal isn’t to triage faster, it’s to triage as fast as you can make good decisions.

Identity is foundational to threat detection on modern platforms


On traditional platforms—such as Windows, macOS, or Linux—knowing who is performing a given activity is useful. However, we can identify an overwhelming percentage of suspicious or malicious activity in the absence of this context.

For example, some software, behaviors, command lines, and changes should be investigated irrespective of identity. We can find a lot of bad things with no identity context at all.

On modern platforms—such as SaaS, IaaS, and PaaS—identity plays a critical role in threat detection and response, thus we describe it as identity threat detection and response, or ITDR. Nothing happens outside of the context of an identity. We can find some bad things without identity context, but virtually all behaviors or changes must be contextualized, baselined, and ultimately investigated in the context of an identity.

To make a weak analogy: On traditional platforms, the process is the data source upon which most detections can be built. On modern platforms, the construct of a process does not exist. On modern platforms, a given identity’s session is the process.
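To make the contrast concrete, here is an added example (not from the original post) that treats an identity's session context as the unit of detection: it baselines each identity over constructed SaaS audit events and only pages on a trust-changing action made outside that baseline. The event fields, action names and actors are assumptions.

```python
from collections import defaultdict

# Constructed history of benign events, used to baseline each identity.
HISTORY = [
    {"actor": "alice", "action": "file.view", "country": "US", "ua": "Chrome/126"},
    {"actor": "alice", "action": "file.share", "country": "US", "ua": "Chrome/126"},
    {"actor": "bob", "action": "file.view", "country": "DE", "ua": "Firefox/128"},
]
# Constructed new events to triage against that baseline.
NEW = [
    {"actor": "alice", "action": "oauth.grant", "country": "US", "ua": "Chrome/126"},
    {"actor": "bob", "action": "mfa.disable", "country": "BR", "ua": "Chrome/126"},
    {"actor": "bob", "action": "file.view", "country": "BR", "ua": "Chrome/126"},
    {"actor": "mallory", "action": "oauth.grant", "country": "US", "ua": "curl/8.0"},
]
# Trust-changing actions (assumed names); worth a look in any identity context.
SENSITIVE = {"oauth.grant", "mfa.disable", "admin.role_assign"}


def build_baseline(events):
    """Per-identity baseline: the (country, user agent) pairs each actor has used."""
    baseline = defaultdict(set)
    for e in events:
        baseline[e["actor"]].add((e["country"], e["ua"]))
    return dict(baseline)


def score(event, baseline):
    """Reasons an event stands out; the sensitive-action test is identity-free,
    the baseline tests are what make the verdict identity-aware."""
    reasons = []
    seen = baseline.get(event["actor"])
    if seen is None:
        reasons.append("unknown identity")
    elif (event["country"], event["ua"]) not in seen:
        reasons.append("new session context for identity")
    if event["action"] in SENSITIVE:
        reasons.append("sensitive change")
    return reasons


def triage(events, baseline):
    """Page only on sensitive changes made outside the identity's baseline;
    a routine grant from a known session is queued, not paged."""
    alerts = {}
    for i, e in enumerate(events):
        reasons = score(e, baseline)
        if "sensitive change" in reasons and len(reasons) > 1:
            alerts[i] = reasons
    return alerts
```

Run as-is, the first event (a known identity granting OAuth from its usual session) scores as sensitive but is not paged, while the MFA disable from an unseen session and the grant by an unknown identity both are.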

And if you believe that identity is indeed foundational to threat detection on all modern platforms, there are a handful of things that are probably also true:

  • Trust is pinned increasingly to identity first, then to devices.
  • The browser will become the most important device of all.
  • Compromise of an Identity Provider (IdP) and/or browser is an end run around most/all controls.
  • Detecting IdP and/or browser compromise is a job that 99% of orgs can’t do, yet.