Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Planning and Deploying Security Automation Leveraging MITRE ATT&CK and SHIELD with Microsoft Sentinel

Deploying security automation is hard if the criteria for success is beyond the scope of ticketing workflow. But the barrier of automation deployment has never been lower with the advent of so many Security Orchestration, Automation, and Response (SOAR) platforms now available to select from in the market and how attractive purchasing automation in a box (or in the cloud) is.

However, what isn't emphasized with SOAR is the importance of mastery in understanding framework such as Business Process Management (BPM), supply chain process models, and incident response playbooks. Trustwave has taken steps to help clients accelerate the time to value of building an effective plan and successfully moving organizations closer to the goal of automating their security program. A large part of our success is an approach that effectively ties together MITRE'S ATT&CK and SHIELD frameworks with Microsoft Sentinel.

These benefits create a system that relieves operations of the labor-intensive task of pulling together MITRE ATT&CK and SHIELD data, to help them better understand how to defend against specific attacker techniques, per David Broggy, a principal cyber architect at Trustwave.

"We are building SOAR solutions around ATT&CK and SHIELD, essentially automating defensive procedures for Security Operations Centers (SOCs) that otherwise can be a very heavy manual process," Broggy said.

For the uninitiated, MITRE ATT&CK is a framework containing hundreds of adversarial techniques compiled by MITRE, while SHIELD is a framework of about 33 defensive measures that a defender can use to counter the threats contained in ATT&CK. Trustwave's cyber automation approach essentially deciphers what attack tool is being used by the threat actor, finds the best defense available in SHIELD and recommends a course of action for the security team relevant to the business.

To help clients accelerate the time to value of MITRE's defense frameworks, Broggy has created a SOAR application to connect all the correlations within Microsoft Sentinel and map them to a MITRE ATT&CK or SHIELD technique. Once we know the technique, we can map how to defend against it using MITRE SHIELD.

Deploying and sustaining security processes and incident response (IR) automation is time-consuming which is compounded by the fact that many security staff continue to lack the capacity to handle existing responsibilities. David helps lead Trustwave services in accelerating the adoption and realizing the benefits of the MITRE frameworks and SOAR process automation.

The Winning Combination of MITRE ATT&CK & SHIELD and Microsoft Sentinel

Broggy described the Accelerator Program as "Trustwave mapping the MITRE ATT&CK techniques to the MITRE SHIELD defender techniques and their sub-categories of opportunities, use cases and procedures."

The key is using Microsoft Sentinel's Security Information and Event Management (SIEM) and SOAR capabilities to do the heavy lifting of mapping the attack and defensive scenarios maintained by MITRE instead of having security analysts spending time sorting through the MITRE Matrices, he said.

"The whole intent of using MITRE is to be able to understand your enemy, and then to know how to defend against your enemy," said Broggy.

Once Trustwave's solution maps the offensive characteristics of the attack and possible defensive measures, it hands a security team a plan for how to defend their organization. 

"The key reason for using MITRE is so we can understand what the adversaries are doing and how to defend against them. Microsoft Sentinel is simply a tool in the framework. It uses a SIEM to detect what the adversaries are doing. And it's not just SIEM that MITRE is looking at," Broggy said. "MITRE uses your entire cybersecurity environment -- all the security tools to help you detect deception and defend against those adversaries."

Ingredients to a Successful Deployment and Adoption

Just for a bit of background, MITRE ATT&CK, or Adversarial Tactics, Techniques, and Common Knowledge is a knowledge base of cyber adversary behavior and taxonomy for adversarial actions across their lifecycle. ATT&CK has several parts: Pre- ATT&CK, which focuses on reconnaissance and infrastructure setup; ATT&CK for Enterprise, which covers behavior against enterprise IT networks and cloud; and ATT&CK for mobile, which focuses on behavior against mobile devices.

SHIELD is an active defense knowledge base MITRE is developing based on 10 years of adversary engagement experience the organization has gathered and analyzed. This knowledge spans the range from high-level, CISO ready considerations of opportunities and objectives to practitioner-friendly discussions of the Tactics, Techniques, and Procedures (TTPs) available to defenders.

The third piece of the puzzle, Microsoft Sentinel, is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution designed to make it easier for a defender to deal with a higher volume of increasingly sophisticated attacks.

Another element MITRE is bringing in that may play a larger role in Trustwave's solution in the future, is MITRE Engage. MITRE describes Engage as "a framework for discussing and planning adversary engagement, deception, and denial activities." Engage uses adversary behavior that has been observed in the wild and then use that knowledge to develop defensive measures. ENGAGE will eventually replace SHIELD.

Discover how we're helping organizations like yours extract the full value and capabilities of Microsoft Security: Trustwave Services for Microsoft


David Broggy is a Principal cyber architect at Trustwave focusing on Cloud(AWS, Azure, GCP),SIEM, SOAR, CASB, Zero Trust, Purple Teaming, EDR, ATT&CK and Database Auditing. I also specialize in several third-party products: Splunk, QRadar, Microsoft Sentinel, Netskope and PAN XSOAR & XDR. My active certifications include Azure Admin (AZ103), Azure Security Admin (AZ500) and CISSP.

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo