Should I buy an EDR, PAM, or DLP? How do I know?

The information security space is awash in point technology solutions. If you’ve been to the RSA conference (when we ventured out to such places, pre-pandemic), you know how dense and vast the vendor exhibit halls can seem – it’s hard to know what Company A does, and how it’s different from Companies B through ZZZ.

Most importantly, as a defender, how does one choose where to spend a limited security budget when faced with this sea of choices? Marketers have long observed that an abundance of near-identical choices can be debilitating for buyers. Security has the same problem: even experienced practitioners struggle to keep up with the rapid technological evolution and to understand the trade-offs in play.

When clear objectives, goals, and decision-making criteria are not present, people often make buying decisions based on less scientific considerations: what they perceive “everyone else” is buying, unsubstantiated “gut feelings,” pre-existing relationships with vendors or sales individuals, or even who invites them to the best parties or nominates them for the most coveted industry awards.

From “Ghostbusters” to a Mature Science

The practice of information security is maturing rapidly. A more scientific approach to prioritizing security investments is becoming the standard way to justify their value, and security practitioners must embrace these mature approaches to strategic defense planning and resource allocation.

The most significant area of maturation in our field is an increased understanding of our adversaries and the tailoring of our defenses to how attackers actually operate. Defenders often complain that they’re “fighting ghosts” because basic situational awareness is so difficult in the cyber domain. Napoleon could look at the battlefield and determine whether he was under attack, by whom, and whether he was winning or losing. That basic situational awareness eludes us in the cyber domain, which makes tactical defense, let alone strategic planning months and years in advance, extremely difficult. The attackers enjoy persistent structural advantages, and the defenders rely on unscientific, “gut feel” judgements.

Lockheed Martin’s Cyber Kill Chain™, published in 2011, is a usable framework for understanding the basic progression an attacker follows when attacking an IT infrastructure. The Cyber Kill Chain emphasizes detection and disruption early in the attacker’s progression. The philosophical approach is valid, but practitioners often find it difficult to translate the theory into practice because the seven phases are too coarse to map onto specific controls and detections.

In 2015 MITRE publicly released the first ATT&CK model, which added technical specificity to the high-level concepts of the Cyber Kill Chain. It’s worth noting that ATT&CK was created as a consistent nomenclature for describing both attacker and defender activities in a cyber range; this tactical origin and high degree of technical specificity make ATT&CK extremely useful for defenders. To use a sports analogy, ATT&CK is the other team’s playbook.

Using ATT&CK for Strategic Defense Planning (The CDTRV of ATT&CK)

At its core, ATT&CK is an organized catalog of the tactics and techniques adversaries have been observed using against organizations. It is a long and growing list, and it is not limited to technical exploits, but, most importantly, it is finite. Armed with such a framework, you can match your defensive investments against the attacker techniques they are supposed to address.

A modern defense is organized around MITRE ATT&CK techniques. For each technique, the defender provides:

  • C: Controls relevant to the specific technique. Controls inhibit the attacker’s ability to use the technique successfully, increase the attacker’s cost of using it, and/or increase the defender’s ability to detect its use.

  • D: Detections/alerts that trigger when an attacker uses that technique. Detections must be specific to the attacker technique, time-definite, and highly accurate (low false-positive and low false-negative rates). The more specific and tightly tailored to an attacker technique a detection is, the better it will perform.

  • T: Timing requirements for that specific technique (Time to Detect, Time to Respond). Assuming a defense will hold indefinitely is a fundamental defender mistake; as with a fire, attackers must be detected and responded to within a reliable timeframe.

  • R: Response Runbook to trigger when the technique is detected. Detecting the attacker does not eliminate the threat; the defenders must take the correct actions within the determined timeframe. Only then is the threat neutralized.

  • V: Validation requirements and procedures. The modern, highly dynamic IT environment operates within a highly dynamic threat environment. Security will never be set-and-forget; it requires a constant loop of validation and tuning as components of the environment change.

Mapping existing controls to ATT&CK techniques shows, pragmatically, where the controls actually cover attacker techniques and where they do not. The defender then prioritizes that coverage by the specific threat actors of interest, the specific “crown jewel” assets, and so on. The result unveils gaps that require additional coverage – and thus additional investments in personnel, processes, and/or tools.
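To make the CDTRV-per-technique structure and the gap-ranking step above concrete, here is a small worked example. It is added here and is not code from the original article or from MITRE. The technique IDs and names are real ATT&CK identifiers; everything else (the control inventory, the actor-to-technique priorities, the crown-jewel weighting and the tool catalog) is constructed for illustration and does not describe any real organization, actor or product.

```python
"""Map CDTRV (controls, detections, timing, runbook, validation) to ATT&CK
techniques, rank the gaps, and ask which tool class would close the most.

Added example, not code from the original article. Technique IDs/names are
real ATT&CK identifiers; the plan, actor sets, weights and tool catalog below
are CONSTRUCTED for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Real ATT&CK technique IDs and names used as the plan's vocabulary.
TECHNIQUES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1003": "OS Credential Dumping",
    "T1078": "Valid Accounts",
    "T1021": "Remote Services",
    "T1055": "Process Injection",
    "T1041": "Exfiltration Over C2 Channel",
    "T1567": "Exfiltration Over Web Service",
    "T1486": "Data Encrypted for Impact",
}


@dataclass
class CDTRV:
    """One row of the defense plan: what the defender provides per technique."""
    technique: str
    controls: list[str] = field(default_factory=list)    # C
    detections: list[str] = field(default_factory=list)  # D
    ttd_minutes: Optional[int] = None                    # T: time-to-detect target
    ttr_minutes: Optional[int] = None                    # T: time-to-respond target
    runbook: Optional[str] = None                        # R
    validated: bool = False                              # V: exercised since last change

    def missing(self) -> list[str]:
        """Letters of CDTRV that have nothing behind them for this technique."""
        gaps = []
        if not self.controls:
            gaps.append("C")
        if not self.detections:
            gaps.append("D")
        if self.ttd_minutes is None or self.ttr_minutes is None:
            gaps.append("T")
        if not self.runbook:
            gaps.append("R")
        if not self.validated:
            gaps.append("V")
        return gaps


# Constructed inventory of what this hypothetical defender has today.
PLAN = [
    CDTRV("T1566", ["mail gateway", "user training"], ["gateway quarantine alert"], 15, 60, "RB-phish", True),
    CDTRV("T1059", ["script block logging"], ["encoded PowerShell alert"], 10, 30, "RB-host", False),
    CDTRV("T1003"),
    CDTRV("T1078", ["MFA"]),
    CDTRV("T1021", [], ["RDP from workstation alert"], 30, 120),
    CDTRV("T1055"),
    CDTRV("T1041", ["egress proxy"]),
    CDTRV("T1567"),
    CDTRV("T1486", ["offline backups"], [], None, None, "RB-ransom", True),
]

# Constructed prioritization: techniques used by the actors of interest, and
# techniques that touch crown-jewel assets. The weights are a planning choice.
ACTOR_TECHNIQUES = {
    "actor-A": {"T1566", "T1059", "T1003", "T1021", "T1486"},
    "actor-B": {"T1078", "T1021", "T1041", "T1567"},
}
CROWN_JEWEL_TECHNIQUES = {"T1003", "T1078", "T1041", "T1567"}


def priority(tid: str) -> int:
    """One point per actor of interest that uses the technique, +2 if it touches crown jewels."""
    score = sum(1 for techs in ACTOR_TECHNIQUES.values() if tid in techs)
    return score + (2 if tid in CROWN_JEWEL_TECHNIQUES else 0)


def gap_report(plan: list[CDTRV]) -> list[tuple[int, str, list[str]]]:
    """Techniques with any missing CDTRV element, highest priority first."""
    rows = [(priority(r.technique), r.technique, r.missing()) for r in plan if r.missing()]
    return sorted(rows, key=lambda row: (-row[0], row[1]))


# Constructed, illustrative mapping of tool classes to techniques their controls
# and detections typically address; real product coverage must be validated.
TOOL_CATALOG = {
    "EDR": {"T1059", "T1003", "T1055", "T1021"},
    "PAM": {"T1078", "T1003", "T1021"},
    "DLP": {"T1041", "T1567"},
}


def rank_purchases(plan: list[CDTRV], catalog: dict[str, set[str]]) -> list[tuple[str, int]]:
    """Priority-weighted sum of open control/detection gaps each tool class would address."""
    open_gaps = {tid for _, tid, m in gap_report(plan) if "C" in m or "D" in m}
    scores = {tool: sum(priority(t) for t in techs if t in open_gaps) for tool, techs in catalog.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for prio, tid, gaps in gap_report(PLAN):
        print(f"priority {prio}  {tid} {TECHNIQUES[tid]:<36} missing {''.join(gaps)}")
    print("tool ranking by weighted gaps closed:", rank_purchases(PLAN, TOOL_CATALOG))
```

Run as-is, the report puts the four crown-jewel techniques at the top and ranks PAM above DLP and EDR for this hypothetical inventory, even though EDR maps to more techniques: two of EDR’s techniques are already covered or carry zero priority. That is the point of the exercise. The ranking changes when the actor sets, the asset weights or the inventory change, and a gap in V (validation) alone does not count as a reason to buy a tool.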

Should I buy an EDR, PAM, DLP, or XYZ? Mapping your controls to ATT&CK techniques provides a robust and defensible answer, grounded in the threats your IT systems actually face rather than in what the exhibit hall is selling.