How Tanium and the MITRE ATT&CK Framework Empower Federal Decision Makers to Manage and Prioritize Risk in Today’s Complex Environments

5.20.2020 | Colby Proffitt

The origin of the MITRE ATT&CK Framework

The ever-increasing volume of cyberattacks can be overwhelming for those responsible for keeping their organizations secure. No organization has both infinite budget and infinite personnel to support cybersecurity demands but instead must make tradeoffs between capability, personnel and budget. In 2013, in an effort to address these challenges and solve problems for a safer world by bringing communities together to develop more effective cybersecurity, MITRE started ATT&CK—a reference detailing tactics and techniques commonly used by attackers during network intrusions. The MITRE ATT&CK Framework created a common way for organizations to view cyberattack risks and more easily prioritize their defenses to have the maximum impact on reducing those risks.

Since inception, the ATT&CK framework has evolved into a massive public knowledge base leveraged by both government and industry to classify attacks in a consistent manner, compare and contrast one attack to another, determine how an organization’s network was compromised, and ultimately better defend against future attacks.

ATT&CK and managing technology risks in federal security

The ATT&CK framework is an incredibly valuable asset for federal security teams, and it can prove even more useful when combined with the Tanium Platform to identify vulnerabilities, measure and prioritize endpoint risk and execute changes to improve risk posture across the network enterprise.

In today’s environment, managing technology risks means having instant insight into the current state of your technology with actionable measurement to know how you’re doing. Reduction should be continuous with the power to eliminate (or mitigate) high priority risks, right now. While many organizations leverage some combination of security controls to accomplish this, their effectiveness can diminish over time because of account misconfigurations or other network changes. As such, the identification, deployment and configuration of the desired controls must be aggressively managed to maintain effectiveness and prevent drift. Tanium’s ability to monitor endpoints in real-time and detect changes to security controls helps organizations ensure that their cyber defenses are operating at maximum effectiveness at all times – and, by leveraging the Tanium Platform, organizations can spot and remediate issues with the desired security controls in a timely and automated manner.

Monitoring and remediating an organization’s security controls is only the start of using the MITRE ATT&CK Framework for stronger cyber defense. The next step is to enable your cyber defenders to quickly and easily spot suspicious behavior and take remediating action to minimize the impacts of any breaches. Using Tanium, cyber defenders can spot potentially suspicious behavior, research it and pivot to take action quickly. Both detection and remediation for many common suspicious behaviors can be automated, enabling cyber defenders to shift focus to more critical priorities.

As organizations use the ATT&CK framework to create stronger cyber defenses, they need a way to validate the security decisions they’ve made and the impact of the mitigating actions taken. Used together, Tanium and the ATT&CK framework can help organizations identify which security controls are in place and correctly configured – a critical step to reduce the risk of a successful cyberattack. It is necessary but not sufficient – organizations must combine effective security controls with real-time threat hunting to achieve the highest levels of risk reduction.

Decision makers require a critical understanding of their organization’s network – what’s on it, what’s already compromised, what’s at risk and how the assets still at risk compare to one another in terms of overall impact to the mission.

With many federal networks having thousands of endpoints, it’s critical that leadership is empowered to prioritize the biggest risks and assign resources and funding for mitigation and remediation efforts as quickly as possible. Apart from the visibility and control needed to score and prioritize risks, organizations can either fall into a state of inaction, or they attempt a significant manual undertaking to address as many of the risks as possible, largely based on guesswork.
By leveraging the Tanium Platform in addition to the MITRE ATT&CK Framework, federal organizations can gain the controls necessary to not only identify, assess and prioritize risks, but take action and measure the effectiveness of their mitigations.

Guidance for CIOs, CISOs and executive leadership

Whether your organization is grappling with the latest zero-day vulnerability, trying to find gaps in your security program, or seeking the signal amid the noise of your countless security tools, using Tanium with the ATT&CK framework can alleviate many of the common problems and headaches CIOs and CISOs often face.

  • Has technology or network complexity inhibited your ability to effectively manage risk?
  • Do you have limited security personnel resources or skill gaps?
  • Does your team struggle to identify a single source of truth from your suite of security tools?
  • Do your existing tools provide conflicting information?
  • Are you less than 100% certain that you have visibility into every single asset on your network?
  • Are you making critical security and business decisions based on outdated, incomplete or inaccurate data?
  • Do you have a plan to handle the expected explosive growth in endpoints in the coming 2-3 years?

If you answered yes to any of these questions, Tanium can help you leverage the MITRE ATT&CK Framework to holistically achieve transformational risk reduction across your organization. Using the Tanium Platform, organizations can bridge the gap between IT Operations and Security and gain consistent, reliable data and instant visibility for real-time, powerful remediation.

How Tanium and the MITRE ATT&CK Framework can help your organization

Tanium gives the world’s largest enterprises and government organizations the unique power to secure, control and manage millions of endpoints across the enterprise. Tanium Modules help solve operations and security use cases, and are key capabilities applicable to implementing information security fundamentals.

  • Tanium’s Asset and Comply modules provide an inventory of hardware, software, configuration and vulnerability information enabling better risk-based decisions.
  • Tanium Discover finds, tracks and assesses vulnerability of unmanaged, rogue and non-traditional devices on the network. Knowing what devices are on the network and bringing them under management to the extent possible is critical to securing the environment.
  • Tanium Patch and Deploy facilitates rapid distribution and application of the latest operating system patches and third-party software updates across multiple platforms and includes reporting that provides visibility into the state of patch deployments. And, it does this in real time, taking only minutes, not days. Rapidly and effectively deploying patches and updates is critical to narrowing the window of exploitation of vulnerable systems.
  • Tanium’s Integrity Monitor can notify organizations when changes are made to critical system files. Just as with all Tanium modules, this can be accomplished in real time.
  • Tanium Protect allows you to build, manage and quickly enact endpoint protection policies that include firewall, USB device control, data-at-rest encryption with key escrow and even AV management.
  • Tanium Threat Response provides four fundamental capabilities:
    • Layered detections to suspicious or malicious activity
    • Rapid containment of compromised endpoints
    • Deep host investigative capabilities
    • Real-time mitigation and remediation

These capabilities facilitate rapid discovery and response to computer intrusions allowing organizations to contain and limit the damage attackers may cause.

When using Tanium with the MITRE ATT&CK Framework, it is important to first implement the fundamentals of a good information security program and have awareness of the specific techniques that are a threat within your network environment. There is no single solution for all the techniques in MITRE ATT&CK, rather each of Tanium’s Modules contributes to a holistic approach helping to protect, detect, investigate and mitigate network intrusions.

With the unparalleled speed, scale and simplicity of Tanium, Security and IT Operations teams now have extensive and accurate information on the state of endpoints at all times to more effectively protect against modern day threats and realize new levels of cost efficiency in IT operations.

Interested in seeing Tanium in action? Schedule a one-to-one demo today or attend one of our upcoming events.