Prescriptive Adoption Motion - Cyber frameworks
A cybersecurity framework provides a common language and set of standards for security leaders across countries and industries to better understand their security postures and those of their vendors. With a framework in place, it becomes much easier for security teams to define the processes and procedures that the organization must follow to assess, monitor, and mitigate cybersecurity risk in the business.
Splunk Enterprise Security uses four of the most commonly used cybersecurity frameworks out-of-the-box, and provides the flexibility to add many more through customization. Cyber framework data is utilized through annotations, which you can use to enrich your correlation search results with security framework mappings from the framework of your choice. You can then have that information displayed in additional fields to provide further context in incidents.
The benefits of using a security framework include:
- Time savings. With a framework, you can easily map where you are on your cybersecurity journey and identify gaps so you can have clear, actionable conversations with stakeholders at your organization. If you know where you are versus where you need to be, then it makes your job easier.
- Universally applicable content. Irrespective of the industry and country you are in, frameworks share specific actions to take for specific items, such as data, regardless of type.
- Community driven and consensus-based guidance and experiences. Frameworks are developed through partnerships among multiple persons of varying backgrounds and experiences, from different roles, industries and regions of the world.
- Consistency in interpreting security needs. Without a framework, there is a risk that your stakeholders across the company - each responsible for some aspect of cybersecurity - interpret requirements differently, causing errors and unforeseen gaps in execution.
- A common security language. Frameworks are useful tools to explain in a common language what you are doing in security to non-security people in your organization.
Aim and strategy
Splunk customers who implement cybersecurity frameworks into their search and investigation process gain better insights into the threats that appear. They can make more actionable and timely decisions on how to respond to them. Additionally, cybersecurity frameworks provide tried-and-true best practices that can help you maintain compliance in today's heavily regulated environments.
MITRE’s ATT&CK framework, now deeply integrated in Splunk Enterprise Security, has been gaining steady adoption from the security community because it organizes the steps attackers take to infiltrate your network, compromise hosts, escalate privileges, move laterally without detection, and exfiltrate data. Detection, investigation, and response platforms like Splunk Enterprise Security that map detection signals to the MITRE ATT&CK framework can help analysts better and more quickly identify adversary behavior and mitigation steps. This can significantly improve threat mean time to detection (MTTD) and mean time to response (MTTR). Understanding how your environment aligns with the MITRE ATT&CK framework allows you to know where you stand and where you need to increase coverage through the right data sources and visibility.
Common use cases
- Increasing alert fidelity, understanding the scope of the threat
- Increasing coverage of MITRE ATT&CK and other frameworks to understand detection gaps
- Threat hunting
- Maturing your proactive approach to security operations
- Cyber threat intelligence enhancement
- Guided incident response
User roles
Role | Responsibilities |
---|---|
Lead Security Analyst | Defining security use cases and analyst workflow, content strategy |
Splunk Admin / Splunk Enterprise Security Admin | Configuration changes, app installs, index creation, permissions changes |
Information Security Management | Change approvals and project sponsorship |
Preparation
1. Prerequisites
1.1 Understand and identify which frameworks are right for your deployment.
MITRE is a non-profit, federally funded cybersecurity-focused research and development center. MITRE started by documenting common cyberattack tactics, techniques, and procedures (TTPs) used against Windows enterprise networks. MITRE ATT&CK then became the baseline acting as a common language for offensive and defensive researchers. MITRE Enterprise has 14 tactics commonly used when malicious actors set up advanced persistent threats (APTs) within a corporate ecosystem, and several hundred techniques and sub-techniques to help you gain a deep understanding of the methods of attack. MITRE ATT&CK has quickly become the go-to framework for detection and response.
The Cyber Kill Chain is an adaptation of the US military’s kill chain. Originally developed by Lockheed Martin in 2011, the Cyber Kill Chain outlines the various stages of several common cyberattacks and, by extension, the points at which the information security team can prevent, detect or intercept attackers. The Cyber Kill Chain is intended to defend against sophisticated cyberattacks, also known as advanced persistent threats (APTs), in which adversaries spend significant time surveilling and planning an attack. Most commonly these attacks involve a combination of malware, ransomware, trojans, spoofing, and social engineering techniques to carry out their plan.
There are 7 phases to the Cyber Kill Chain:
Phase 1: Reconnaissance
Phase 2: Weaponization
Phase 3: Delivery
Phase 4: Exploitation
Phase 5: Installation
Phase 6: Command and Control
Phase 7: Actions on Objective
Center for Internet Security (CIS 20)
The CIS Controls framework lists twenty mission-critical controls across three categories:
- Basic
- Foundational
- Organizational
It then goes further to define three implementation groups:
- Implementation Group 1 is for organizations with limited resources and cybersecurity expertise.
- Implementation Group 2 is for organizations with moderate resources and cybersecurity expertise.
- Implementation Group 3 is for mature organizations with significant resources and cybersecurity expertise.
Under each of the 20 controls, the CIS Controls framework provides a list of sub-controls, color-coded to indicate which implementation group should be using them.
NIST is a US non-regulatory government agency that sets standards across the physical sciences. Originally intended for critical infrastructure owners and operators, NIST Cybersecurity Framework (CSF 800-53) can be used by any organization. Many companies outside of the critical infrastructure industry also use the CSF, especially if they need to meet other US federal data protection requirements.
1.2 Identify and analyze correlation rules
Splunk provides many newer Splunk Enterprise Security correlation rules with framework annotations already in place, but your environment may also contain legacy or custom rules that lack them. Adding framework annotations to those rules enriches the results of their correlation searches with additional context.
1.3 Document goals and outcomes
Establish goals and focus on those as you integrate your framework, and devise metrics or other means to measure success. For each goal you set, plan the actions or detailed steps needed to perform the work and measure progress, and assign an owner to each action for tracking. After you establish and kick off a project plan, make sure you track progress, provide regular status updates to stakeholders, and work through any roadblocks you may encounter.
2. Recommended training
3. Resources
- Professional Services
- On-Demand Services (ODS)
- Assigned Expert (AE)
- Self-Service
- Getting started with MITRE ATT&CK in Enterprise Security and Security Essentials - Why and how to get started with MITRE ATT&CK in Splunk ES
- MITRE ATT&CK - the complete guide
4. Considerations
Not every business has identical cybersecurity needs. There are many frameworks, and none is billed as a mandatory set of guidelines. Frameworks are developed for specific purposes and often overlap numerous industries and compliance areas, so their application in your business may look different from that of your peers. The framework you choose to implement helps you identify where your business needs to improve and the steps that must be taken to make those improvements a reality.
Implementation guide
Implementation of annotations is a straightforward process within Splunk Enterprise Security. It is the process of collecting the right information beforehand that will help you add proper cybersecurity framework annotations to your correlation rules.
1.0 Splunk Enterprise Security
2.0 Splunk Security Essentials
3.0 Using frameworks with Splunk SOAR
Frameworks such as MITRE ATT&CK are geared towards detection and response and generally apply within Splunk SOAR to playbook actions. Those actions focus on responding to correlation detections that are mapped to MITRE tactics and techniques. An example of this is the Risk Notable Playbook pack, which can help map actions and tagging to indicators that are part of an investigation.
Additional frameworks, such as NIST, are used within workbooks to help lay out the phases and tasks to be followed as part of guiding SOC processes.
Success measurement
When implementing this guidance, you should see improvements in the following:
- Percent of enabled searches using MITRE ATT&CK annotations
- Percent of enabled searches using other framework annotations
- Reduction in notables by using the attribution-based approach
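
One way to compute the first two percentages above, and to list the unannotated rules that step 1.2 asks you to identify, is to audit an exported `savedsearches.conf`. This is an added example, not Splunk's own code. It assumes annotations are stored as JSON under the `action.correlationsearch.annotations` key with the framework names `mitre_attack`, `kill_chain_phases`, `cis20` and `nist`; the sample stanzas and rule names are constructed.

```python
import configparser
import json

# Constructed sample in savedsearches.conf style; rule names are invented.
SAMPLE_CONF = """
[Access - Constructed Brute Force Rule - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1110"], "kill_chain_phases": ["Exploitation"]}
disabled = 0

[Endpoint - Constructed Legacy Rule - Rule]
action.correlationsearch.enabled = 1

[Network - Constructed Custom Rule - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"cis20": ["CIS 13"], "nist": ["DE.CM"]}

[Threat - Constructed Disabled Rule - Rule]
action.correlationsearch.enabled = 1
action.correlationsearch.annotations = {"mitre_attack": ["T1059"]}
disabled = 1
"""

ANNOTATION_KEY = "action.correlationsearch.annotations"  # assumed key name
FRAMEWORKS = ("mitre_attack", "kill_chain_phases", "cis20", "nist")  # assumed names

def annotation_coverage(conf_text):
    """Return coverage percentages and the enabled rules lacking annotations."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False)
    cp.read_string(conf_text)
    enabled, mitre, other, missing = 0, 0, 0, []
    for name in cp.sections():
        s = cp[name]
        if s.get("action.correlationsearch.enabled") != "1":
            continue  # not a correlation search
        if s.get("disabled", "0").lower() in ("1", "true"):
            continue  # the metrics count enabled searches only
        enabled += 1
        try:
            ann = json.loads(s.get(ANNOTATION_KEY, "{}"))
        except ValueError:
            ann = {}  # malformed annotation JSON counts as unannotated
        found = {k for k in FRAMEWORKS if isinstance(ann, dict) and ann.get(k)}
        mitre += "mitre_attack" in found
        other += bool(found - {"mitre_attack"})
        if not found:
            missing.append(name)
    pct = lambda n: round(100.0 * n / enabled, 1) if enabled else 0.0
    return {"enabled": enabled, "mitre_pct": pct(mitre), "other_pct": pct(other), "missing": missing}
```

Add the names of any custom frameworks to `FRAMEWORKS` so they count toward the second percentage.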