You're reading from Aligning Security Operations with the MITRE ATT&CK Framework Level up your security operations center for better security

Product type Paperback

Published in May 2023

Publisher Packt

ISBN-13 9781804614266

Length 192 pages

Edition 1st Edition

Concepts

Cybersecurity

Author (1):

Rebecca Blair

View More author details

Table of Contents (18) Chapters

Preface

1. Part 1 – The Basics: SOC and ATT&CK, Two Worlds in a Delicate Balance

2. Chapter 1: SOC Basics – Structure, Personnel, Coverage, and Tools FREE CHAPTER

3. Chapter 2: Analyzing Your Environment for Potential Pitfalls

4. Chapter 3: Reviewing Different Threat Models

5. Chapter 4: What Is the ATT&CK Framework?

6. Part 2 – Detection Improvements and Alignment with ATT&CK

7. Chapter 5: A Deep Dive into the ATT&CK Framework

8. Chapter 6: Strategies to Map to ATT&CK

9. Chapter 7: Common Mistakes with Implementation

10. Chapter 8: Return on Investment Detections

11. Part 3 – Continuous Improvement and Innovation

12. Chapter 9: What Happens After an Alert is Triggered?

13. Chapter 10: Validating Any Mappings and Detections

14. Chapter 11: Implementing ATT&CK in All Parts of Your SOC

15. Chapter 12: What’s Next? Areas for Innovation in Your SOC

16. Index

Why subscribe?

17. Other Books You May Enjoy

Discussing common coverage gaps and security shortfalls

Security shortfalls and coverage gaps are similar to risk, in that they will always happen. The key is to find a way to work around the gaps and mitigate the situation as much as possible to help your organization mature. Additionally, we’ll hear from an industry security practitioner on their experience and where their most common gaps are.

The most common gap I have seen is a lack of coverage due to a lack of logs being ingested. Security teams are in an odd position where they typically want to ingest as many logs as possible to have as much visibility as possible, even though you might not need all the logs all the time. In fact, most times, it’ll be cost-prohibitive to ingest all your logs into a SIEM tool such as Splunk or QRadar, so you’ll either have to prioritize what logs are ingested or have to use multiple different screens and tools, which makes it harder to correlate data. One way around this...