
November 2, 2023 By Christopher Beier

Enhance your cloud security with MITRE ATT&CK and Sumo Logic Cloud SIEM


As cloud applications and services gain prominence among organizations, adversaries are evolving their toolsets to target these cloud environments. The surge in remote work and teleconferencing presents unprecedented opportunities for malicious activity. Enter the MITRE ATT&CK Framework, also known as the MITRE ATT&CK Matrix: a treasure trove for defending cloud and on-premises infrastructure against the newest adversary tactics, techniques, and procedures (TTPs). Security teams that leverage this framework are better equipped to counter the tactics it catalogues and to adapt to the ever-changing cyber threat landscape.

Demystifying MITRE ATT&CK

MITRE ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. It is a curated knowledge base that categorizes and describes the actions an adversary might take after gaining access to a computer network. This knowledge is the culmination of extensive real-world observations and is shared in a format that security teams and individual security professionals alike can easily understand and apply.

The MITRE ATT&CK framework isn't just a collection of abstract concepts; it represents actionable threat intelligence. Here are a few reasons why it's so respected:

  • Detail-oriented: The framework doesn't just list out TTPs. It provides detailed explanations, real-world examples, and potential mitigation strategies and detection methods for each technique.
  • Evolving nature: The cyber landscape is ever-changing. MITRE ATT&CK is not static; it's continuously updated to reflect new findings, ensuring that security professionals always have the most current information at their fingertips.
  • Universal applicability: The framework caters to small-scale businesses, large enterprises, and government entities. Its organized structure and comprehensive coverage make it an excellent resource for enhancing any organization's security posture.

Content evolution of Sumo Logic’s Cloud SIEM

MITRE's vast repository is foundational for developing Sumo Logic’s Cloud SIEM content. Our approach is twofold:

  • Gap analysis: We assess techniques, identifying those that require enriched coverage based on the available log data.
  • Frequency of technique usage: Gleaning feedback from diverse sources, like Sumo Logic Special Operations, our customer base, field teams, and the insights from our Cloud SIEM solution, we identify which techniques adversaries commonly deploy.

To maintain a clear overview of our coverage and real-world technique utilization, all our rules are meticulously aligned with MITRE. Additionally, customers can seamlessly tag their custom rules with specific MITRE ATT&CK techniques, enabling a more structured and comprehensive approach to threat detection and response.

Visualizing threats with MITRE ATT&CK Coverage Explorer

The MITRE ATT&CK™ Coverage Explorer by Sumo Logic is a strategic cybersecurity tool providing a comprehensive view of adversary tactics, techniques, and procedures (TTPs) covered by rules in the Cloud SIEM system. By mapping your detection capabilities to this matrix, you can identify areas of strength, uncover gaps in your defenses, and prioritize enhancements based on the evolving threat landscape. Often presented as a heat map, Coverage Explorer offers a color-coded representation of coverage levels, providing security teams with an at-a-glance understanding of their readiness against potential adversary behaviors. This visual tool powers informed decision-making, facilitating a proactive approach to cyber defense.


This dynamic page allows users to assess threat detection capabilities in three ways:

  • Recent activity - Shows coverage for your organization based on signals received over the last 180 days.
  • All community activity - Determine what coverage you're missing compared to other customers using Cloud SIEM.
  • Theoretical coverage - Shows coverage for your organization if all ingested data worked perfectly and every enabled rule generated at least one Signal. This view can help you determine which custom rules would be most valuable to implement.

Visualizations, filtering options, and export features empower security practitioners to optimize rule effectiveness, evaluate data sources, and strategically align defenses with the industry-standard MITRE ATT&CK framework.
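To make the rule-tagging gap analysis described earlier and the three Coverage Explorer views concrete, here is an added example (not Sumo Logic's own code) that computes "recent activity" and "theoretical" coverage per tactic from a constructed rule catalogue and signal history. The rule names, the 180-day window constant, and the one-tactic-per-technique map are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rule catalogue (hypothetical names, not Sumo Logic's real rules).
# Each rule carries the ATT&CK technique IDs it is tagged with, mirroring how
# built-in and custom Cloud SIEM rules are aligned with MITRE.
RULES = {
    "rule-brute-force":    {"enabled": True,  "techniques": ["T1110"]},
    "rule-valid-accounts": {"enabled": True,  "techniques": ["T1078"]},
    "custom-phishing":     {"enabled": False, "techniques": ["T1566"]},
    "custom-script-exec":  {"enabled": True,  "techniques": ["T1059"]},
}
# Technique -> tactic, a small subset of the ATT&CK Enterprise matrix. Simplified:
# a real technique such as T1078 appears under several tactics in the matrix.
TACTIC_OF = {
    "T1110": "Credential Access", "T1078": "Initial Access",
    "T1566": "Initial Access",    "T1059": "Execution",
}
# Constructed signal history: (rule that fired, UTC time it fired).
NOW = datetime(2023, 11, 2, tzinfo=timezone.utc)
SIGNALS = [
    ("rule-brute-force",    NOW - timedelta(days=10)),
    ("rule-brute-force",    NOW - timedelta(days=3)),
    ("rule-valid-accounts", NOW - timedelta(days=200)),  # outside the 180-day window
]

def theoretical_coverage(rules):
    """Techniques covered if every enabled rule produced at least one Signal."""
    return {t for r in rules.values() if r["enabled"] for t in r["techniques"]}

def recent_coverage(rules, signals, now, window_days=180):
    """Techniques for which some rule actually fired inside the lookback window."""
    cutoff = now - timedelta(days=window_days)
    fired = {rid for rid, ts in signals if ts >= cutoff and rid in rules}
    return {t for rid in fired for t in rules[rid]["techniques"]}

def coverage_report(rules, signals, now, tactic_of):
    """Heat-map buckets per tactic: 'recent' (a rule fired in the window),
    'theoretical_only' (enabled rule exists but never fired), 'gap' (no enabled rule)."""
    theoretical = theoretical_coverage(rules)
    recent = recent_coverage(rules, signals, now)
    report = defaultdict(lambda: {"recent": [], "theoretical_only": [], "gap": []})
    for tech, tactic in sorted(tactic_of.items()):
        bucket = "recent" if tech in recent else "theoretical_only" if tech in theoretical else "gap"
        report[tactic][bucket].append(tech)
    return dict(report)

if __name__ == "__main__":
    for tactic, buckets in coverage_report(RULES, SIGNALS, NOW, TACTIC_OF).items():
        print(tactic, buckets)
```

Techniques landing in `gap` are the candidates for new custom rules, while `theoretical_only` entries point at rules whose data sources may not be delivering the expected events.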

Explore Sumo Logic’s Cloud SIEM solution

Sumo Logic empowers SOC teams to better defend against cyber threats and modernize security operations with Cloud SIEM, a cloud-native SIEM solution that provides holistic visibility into your organization’s security posture. Automatically surface the actionable insights your analysts need to secure your organization’s cloud journey, manage the changing attack surfaces and bring innovation to your SOC.

We invite you to explore this overview for a deeper dive into our Cloud SIEM offering. Witness our solution in action — watch this video.


Christopher Beier

Principal Product Marketing Manager

Christopher has spent the past 25 years dedicated to work in cybersecurity. He's a US Navy veteran who did IT work in submarines.

From his home in Forest Grove, OR, he enjoys flying stunt kites, college football (Go Ducks!), and watching his kids' swim meets.
