{"id":105165,"date":"2022-01-27T10:00:00","date_gmt":"2022-01-27T18:00:00","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?p=105165"},"modified":"2023-05-15T23:05:01","modified_gmt":"2023-05-16T06:05:01","slug":"measure-the-effectiveness-of-your-microsoft-security-with-attackiq","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2022\/01\/27\/measure-the-effectiveness-of-your-microsoft-security-with-attackiq\/","title":{"rendered":"Measure the effectiveness of your Microsoft security with AttackIQ"},"content":{"rendered":"\n

This blog post is part of the Microsoft Intelligent Security Association guest blog series. Learn more about MISA.

To improve an organization’s cybersecurity readiness, you need to test that your detection and prevention technologies work as intended and that your security program is performing as well as it can. Research from a Ponemon Institute survey found that among over 500 information technology and security leaders across sectors, 53 percent said they were uncertain about the effectiveness and performance of their cybersecurity capabilities.[1] The reason? Even the most advanced security controls fail due to human error and configuration drift, and when they do, they fail silently. They need to be tested continuously to ensure performance. By analogy, even the best sports teams in the world need to exercise and prepare their defenses for attacks. If they don’t train, they atrophy. To ensure readiness, everyone needs to prepare for known threats.

Measuring security effectiveness using MITRE ATT&CK®

The good news is that the MITRE ATT&CK framework provides cyber defenders with the known tactics, techniques, and behaviors that adversaries use to conduct an attack. Today, Microsoft and AttackIQ are working together, including through the Microsoft Evaluation Lab, to automate testing using MITRE ATT&CK and a threat-informed defense. AttackIQ is a part of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors and managed security service providers that have integrated their solutions to better defend against a world of increasing threats. MISA helps break down silos between security organizations to build better combined solutions and improve the world’s cybersecurity posture.

AttackIQ enables Microsoft customers to test their use of Microsoft Defender for Endpoint, Azure native cloud security controls, and Microsoft Sentinel, running adversary emulations against the security program to generate detailed data that the team can use. With granular performance data, the customer can make informed decisions about people, processes, and technology, and elevate the security program’s overall performance.

Let’s look at some of the ways the two companies work together.

Emulating the adversary to test Microsoft Defender for Endpoint

To validate cybersecurity readiness, AttackIQ integrates with Microsoft Defender for Endpoint to emulate cyberattacks with realism and specificity. It does so at scale and continuously, testing Microsoft Defender for Endpoint’s machine learning and AI-enabled technologies to generate granular data about security program performance.

Testing Microsoft Azure and Microsoft Sentinel

In addition to testing Microsoft Defender for Endpoint, the AttackIQ Security Optimization Platform runs assessments and scenarios against the native cloud controls in Microsoft Azure, leveraging research from MITRE Engenuity’s Center for Threat-Informed Defense that maps the native security controls in Azure to MITRE ATT&CK. AttackIQ has built assessments to measure the effectiveness of native cloud controls. In addition to Azure’s native controls, AttackIQ is integrated with Microsoft Sentinel, enabling Microsoft Sentinel users to test their detection pipeline and fine-tune security processes across their organization.

Generating actionable performance data

Security teams can schedule assessments to run against Microsoft Defender for Endpoint and Microsoft Azure as frequently as needed. Based on continuous testing, the AttackIQ Security Optimization Platform generates point-in-time and longitudinal data about security control performance, giving teams a sense of the program’s overall readiness.

Aligning MITRE ATT&CK with Microsoft

AttackIQ brings a deep alignment with MITRE ATT&CK to its automated security control validation for Microsoft’s security capabilities, leveraging a deep scenario library of tactics, techniques, and sub-techniques to validate security program performance.

AttackIQ scenarios

Below is an image of an AttackIQ interface scenario that provides a basic function check of Microsoft Defender for Endpoint. Within the AttackIQ Security Optimization Platform, users can select this scenario from the range of scenarios in the platform to validate the effectiveness of Microsoft Defender for Endpoint. From there, the user can assign the scenario to run against Microsoft Defender for Endpoint to validate its effectiveness across their infrastructure.

\"AttackIQ<\/figure>\n\n\n\n

After running the scenario, the AttackIQ Security Optimization Platform shows results of how well Microsoft Defender for Endpoint performed in its prevention and detection functions, tipping the customer’s security team to any configuration challenges or other issues that may need attention.

The AttackIQ Security Optimization Platform also includes scenarios for testing Azure blob storage accounts, as the below image shows.

\"The<\/figure>\n\n\n\n
<\/div>\n\n\n\n
\"AttackIQ<\/figure>\n\n\n\n

Beyond atomic tests of how well Microsoft Defender for Endpoint works in detecting and preventing an attacker’s tactics, techniques, and procedures (TTPs), AttackIQ’s Anatomic Engine chains together TTPs, aligned to the MITRE ATT&CK framework, in a realistic and comprehensive adversary attack flow to run a range of adversary TTPs against an organization. AttackIQ’s Anatomic Engine is designed to test advanced AI and machine learning-enabled defense capabilities like those within Microsoft Defender for Endpoint, Microsoft Azure, and Microsoft Sentinel, emulating the adversary with specificity and realism every step of the way.

\"How<\/figure>\n\n\n\n

Once tests have been conducted, AttackIQ generates reports from a single point in time, or longitudinally over a period of time, to show how a security control or set of security controls has performed against the MITRE ATT&CK-aligned scenarios and attack flows that AttackIQ has built and run. The illustrative diagrams below show how AttackIQ generates performance data for detection and prevention failures and successes for a security control.

\"How<\/figure>\n\n\n\n
\"Bar<\/figure>\n\n\n\n

The benefits of automated testing extend beyond single point-in-time analysis. The detection and prevention results can be aggregated longitudinally to show program performance over time. With real performance data, teams can identify control failures and gaps in the organization’s defensive posture, make adjustments or investments to improve performance, and investigate unseen, underlying issues that may be impacting operations.

Human performance evaluation

Why is this important? It is not just about testing technology. All our technologies are run by human teams. Human factors, therefore, play a key role in security program performance, and the process of discovering the issues that are impacting a security team requires deeper investigation than simple acts of configuration management. But if you don’t test your controls, you will never know if you’re having a problem.

Consider the example of a large AttackIQ healthcare customer. Automated testing revealed a security control failure in the customer’s defense capabilities, and on further investigation, they learned that it was due to a lapse in a managed security service provider (MSSP) contract. The security leader investigated the issue and discovered that his large security team faced a problem with attrition due to discrepancies in pay scales. His next call was to the head of human resources to talk about raising salaries. The technology, in this case, was not the problem: the issue was one of pay, not technology management. The process of continuous security validation revealed underlying issues in human resources that had a negative impact on the team’s ability to use an advanced technology effectively.

A comprehensive partnership

Security controls falter for a range of reasons, and continuous testing helps reveal areas of weakness and strength in a customer’s security program. Microsoft and AttackIQ are helping make cyberspace safe and secure by validating Microsoft’s security technologies through automated testing, underpinned by the MITRE ATT&CK framework. By emulating the adversary with realism and specificity every step of the way, AttackIQ helps Microsoft customers achieve their highest return on investment from the company’s security products.

About AttackIQ

AttackIQ, a leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to identify security improvements and verify that cyber defenses work as expected, aligned with the MITRE ATT&CK framework. The company is committed to giving back to the cybersecurity community through its free AttackIQ Academy, open Preactive Security Exchange, and partnership with MITRE Engenuity’s Center for Threat-Informed Defense. For more information, visit their website. You can also follow AttackIQ on Twitter, LinkedIn, and YouTube.

Learn more