Review Maturity Score

Problem: Most security operations organizations use the MITRE ATT&CK Framework to understand what types of adversary behavior they need to detect, including the underlying data needed to support those detections. This is important because failing to do so can leave major visibility gaps, weakening security posture. The problem is that this assessment is very difficult and time-consuming, involving a lot of manual mapping and tracking in a spreadsheet, if it is done at all. And as the environment changes and the threats evolve, it is nearly impossible to keep the assessment updated.

Anvilogic Solution: Anvilogic provides a platform for continuous assessment of an organization’s security posture measured against the MITRE ATT&CK Framework. We give you a platform for setting priorities specific to your organization, and then baselining your existing data feeds and technique coverage. On an ongoing basis, as you use Anvilogic to deploy detections and connect to your data platforms, it will automatically keep an updated assessment of your data feeds and technique coverage, showing you where you are strong as well as highlighting your most critical gaps in data and detection coverage, giving you a framework for improvement.

Now that we’ve set our organization-specific priorities, we can see how our existing data feeds and detections measure up to the standards we need to achieve, and where we can improve with the most impact. This type of continuous assessment and improvement framework is available in Anvilogic through our Maturity Score functionality.

From the main navigation on the left, hover over and click on “Maturity Score.”

You will see an overall maturity score here, as well as Contributing Scores based on Feed, Detection, and Productivity. Note that you will not see much change over time in this test drive environment, and that the Productivity score will only become relevant in an environment connected to your production data stores, as in a full Anvilogic pilot.

You can set a custom date range for the maturity score history by clicking the calendar icon in the upper left corner of the chart. Expanding this to a wide range lets you see some of the changes to the environment that have impacted the score; scroll down to see details for the time period.

Scroll back to the top and click on the Feed Score under Contributing Scores. This will give you details on how the feed score is derived and how to improve it.

Note that the circle chart on the left indicates where you have coverage and where you lack coverage based on your custom prioritized data categories. Click on the darkened part of the circle or the number above the “Add Missing Feeds” label to see the data feeds you are missing, which provides customers with a framework for prioritizing the onboarding of their most critically needed feeds.

You can also click on the number above the “Enhance Feed Quality” label to view data feeds where the quality is below the “good” threshold.

Click on one of the numbers in the “Data Feeds” column to see a list of data feeds in that category which should include at least 1 data feed with quality that is not “good.” Click on the name of a data feed to see how Anvilogic can help you assess the quality of your data feeds and the dimensions on which data quality is measured. Cancel out when done.

Navigate back to the main maturity score view by clicking the main navigation on the left, hovering over and clicking on “Maturity Score.” This will bring up the main maturity score view as before. Now click on the detection score near the top to bring up the detection score detail view.

From here you can see how many of your prioritized MITRE ATT&CK techniques and sub-techniques you have deployed detections for (including legacy detections as well as detections deployed through the Anvilogic platform), as well as where your high-, medium- and low-priority technique gaps are. In the Technique Coverage section, click the slider under Recommendations and set it to “On” and then scroll down a bit. You will see a filterable matrix of techniques with a star icon indicating ones where there are recommendations. You can hover over any square in the matrix and see the current coverage state.

The green color of a square represents the depth of coverage. As you hover over a square you can see how many rules you have deployed for that technique and its sub-techniques, as well as how many rules are recommended. Click on the highlighted “X rules recommended” for one of the squares with a star to see how easy it is to find detections you can deploy to have an immediate impact on your technique coverage. This will take you to a filtered view of the armory showing rules you can deploy right now that will cover that technique.
