Jun 28, 2023

Mapping SaaS Security Alerts to MITRE ATT&CK

DoControl's SaaS Security Platform (SSP) has incorporated MITRE ATT&CK® Matrix for Enterprise (SaaS Matrix) into its alerting, enhancing incident detection and response for SaaS-related events. For the uninformed, the MITRE ATT&CK framework is widely recognized for tracking adversaries' tactics and techniques throughout different stages of the attack chain. Security teams can determine how attackers gained access, the methods employed, and potential next steps. By leveraging the framework, organizations can better differentiate between their risk appetite and their risk tolerance.

There’s a common misconception that “risk is bad” – it's not bad, it's actually good. Not knowing what your risk is, is bad. It is standard practice for security practitioners to put in place the right controls, test them, and provide the appropriate assurances. By mapping SaaS-related alerts to MITRE ATT&CK, our customers can gain a stronger understanding of the alert's context, impact, and phase, enabling them to strengthen defenses against future attacks – and better understand their risk. This framework is a great way to map out the necessary controls, and from there teams can test and provide assurance to validate the controls in place are meeting their core objectives and coverages. 

Accelerated Incident Response

Adopting the MITRE ATT&CK framework gives organizations a common vocabulary for potential cyber threats. This facilitates effective communication and coordination between IT and security teams when discussing high-risk events such as data exfiltration or lateral movement. As a technology vendor in a market that is strained for IT/security professionals, it is our obligation to streamline processes and make it as easy as possible for users to be effective in their role. By aligning specific tactics under these MITRE categories, teams can collaborate more efficiently to mitigate threats faster and prevent known threats in a more automated fashion.

By aligning our alerts to MITRE, DoControl now provides the necessary insights into the techniques and tactics most likely to be employed by attackers, as well as their expected behaviors. Our alerts extend across Initial Access, Reconnaissance, Collection, Exfiltration, Credential Access, and Persistence. Attack techniques that we capture include Valid Accounts, Unsecured Credentials, Data from Information Repositories, and Transfer Data to Cloud Account.

DoControl's SaaS Security Platform (SSP) alert coverage for MITRE ATT&CK tactics and techniques.

All of this information is readily accessible from within the DoControl console, where investigations can be performed, and it can also be fed into another tool (e.g. a SIEM or SOAR) for centralized management of all threats throughout the IT/cloud estate. Within the alert dashboard, you can now filter alerts based on specific MITRE ATT&CK tactics or techniques. This gives a clearer view of attack vectors and enables quicker response times while you are already conducting your investigation. More importantly, DoControl's Security Workflows can be triggered by the alerts that come through, allowing security teams to improve their security posture by addressing the specific MITRE ATT&CK techniques and tactics that appear in their environment.

Comprehensive Threat Detection across the SaaS Environment

These enhancements further strengthen DoControl's existing threat detection and response capabilities. Our industry-leading SaaS Security Platform (SSP) includes built-in alerts tailored to specific SaaS applications and services, such as detecting abnormal user access to a large number of records in business-critical apps (e.g. Google Drive). DoControl also provides pre-built alerts that span the entire SaaS ecosystem, such as identifying third-party contractors accessing data after prolonged periods of inactivity. In addition, you can create custom alerts to suit your specific needs. DoControl's alerts enable your security teams to get closer to the events and activities that present material risk to your business.
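The following is an added example, not DoControl's code or event schema: it runs the three detections described above (a dormant contractor account becoming active, bulk record access in Google Drive, and a share to an external cloud account) over a constructed batch of SaaS audit events, tags each hit with its MITRE ATT&CK tactic and technique, and offers the tactic filter the console provides. The tactic and technique names and IDs are MITRE's public ones; the event fields, thresholds and sample data are assumptions.

```python
from datetime import datetime

# MITRE ATT&CK tactic IDs (public). Event fields and thresholds below are assumed.
TACTICS = {"Initial Access": "TA0001", "Collection": "TA0009", "Exfiltration": "TA0010"}

# Constructed sample of SaaS audit events; not a real DoControl export.
EVENTS = [
    {"ts": "2023-06-27T09:00:00", "user": "contractor@partner.example", "app": "google_drive",
     "action": "download", "records": 1, "user_type": "contractor", "last_active": "2023-02-01T00:00:00"},
    {"ts": "2023-06-27T09:05:00", "user": "alice@corp.example", "app": "google_drive",
     "action": "download", "records": 1200, "user_type": "employee", "last_active": "2023-06-26T17:00:00"},
    {"ts": "2023-06-27T09:10:00", "user": "alice@corp.example", "app": "google_drive",
     "action": "share_external", "records": 3, "user_type": "employee",
     "last_active": "2023-06-26T17:00:00", "target": "personal-gmail"},
]

def _days_between(later: str, earlier: str) -> int:
    return (datetime.fromisoformat(later) - datetime.fromisoformat(earlier)).days

def enrich(events, inactivity_days=90, bulk_threshold=500):
    """Apply the three SaaS detection rules and tag each hit with ATT&CK context."""
    alerts = []
    for e in events:
        hits = []
        # Dormant third-party account suddenly active: abuse of a valid account.
        idle = _days_between(e["ts"], e["last_active"])
        if e.get("user_type") == "contractor" and idle > inactivity_days:
            hits.append(("Initial Access", "T1078", "Valid Accounts", f"contractor idle {idle} days"))
        # Abnormal access to a large number of records in a business-critical app.
        if e.get("action") == "download" and e.get("records", 0) >= bulk_threshold:
            hits.append(("Collection", "T1213", "Data from Information Repositories",
                         f"{e['records']} records downloaded from {e['app']}"))
        # Data shared out to a cloud account the organisation does not control.
        if e.get("action") == "share_external":
            hits.append(("Exfiltration", "T1537", "Transfer Data to Cloud Account",
                         f"shared to {e.get('target', 'external account')}"))
        for tactic, tid, tech, reason in hits:
            alerts.append({"ts": e["ts"], "user": e["user"], "app": e["app"], "tactic": tactic,
                           "tactic_id": TACTICS[tactic], "technique_id": tid,
                           "technique": tech, "reason": reason})
    return alerts

def filter_by_tactic(alerts, tactic):
    """Console-style filter: keep only alerts under one ATT&CK tactic."""
    return [a for a in alerts if a["tactic"] == tactic]

if __name__ == "__main__":
    for a in enrich(EVENTS):  # each line is SIEM-ready: who, where, tactic, technique, why
        print(f"{a['ts']} {a['user']:<28} {a['tactic_id']} {a['tactic']:<15} "
              f"{a['technique_id']} {a['technique']}: {a['reason']}")
```

Raising `inactivity_days` or `bulk_threshold` is how you would tune the rules to your own risk tolerance; the enriched dictionaries are flat enough to forward to a SIEM as JSON.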

Gilad's love affair with SaaS applications began during his time at Walkme, where he led the Insights group's data analysis activities, serving thousands of B2B clients. He enjoys writing complex queries and has developed expertise in SaaS usage, automation, and complex data schemas, with billions of weekly events flowing in.

Prior to that he was part of several data-science teams: at Woo.io, building a high scale job-matching service for technologists and prior to that at Clearforest (today Refinitiv), a Tel-Aviv data-science and NLP hub serving the financial industry.

DoControl allows him to combine two of his core interests: SaaS events & data security while he says it’s an added bonus getting to work with a super bright and driven group of people.

In his spare time he enjoys jazz concerts and records, playing the piano and spending time with his two kids.
