Ending the Era of Security Control Failure

September 16, 2022

Introduction: How to become a peak performing team

Test and train like the best

After decades of spending on cybersecurity teams and technologies, from next-generation firewalls to the Department of Defense’s Cyber Mission Force, the entire industry is transitioning away from a period of hyper-focus on investment and towards a focus on outcomes and metrics in security effectiveness. This transition was driven by two distinct events: the escalating threat in cyberspace, from the Russian government’s intrusions into critical infrastructure to ransomware attacks on civil infrastructure, and the related perception that the investments made over the last decade were failing to stop intruders. Even as security teams invested in the people and technologies required to stop breaches, intruders kept breaking through.

The Verizon Data Breach Investigation team in 2018 found that most breaches in cyberspace should have been stopped by existing security controls but weren’t. We knew this trend was occurring but didn’t have verifiable data about security program performance. To understand the degree of security effectiveness within our customer base, we anonymized customer data from our cloud platform in 2021 to identify the top MITRE ATT&CK techniques that succeeded against endpoint detection and response (EDR) security controls. We chose EDR for two reasons: it is the most broadly adopted control across the industry, and AttackIQ has a history of developing scenario content to emulate the adversary, aligned to the MITRE ATT&CK framework, to test EDR controls. We then examined a list of the top MITRE ATT&CK techniques that break past our customers’ detection capabilities.

The findings from our study are that on average, the EDR controls in our customers’ environments only stopped the top seven adversary techniques 39 percent of the time in 2021. This high degree of failure is not the fault of security providers, as their controls stop the top techniques in our laboratory environment. Nor is it the fault of our customers, who are some of the most advanced cybersecurity teams in the world. The problem is embedded in the system itself…

About the Provider

AttackIQ
AttackIQ, the leading independent vendor of breach and attack simulation solutions, built the industry’s first Security Optimization Platform for continuous security control validation and improving security program effectiveness and efficiency. AttackIQ is trusted by leading organizations worldwide to identify security improvements and verify that cyberdefenses work as expected, aligned with the MITRE ATT&CK framework. The Company is committed to giving back to the cybersecurity community through its free AttackIQ Academy, open Preactive Security Exchange, and partnership with MITRE Engenuity’s Center for Threat Informed Defense.
