Every day, as new threats emerge across news headlines, Avertium’s customers come to us, asking, “Are we protected?”
Although that might seem like a simple question to answer, it is not. Why?
Because good threat detection – whether XDR, MDR, EDR, or SIEM-based – is built on an informed view of the business: its points of vulnerability as seen from an attacker's perspective, together with the tactics and techniques an attacker might use against it.
In other words, applying the same defensive processes across even two different companies – each with its own tool set, data processes, and coverage needs – is not a simple copy and paste. This is the primary challenge that all MSSPs face when trying to scale security across their client base.
These challenges have given rise to the concept of Detection-as-Code (DaC).
Related Reading: XDR: Tech Stack, Service, Process, or All Three?
In short, detection-as-code (DaC) brings together threat detection with the tried-and-true software development lifecycle, with the goal of breaking down the barriers to scaling security operations.
Similar to the software development lifecycle, detection-as-code treats detection logic as versioned, reviewed, and tested code rather than rules edited by hand in a console, streamlining a once-manual process and enabling greater efficiency across the security operations center (SOC). For example, a detection-as-code development process might include the following steps:
Identify a threat or suspicious behavior
Recreate that threat (for example, by emulating the adversary technique in a lab) and develop hypotheses about how to detect it automatically
Write the detection and test its effectiveness against the recreated threat
Tune as needed
Deploy into a staging or sandboxed environment to further validate its effectiveness
Tune again, as needed
Deploy into the SIEM or EDR tool
Maintain the production code: refine it, and decommission detections that are no longer required
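The lifecycle above, as an added worked example that is not Avertium's or SnapAttack's code: a Sigma-style rule kept as plain data (so it can live in version control and be reviewed like any other change), a small matcher that evaluates it, and constructed process-creation events that act as the unit test the rule must pass before it is pushed to a SIEM. The "tune" step is shown as an exclusion added after a noisy parent process was observed in staging. The rule shape, the matcher, the event fields, the base64 payload and the parent-process name are all assumptions for illustration.

```python
import re

# Sigma-style rule kept as plain data (in a real pipeline, a YAML file in git).
# Detection logic and exclusions are reviewed, tested and versioned like code.
RULE = {
    "title": "Encoded PowerShell command line",
    "attack": ["T1059.001"],  # MITRE ATT&CK technique: PowerShell
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"Image|endswith": "\\powershell.exe"},
        "encoded": {"CommandLine|re": r"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"},
        # "Tune as needed": exclusion added after staging showed a noisy parent process.
        # The parent image name is a hypothetical placeholder, not a real product.
        "filter_known_admin_tool": {"ParentImage|endswith": "\\approved_admin_tool.exe"},
        "condition": "selection and encoded and not filter_known_admin_tool",
    },
}


def field_matches(event, key, expected):
    """Apply one Sigma-style field test such as 'Image|endswith' to an event."""
    name, _, modifier = key.partition("|")
    value = event.get(name)
    if value is None:
        return False
    value = str(value)
    if modifier == "":
        return value == expected
    if modifier == "endswith":
        return value.lower().endswith(expected.lower())
    if modifier == "contains":
        return expected.lower() in value.lower()
    if modifier == "re":
        return re.search(expected, value) is not None
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event, block):
    """A block matches when every field test in it matches (implicit AND)."""
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(rule, event):
    """Evaluate a flat 'a and b and not c' condition against one event."""
    detection = rule["detection"]
    for term in detection["condition"].split(" and "):
        negate = term.startswith("not ")
        name = term[4:] if negate else term
        hit = block_matches(event, detection[name])
        if hit == negate:  # a required block missed, or an excluded block hit
            return False
    return True


def run_detection(rule, events):
    """Return the ids of the events the rule fires on; the unit test checks this."""
    return [e["id"] for e in events if rule_matches(rule, e)]


# Constructed sample events standing in for process-creation telemetry.
# Event 2 is the true positive; 1 is benign; 3 has the token but the wrong image;
# 4 is the staging false positive that the exclusion is meant to suppress.
SAMPLE_EVENTS = [
    {"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process"},
    {"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Users\\alice\\Downloads\\invoice.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 3, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "cmd.exe /c echo -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"id": 4, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Program Files\\Vendor\\approved_admin_tool.exe",
     "CommandLine": "powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]

if __name__ == "__main__":
    print(run_detection(RULE, SAMPLE_EVENTS))  # [2]
```

Keeping the sample events beside the rule is the point: when the rule is later refined or the exclusion is removed, the same events rerun in CI and show immediately whether the change lost the true positive or reintroduced the staging false positive. A build step would translate the same rule data into the query language of whichever SIEM or EDR receives it.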
When done right, leveraging software development best practices to engineer detections and automate responses yields higher quality detections with lower false positive rates. But developing quality detections requires time, resources, and advanced operators – challenges that all organizations – especially MSSPs – face.
That’s why Avertium recently partnered with SnapAttack – a platform that rolls threat intelligence, adversary emulation, detection engineering, threat hunting, and purple teaming into a single, detection-as-code platform.
With this partnership, Avertium will have enhanced detection-as-code capabilities, bringing even more robust threat detection via content packs that accelerate security at scale within its existing Fusion MXDR offering.
Related Reading: What is Security Orchestration, Automation, and Response (SOAR)?
Avertium’s approach has always been centered around attacking the chaos of the threat landscape with context – the context of your business and context of the threat landscape.
With SnapAttack, Avertium’s detection engineers will be able to build, test, validate, and assemble high-fidelity detections into custom content packs ready to deploy in any query language across any technology estate.
In other words, we will be able to confidently answer the question “Are we protected?” up to 98% faster than other MSSPs or in-house SOCs.
Related Reading: In-House SOC or MSSP?
This investment will drive better outcomes for our customers. Here’s how:
#1 - More robust coverage via detection-as-code using the tools you already own, and the teams you already have.
Through a systematic, thorough, and flexible approach, Avertium’s investment in detection-as-code will enable customers to get more from their existing tools by creating structure where it may not have been before. With this stronger foundation of best practices, security is better positioned to scale more seamlessly.
#2 - Greater velocity when mobilizing defenses.
A typical threat hunt, and the detection engineering that follows it, can take days or even weeks to complete. By partnering with SnapAttack, Avertium is able to cut that lengthy process down to just a few hours, reducing the time spent developing a quality detection by up to 98%. The importance of this cannot be overstated, because when a new threat emerges, every second counts.
#3 - Reduce alert fatigue and thus, reduce risk.
Alert fatigue is a very real problem in any SOC. When analysts are under the constant barrage of false positive alerts, security teams get bogged down and overwhelmed, which leads to an alert backlog. That then increases the risk of SOC and IR teams missing a critical alert. With Avertium’s content packs powered by SnapAttack, the highest confidence detections have less than a 5% false positive rate, meaning SOCs can reduce their alert fatigue and focus on proactive cybersecurity, ultimately reducing organizational risk.
#4 - Measurably enhanced coverage and confidence in security posture.
Because SnapAttack maps threats to the industry standard MITRE ATT&CK framework, it simplifies the process of understanding coverage gaps and prioritizing remediation to defend against the most critical threats within a customer environment. Avertium will be able to measure our clients’ coverage gaps instantly, break the kill chain earlier, and defend against unobserved or future variations of any attack.
#5 - Lastly, Avertium’s Fusion MXDR customers will enjoy all of these benefits at no cost.
At Avertium, we have a steadfast commitment to achieving proactive cybersecurity and aligning our clients with industry best practices. That is why our SnapAttack-enabled content packs are included for all Fusion MXDR customers.
Related Webinar Replay: Scaling Remediation in the Face of Competing Priorities
By bringing offensive tradecraft into the defensive process, Avertium is taking one of many steps forward on the journey towards enabling proactive cybersecurity for each and every one of the clients we serve.
This is only the beginning of a long-term push Avertium is making to help our customers show no weakness in the face of an ever-evolving threat landscape. Our content packs will offer more comprehensive coverage and shorten the time it takes to get from “Are we protected?” to “Yes, we’re protected.”
If you’re interested in becoming a Fusion MXDR customer, contact us to learn more.