Signal the ATT&CK: Part 2

Using orchestration and automation to enhance EDR capabilities, and to reduce ‘alert fatigue’

Earlier this year, we released part 1 of our ‘Signal the ATT&CK’ article, where we presented how we are incorporating the adversary knowledge within the MITRE ATT&CK™ matrix to enhance our threat hunting techniques within the Tanium platform, in part using a Threat Response feature known as Signals.

Part 2 is now live, in which we explore security orchestration and automation (collectively referred to as orchestration) and its use in enhancing the efficiency of our Endpoint Detection and Response (EDR) capability. We achieve this by streamlining and automating slow, manual tasks and transforming them into repeatable, scalable processes.

The orchestration workflows we have developed in Apache NiFi address two pain points that will resonate with many security teams:

  1. Alert overload – Commonly referred to as ‘alert fatigue’, this is where analysts are inundated with detections. Ultimately, this increases operational risk because detections are overlooked.
  2. Frustration of manual enrichment – Having to manually look up indicators against threat intelligence datasets, and manually pull related endpoint artefacts.

By setting out our approach, we demonstrate how orchestration acts as a layer of connective tissue within our threat detection ecosystem, allowing us to automate the flow of data between systems and to execute decisions. We also hope to show how you can improve your organisation’s endpoint threat detection capability.
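To make the two pain points concrete, the following is an added example (not code from the article or from the NiFi workflows it describes) of what a single orchestration step can do: collapse repeated detections from the same host and rule into one record with a hit count, look the record's indicators up against a local threat-intelligence set, and route the result to an escalation, review or holding queue. The alert fields, hosts, hash and domain values, and the intel entries are all constructed placeholders; the ten-minute grouping window and the routing thresholds are assumptions chosen for illustration.

```python
"""Added example: a miniature alert-aggregation and enrichment step of the kind an
orchestration layer (such as an Apache NiFi flow) would sit between an EDR and
its analysts. Not the article's own code; all data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def _mk(ts, host, rule, sha256=None, domain=None):
    """Build one constructed EDR-style detection record."""
    return {"ts": ts, "host": host, "rule": rule, "sha256": sha256, "domain": domain}


# Constructed detections: one noisy host repeating a rule four times in three
# minutes, another repeating five times, one single hit, and a late repeat of
# the first rule well outside the grouping window.
SAMPLE_ALERTS = (
    [_mk(f"2020-01-10T09:0{i}:00", "ws-101", "Suspicious PowerShell",
         sha256="aaaa-placeholder-hash") for i in range(4)]
    + [_mk(f"2020-01-10T09:1{i}:00", "ws-202", "Unusual DNS query",
           domain="cdn.example.test") for i in range(5)]
    + [_mk("2020-01-10T09:30:00", "ws-303", "LSASS access", sha256="cccc-placeholder-hash")]
    + [_mk("2020-01-10T11:00:00", "ws-101", "Suspicious PowerShell",
           sha256="aaaa-placeholder-hash")]
)

# Constructed local threat-intelligence set (placeholder values, not real IoCs).
SAMPLE_INTEL = {
    "sha256": {"aaaa-placeholder-hash": {"source": "internal-casework", "verdict": "malicious"}},
    "domain": {"dropper.example-bad.test": {"source": "vendor-feed", "verdict": "malicious"}},
}

WINDOW = timedelta(minutes=10)  # assumed grouping window


def aggregate_alerts(alerts, window=WINDOW):
    """Collapse detections sharing (host, rule, sha256, domain) that arrive within
    `window` of the previous hit into one record carrying a count and a time span.
    A repeat that arrives after the window starts a fresh record."""
    open_groups, finished = {}, []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["host"], a["rule"], a["sha256"], a["domain"])
        ts = datetime.fromisoformat(a["ts"])
        g = open_groups.get(key)
        if g is not None and ts - g["last_seen"] <= window:
            g["count"] += 1
            g["last_seen"] = ts
            continue
        if g is not None:            # window elapsed: close the old group
            finished.append(g)
        open_groups[key] = {"host": a["host"], "rule": a["rule"], "sha256": a["sha256"],
                            "domain": a["domain"], "count": 1,
                            "first_seen": ts, "last_seen": ts}
    finished.extend(open_groups.values())
    return sorted(finished, key=lambda g: g["first_seen"])


def enrich(record, intel):
    """Attach any intel matches for the record's hash and domain indicators."""
    matches = []
    for kind in ("sha256", "domain"):
        hit = intel.get(kind, {}).get(record.get(kind))
        if hit:
            matches.append({"type": kind, "value": record[kind], **hit})
    record["intel"] = matches
    return record


def route(record):
    """Decide where an enriched, aggregated record goes (thresholds are assumed)."""
    if any(m["verdict"] == "malicious" for m in record["intel"]):
        return "escalate"            # known-bad indicator: straight to an analyst
    if record["count"] >= 5:
        return "review"              # noisy but unknown: one ticket, not five
    return "queue"                   # single, unenriched hit: hold for batch triage


def run_pipeline(alerts, intel):
    """Aggregate, enrich and route a batch; returns {destination: [records]}."""
    routed = defaultdict(list)
    for rec in aggregate_alerts(alerts):
        routed[route(enrich(rec, intel))].append(rec)
    return dict(routed)


if __name__ == "__main__":
    out = run_pipeline(SAMPLE_ALERTS, SAMPLE_INTEL)
    print(f"{len(SAMPLE_ALERTS)} raw detections -> "
          f"{sum(len(v) for v in out.values())} records")
    for dest, recs in out.items():
        for r in recs:
            print(f"{dest:9} {r['host']:7} {r['rule']:22} x{r['count']} intel={len(r['intel'])}")
```

Run as a script, the eleven constructed detections collapse to four records: two escalations (the known-bad hash, once as a group of four and once as the late single repeat), one review ticket for the five-hit DNS rule with no intel match, and one queued single hit. The same decision logic is what an orchestration flow would encode as routing rules, with the intel lookup replaced by a call to the team's actual threat-intelligence store.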

For more information on how we can help your organisation, please contact Paul Bottomley and Wietze Beukema.

Paul Bottomley | Endpoint Threat Detection and Response Lead | +44 (0)7808 799134




Wietze Beukema | Endpoint Threat Detection and Response Analyst | +44 (0)7850 908221

