Preview Mode Links will not work in preview mode

Defense in Depth

Aug 8, 2019

All images and links for this episode can be found on CISO Series (

Is the ATT&CK Matrix the best model to build resiliency in your security team? What is the best way to take advantage of the ATT&CK framework and how do you square away conflicting data coming in from your tools. What can you trust and not trust? And is the disparity of results the fault of the tool, the user, or neither?

Check out this post and this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the creator of CISO Series and Allan Alford (@AllanAlfordinTX). Our sponsored guest for this episode is Ian McShane (@ianmcshane), VP, product marketing, Endgame.

Thanks to this week’s podcast sponsor, Endgame


Endgame makes endpoint protection as simple as anti-virus. Their converged endpoint security platform is transforming security programs - their people, processes and technology - with the most powerful endpoint protection and simplest user experience, ensuring analysts of any skill level can stop targeted attacks before damage and loss. To learn more visit

On this episode of Defense in Depth, you'll learn:

  • ATT&CK Matrix should be used both strategically and tactically.
  • Use it strategically to understand gaps in your security program.
  • As for tactics, it's great for blue team exercises. When you're being attacked, it helps you understand what's going to happen next.
  • You can use ATT&CK framework even on 0 day viruses. It allows you to focus on the techniques in an attack rather that the specifics of an attack.
  • When you're being attacked, be wary of getting conflicting information from your tools.
  • If you have a tool that's constantly producing noise, you have two options: either fix it or dump it.
  • The reason two seemingly similar tools are producing different results is because they're taking different paths. Once you understand the paths you'll understand the variances.
  • The goal would be for industry standardization or maybe even a third party to come in and act as middleware to offer standardization. Is that even possible?