Just like pilots, who have to complete a rigorous set of safety checks before every departure, security teams should routinely evaluate their security controls to keep their organization safe. The Advanced Environmental Drift Analysis (AEDA) feature in the Mandiant Security Validation solution can help.
A quick primer on AEDA.
The Advanced Environmental Drift Analysis feature schedules attack simulations at predefined intervals against specific security controls for which an expected, known-good response has already been established. That baseline is best established through the Effectiveness Validation Process (EVP) when onboarding Security Validation; the process addresses both the visibility of security control telemetry and the effectiveness of the controls. The expected response may include a log event from the control, the control's response to the simulation (allow or block), and an alert from the SIEM that received the forwarded log.
Instead of asking "can my plane fly safely?", the question becomes: "Are all my security controls, and the networks they support, working nominally?" SIEM and SOAR platforms are now commonplace in the SOC, and their effectiveness depends on multiple security controls feeding them accurate and timely data, so this question is most often asked by security operations personnel who want to mature their operational processes. It is answered by executing attack simulations designed to elicit a single security control detection or response, or a SIEM or SOAR alert or playbook response that requires a series or combination of security control alerts. Once the expected detections and responses have been verified, these attack simulations can be converted into AEDA monitors that run on a regular schedule and alert the SOC team whenever the result deviates from the expected known-good outcome.
Running AEDA monitors on a recurring schedule also lets Security Validation operators move on to more advanced actions with confidence. When all baseline AEDA monitors report as expected, the operator has a high level of assurance that the security controls are working, and the results of any advanced attack simulation are likely to be true positives rather than artifacts of a broken control or log pipeline. To put it another way, the plane has passed its preflight checklist and is expected to be safe to fly. AEDA monitors also tell the SOC team when a security control has drifted away from a known-good state, so the SOC can respond quickly and address the drift before it becomes a serious issue.
AEDA monitors do not have to be complex attack simulations. Start with simple actions, such as European Institute for Computer Antivirus Research (EICAR) test-file simulations or vendor-provided test actions, that exercise the core functions of a security control. If a security control cannot perform its basic functions, there is no reason to expect it to detect advanced threat actor activity. More advanced attack simulations can be added later to address specific IOC concerns if required. If this concept is new to you, or you have not yet used AEDA as a pre-flight checklist, begin with AEDA monitors built on basic or benign simulations like EICAR. Before you know it you will be able to do more advanced techniques, like a barrel roll!
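The following Python script is an added example of the drift-monitor idea described above; it is not Mandiant Security Validation code and does not use the product's API. Each monitor records a known-good baseline (block or allow, a log event from the control, an alert from the SIEM) and is re-evaluated against the telemetry collected after the test action runs. The log formats, host names, the endpoint AV and proxy "controls", and the vendor test URL testblock.example are all constructed for illustration, and the EICAR file is never written to disk here: the action side is represented only by the log lines it would have produced. A preflight gate at the end shows how a green baseline can be used to decide whether more advanced simulations are worth running.

```python
"""Security-control drift monitor in the style of an AEDA pre-flight check.

Added example, not Mandiant Security Validation code. All log lines, host
names, monitor definitions and the test URL below are constructed.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Outcome:
    """What a security control did in response to a test action."""
    response: str          # "block" or "allow"
    control_logged: bool   # the control itself produced a log event
    siem_alerted: bool     # the SIEM raised an alert on the forwarded log


@dataclass
class Monitor:
    name: str
    expected: Outcome      # known-good baseline recorded during onboarding
    log_pattern: str       # regex: the control logged the test action
    block_pattern: str     # regex: the control blocked the test action
    siem_pattern: str      # regex: the SIEM alerted on the forwarded log


def observe(monitor: Monitor, telemetry: list[str]) -> Outcome:
    """Derive the observed outcome from the telemetry window collected
    after the scheduled test action ran."""
    logged = any(re.search(monitor.log_pattern, line) for line in telemetry)
    blocked = any(re.search(monitor.block_pattern, line) for line in telemetry)
    alerted = any(re.search(monitor.siem_pattern, line) for line in telemetry)
    return Outcome("block" if blocked else "allow", logged, alerted)


def drift(expected: Outcome, observed: Outcome) -> list[str]:
    """Return one finding per field that deviates from the baseline."""
    findings = []
    for fld in ("response", "control_logged", "siem_alerted"):
        e, o = getattr(expected, fld), getattr(observed, fld)
        if e != o:
            findings.append(f"{fld}: expected {e!r}, observed {o!r}")
    return findings


def run_monitors(monitors: list[Monitor], telemetry: list[str]) -> dict[str, list[str]]:
    """Evaluate every monitor; healthy monitors map to an empty list."""
    return {m.name: drift(m.expected, observe(m, telemetry)) for m in monitors}


def preflight_ok(report: dict[str, list[str]]) -> bool:
    """True only when no baseline monitor has drifted, i.e. advanced
    simulations can be trusted to reflect the controls rather than a
    broken control or log pipeline."""
    return all(not findings for findings in report.values())


# Constructed monitors. The EICAR monitor expects block + AV log + SIEM alert;
# the (hypothetical) proxy test URL is expected to be blocked and logged but
# is deliberately tuned not to raise a SIEM alert.
MONITORS = [
    Monitor(
        name="eicar-endpoint-av",
        expected=Outcome("block", control_logged=True, siem_alerted=True),
        log_pattern=r"av\[\d+\]: .*EICAR",
        block_pattern=r"av\[\d+\]: .*action=quarantine",
        siem_pattern=r"SIEM ALERT .*EICAR",
    ),
    Monitor(
        name="egress-proxy-test-url",
        expected=Outcome("block", control_logged=True, siem_alerted=False),
        log_pattern=r"proxy\[\d+\]: .*testblock\.example",
        block_pattern=r"proxy\[\d+\]: .*testblock\.example.*verdict=deny",
        siem_pattern=r"SIEM ALERT .*testblock\.example",
    ),
]

# Constructed telemetry for a healthy scheduled run.
BASELINE_RUN = [
    "2024-05-01T02:00:03Z ws01 av[412]: file=eicar.com verdict=EICAR-Test-File action=quarantine",
    "2024-05-01T02:00:04Z siem SIEM ALERT rule=AV-Detection host=ws01 sig=EICAR-Test-File",
    "2024-05-01T02:00:07Z proxy01 proxy[88]: client=ws01 url=http://testblock.example/ verdict=deny",
]

# Constructed telemetry for a later run that has drifted: the AV still blocks
# and logs but the forwarder is down so nothing reaches the SIEM, and a proxy
# policy change now allows the test URL.
DRIFTED_RUN = [
    "2024-05-08T02:00:02Z ws01 av[412]: file=eicar.com verdict=EICAR-Test-File action=quarantine",
    "2024-05-08T02:00:06Z proxy01 proxy[88]: client=ws01 url=http://testblock.example/ verdict=allow",
]

if __name__ == "__main__":
    for label, window in (("baseline", BASELINE_RUN), ("drifted", DRIFTED_RUN)):
        report = run_monitors(MONITORS, window)
        print(f"{label}: preflight_ok={preflight_ok(report)}")
        for name, findings in report.items():
            print(f"  {name}: {'OK' if not findings else '; '.join(findings)}")
```

The point the drifted run makes is that a control can be perfectly healthy while the SOC is still blind: the endpoint AV quarantined the EICAR file and logged it, but the missing SIEM alert is exactly the kind of pipeline drift that only a scheduled, baselined monitor will surface.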
To learn more about AEDA or EVP, please refer to the documentation on the Mandiant Advantage documentation portal.
https://docs.mandiant.com/home/msv-monitors-advanced-environmental-drift-analysis-aeda