I think we all know that pilots have a rigorous set of checks to complete before they take off in their plane. They are mainly safety checks to ensure that the plane can take off and land safely. The Advanced Environmental Drift Analysis module (AEDA) in the Mandiant Security Validation platform can be used similarly to ensure that the security control ecosystem can perform its core functions of protecting data assets.  

A Quick Primer for AEDA.  

The Advanced Environmental Drift Analysis module is designed to schedule attack simulations at predefined intervals against specific security controls for which an expected “known good” response has already been determined. That known-good response is best established through the Effectiveness Validation process when onboarding MSV, a process that addresses both the telemetry visibility and the effectiveness of each security control. The response may include a logging event from the control, the control's response to the simulation (allow or block), and an alert from a SIEM that received the forwarded log from the security control.

Instead of asking “can my plane fly safely?”, the question is: “Are all my security controls and the networks they support working nominally?” Today SIEM and SOAR are commonplace in the SOC, and their effectiveness depends on multiple security controls feeding them accurate and timely data. This is therefore a question most often asked by security operations personnel who want to mature their operational processes.

It can be answered by executing attack simulations designed to elicit a single security control detection or response, or a SIEM or SOAR alert or response driven by a playbook that requires a series or combination of security control alerts. Once the expected detection(s) and responses are verified, these attack simulations can be converted into AEDA monitors that run on a regular schedule and alert the SOC team when the expected “good” outcome deviates.

Running AEDA monitors on a recurring schedule also empowers MSV operators to run more advanced actions. When all the baseline AEDA monitors are working as expected, the MSV operator can have a high level of assurance that the security controls are working as expected and that the results of any advanced attack simulation are likely to be true positives. To put it another way, the plane has passed the pre-flight checklist and is expected to be safe to fly. AEDA monitors can also inform the SOC team when a security control has drifted away from a known good or safe state, empowering the SOC to respond quickly and address the drift before it becomes a serious issue.

AEDA monitors do not have to be complex attack simulations. Start instead with simple actions, such as EICAR simulations or vendor test actions, that exercise all the core functions of the security control. If a security control cannot perform its basic functions, there is little reason to expect it to detect advanced threat actor activity. More advanced attack simulations can be added later to address specific IOC concerns if required. If this concept is new to you, or you have not yet used AEDA as a pre-flight checklist, begin with AEDA monitors built on basic or benign attack simulations like EICAR and build the checklist from there. Before you know it you will be able to do more advanced techniques like a barrel roll!
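As an added illustration of the comparison an AEDA-style monitor performs (example code, not MSV's own code or API), the following Python checks one scheduled run's observed results against the known-good baseline recorded for each monitor and reports every deviation; the monitor names and run results are constructed for this example.

```python
"""Drift check for scheduled security-control monitors (added example, not MSV code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass(frozen=True)
class Outcome:
    """The three signals the post names: control verdict, control log, SIEM alert."""
    verdict: str          # "block" or "allow"
    control_logged: bool  # did the control emit its own log event?
    siem_alerted: bool    # did the SIEM alert on the forwarded log?

# "Known good" baseline per monitor, as established during effectiveness
# validation. Monitor names are constructed for this example.
BASELINE: Dict[str, Outcome] = {
    "eicar-via-web-proxy": Outcome("block", True, True),
    "eicar-write-on-endpoint": Outcome("block", True, True),
    "benign-file-via-web-proxy": Outcome("allow", True, False),
}

def diff_outcome(expected: Outcome, observed: Optional[Outcome]) -> List[str]:
    """List every way the observed result deviates from the baseline."""
    if observed is None:
        return ["no result recorded for the scheduled run"]
    reasons = []
    if observed.verdict != expected.verdict:
        reasons.append(f"verdict {observed.verdict!r}, expected {expected.verdict!r}")
    if observed.control_logged != expected.control_logged:
        reasons.append("control log " + ("missing" if expected.control_logged else "unexpected"))
    if observed.siem_alerted != expected.siem_alerted:
        reasons.append("SIEM alert " + ("missing" if expected.siem_alerted else "unexpected"))
    return reasons

def check_drift(baseline: Dict[str, Outcome], observed: Dict[str, Outcome]) -> Dict[str, List[str]]:
    """Return {monitor: reasons} for each monitor that drifted from known good.
    A monitor with no recorded result counts as drift: the simulation did not run or its telemetry never arrived."""
    drift = {}
    for name, expected in baseline.items():
        reasons = diff_outcome(expected, observed.get(name))
        if reasons:
            drift[name] = reasons
    return drift

def sample_run() -> Dict[str, List[str]]:
    """Constructed run: the proxy still blocks EICAR but no SIEM alert fires; the endpoint monitor returned nothing."""
    observed = {
        "eicar-via-web-proxy": Outcome("block", True, False),
        "benign-file-via-web-proxy": Outcome("allow", True, False),
    }
    return check_drift(BASELINE, observed)
```

Each entry in the returned dictionary is what the SOC would be alerted on; a run in which every monitor matches its baseline returns an empty dictionary.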

To learn more about AEDA or EVP, please refer to the documentation on the Mandiant Advantage documentation portal: AEDA introduction, EVP Overview.
