By Rodman Ramezanian
Enterprise Cloud Security Advisor, Skyhigh Security


As the ancient military strategist, Sun Tzu, famously said: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Skyhigh Cloud Access Security Broker (CASB), the multi-cloud security platform for enterprises, includes MITRE ATT&CK into the workflow for SOC analysts to investigate cloud threats and security managers to defend against future attacks with precision.

Most enterprises use over 1,500 cloud services, generating millions of events, from login, to file share, to download and an infinite number of actions meant for productivity yet exploited by adversaries. Until now, hunting for adversary activity within that haystack has been an arduous effort, with so much noise that many data breaches have gone unnoticed until it is too late.

Skyhigh Security Service Edge (SSE), which includes Skyhigh CASB, takes a multi-layered approach to cloud threat investigation that can speed your time to detect adversary activity in your cloud services, identify gaps, and implement targeted changes to your policy and configuration.

First, the haystack of events is processed continuously against a baseline of known good behavior by User and Entity Behavior Analytics (UEBA) to identify the anomalies and actual threats in your environment, assessing behavior across multiple services and accounts.

Events processed by UEBA determined to be a compromised account

This takes your investigation process down to a manageable quantity of incidents. With this release, those incidents are now in the same language as the rest of the SOC – MITRE ATT&CK. Each cloud security incident is mapped to ATT&CK tactics and techniques, showing you adversary activity currently being executed in your environment.

Multi-cloud MITRE ATT&CK view of adversary activity in Skyhigh Cloud Access Security Broker (CASB)

You have three views within Skyhigh CASB:

  • Retrospective: viewing all adversary techniques that have already occurred in your environment
  • Proactive: viewing attacks in progress, that you can take action to stop
  • Full kill-chain: viewing a combination of incidents, anomalies, threats, and vulnerabilities into a holistic string of infractions.

Multiple teams in your organization benefit from this addition to Skyhigh Security Service Edge (SSE):

  • SecOps Teams Advance from Reactive to Proactive: Skyhigh CASB allows analysts to visualize not only executed threats in the ATT&CK framework, but also potential attacks they can stop across multiple Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) environments
  • SecOps Teams Break Silos: SecOps teams can now bring pre-filtered cloud security incidents into their Security Information Event Management (SIEM)/Security Orchestration, Automation and Response (SOAR) platforms via API, mapped to the same ATT&CK framework they use for endpoint and network threat investigation
  • Security Managers Defend with Precision: Skyhigh CASB takes Cloud Security Posture Management (CSPM) to a new level, providing security managers with cloud service configuration recommendations for SaaS, PaaS and IaaS environments, which address specific ATT&CK adversary techniques

Many SecOps teams leverage repeatable processes and frameworks such as ATT&CK to mitigate risk and respond to threats to their endpoints and networks, but so far cloud threats and vulnerabilities have presented an unfamiliar paradigm. By translating cloud threats and vulnerabilities into the common language of ATT&CK, Skyhigh CASB allows security teams to extend their processes and runbooks to the cloud, understand and pre-emptively respond to cloud vulnerabilities and improve enterprise security.

Learn more about Skyhigh SSE.