- See The Difference
- What is Zero Trust The strategy on which Zscaler was built
- How Zscaler Delivers Zero Trust A platform that enforces policy based on context
- Zero Trust Resources Learn its principles, benefits, strategies
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Customer Success Stories Hear first-hand transformation stories
- Analyst Recognition Industry experts weigh in on Zscaler
- See the Zscaler Cloud in Action Traffic processed, malware blocked, and more
- Experience the Difference Get started with zero trust
![Zscaler transformation]( "Zscaler transformation")
See how the Zero Trust Exchange can help you leverage cloud, mobility, AI, IoT, and OT technologies to become more agile and reduce risk
- Products & Solutions
- Secure Your Users Provide users with seamless, secure, reliable access to applications and data. Secure Your Workloads Build and run secure cloud apps, enable zero trust cloud connectivity, and protect workloads from data center to cloud. Secure Your OT and IoT Provide zero trust connectivity for OT and IoT devices and secure remote access to OT systems.
- Products Transform your organization with 100% cloud-native services
- Solutions Propel your business with zero trust solutions that secure and connect your resources
![Zscaler workplace enablement]( "Zscaler workplace enablement")
Make hybrid work possibleGet StartedSecure work from anywhere, protect data, and deliver the best experience possible for users
- Industries Our ecosystem of zero trust partners
- Partner Integrations Simplified deployment and management
![Zscaler industry partners]( "Zscaler industry partners")
Secure your ServiceNow DeploymentGet StartedIt’s time to protect your ServiceNow data better and respond to security incidents quicker
- Platform
- Platform Overview Unified platform for transformation
- Capabilities Integrated services, infinitely scalable
![Zscaler transformation]( "Zscaler transformation")
Accelerate your transformationLearn MoreProtect and empower your business by leveraging the platform, process and people skills to accelerate your zero trust initiatives
![Gartner Report]( "Gartner Report")
Gartner Magic Quadrant LeaderRead ReportZscaler: A Leader in the Gartner® Magic Quadrant™ for Security Service Edge (SSE) New Positioned Highest in the Ability to Execute
- Resources
- Content Library Explore topics that will inform your journey
- Blog Perspectives from technology and transformation leaders
- Security Assessment Toolkit Analyze your environment to see where you could be exposed
- Webinars and Demos A first-hand look into important topics
- Executive Insights App Security insights at your fingertips
- Ransomware ROI Calculator Assess the ROI of ransomware risk reduction
- Training and Certifications Engaging learning experiences, live training, and certifications
- Customer Success Center Quickly connect to resources to accelerate your transformation
- Customer Success Stories Hear first-hand transformation stories
![Customer success center]( "Customer success center")
- Security & Threat Analytics Threat dashboards, cloud activity, IoT, and more
- Security Advisories News about security events and protections
- Vulnerability Disclosure Program Webinars, training, demos, and more
- Trust Portal Zscaler cloud status and advisories
![Zscaler resources]( "Zscaler resources")
- Company
- About Zscaler How it began, where it’s going
- Leadership Meet our management team
- Investor Relations News, stock information, and quarterly reports
- Compliance Our adherence to rigorous standards
- ESG Our Environmental, Social, and Governance approach
- Events Upcoming opportunities to meet with Zscaler
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Media Center News, blogs, events, photos, logos, and other brand assets
- News and Press Zscaler in the news
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
- Partner Portal Tools and resources for Zscaler partners
- Summit Partner Program Collaborating to ensure customer success
- System Integrators Helping joint customers become cloud-first companies
- Service Providers Delivering an integrated platform of services
- Technology Deep integrations simplify cloud migration
- Partner Inquiry Become a Zscaler partner
![Careet at Zscaler]( "Careet at Zscaler")
Zscaler CareersApply NowJoin a recognized leader in Zero trust to help organization transform securely
-
Zscaler Cloud Platform
Active Defense with MITRE Engage
Everything you need to know about the industry’s leading framework for operationalizing active defense, deception, and adversary engagement.
Background
In the cybersecurity world, MITRE is perhaps best known for ATT&CK, a free knowledge base of adversary tactics and techniques that have been extracted from real-world observations. The framework has gained global adoption. Security teams around the world measure the efficacy of their threat detection programs by their ability to detect techniques documented in MITRE ATT&CK.
However, ATT&CK has largely been a reactive knowledge base—detailing techniques that adversaries are likely to use at a given stage of the attack, and how to detect them. We don’t use the word ‘reactive’ here in a negative sense. There’s no problem with using reactive strategies. If anything, MITRE ATT&CK has created the foundational framework for understanding attack techniques and creating a game plan to deal with them.
However, adding active defense to your security playbook, in addition to reactive strategies, opens up new opportunities for security teams to take action more quickly, effectively, and with greater confidence in high-pressure scenarios such as a breach.
Enter MITRE Shield
MITRE had been using deception-based active defense to defend its network for over a decade. In August 2020, the organization consolidated its techniques into a new knowledge base focused on active defense and launched Shield.
Much like ATT&CK, Shield was also a collection of techniques. But instead of taking an attacker’s view of how networks are penetrated and breached, Shield took the defender’s view of what can be done actively to derisk an environment by planting traps (decoys) and intercepting attacks instead of reacting to adversaries when they’re moving laterally.
By virtue of how Shield was organized (a collection of techniques), it was heavily catered to practitioners. However, technical feedback from the community revealed that security teams needed something that could help them understand, strategize, and plan active defense operations before they could dive head-first into techniques.
Evolving into MITRE Engage
The MITRE team went back to the drawing board and streamlined Shield into a new framework that could help cyber practitioners, leaders, and vendors plan and implement adversary engagement, deception, and denial activities. The new framework is called Engage and was beta launched in Aug 2021.
What has changed?
While MITRE Shield was a technique-heavy and execution-focused framework, Engage adds the much-needed layers of planning and analysis by bookending deception techniques with activities that can help defenders define the scope of their active defense operations and use the threat intelligence gathered to inform threat models and refine deception operations.
The framework is divided into three parts:
- Row 1 - Goals: What do you want to achieve? Do you want to expose adversaries, do you want to misdirect them once they are in your network, or do you want to elicit certain actions so that you can understand their motivations and goals?
- Row 2 - Approaches: What will you do to achieve the goals of your active defense/adversary engagement program? Do you want to detect adversaries or prevent them from moving any further?
- Row 3 onwards - Activities: These are the different options you have under each approach. You can use one or more or combine several to meet the strategic goals defined under the ‘Prepare’ column.
What does this mean for defenders?
You can learn more about how MITRE Engage differs from Shield here, but here’s an overview of how the changes help you:
- Provides the security community with a shared vocabulary that can help standardize the foundational thinking around active defense, deception, and adversary engagement.
- Provides a framework for running end-to-end active defense programs that encompass planning, operations, and analysis.
- Organizes activities under approaches to enable security teams to prioritize active defense techniques based on their maturity level and bandwidth.
Operationalizing MITRE Engage
Most security teams are heavily focused on prevention. More mature teams bend toward threat detection. While MITRE Engage will make it easier for teams to adopt active defense, it can be a little overwhelming at first.
Defenders can pick and choose from the different activities based on their appetite and then grow from there.
A great place to start is building detection capabilities. Threat detection is a difficult problem to solve because of the volume of alerts generated in a typical environment. Even after regular tuning, a quarter of all alerts are false positives.
Taking an active defense approach by using decoys to detect threats solves two problems:
- Easy to get started: While traditional threat detection approaches take months to be fully operational and effective, deception-based threat detection can be operationalized in a matter of days.
- Low false positives: Decoy assets are deployed in a manner that makes them invisible to the legitimate user. Any interaction with a decoy, therefore, is a high confidence indicator of a breach. Security teams can prioritize deception alerts to begin investigation and trigger orchestration.
Deception provides a variety of approaches for threat detection. Here are a few:
- Perimeter deception: Internet-facing decoys that heuristically detect pre-breach threats that are specifically targeting your organization.
- Application deception: Server system decoys that host services like SSH servers, databases, file shares, and more.
- Endpoint deception: A minefield for your endpoints. Includes decoy files, decoy credentials, decoy processes, etc.
- Active Directory deception: Fake users in active directory that detect enumeration activity and malicious access.
- Cloud deception: Decoys web servers, databases, file servers, etc. that detect lateral movement in your cloud environments.
- Email deception: Email decoys that intercept attackers attempting to mount social engineering or spear-phishing attacks.
Zscaler Deception delivers 99% of the capabilities covered in MITRE Engage. If you want to get started with deception, augment your threat detection program, or fully operationalize MITRE Engage, download this white paper to learn how you can use Zscaler Deception to implement all the active defense activities without doing any manual work.
We’re also hosting a webinar with, Dr. Stanley Barr, MITRE’s capability area lead for cyber denial, deception, and adversary engagement, and Bill Hill, CISO, MITRE where we’ll address the following questions:
- What are cyber deception and adversary engagement?
- What is MITRE Engage?
- How does deception fit into a zero-trust architecture?
- How do you integrate deception into your security toolkit?
- What does deception look like in action?
If you want to learn more about active defense, deception, and adversary engagement from the folks who invented the framework, this webinar is a great place to do so. Register here.
Get the latest Zscaler blog updates in your inbox
Subscription confirmed. More of the latest from Zscaler, coming your way soon!
By submitting the form, you are agreeing to our privacy policy.