Understanding the MITRE ATT&CK Framework and Evaluations – Part 2

Capture Client delivers capabilities that are underscored by the ATT&CK framework. Here’s how CISOs can leverage these capabilities to define and implement their security strategy.

(Note: In Part 1, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check it out here if you haven’t already.)

With attacks rising almost across the board, ensuring your security posture is up to date has never been more critical. But as a CISO, navigating through various cybersecurity vendors’ positions can be a real challenge. How can you know that you’re actually getting what you’re paying for? Here are a few critical pointers:

  • Be wary of excessive misses, delays and config changes: Vendors that have lots of delays are getting credit for detections using means typically outside of the tool’s normal workflow — which means your people will have to do the same thing. Vendors with lots of config changes felt the need to modify their detection capabilities in the middle of the test. Try to understand whether these changes are understandable or if the test was being gamed.
  • Be wary of high Telemetry numbers and low Techniques numbers: Vendors that trumpet their big Telemetry numbers without many Techniques have a tool that does not automate the correlation of events. This means your people will have to do it manually or that there may be significant delays and inaccuracy in connecting the dots. Delays here lead to delays in response, and that leads to more risk.
  • Be wary of vendors that invent their own scoring systems: We’ve seen many vendors obfuscating poor results with statistics and numbers that make them look good but are complete nonsense. Stats like “Context per alert” and “100% Detection” (when a closer look shows there clearly were missed detections) are silly. Read the fine print.

Capture Client and the MITRE ATT&CK Framework

SonicWall’s Capture Client is powered by SentinelOne, which delivers best-in-class autonomous endpoint protection with next-gen antivirus, EDR (endpoint detection and response), and Deep Visibility. SentinelOne has been a participant in the MITRE ATT&CK Evaluations since 2018 and was a top performer in the 2022 Evaluations (emulating Wizard Spider and Sandworm threat groups). Here is a quick summary of how SentinelOne leads in protection against the attacks better than any other vendor.

  1. Autonomous Protection Instantly Stops and Remediates Attacks
    Security teams demand technology that matches the rapid pace at which adversaries operate. MITRE Protection determines the vendor’s ability to rapidly analyze detections and execute automated remediation to protect systems.
    Delivered 100% Protection: (9 of 9 MITRE ATT&CK tests)
    Source: www.sentinelone.com
  2. The Most Useful Detections are Analytic Detections
    Analytic detections are contextual detections that are built from a broader data set and are a combination of technique plus tactic detections.
    Delivered 100% Detection: (19 of 19 attack steps)
    Delivered 99% – Highest Analytic Coverage: (108 of 109 detections)
    Source: www.sentinelone.com
  3. Detection Delays Undermine Cybersecurity Effectiveness
    Time plays a critical factor whether you’re detecting or neutralizing an attack. Organizations that want to reduce exposure need to have real-time detections and automated remediation as part of their security program.
    Delivered 100% Real-time (0 Delays)

    Source: www.sentinelone.com
  4. Visibility Ensures That No Threats Go Undetected
    Visibility is the building block of EDR and is a core metric across MITRE Engenuity results. In order to understand what’s going on in the enterprise as well as accurately threat hunt, cybersecurity technology needs to create a visibility aperture. The data needs to be accurate and provide an end-to-end view of what happened, where it happened, and who did the happening regardless of device connectivity or type.

Conclusion

The MITRE Engenuity ATT&CK Evaluations continue to push the security industry forward, bringing much-needed visibility and independent testing to the EDR space. As a security leader or practitioner, it’s important to move beyond just the numbers game to look holistically at which vendors can provide high visibility and high-quality detections while reducing the burden on your security team. CISOs will find these product-centric tenets to be compatible with the spirit of MITRE Engenuity’s objectives:

  1. EDR Visibility and Coverage Are Table Stakes: The foundation of a superior EDR solution lies in its ability to consume and correlate data economically and at scale by harnessing the power of the cloud. Every piece of pertinent data should be captured — with few to no misses — to provide breadth of visibility for the SecOps team. Data, specifically capturing all events, is the building block of EDR and should be considered table stakes and a key MITRE Engenuity metric.
  2. Machine-Built Context and Correlation Is Indispensable: Correlation is the process of building relationships among atomic data points. Preferably, correlation is performed by machines and at machine speed, so an analyst doesn’t have to waste precious time manually stitching data together. Furthermore, this correlation should be accessible in its original context for long periods of time in case it’s needed.
  3. Console Alert Consolidation Is Critical: “More signal, less noise” is a challenge for the SOC and modern IR teams who face information overload. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, ensure that the solution automatically groups data points into consolidated alerts. Ideally, a solution can correlate related activity into unified alerts to provide campaign-level insight. This reduces manual effort, helps with alert fatigue and significantly lowers the skillset barrier of responding to alerts. All of this leads to better outcomes for the SOC in the form of shorter containment times and an overall reduction in response times.

For a first-hand look at how Capture Client delivers best-in-class protection and detection, click here for a free trial.

Suroop Chandran
Senior Product Manager | SonicWall
Suroop leads product management for the SonicWall Capture Client and SonicWall Web Application Firewall products and is the subject matter expert on reporting, alerting and dashboarding for the SonicWall Capture Security Center. With over 12 years of cybersecurity experience, Suroop has played multiple roles from being a security analyst in a SOC to building SOCs for Fortune 500 companies, to helping regional and global MSSPs develop their own SOC services.
0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply