(Note: In Part 1, we explained the MITRE ATT&CK framework and how security products are evaluated for detection efficacy and efficiency. Check it out here if you haven’t already.)
With attacks rising almost across the board, ensuring your security posture is up to date has never been more critical. But as a CISO, navigating through various cybersecurity vendors’ positions can be a real challenge. How can you know that you’re actually getting what you’re paying for? Here are a few critical pointers:
- Be wary of excessive misses, delays and config changes: Vendors that have lots of delays are getting credit for detections using means typically outside of the tool’s normal workflow — which means your people will have to do the same thing. Vendors with lots of config changes felt the need to modify their detection capabilities in the middle of the test. Try to understand whether these changes are understandable or if the test was being gamed.
- Be wary of high Telemetry numbers and low Techniques numbers: Vendors that trumpet their big Telemetry numbers without many Techniques have a tool that does not automate the correlation of events. This means your people will have to do it manually or that there may be significant delays and inaccuracy in connecting the dots. Delays here lead to delays in response, and that leads to more risk.
- Be wary of vendors that invent their own scoring systems: We’ve seen many vendors obfuscating poor results with statistics and numbers that make them look good but are complete nonsense. Stats like “Context per alert” and “100% Detection” (when a closer look shows there clearly were missed detections) are silly. Read the fine print.
Capture Client and the MITRE ATT&CK Framework
SonicWall’s Capture Client is powered by SentinelOne, which delivers best-in-class autonomous endpoint protection with next-gen antivirus, EDR (endpoint detection and response), and Deep Visibility. SentinelOne has been a participant in the MITRE ATT&CK Evaluations since 2018 and was a top performer in the 2022 Evaluations (emulating Wizard Spider and Sandworm threat groups). Here is a quick summary of how SentinelOne leads in protection against the attacks better than any other vendor.
- Autonomous Protection Instantly Stops and Remediates Attacks
Security teams demand technology that matches the rapid pace at which adversaries operate. MITRE Protection determines the vendor’s ability to rapidly analyze detections and execute automated remediation to protect systems.
Delivered 100% Protection: (9 of 9 MITRE ATT&CK tests)
- The Most Useful Detections are Analytic Detections
Analytic detections are contextual detections that are built from a broader data set and are a combination of technique plus tactic detections.
Delivered 100% Detection: (19 of 19 attack steps)
- Detection Delays Undermine Cybersecurity Effectiveness
Time plays a critical factor whether you’re detecting or neutralizing an attack. Organizations that want to reduce exposure need to have real-time detections and automated remediation as part of their security program.
Delivered 100% Real-time (0 Delays)
- Visibility Ensures That No Threats Go Undetected
Visibility is the building block of EDR and is a core metric across MITRE Engenuity results. In order to understand what’s going on in the enterprise as well as accurately threat hunt, cybersecurity technology needs to create a visibility aperture. The data needs to be accurate and provide an end-to-end view of what happened, where it happened, and who did the happening regardless of device connectivity or type.
The MITRE Engenuity ATT&CK Evaluations continue to push the security industry forward, bringing much-needed visibility and independent testing to the EDR space. As a security leader or practitioner, it’s important to move beyond just the numbers game to look holistically at which vendors can provide high visibility and high-quality detections while reducing the burden on your security team. CISOs will find these product-centric tenets to be compatible with the spirit of MITRE Engenuity’s objectives:
- EDR Visibility and Coverage Are Table Stakes: The foundation of a superior EDR solution lies in its ability to consume and correlate data economically and at scale by harnessing the power of the cloud. Every piece of pertinent data should be captured — with few to no misses — to provide breadth of visibility for the SecOps team. Data, specifically capturing all events, is the building block of EDR and should be considered table stakes and a key MITRE Engenuity metric.
- Machine-Built Context and Correlation Is Indispensable: Correlation is the process of building relationships among atomic data points. Preferably, correlation is performed by machines and at machine speed, so an analyst doesn’t have to waste precious time manually stitching data together. Furthermore, this correlation should be accessible in its original context for long periods of time in case it’s needed.
- Console Alert Consolidation Is Critical: “More signal, less noise” is a challenge for the SOC and modern IR teams who face information overload. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, ensure that the solution automatically groups data points into consolidated alerts. Ideally, a solution can correlate related activity into unified alerts to provide campaign-level insight. This reduces manual effort, helps with alert fatigue and significantly lowers the skillset barrier of responding to alerts. All of this leads to better outcomes for the SOC in the form of shorter containment times and an overall reduction in response times.
For a first-hand look at how Capture Client delivers best-in-class protection and detection, click here for a free trial.