When you’re looking at protecting your company, choosing the right EDR platform is difficult for many reasons. One of these is that you don’t always know where to find the hard facts: with EDR platforms competing against one another, analyses and ratings aren’t always black and white. However, there is one company who is able to tell it like it is with each and every EDR platform they rate — and that’s MITRE.
MITRE is a leading authority of advanced technology and the threats that lie just beyond that sphere. As a not-for-profit company, their guidance has aided the federal government in technical and engineering decisions, from developing the first large-scale computer to now testing cybersecurity solutions with transparency and fairness — telling you exactly what works about each solution and how good it’ll be at protecting you.
Choosing the right EDR platform is difficult for any user, because many of them do the job well, but competitive analysis and other factors get in the way of the simple truth. That’s why MITRE developed the ATT&CK evaluation. ATT&CK is designed to measure a platform’s ability to address known adversary behavior — in other words, to detect and react to cyber threats. They’re always coming up with new methodologies and types of evaluation to identify which tools are capable of keeping you safe: but the best part is, this is not a competitive evaluation. There’s no rating or score that compares each product with the others — it’s just the facts about each one’s performance, and by simulating real-world threats with each platform, ATT&CK results are able to show you which platforms are best for you and your company.
MITRE ATT&CK EDR Leaders for 2020
In every ATT&CK evaluation, the measured results include Detection Count (the total number of detections raised across the test), Analytic Coverage (how often a detection provided additional context, such as the threat technique), Telemetry Coverage (how often detections occurred with minimal processing), and Visibility (how often a detection of any kind was made). You can find out more about the 2020 evaluation and the process behind this testing among the MITRE participants for Carbanak+FIN7. The leaders in the 2020 evaluations include SentinelOne, CrowdStrike, and Microsoft, and while each one has proven its effectiveness against advanced threats, there are differences between them — including that only one of the MITRE ATT&CK results showed no missed detections.
Of all the participants that were evaluated in the MITRE ATT&CK results for the 2020 advanced threat detection, there was only one that achieved 100% in terms of Visibility. That EDR platform was SentinelOne’s Singularity, and many of the substeps where detections were made had been detected with telemetry, meaning that very little processing was needed to perform these detections. With the lessons learned from MITRE in previous years, it’s clear that SentinelOne has the ability to act on and improve weaknesses — and with 2020 proving this platform’s leadership in cybersecurity, that remains the case.
CrowdStrike came closest to SentinelOne in Telemetry Coverage and Visibility, but with Analytic Coverage very far behind (less than half of the detected substeps produced threat context), it is less useful for characterizing what kind of threat was detected. However, it’s still high in Visibility, meaning that CrowdStrike was able to identify about 87% of the threats present in the evaluation.
While its Visibility wasn’t as high as CrowdStrike’s (by about one percent), Microsoft is a software giant that knows its way around threat detection, and to prove that, Microsoft’s evaluation resulted in a higher Detection Count than either of the other EDR leaders, finding or announcing a threat over 350 times during the entire test. With a significantly higher Analytic Coverage than CrowdStrike, Microsoft’s overall performance was a lot closer to that of SentinelOne — despite the 86% measure of Visibility.
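To make the four metrics defined above concrete, here is an added example (not from the original article or from MITRE) that recomputes Detection Count, Analytic Coverage, Telemetry Coverage and Visibility from per-substep detection results. It assumes the detection category names used in the public Carbanak+FIN7 results (None, Telemetry, General, Tactic, Technique; modifiers such as Delayed are ignored), and the CSV export format and substep identifiers are constructed for the example, not an actual vendor's results.

```python
"""Recompute ATT&CK Evaluation-style metrics from per-substep detection results.

Added example: the category names follow MITRE's public Carbanak+FIN7 results
(assumption), while the CSV layout and the sample substep data are constructed.
"""
import csv
import io

TELEMETRY = "Telemetry"
# Detection categories that carry context beyond raw telemetry.
ANALYTIC_CATEGORIES = {"General", "Tactic", "Technique"}

# Constructed sample export: one row per detection, "None" marks an evaluated
# substep with no detection at all. Two rows for the same substep are two
# detections on that substep (they raise Detection Count, not Visibility).
SAMPLE_CSV = """substep,detection_category
1.A.1,Telemetry
1.A.1,Technique
1.A.2,Telemetry
1.A.3,None
1.B.1,Tactic
1.B.2,Telemetry
1.B.2,General
1.B.2,Technique
2.A.1,None
2.A.2,Telemetry
2.A.2,Telemetry
2.B.1,Technique
"""


def parse_results(csv_text):
    """Return {substep: [detection categories]} from the constructed CSV layout."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        substep = row["substep"].strip()
        category = row["detection_category"].strip()
        results.setdefault(substep, [])
        if category != "None":  # "None" only registers the substep as evaluated
            results[substep].append(category)
    return results


def compute_metrics(results):
    """Compute the four evaluation metrics the article describes.

    Visibility: share of substeps with at least one detection of any kind.
    Analytic Coverage: share of substeps with a General/Tactic/Technique detection.
    Telemetry Coverage: share of substeps with a Telemetry detection.
    Detection Count: total number of detections, counting several per substep.
    """
    total = len(results)
    if total == 0:
        return {"substeps": 0, "detection_count": 0, "visibility_pct": 0.0,
                "analytic_coverage_pct": 0.0, "telemetry_coverage_pct": 0.0,
                "missed_substeps": []}
    detection_count = 0
    visible = analytic = telemetry = 0
    missed = []
    for substep, categories in results.items():
        detection_count += len(categories)
        if categories:
            visible += 1
        else:
            missed.append(substep)
        if any(c in ANALYTIC_CATEGORIES for c in categories):
            analytic += 1
        if TELEMETRY in categories:
            telemetry += 1
    pct = lambda n: round(100.0 * n / total, 1)
    return {
        "substeps": total,
        "detection_count": detection_count,
        "visibility_pct": pct(visible),
        "analytic_coverage_pct": pct(analytic),
        "telemetry_coverage_pct": pct(telemetry),
        # Missed substeps are what a defender should triage first: they are the
        # gaps where neither telemetry nor an analytic fired.
        "missed_substeps": sorted(missed),
    }


if __name__ == "__main__":
    for key, value in compute_metrics(parse_results(SAMPLE_CSV)).items():
        print(f"{key}: {value}")
```

Note that Detection Count can exceed the number of substeps (several detections on one substep), which is why a high count on its own says less about coverage than Visibility does; the `missed_substeps` list is the part of the output worth reading first when comparing platforms or reviewing your own deployment.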
A Framework For More Than Compliance
Between the visibility of threats, the use of analytics to further identify those threats, and the way that threat detection can be automated or performed with little to no configuration, EDR platforms have a lot of factors to consider in terms of evaluation. That’s also what makes them hard to choose from, even though these same facts help you find what’s right for you. You may be looking for a platform that has a higher Analytic Coverage, or one that detects all tested threats. Whatever the case, these metrics from the MITRE ATT&CK framework are there to help you make that choice, despite how complicated they can often seem to users.
But there are other parts of the MITRE ATT&CK framework that can be used to improve other areas of cybersecurity. More than just compliance and reaction to threats that appear, you can adopt the MITRE ATT&CK framework to inform what parts of your own cybersecurity defense plan need the most attention overall. You can take on the performance stats of whichever platform you’re using and let those inform your approach to threat detection and response, including how you analyze and identify threat behaviors, how you automate detection, and how you flag these potential threats for your network and users.
More than that, though, MITRE and the ATT&CK evaluations have another use: they serve as a public, open-source tool to gather the latest intelligence on cyber threats of all kinds. By staying abreast of possible issues in a landscape of continuous updates, you’ll be giving yourself and your company the best possible solution to threat detection — rather than simply relying on the responsive detection abilities of the platform you have in place. You’ll be keeping yourself protected by staying informed, as well as by using an EDR solution you’ve determined is right for you.