Capture Client delivers capabilities that are underscored by the ATT&CK framework. Here’s how CISOs can leverage these capabilities to define and implement their security strategy.
With attacks rising almost across the board, ensuring your security posture is up to date has never been more critical. But as a CISO, navigating through various cybersecurity vendors’ positions can be a real challenge. How can you know that you’re actually getting what you’re paying for? Here are a few critical pointers:
Be wary of excessive misses, delays and config changes: Vendors that have lots of delays are getting credit for detections using means typically outside of the tool’s normal workflow — which means your people will have to do the same thing. Vendors with lots of config changes felt the need to modify their detection capabilities in the middle of the test. Try to understand whether these changes are understandable or if the test was being gamed.
Be wary of high Telemetry numbers and low Techniques numbers: Vendors that trumpet their big Telemetry numbers without many Techniques have a tool that does not automate the correlation of events. This means your people will have to do it manually or that there may be significant delays and inaccuracy in connecting the dots. Delays here lead to delays in response, and that leads to more risk.
Be wary of vendors that invent their own scoring systems: We’ve seen many vendors obfuscating poor results with statistics and numbers that make them look good but are complete nonsense. Stats like “Context per alert” and “100% Detection” (when a closer look shows there clearly were missed detections) are silly. Read the fine print.
Capture Client and the MITRE ATT&CK Framework
SonicWall’s Capture Client is powered by SentinelOne, which delivers best-in-class autonomous endpoint protection with next-gen antivirus, EDR (endpoint detection and response), and Deep Visibility. SentinelOne has been a participant in the MITRE ATT&CK Evaluations since 2018 and was a top performer in the 2022 Evaluations (emulating Wizard Spider and Sandworm threat groups). Here is a quick summary of how SentinelOne leads in protection against the attacks better than any other vendor.
Autonomous Protection Instantly Stops and Remediates Attacks
Security teams demand technology that matches the rapid pace at which adversaries operate. MITRE Protection determines the vendor’s ability to rapidly analyze detections and execute automated remediation to protect systems.
The Most Useful Detections are Analytic Detections
Analytic detections are contextual detections that are built from a broader data set and are a combination of technique plus tactic detections.
Detection Delays Undermine Cybersecurity Effectiveness
Time plays a critical factor whether you’re detecting or neutralizing an attack. Organizations that want to reduce exposure need to have real-time detections and automated remediation as part of their security program.
Visibility Ensures That No Threats Go Undetected
Visibility is the building block of EDR and is a core metric across MITRE Engenuity results. In order to understand what’s going on in the enterprise as well as accurately threat hunt, cybersecurity technology needs to create a visibility aperture. The data needs to be accurate and provide an end-to-end view of what happened, where it happened, and who did the happening regardless of device connectivity or type.
Conclusion
The MITRE Engenuity ATT&CK Evaluations continue to push the security industry forward, bringing much-needed visibility and independent testing to the EDR space. As a security leader or practitioner, it’s important to move beyond just the numbers game to look holistically at which vendors can provide high visibility and high-quality detections while reducing the burden on your security team.
Para el ver artículo original: https://blog.sonicwall.com/en-us/2022/05/understanding-the-mitre-attck-framework-and-evaluations-part-2/
Últimos Artículos
