The highly anticipated results of MITRE Engenuity’s ATT&CK R3 Evaluations are now available. The third round of evaluations tested 29 Endpoint Detection & Response products against emulated FIN7 and Carbanak threat tactics and techniques. Together these threat actors are responsible for the theft of more than $1 billion from financial services and hospitality businesses over the past five years. Smart organizations are actively adopting the MITRE ATT&CK framework to better understand their cyber risk posture and the critical capabilities needed for comprehensive cyberthreat detection.
OpenText EnCase Endpoint Security performed perfectly in the top tier with 100% detection across the following tactics: execution, persistence, lateral movement and exfiltration. The third round of ATT&CK Evaluations included 20 steps covering 10 ATT&CK tactics from initial access to exfiltration. The ability to effectively detect persistence techniques enables organizations to identify how adversaries are attempting to keep their foothold on systems across interruption events, such as reboots or credential changes, that could otherwise cut off their access mid-attack.
“The MITRE Engenuity ATT&CK Evaluations are invaluable in providing the objective insights customers require to choose the right solution for their specific needs. For organizations requiring EDR to provide not just rapid detection, but also empower rapid response, EnCase Endpoint Security leads the pack.” Anthony Di Bello, VP, Strategic Development
Visibility into threats
The increase in frequency of attacks has accelerated the need for EDR solutions to provide artifact-level detail and full visibility. OpenText EnCase Endpoint Security produces more artifact-level detail on average when compared to many of the products tested. Having 360° visibility into the attack reduces the risk of attackers going undetected. Endpoint telemetry helps provide a more complete picture of an attack; without it, security teams may lack awareness of when and how they are being compromised. Leading EDR solutions can use telemetry detection to accelerate incident response by giving security teams the power to detect and act swiftly.
98% of OpenText EnCase Endpoint Security detections included a telemetry detection.
Not only is the ability to detect a threat important, but the way in which these detections are presented is a key factor when evaluating EDR providers. MITRE Engenuity includes screenshots of results for every step and sub step and offers a helpful vendor comparison tool.
Security teams don’t always have the capacity to manually detect, monitor and defend against the latest cyber threats in the time required. There can also be delays when EDR providers rely on collecting telemetry into a central location for analysis, as opposed to having an active agent on the endpoint. Performing detections directly on the endpoint reduces the time it takes to identify a threat. OpenText EnCase Endpoint Security recorded more than 99% of the detections in real-time. When a breach occurs and time is of the essence, EDR software must detect threats in real-time and present notifications in an easy-to-read interface for the fastest response.
Example of a telemetry hit
The same telemetry hit in OpenText EnCase Endpoint Security
It is important to note that these evaluations restricted the use of managed service teams to detect threats. This exclusion highlights the difference between vendors that rely heavily on teams of people to detect threats compared to those providers that use active agents on the endpoint and have it built into their technology.
Configuration and Flexibility
The increase in sophisticated attacks means that configuration changes, or detection rule updates, are often required on the fly. During the ATT&CK Evaluation configuration changes were allowed, and OpenText detection engineering delivered more than 50 new rules overnight. OpenText increased its efficacy over the course of the evaluation more than any other vendor by leveraging the flexibility and power of EnCase Endpoint Security. Users can add new rules, update configurations, and add data sources to handle the latest attack tactics and techniques through a simple-to-use rule-builder interface. EnCase Endpoint Security enables customers to easily configure and adapt it for their own requirements.
Following the ATT&CK Evaluations, the updated configuration changes were added into the next release cycle. The latest release of OpenText EnCase Endpoint Security CE 21.2 continues to build upon these learnings and includes additional upgrades and configurations. As one example of improvement, after running the latest release through the evaluation criteria again we saw nearly a 100% improvement in Discovery-phase detection.
Author: Alexis Robbins, Senior Product Marketing Manager