Using Attack Simulations to Improve Visibility with Endpoint Security
ATT&CK Evaluations Show How Secure Endpoints Protect Against Advanced Threats
How do you know if your endpoint security is actually effective at mitigating threats?
One of the best ways to assess the efficacy of endpoint security technology is by using the MITRE Engenuity ATT&CK Evaluations, which simulate techniques used by threat actors against enterprise cybersecurity products. Twenty-nine vendors, including Cisco, participated in the third round of ATT&CK Evaluations, which was released on April 20.
The latest ATT&CK Evaluations simulated the activities of the notorious FIN7 and Carbanak threat groups, which are responsible for the theft of over $1 billion in the last five years. The attack techniques leveraged by FIN7 and Carbanak are very sophisticated and not easily detected, which is why the two groups have been successful.
Using ATT&CK Evaluations to test endpoint security against those attack vectors allows security vendors to see how well their platforms perform against simulated attacks. It also provides vendors with insights they can use to optimize their technologies and further improve security outcomes. The evaluations also help users of an endpoint security platform feel confident about its protection capabilities.
How Endpoint Security Is Evaluated
The ATT&CK Evaluations are not an abstract assessment in which different technologies are simply ranked based on listed features in a diagram.
They follow a robust emulation and testing methodology that checks to see if a given technology passes a set of challenging tests. Passing the tests indicates success in terms of protection. The third-round evaluations included 174 tests, based on real-world activities from FIN7 and Carbanak.
Since focusing on detection of one particular threat isn't enough, the ATT&CK Evaluations assess attacker techniques and whether a platform provides visibility and protection against each of them.
For example, both FIN7 and Carbanak make extensive use of lateral movement across a network. Among the participating vendors, Cisco Secure Endpoint scored well in its ability to see the techniques that FIN7 and Carbanak used to gain access, escalate privileges and execute actions.
For endpoint security to be truly effective against advanced adversaries, full visibility is critical. The earlier in the attack kill chain an incident can be prevented, the better the outcome for the customer.
Beyond Visibility - Evaluating the Ability to Stop Attacks
The ATT&CK Evaluations also revealed how complex detection and response can become when visibility isn't properly optimized. Being able to see everything can generate a large number of alerts, but that doesn't automatically stop attacks. It just means there are more alerts to sift through.
In some cases, products in the third round of evaluations generated more than 20,000 events from just one test on one endpoint, which is unmanageable. In a production environment with thousands of endpoints, that would translate into millions of events, and the detection rule responsible would be disabled immediately.
What really matters to organizations is the ability to stop an attack from happening. Given the time and resource constraints that most organizations have today, it's important that endpoint security doesn't add more time, but rather helps to optimize time usage.
Getting a high score on the ATT&CK Evaluations demonstrates capabilities, but there are nuances to consider beyond the score itself. Being able to block threats with less human intervention and fewer false positives, and to reduce the complexity of managing endpoint security, are all critically important. So is usability. If you can't use a tool, it doesn't matter how well-rated it is.
Evaluating endpoint security is also about more than just the endpoint.
Endpoint security today is no longer an isolated silo. It is a critical control point for broader security efforts such as SASE, zero trust and XDR, as well as for remote work. Endpoints are the "last mile": they provide visibility right down to where code actually executes on a system.
When evaluating endpoint security, a platform that works well with SASE, zero trust and XDR will deliver not just more secure endpoints, but a more secure enterprise as well.