Cutting through the noise: what the MITRE ATT&CK evaluation reveals about SentinelOne’s Managed Security Services
Søren Høeberg Holm
Cyber Security, XDR, EDR, MDR, Cloud Security, SIEM-Datalake // Cloud is not a destination -> It's part of your future tool box
MITRE Engenuity ATT&CK Evaluations are a crucial way to put the world’s leading Managed Security Service providers through their paces by testing them against the most sophisticated current threats.
So, what does their recent evaluation reveal about SentinelOne’s security platform?
As we’ll see in this newsletter, cyber defenders must look carefully at performance in these evaluations.
It’s important to see beyond simple metrics like Mean-Time-To-Detect (MTTD) and Alert Volume to understand what makes an MDR truly effective.
Facing the most serious threats in today’s landscape
In each MITRE Engenuity ATT&CK® evaluation, a Managed Security Service (MSS) provider is pitted against some of the most challenging threats.
These include OilRig, menuPass and ALPHV BlackCat, among others.
Each evaluation gives a detailed breakdown of performance with key metrics like Mean-Time-To-Detect (MTTD), Alert Volume (Console Alerts + Email Alerts), Detections (and their Actionability), and the Enrichment of Reports.
In the most recent evaluation, SentinelOne achieved:
But what does this mean, and how does this compare to a genuine attack situation?
Understanding the real-world implications
Organizations today are facing a growing volume of highly sophisticated threats, including well-funded state-sponsored groups.
Defending from these is a 24/7 activity, so many turn to professional Managed Security Service (MSS) and Managed Detection and Response (MDR) services to protect their digital assets.
It’s essential that a cybersecurity platform can provide full visibility and detect threats as quickly as possible.
But this must also be balanced against the need to reduce the excess noise of non-priority alerts that can lead to alert fatigue.
Simulated attacks vs. the real thing
Evaluations like the MITRE Engenuity ATT&CK® are very valuable, as these can give a clear picture of how a platform performs under a simulated attack scenario.
However, when interpreting these metrics, context is everything.
A simulated attack isn’t the same thing as a real-life situation. For example, a generally positive metric like a high alert volume doesn’t necessarily indicate effectiveness in a genuine attack scenario.
Instead, metrics like Noise-to-Signal ratio and Atomic detections vs. Correlated detections matter much more in real-life situations.
These help to show when a cybersecurity platform can correctly prioritize serious threats over those that have little impact, if any.
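As an added example (not code from the newsletter or from SentinelOne), the following script shows how the metrics named above can be computed over a constructed set of atomic endpoint alerts, and why correlating those alerts into incidents changes what an analyst sees first. The hosts, timestamps, technique IDs, the benign/malicious ground truth and the simple correlation heuristic (same host, or a new host right after a lateral-movement alert, inside a ten-minute window) are all assumptions made for the exercise.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    technique: str  # ATT&CK technique ID raised by the sensor
    benign: bool    # ground truth; known only because this sample is constructed


@dataclass
class Incident:
    alerts: list
    hosts: set = field(default_factory=set)

    @property
    def techniques(self):
        return {a.technique for a in self.alerts}

    @property
    def start(self):
        return self.alerts[0].ts

    @property
    def score(self):
        # More distinct techniques and more hosts means the activity is
        # further along the kill chain, so it ranks higher in the queue.
        return len(self.techniques) * 10 + len(self.hosts)


# Constructed sample: one multi-stage intrusion plus scattered benign admin activity.
ATTACK_START = datetime(2024, 5, 1, 9, 0)


def t(**kw):
    return ATTACK_START + timedelta(**kw)


ALERTS = [
    Alert(t(minutes=3), "ws-17", "T1059.001", False),   # PowerShell on the beachhead
    Alert(t(minutes=4), "ws-17", "T1003.001", False),   # LSASS credential access
    Alert(t(minutes=6), "ws-17", "T1021.002", False),   # SMB lateral movement out
    Alert(t(minutes=7), "srv-02", "T1021.002", False),  # ... landing on a server
    Alert(t(minutes=9), "srv-02", "T1486", False),      # encryption begins
    Alert(t(minutes=15), "ws-03", "T1059.001", True),   # admin maintenance script
    Alert(t(hours=2), "ws-09", "T1059.001", True),      # another admin script
    Alert(t(hours=2, minutes=5), "ws-09", "T1059.001", True),
    Alert(t(hours=5), "srv-02", "T1021.002", True),     # scheduled file share sync
]


def alert_volume(alerts):
    """The headline metric: every atomic alert counts, noise included."""
    return len(alerts)


def mttd(alerts, attack_start):
    """Mean-Time-To-Detect: first true-positive alert relative to attack start."""
    first = min(a.ts for a in alerts if not a.benign)
    return first - attack_start


def noise_to_signal(alerts):
    """Benign alerts per malicious alert at the atomic level."""
    benign = sum(a.benign for a in alerts)
    return benign / (len(alerts) - benign)


def correlate(alerts, window=timedelta(minutes=10)):
    """Fold atomic alerts into incidents (simplified heuristic, an assumption)."""
    incidents = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for inc in incidents:
            last = inc.alerts[-1]
            if a.ts - last.ts > window:
                continue
            # Same host, or a new host appearing right after a lateral-movement
            # alert (T1021.*), is treated as the same chain of activity.
            if a.host in inc.hosts or last.technique.startswith("T1021"):
                inc.alerts.append(a)
                inc.hosts.add(a.host)
                break
        else:
            incidents.append(Incident([a], {a.host}))
    return incidents


def triage_queue(incidents):
    """What the analyst sees: highest-scoring (multi-stage) incidents first."""
    return sorted(incidents, key=lambda i: (-i.score, i.start))


if __name__ == "__main__":
    print("alert volume   :", alert_volume(ALERTS))
    print("MTTD           :", mttd(ALERTS, ATTACK_START))
    print("noise-to-signal:", noise_to_signal(ALERTS))
    for inc in triage_queue(correlate(ALERTS)):
        print(f"score={inc.score:3d} hosts={sorted(inc.hosts)} "
              f"techniques={sorted(inc.techniques)} alerts={len(inc.alerts)}")
```

Run as-is, the nine atomic alerts collapse into four incidents, and the one incident that chains execution, credential access, lateral movement and encryption across two hosts lands at the top of the queue while the three single-technique benign incidents sit below it. The alert volume and the atomic noise-to-signal ratio say nothing about that ordering, which is the point the section above makes.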
Facing state-sponsored attacks
This year’s evaluation demonstrated the critical importance of speed, visibility, and reduced noise when dealing with the most serious of threats.
SentinelOne’s Singularity Platform and Vigilance MDR + DFIR services were pitted against a simulated attack from menuPass (G0045) and an ALPHV/BlackCat ransomware affiliate.
These groups are some of the most prolific state-sponsored attackers, carrying out exfiltration and ransomware attacks that target intellectual property and critical business infrastructure.
ALPHV/BlackCat, in particular, is a serious ransomware threat that can show remarkable flexibility and cross-platform attack capabilities.
So, when you’re facing threats like these, you can’t afford to be distracted.
Reducing the noise
Security teams routinely deal with more than 1000 alerts or incidents each day. This kind of volume is too much, and more than half of these alerts go uninvestigated.
Security teams need visibility, but too much leads to information paralysis and alert fatigue – potentially giving attackers enough time to gain persistence and cause damage.
So, how does SentinelOne work to empower cyber defenders with the right threat intelligence?
100% visibility isn’t always a good thing. When you’re facing thousands of alerts or incidents, you only want to be able to see the things that really matter.
For this reason, SentinelOne uses automation and AI to ensure that information is filtered and contextualized before it lands in front of your security team.
By combining machine and human intelligence, MDR ensures 24/7 detection, investigation, and mitigation. Each incident is documented with its scope and impact and comes with recommended next steps for the customer.
This ensures that only the most critical incidents are escalated for attention, and analysts can stay focused on true priorities.
Using this approach, SentinelOne’s MDR team fully resolves more than 99% of all threats without requiring an escalation to the customer.
Staying ahead in the cybersecurity arms race
Our approach at SentinelOne is always to prioritize protection from real-world threats. Instead of striving to attain the highest volume of alerts or maximum visibility, our AI-powered Singularity Platform gives our global team of MDR analysts the power to cut through excess noise.
It means that cyber defenders can take the most impactful mitigation actions and prevent attacks.
This combination of machine and human intelligence is also what gives us the edge in MITRE Engenuity ATT&CK® evaluations of real-world scenarios.
These evaluations are critical for organizations to assess whether an MSS or MDR provider can meet their needs by autonomously detecting and preventing threats and achieving total protection of their digital assets.
For this reason, we recommend taking unbiased, third-party evaluations like MITRE Engenuity ATT&CK® very seriously. These can help an organization determine which provider is the best fit for them.
See the full details of SentinelOne’s performance in MITRE Engenuity ATT&CK® evaluations here.
At SentinelOne, we constantly monitor the latest trends and tactics, so we can keep one step ahead and keep your critical systems running. Our platform uses its own dedicated AI to hunt for threats and to detect attacks using advanced behavioural analysis. Want to know more? Feel free to book a meeting in my agenda!