
MITRE ATT&CK Evaluation Demonstrates the Power of the VMware Carbon Black Cloud

MITRE has released the results for its latest endpoint detection and response (EDR) product evaluation using its now industry-standard open methodology, the ATT&CK® framework.

This year’s results further demonstrate why VMware Carbon Black, now a two-time participant, is a top choice of security and IT professionals. They show how customers can detect sophisticated nation-state attacks quickly, with industry-leading analytics that enable rapid response.

The VMware Carbon Black Cloud clearly demonstrated the capabilities our customers need:

  • Essential visibility into each stage of the attack as it unfolds
  • Automated context in the console to speed analyst conclusions and response
  • Correlation of Red Team tactics and techniques every step of the way, making it easy to understand attacker impact
  • Zero configuration changes or product tweaks needed to detect these suspicious activities

This evaluation represents one of the industry’s best efforts to put EDR products to the test, simulating real-world scenarios and articulating how detections occur in each product. This latest MITRE evaluation emulated an attack by the APT29 threat group, a nation-state actor distinguished by its commitment to stealth and sophisticated implementations of techniques via an arsenal of custom malware. This is no run-of-the-mill threat, and a product’s ability to provide maximum detection to expose every step of the attack is crucial to rapid response.

This year, MITRE evaluated the VMware Carbon Black Cloud platform as a whole, representing the first evaluation of its kind. These results proved the value of using a single, lightweight agent and unified console to give our customers:

  • Behavioral prevention to block malware and unwanted behaviors
  • Continuous event capture with seamless event correlation to reveal stealthy activity
  • Device interrogation to capture forensics and residual traces
  • A world-class 24/7 managed detection service that identifies what automated defenses alone may miss

We’re building our cloud-native endpoint security platform with our customers’ standardization on MITRE in mind. It’s our goal to arm security professionals with all the context they need, right where they need it. We’ve infused MITRE ATT&CK directly into our cloud console to ease identification of nation-state threats via:

Behavioral EDR tactic, technique, and procedure (TTP) correlation

Our behavioral EDR is built to identify behaviors and clearly correlate suspicious activity. This minimizes alert fatigue and facilitates easy root cause analysis.

Embedded MITRE Technique ID tagging

Our console tags each alert with the relevant MITRE technique IDs and links back to the MITRE ATT&CK knowledge base for more information about the adversary behavior being analyzed.

Out-of-the-box MITRE ATT&CK threat feed

The VMware Carbon Black Threat Analysis Unit (TAU) has designed an ATT&CK Framework threat feed that customers can leverage to aid their threat hunting.

Continuous and unbiased recording of endpoint telemetry, including fileless attack techniques

Our granular telemetry includes AMSI visibility with an out-of-the-box AMSI threat intelligence feed to easily uncover obfuscated malicious code.

The VMware Carbon Black Cloud makes it possible for security teams everywhere to gain unparalleled visibility into the behavior of even sophisticated nation-state adversaries. We continue to develop a platform that tilts the advantage away from the attacker and back in favor of the defender. We would like to thank everyone at MITRE for the work they do creating a common language for all security professionals to more easily outsmart attackers.

For more information about using the VMware Carbon Black Cloud with the MITRE ATT&CK framework, check out our interactive MITRE ATT&CK Workbook.

For complete evaluation results, you can review the data published on the MITRE website.