Last year, MITRE added Protection evaluations in addition to its Detection tests. While the detection tests are aimed at endpoint detection and response (EDR)<\/a> tools, protection tests favor endpoint protection platforms (EPP)<\/a>, which are somewhat like traditional antivirus software<\/a>, except with the greater sophistication that enterprise IT security requires. EDR and EPP tools have been merging over the years, yet they retain distinct functions.<\/p>\n While the MITRE tests are unique in the depth of security information they provide to both buyers and vendors, they come with a number of caveats, as both MITRE and security vendors have noted.<\/p>\n So while the MITRE tests give buyers more data than they might otherwise have, they’re still encouraged to do their own research and testing, just as vendors will use the results to improve security defenses.<\/p>\n But just as vendors spin the results to their advantage, we too will parse the data to try to put some shape to it – with the caveat that you really need to make sure that any security tool you buy is the right one for your environment. There’s no substitute for your own evaluation in your own environment.<\/p>\n Also read: Top Endpoint Detection & Response (EDR) Solutions<\/a><\/p>\n An earlier draft of this article relied on the methodology that Cynet had used to analyze the results (more on that in a moment). But after a couple of objections to that approach from readers, we’re returning to the simple and straightforward methodology<\/a> we used last year, where we quantified protection and detection test results and averaged the two.<\/p>\n Of the 30 vendors who took part in the MITRE evaluations, 22 did both the Detection and Protection evaluations, so we’ll separate them from the Detection only group. And the data is publicly available<\/a>, so anyone can access it and analyze it, which we would encourage you to do.<\/p>\n There were 9 broad tests in the Protection evaluation and 109 steps in the Detection evaluation, but those numbers dropped to 8 and 90, respectively, for vendors who didn’t participate in the Linux tests.<\/p>\n The 9 Protection tests also included 109 attack techniques. Cynet scored those tests<\/a> based on how early in the attack path the threat was stopped. That’s an important way to look at the data, but the problem was it wound up scoring some vendors who eventually stopped a threat lower than some who missed it entirely. A rough example: A vendor who stopped one threat on the first step but missed another one entirely might score higher than a vendor who stopped both attacks on, say, the 5th step.<\/p>\n In a statement to eSecurity Planet<\/em>, Cynet CTO Aviad Hasnis defended the company’s approach. “The early you stop an attacker – the more efficient you are as a vendor to prevent additional malicious activities from taking place. Think about a malware that steals credentials. If you stop the malware when it is dropped on the computer, nothing bad actually happens. Alternatively, if you stop it at a later stage, your credentials will already be stolen. This is exactly what MITRE tested<\/span>.”<\/p>\n Perhaps there’s a way to scale the results to include both the depth of penetration and the broader stop\/no stop score, but again, we encourage all who are interested in the tests to examine the MITRE data<\/a> themselves.<\/p>\n Twelve of the 22 vendors stopped all the Protection tests they faced, a promising showing for cybersecurity in general.<\/p>\n Seven of the vendors stopped all 9 of the Protection tests, including the one Linux test: Cybereason, SentinelOne, Cynet, Palo Alto Networks, CrowdStrike, Microsoft, and BlackBerry Cylance.<\/p>\n Another four vendors stopped all 8 Windows attack tests while skipping the Linux test: McAfee (now combined with FireEye as Trellix<\/a>), Fortinet, VMware Carbon Black, and Deep Instinct. Trend Micro stopped 8 attacks, and the 9th was prevented from executing by a detection rule.<\/p>\n Below are the broad results for the vendors that participated in both the Detection and Protection evaluations:<\/p>\n\n
Analyzing the Results<\/h2>\n
Good Results for Cybersecurity<\/h2>\n
![\"MITRE](\"https:\/\/www.esecurityplanet.com\/wp-content\/uploads\/2022\/04\/Mitre-detect-only-1-106x300.png\")