As security practitioners, we struggle with which products to buy and how to cut through the marketing to figure out what those products actually do. As the community has recognized the need to find adversaries post-compromise, a multitude of Endpoint Detection and Response (EDR) products have appeared on the market, but consumers have had little information to help them decide which one is right for them.
To help fill this gap, MITRE conducted impartial evaluations of vendor capabilities in an effort to increase transparency and drive the EDR market forward. Using the common lexicon of the ATT&CK knowledge base, MITRE used a purple-teaming approach to evaluate vendor capabilities. In November 2018, we publicly released our methodology and results showing detection capabilities for 90 ATT&CK-based procedures derived from real threat intelligence. This talk will explain the approach the MITRE team used, as well as the challenges we faced in articulating how detections happen. The presenter will explain how you can use our publicly available methodology and results to make decisions about products and to perform your own evaluations.