Untainted By Design: How Our MITRE ATT&CK Results Demonstrate the Resilience of Carbon Black


I started my career in cybersecurity 10 years ago as a Technical Operations Officer in the US Intelligence Community, where I had a first-hand view into the most sophisticated ongoing cyber operations in the world. One thing was always clear: attackers always found ways to stay a step ahead of the defenders. This is why Carbon Black’s approach to continuous recording of unfiltered data is so key.

As the Senior Product Manager for CB ThreatHunter, I’m also ecstatic about our recent MITRE ATT&CK results and how they demonstrate the power of our approach. Carbon Black outperformed all other EDR solutions in the test. Our detections had no delays, and required no human analysts from a vendor to read data, write queries and fire alerts. But one aspect of the evaluation that’s particularly important is what MITRE called tainted detection results — and the fact that Carbon Black had none of them.

Tainted Detections Are More Brittle Than Untainted

One area of the MITRE ATT&CK evaluation that generated a lot of confusion is the term “tainted” detections. What exactly does that mean? And is it a good thing or bad thing for the user?

It’s very simple — tainted detections are more brittle than untainted detections. MITRE defines these tainted detections in their methodology as when a solution “detects the activity based on previously identified suspicious/malicious behavior that is related to or ‘tainted by’ the detection.” If the attacker changes their initial approach even slightly, later detections may not happen and there is no guarantee that the critical telemetry will be recorded. MITRE’s lead engineer for the evaluations program clarified this on Twitter.

Tainted Detections Are Unpredictable and Frustrating

It’s that unpredictability that frustrates actual users. They’re relying on these tools to give them information, and they need consistency with regard to what data they have access to. Otherwise, the product leaves them high and dry when management comes asking for answers that they don’t have. The more detections that are tainted, the more brittle the solution is overall, meaning the attacker is one tweak away from detection evasion.

Untainted Detections Means Attackers Can’t Hide

We achieved zero tainted results in the MITRE test because of our unfiltered approach to data collection. We don’t make a determination as to whether an event is good or bad when we collect it from the endpoint. That decision isn’t dependent on a prior detection having already happened — meaning that even as attackers change techniques, we’ll still capture telemetry and detect the threat. Attackers can’t hide because we are monitoring every action on the endpoint — good or bad.
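The brittleness described in the two sections above can be shown with a small simulation. The following Python is an added illustration, not Carbon Black’s code or MITRE’s evaluation harness: the events, the process tree, and the two rules (an “initial” rule that flags a scripting host spawned by an office application, and a “later” rule that flags a credential-access action) are all constructed for this example. The tainted pipeline only evaluates the later rule on processes descended from an earlier hit, so when the constructed second scenario swaps out the initial step, the later activity goes unreported. The untainted pipeline records every event, evaluates every rule independently, and correlates hits by process lineage afterwards.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed endpoint telemetry record (not a real product schema).
@dataclass(frozen=True)
class Event:
    pid: int
    ppid: int
    image: str
    action: str  # constructed labels: "process_start" or "credential_access"

# Hypothetical rule definitions for the illustration.
OFFICE_APPS = {"winword.exe", "excel.exe"}
Alert = Tuple[str, int]  # (rule name, pid)


def index_processes(events: List[Event]) -> Dict[int, Event]:
    """Map pid -> its process_start event so lineage can be walked."""
    return {ev.pid: ev for ev in events if ev.action == "process_start"}


def initial_rule(ev: Event, by_pid: Dict[int, Event]) -> bool:
    """Stage-1 rule: a scripting host started by an office application."""
    parent = by_pid.get(ev.ppid)
    return (ev.action == "process_start" and ev.image == "powershell.exe"
            and parent is not None and parent.image in OFFICE_APPS)


def later_rule(ev: Event) -> bool:
    """Stage-2 rule: evaluated on its own merits, no prior hit required."""
    return ev.action == "credential_access"


def is_descendant(pid: int, ancestor: int, by_pid: Dict[int, Event]) -> bool:
    """True if pid is ancestor itself or sits below it in the process tree."""
    cur, seen = pid, set()
    while cur is not None and cur not in seen:
        if cur == ancestor:
            return True
        seen.add(cur)
        ev = by_pid.get(cur)
        cur = ev.ppid if ev else None
    return False


def root_of(pid: int, by_pid: Dict[int, Event]) -> int:
    """Walk up to the top-most recorded process for correlation."""
    cur = pid
    while True:
        ev = by_pid.get(cur)
        if ev is None or ev.ppid not in by_pid:
            return cur
        cur = ev.ppid


def tainted_pipeline(events: List[Event]) -> List[Alert]:
    """Later rule fires only for processes tainted by an earlier hit."""
    by_pid = index_processes(events)
    flagged = {ev.pid for ev in events if initial_rule(ev, by_pid)}
    alerts: List[Alert] = []
    for ev in events:
        if initial_rule(ev, by_pid):
            alerts.append(("initial", ev.pid))
        elif later_rule(ev) and any(is_descendant(ev.pid, f, by_pid) for f in flagged):
            alerts.append(("later", ev.pid))
    return alerts


def untainted_pipeline(events: List[Event]) -> List[Alert]:
    """Every event is recorded and every rule is evaluated independently."""
    by_pid = index_processes(events)
    alerts: List[Alert] = []
    for ev in events:
        if initial_rule(ev, by_pid):
            alerts.append(("initial", ev.pid))
        if later_rule(ev):
            alerts.append(("later", ev.pid))
    return alerts


def correlate(alerts: List[Alert], events: List[Event]) -> Dict[int, List[Alert]]:
    """Group independent hits by the root of their process tree."""
    by_pid = index_processes(events)
    grouped: Dict[int, List[Alert]] = {}
    for name, pid in alerts:
        grouped.setdefault(root_of(pid, by_pid), []).append((name, pid))
    return grouped


# Constructed scenario A: the initial step matches the stage-1 rule.
SCENARIO_A = [
    Event(100, 1, "winword.exe", "process_start"),
    Event(101, 100, "powershell.exe", "process_start"),
    Event(101, 100, "powershell.exe", "credential_access"),
]

# Constructed scenario B: only the initial step changes (a different launcher).
SCENARIO_B = [
    Event(200, 1, "wscript.exe", "process_start"),
    Event(201, 200, "powershell.exe", "process_start"),
    Event(201, 200, "powershell.exe", "credential_access"),
]

if __name__ == "__main__":
    for label, scenario in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        print(label, "tainted:", tainted_pipeline(scenario))
        print(label, "untainted:", correlate(untainted_pipeline(scenario), scenario))
```

Running the block shows the point the post makes: in scenario B the tainted pipeline produces nothing at all, while the untainted pipeline still reports the credential-access step and ties it back to its root process, so an analyst still has both the alert and the surrounding telemetry.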

Untainted Detections with Correlated Alerts = the Most Resilient EDR

The power of Carbon Black has always been our ability to gather all this unfiltered endpoint data, but then correlate events and prioritize alerts so that users can clearly see what activities are related to each other and can easily address incidents and hunt for threats. Security professionals deciphering the MITRE results need to consider how resilient the detection methodology is, along with how well alerts are correlated and prioritized. With Carbon Black, you get the best of both worlds: untainted detections and intuitive event correlation.

PLUS, Our Results Had No Delays and No Humans In The Loop

It’s also important to note the other powerful attributes of Carbon Black that were demonstrated in the MITRE ATT&CK evaluation:

  • Zero delayed detections — alerts were triggered in real time without delay
  • Zero humans in the loop — we don’t require you to have human analysts on the back end, because our technology is strong enough to do the job for you.


Along with zero tainted detections, these results clearly show why we outperformed all other EDR solutions in the test.

This powerful combination of unfiltered data and real-time insights is exactly what customers continue to expect from us. With our recent announcement of the general availability of CB ThreatHunter on the PSC and the release of our MITRE ATT&CK Threat Feed, Carbon Black continues to rapidly innovate on our approach to endpoint security, paving the way for security professionals to see more attacks and stop more attacks, untainted and in real time.

The post Untainted By Design: How Our MITRE ATT&CK Results Demonstrate the Resilience of Carbon Black appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
