SentinelOne Achieves 100% Protection and Detection in the 2023 MITRE Engenuity ATT&CK® Evaluations: Enterprise

For the fourth straight year, SentinelOne Singularity Platform has consistently proven its industry-leading detection and protection capabilities in MITRE’s ATT&CK Enterprise Evaluation, scoring:

  • 100% Protection – blocked 13 out of 13 protection steps
  • 100% Detection – detected 18 of 18 detection steps
  • 100% Real-time – zero delayed detections
  • 100% Realistic – zero configuration changes
  • 96% Visibility into attack sub-steps

This year’s Evaluation focused on the adversary Turla, a Russia-based threat group known for deploying sophisticated proprietary tools and malware. Turla has infected victims in over 45 countries, spanning a range of critical industries and infrastructure since 2004.

Turla is equally adept at targeting Linux and Windows infrastructure. They are flexible, employing open-source and in-house developed malware, blending a carefully designed toolkit to evade detection and target victims of all sizes and industries. Read more about Turla and the MITRE Evaluation methodology, here.

Complete Detection and Protection, in Real Time

Our job is to protect every enterprise, no matter their size or industry. The SentinelOne Singularity Platform successfully detected and blocked at every step within the Evaluation, highlighting our abilities to protect against complex and evasive threats such as Turla.

Our approach to this year’s MITRE Evaluation reflects our philosophy on protection – that speed and autonomous operation are critical. Complex attacks can move from initial access to credential compromise, lateral movement, data encryption, and extortion in a matter of minutes. There is no time for waiting on human analysts, sandbox results, or manual workflows. There is no chance for a re-try in the real world as there is in compartmentalized tests.

Our product provides autonomous and comprehensive protection with zero delays. Unlike many participants in this test, you will see no delayed-modifiers in our results. This means that protection is automatic out of the box, and data is available in real-time. Speed matters.

We also tested with no configuration changes. MITRE provides vendors with an opportunity to re-test any step. Usually, this means entirely new data sources or detection logic were brought in by the vendor, only after they know exactly what MITRE is doing.

There are no second chances in the real world: a ransomware adversary will not let you bolster your security during an attack. When evaluating enterprise security solutions for real-world deployment, it is prudent to study a vendor’s performance without delays and configurations. You will not find any modifiers or changes in our results.

The Importance of Visibility

Understanding and visualizing the killchain and its timeline is important for a number of reasons. First, analysts have the ability to see an attack in its entirety, combining alerts and individual events into a single, comprehensive view of the incident, no matter where the data came from. Secondly, having a view into the affected assets means security professionals can ensure complete eviction of the adversary. Ransomware victims are often targeted again, therefore total removal of infected assets is imperative in mitigating lie-in-wait threats.

While some vendors might detect events and alerts, these are often visualized and displayed by the hundreds, thousands, or even hundreds-of-thousands in some cases. Sorting endless alerts makes investigation challenging and delays response time. SentinelOne’s patented Storyline technology automatically stitches together related alerts, providing analysts with a full view of detections across all covered attack vectors correlated into several incidents. This prioritized view reduces alert fatigue and ensures rapid, complete remediation.

Such deep context into incidents also empowers analysts with the corner-stone for threat hunting across all organizational data, enriching and enhancing investigations with telemetry from any third-party source. These insights afford a comprehensive view across the enterprise, and an opportunity to be proactive and improve security posture.

The Most Important Test is the Real World

While it’s important to evaluate technology, particularly in an area as high-stakes as cybersecurity, there is no test like that of the real world. SentinelOne is proud to undertake the MITRE ATT&CK Evaluation and excel using the exact agent, platform, and features that our customers trust us to protect them with every day. The Singularity Platform detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations, or bolt-on features.

Interpreting the MITRE Evaluation Results

As described above, we approached this test bringing the most realistic and relevant solution, one a customer could employ in the real world. MITRE organizes detections according to each substep. Each substep has a single detection category that represents the highest level of context provided to the analyst across all detections for that substep. For reference, the context provided by each detection category increases from left to right, with Technique being the highest context within the detection category diagram. “None” means no data was made available that satisfies the detection criteria, so fewer “nones” means greater visibility (Read more about the MITRE criteria here).

Below are our results across the 18 steps we were able to participate in without delayed and/or configuration change modifiers.

The charts below show how CrowdStrike and Microsoft fared in real-time across the same 18 Steps without performing after-the-fact configuration changes and without factoring in delayed detections. SentinelOne performs significantly better in overall visibility with fewer “nones” and outstanding performance in analytic detections.

For a fair comparison, we have removed Step 19 data, which is listed as “N/A” for SentinelOne with the footnote “due to extenuating circumstances, this step was not collected during evaluation.” Despite all best efforts, an issue occurred during the final testing day where the test environment related to our product made it impossible for MITRE to gather accurate initial execution data according to their procedures.

Protect Everything | All the Time

We are grateful for the opportunity to participate in the 2023 MITRE ATT&CK Evaluation. SentinelOne is committed to innovation and delivering solutions to keep our customers safe. The Singularity Platform is the first AI platform to provide enterprise-wide visibility and protection, bringing all your data together in a unified Data Lake to eliminate risk and protect the future.

To learn about how SentinelOne can help protect your organization, contact us or request a free demo.