Tendency Micro’s Top Ten MITRE Assessment Considerations

The introduction of the particular MITRE ATT& CK assessments is a welcomed addition to the particular third-party testing arena. The particular ATT& CK framework, as well as the evaluations in particular, have long gone such a long way in helping move forward the security industry as a whole, as well as the individual security products offering the market.

The insight gained from these evaluations is extremely useful.   But let’ s admit, for everyone other than those steeped in the evaluation, it can be hard to understand. The data is valuable, but thick. There are multiple ways to go through the data and even more ways to translate and present the results (as no doubt you’ ve currently come to realize after reading through all the vendor blogs plus industry articles! ) We’ve been looking at the data for the past 7 days since it published, and still convey more to examine over the coming times and weeks.

The more we all assess the information, the better the story becomes, so we wished to share with you Trend Micro’ h 10 key takeaways for the results:

  1. Looking at the results from the first run of the assessment is important:
  • Trend Micro ranked very first in initial overall recognition . We are the leader within detections based on initial item configurations. This evaluation allowed vendors to make product changes after a first run from the test to boost detection prices on a re-test. The MITRE results show the final results all things considered product changes. If you evaluate what the product could identify as originally provided, there were the best detection coverage one of the pool of 21 suppliers.
  • This is important to think about because product adjustments may differ in significance and may or even may not be immediately available in vendors’ current product. We furthermore believe it is easier to do better, knowing what the attacker was performing – in the real world, clients don’ t get a 2nd try against an attack.
  • Having said that, we as well took advantage of the retest opportunity since it allows us to determine product improvements, but our own overall detections were therefore high, that even eliminating those associated with a configuration alter, we still ranked 1st overall.

  • And so no one considers we are just spinning… with out making any kind of exclusions towards the data at all, and just taking MITRE results in their whole, Trend Micro had the 2nd highest detection rate, along with 91+% detection coverage.

  1. There is a structure in the type of main detections – Techniques is most important
  • There is an organic hierarchy in the value of the various types of main detections.
    • A general detection shows that something was considered suspicious but it was not designated to a specific tactic or even technique.
    • The detection on tactic indicates the detection can be related to a tactical goal (e. g. credential access).
    • Finally, a recognition on technique means the particular detection can be attributed to a certain adversarial action (e. gary the gadget guy. credential dumping).
  • We have solid detection on techniques, that is a better detection measure. Using the individual MITRE technique determined, the associated tactic could be determined, as typically, you can find only a handful of tactics that could apply to a specific technique. When you compare results, you can see that suppliers had lower tactic detections on the whole, demonstrating a general acceptance of where the priority ought to lie.
  • Similarly, the fact that we had lower common detections compared to technique detections is a positive. General detections are typically associated with a signature; therefore, this proves that we have the reliance on AV.
  • It is also important to remember that we did well within telemetry which gives security experts access to the type and level of visibility they need in order to into detailed attacker exercise across assets.


  1. Let’ s not forget about the usefulness and need for blocking!
  • This MITRE assessment did not test for a product’ s ability to block/protect through an attack, but rather exclusively discusses how effective a product are at detecting an event that has occurred, so there is no measure of avoidance efficacy included.
  • This is significant for Pattern, as our philosophy would be to block and prevent as much as you are able to so customers have much less to clean up/mitigate.
  1. We need to look through over the Windows
  • This evaluation looked at Home windows endpoints and servers just; it did not look at Linux for example , where of course Development has a great deal of strength within capability.
  • All of us look forward to the expansion from the operating systems in scope. Mitre has already announced that the next circular will include a linux program.



  1. The assessment shows where our method going
  • All of us believe the first priority with this evaluation is the main detections (for example, detecting upon techniques as discussed above). Correlation falls into the changer detection category, which discusses what happens above and beyond an initial recognition.
  • We are pleased with our main detections, and find out great opportunity to boost our own correlation capabilities with Tendency Micro XDR, which we’ve been investing in heavily and is essentially of the capabilities we will be providing in product to clients as of late June 2020.
  • This evaluation failed to assess our correlation throughout email security; so there is certainly correlation value we can provide to customers beyond what exactly is represented here.
  1. This evaluation is definitely helping us make our own product better
  • The insight this assessment has provided us has been priceless and has helped us recognize areas for improvement and have initiate product up-dates as a result.
  • Too, having a product with a “ detection only” mode choice helps augment the SOC intel, so our involvement in this evaluation has allowed us to make our item even more flexible to set up; and therefore, a more powerful device for the SOC.
  • While some vendors try to utilize it against us, our additional detections after config modify show that we can adjust to the changing threat scenery quickly when needed.
  1. MITRE is more compared to evaluation
  • As the evaluation is important, it is important to identify MITRE ATT& CK being an important knowledge base which the security industry can each align and contribute to.
  • Having a common vocabulary and framework to better describe how adversaries behave, what exactly they are trying to do, and how they may be trying to do it, makes the whole industry more powerful.
  • Among the many things we perform with or around MITRE, Trend has and is constantly on the contribute new techniques to the particular framework matrices and is using it within our products making use of ATT& CK as a typical language for alerts plus detection descriptions, and for looking parameters.
  1. It is hard not to obtain confused by the fud!
    • MITRE does not score, rank or even provide side by side comparison associated with products, so unlike various other tests or industry expert reports, there is no set of “ leaders” identified.
    • As this evaluation assesses several factors, there are many different ways to look at, interpret and present the final results (as we did within this blog).
    • It is important that individual organizations be familiar with framework, the evaluation, and many importantly what their own focal points and needs are, because the only way to map the outcomes to the individual use situations.
    • Look to your own vendors to help explain the outcomes, in the context that makes feeling for you. It should be our obligation to help educate, not take advantage of.
%d bloggers like this: