MITRE Engenuity ATT&CK Competitive Talking Points
• DETECTION COUNT = the raw number of detections. One observable can generate several (or many) alerts, so this count is not a count of unique detections.
• ANALYTICS COVERAGE = detections that explain what exactly happened, with breakdown information. Example: PowerShell performing a screen capture, reported as the technique.
• TELEMETRY COVERAGE = detections that only alert that something happened. Example: PowerShell calling BitBlt.
• VISIBILITY = analytics and telemetry coverage taken together. Even if only one of the two (analytics or telemetry) generated an alert, the substep counts toward "Visibility".
• CONCLUSION: the unique measure of real capability is analytics plus telemetry coverage; we aggregated the results on that basis.
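The difference between the four numbers above is easiest to see when they are computed over the same set of per-substep detections. The script below is an added illustration, not part of the original talking points and not Check Point or MITRE code: it uses a small constructed list of detection records and assumes the Telemetry / General / Tactic / Technique category names of the ATT&CK Evaluations APT29 round (adjust to the round you are reading). It shows why the raw detection count is inflated by duplicate alerts on one observable, while analytics coverage, telemetry coverage and visibility are counted once per substep.

```python
from collections import defaultdict

# Categories that count as "analytics" (the detection explains what happened).
# Assumption: category names follow the APT29-round naming.
ANALYTIC_CATEGORIES = {"General", "Tactic", "Technique"}

# Constructed sample, not real evaluation data: (substep_id, detection_category).
# "None" means the vendor produced nothing for that substep.
SAMPLE_DETECTIONS = [
    ("1.A.1", "Telemetry"),
    ("1.A.1", "Telemetry"),   # second alert on the same observable
    ("1.A.1", "Technique"),   # analytic that also names the technique
    ("1.A.2", "Telemetry"),
    ("1.B.1", "General"),
    ("1.B.1", "General"),     # duplicate analytic alert
    ("2.A.1", "None"),
    ("2.A.2", "Tactic"),
    ("2.A.2", "Telemetry"),
    ("2.B.1", "None"),
]


def summarize(detections):
    """Return raw detection count plus per-substep coverage counts.

    Coverage is counted once per substep regardless of how many alerts
    fired, which is what separates it from the raw detection count.
    """
    substeps = sorted({substep for substep, _ in detections})
    categories_by_substep = defaultdict(set)
    for substep, category in detections:
        if category != "None":
            categories_by_substep[substep].add(category)

    # Raw count: every non-empty record, duplicates included.
    detection_count = sum(1 for _, category in detections if category != "None")
    # Per-substep counts: a substep is covered if at least one matching alert exists.
    analytics = sum(
        1 for s in substeps if categories_by_substep[s] & ANALYTIC_CATEGORIES
    )
    telemetry = sum(1 for s in substeps if "Telemetry" in categories_by_substep[s])
    # Visibility: either kind of detection is enough.
    visibility = sum(1 for s in substeps if categories_by_substep[s])

    return {
        "substeps": len(substeps),
        "detection_count": detection_count,
        "analytics_covered": analytics,
        "telemetry_covered": telemetry,
        "visible": visibility,
    }


def coverage_percent(summary, key):
    """Express one of the per-substep counts as a percentage of all substeps."""
    return 100.0 * summary[key] / summary["substeps"]


if __name__ == "__main__":
    result = summarize(SAMPLE_DETECTIONS)
    print(result)
    for key in ("analytics_covered", "telemetry_covered", "visible"):
        print(f"{key}: {coverage_percent(result, key):.1f}%")
```

On the constructed sample the raw detection count is 8 while only 4 of 6 substeps are visible at all: the duplicate alerts on 1.A.1 and 1.B.1 inflate the first number and leave the coverage numbers unchanged, which is the point of the first bullet above.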
[Chart: MITRE ATT&CK Detection Events; the chart data did not render in this extraction]
This evaluation focuses on the EDR (Endpoint Detection & Response) component, and Check Point did much better than the perceived leaders in this industry (can anyone say CrowdStrike?).
[Chart: Telemetry coverage by vendor, x-axis 20% to 100%; vendors plotted, in the order extracted: SentinelOne, Trend Micro, Check Point, ESET, Palo Alto, Carbon Black, Cybereason, Cylance, Sophos, Fortinet, FireEye, Cisco. The individual percentage labels (95% down to 55%) did not survive extraction in a form that can be attributed to a vendor.]
[Chart "Series 1": per-vendor counts, y-axis 14 to 30, for Check Point, Trend Micro, Palo Alto, Cybereason, SentinelOne, FireEye, Microsoft, Symantec, CrowdStrike; the metric name did not survive extraction.]
https://mitre.checkpoint.com/
A Few Examples of Useful Comparisons on the MITRE Page
https://attackevals.mitreengenuity.org/participant_comparison.html
Example: a technique totally missed by McAfee (shown as NONE on the comparison page), detected and described by Check Point.
THANK YOU