Why MITRE matters to SMBs

Running a small- to medium-sized business (SMB) requires expertise in everything, from marketing and sales to management and hiring, but in the ever-expanding list of executive responsibilities, one particular item demands attention: Cybersecurity.

Cyberattacks can—and have—shuttered entire businesses. Cyberattacks can ruin reputations. Cyberattacks can lock up your workforce, grind revenue to a halt, send clients and customers looking for alternatives, and cost millions of dollars in recovery.

Running an SMB today, then, requires effective cybersecurity. But cybersecurity vendors don’t make it easy. Every few months another vendor promises the best, fastest, and most effective protection, appending new, three-letter acronyms to features that may not appropriately serve your business, or may require a level of time and resources that your business can’t afford.

For SMBs, one particular third-party evaluation can help clear up some of the clutter. The MITRE ATT&CK Evaluation, run by cybersecurity researchers at MITRE Engenuity, measures how dozens of cybersecurity products respond to emulations of known, real-world adversary behavior, testing their capabilities against the techniques attackers actually use rather than against hypothetical threats.

According to the researchers at MITRE:

“While organizations know that robust security solutions are imperative, determining what’s best is no easy feat. There is often a disconnect between security solution providers and their users, particularly related to how these solutions address real-world threats.

Our mission is to bridge this gap by enabling users to better understand and defend against known adversary behaviors through a transparent evaluation process and publicly available results – leading to a safer world for all.”

Though the MITRE ATT&CK results are not quick to comprehend—after all, MITRE does not rank or select any “winners” or “losers” in its testing—they are important to understand. MITRE results can reveal which vendors can best prevent incoming cyberattacks, which can provide high visibility into current problems, and which can detail the most information about those problems.

Crucially, MITRE results can detail which cybersecurity vendor will offer your business the most effective “out-of-the-box” experience, protecting your business from cyberattacks while requiring less daily input from you and your team.

Here’s what the MITRE researchers evaluate in their testing and why it matters to your SMB.

Protection

“Protection” is a term that describes whether a cybersecurity product can stop an attack before it runs on your computers or systems. Protection is the first line of defense for any business and its significance cannot be overstated. Preventing an attack is always preferable to responding quickly to an attack after it has happened.

The MITRE ATT&CK Evaluation does not require its participants to be tested on their protection capabilities. In the most recent testing by MITRE, 22 out of 30 vendors entered the protection test. Just 10, including Malwarebytes, scored 100 percent on protection.

While no cybersecurity product can stop every single cyberthreat in existence—it just isn’t possible as cybercriminals constantly advance their tactics—a good cybersecurity product will still rank highly on MITRE’s protection analysis.

Visibility and alert quality

Cyberattacks do not happen in seconds. Instead, cybercriminals can plan their attacks for days or even weeks. They may brute-force their way into an insecure Remote Desktop Protocol port, or simply trick an employee into opening a malicious email attachment that gives them remote control of a machine. From there they spread laterally through the network, deploying dangerous hacking tools along the way, until they launch a massive attack that can derail any business.

Any decent cybersecurity product should be able to flag malicious or suspicious behavior happening on a network and deliver related warnings to the end-user. This capability to see potential attacks as they are happening and then signal those attacks to users is called “Visibility,” and MITRE tests it in its evaluations. The Visibility score reflects the number of attack steps that a cybersecurity solution caught and reported during the simulated attack, out of the total number of steps MITRE ran.

Visibility is just one half of a cybersecurity response, though. The other half is “Alert quality.”

As we explained in our previous article describing the most recent MITRE ATT&CK Evaluation results:

“Not every alert is equal. Some provide far more detailed information that can be acted upon by security teams, while other alerts only notify a security team of a problem. In the MITRE ATT&CK evaluation results, alerts are given three tiers of specificity, from least to most specific—General, Tactic, and Technique.

Techniques are the types of alerts that empower security teams to solve problems faster. Going beyond a basic description of what happened, a Technique alert will explain the surrounding context. That can include what threat actors are trying to accomplish with a malicious script.”

Cybersecurity products that achieved both high Visibility and Alert Quality in the most recent MITRE testing can equip SMBs with the support they need: A product that will not only tell you when something is wrong, but also what, specifically, is happening, and what the outcome could be.

Malwarebytes detected 83 out of 90 steps in the MITRE ATT&CK Evaluation (a rate of 92 percent), and 82 of those 83 detections were Technique alerts.

“Out-of-the-box” experience

The reality that many SMBs face is that they do not have the time or the budget for an in-house security team, or even a single dedicated security hire. But that should not mean that these same SMBs are left vulnerable to cyberattacks. What they need most is a cybersecurity product that works “out of the box,” approaching a level of “set it and forget it” ease.

The MITRE ATT&CK Evaluation does not use this terminology in its testing, but there is a way to interpret MITRE results that takes into account just how engaged a business must be to achieve solid cybersecurity.

Here, we have to explain “configuration changes.” Configuration changes are settings that a cybersecurity vendor is allowed to alter while MITRE is actually analyzing that vendor’s product. Detections made only after such a change are recorded separately in the results. These configuration changes reflect how some enterprise security teams actually use these products: tuning what the product reports to its end-users so that it catches emerging threats as they change from week to week.

But, as we wrote before, such configuration changes are not universally applied by businesses everywhere, and in fact, these changes could lead to adverse results:

“Importantly, these customers may actually lose some value if they try to implement the same types of configuration changes that MITRE Engenuity allows, as these changes will likely produce a greater quantity of alerts, leaving these customers to spend more time deciphering the importance of these alerts and how to respond. This adversely affects the visibility and alert quality components as customers spend time sifting through a potentially significant number of additional, low-quality alerts in order to determine priority actions. A productivity loss no organization—big or small—is willing to accept.”

Configuration changes can be a powerful tool for businesses that have the resources to implement them responsibly and nimbly. But for the many businesses that would not realistically take advantage of these settings, any cybersecurity product worth its cost should provide efficient and effective cybersecurity with zero configuration changes made during the MITRE ATT&CK Evaluation.
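To make the two ideas above concrete (Visibility and alert tiers on one hand, configuration changes on the other), here is an added Python example that scores a small, constructed set of evaluation results two ways: once counting every detection, and once counting only detections the product made with no configuration change. The record layout, substep identifiers and sample data are assumptions made for this illustration; they are not MITRE Engenuity’s published results format or Malwarebytes’ code.

```python
"""Score a constructed, simplified set of ATT&CK Evaluation detections.

Assumed layout (not MITRE Engenuity's schema): every substep of the
emulated attack gets one record holding the most specific alert tier the
product produced and whether that alert depended on a configuration
change made during the test.
"""
from dataclasses import dataclass
from typing import Iterable

# Alert tiers from least to most specific; "none" means the step was missed.
TIERS = ("none", "general", "tactic", "technique")


@dataclass(frozen=True)
class Detection:
    substep: str         # constructed identifier such as "1.A.1"
    tier: str            # one of TIERS
    config_change: bool  # True if the vendor changed settings to get it


def score(detections: Iterable[Detection], include_config_changes: bool = True) -> dict:
    """Return visibility and alert-quality figures for one evaluation run.

    visibility_pct      = detected substeps / all substeps
    technique_share_pct = Technique-tier alerts / detected substeps
    With include_config_changes=False, detections that needed a
    configuration change are treated as misses, which approximates the
    "out-of-the-box" view an SMB without a security team would see.
    """
    records = list(detections)
    for d in records:
        if d.tier not in TIERS:
            raise ValueError(f"unknown tier {d.tier!r} on substep {d.substep}")

    total = len(records)
    counted = [
        d for d in records
        if d.tier != "none" and (include_config_changes or not d.config_change)
    ]
    detected = len(counted)
    technique = sum(1 for d in counted if d.tier == "technique")
    return {
        "substeps": total,
        "detected": detected,
        "visibility_pct": round(100 * detected / total, 1) if total else 0.0,
        "technique": technique,
        "technique_share_pct": round(100 * technique / detected, 1) if detected else 0.0,
    }


def compare(detections: Iterable[Detection]) -> dict:
    """Side-by-side scores with and without configuration-change detections."""
    records = list(detections)
    return {
        "with_config_changes": score(records, include_config_changes=True),
        "out_of_the_box": score(records, include_config_changes=False),
    }


# Constructed sample data: ten substeps, three of which were only detected
# after a configuration change. Not real evaluation results.
SAMPLE = [
    Detection("1.A.1", "technique", False),
    Detection("1.A.2", "technique", False),
    Detection("1.B.1", "tactic", True),
    Detection("2.A.1", "technique", False),
    Detection("2.A.2", "none", False),
    Detection("2.B.1", "general", True),
    Detection("3.A.1", "technique", True),
    Detection("3.A.2", "technique", False),
    Detection("3.B.1", "none", False),
    Detection("3.B.2", "technique", False),
]

if __name__ == "__main__":
    for label, result in compare(SAMPLE).items():
        print(f"{label:20s} visibility {result['visibility_pct']:5.1f}%  "
              f"technique share {result['technique_share_pct']:5.1f}%")
```

On the constructed sample the headline visibility drops from 80 percent to 50 percent once configuration-change detections are excluded, while the share of Technique-tier alerts rises. That gap is the number to look at when judging what a product delivers with no tuning; a vendor whose two columns match achieved its results with zero configuration changes.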

Malwarebytes is one of the few cybersecurity vendors that achieved its results with zero configuration changes. For a full breakdown on how Malwarebytes ranks with this frame of analysis, read our full blog here.

Understanding MITRE for your SMB

The MITRE ATT&CK Evaluation can be overwhelming to understand at first glance, but interpreting the results is worth the effort. By looking at what products can offer your business effective cybersecurity while respecting your limited resources, you can better protect your business for the future.
