For the fourth consecutive year, the SentinelOne Singularity Platform has demonstrated industry-leading detection and protection capabilities in MITRE’s ATT&CK Enterprise Evaluation, scoring:

  • 100% Protection – blocked 13 out of 13 protection steps
  • 100% Detection – detected 18 of 18 detection steps
  • 100% Real-time – zero delayed detections
  • 100% Realistic – zero configuration changes
  • 96% Visibility into attack sub-steps

The Evaluation focused on the adversary Turla, a Russia-based threat group known for deploying sophisticated proprietary tools and malware. Turla has infected victims in over 45 countries, spanning a range of critical industries and infrastructure since 2004.

Turla is equally adept at targeting Linux and Windows infrastructure. The group is flexible, combining open-source and in-house developed malware into a carefully designed toolkit built to evade detection and to target victims of all sizes across many industries.


Complete Detection and Protection, in Real Time

The SentinelOne Singularity Platform successfully detected and blocked at every step within the Evaluation, highlighting its ability to protect against complex and evasive threats such as Turla.

The SentinelOne approach to the MITRE Evaluation reflects the company’s philosophy on protection: speed and autonomous operation are critical. A complex attack can move from initial access to credential compromise, lateral movement, data encryption and extortion in a matter of minutes. There is no time to wait on human analysts, sandbox results or manual workflows, and there is no re-try in the real world as there is in a controlled test.

SentinelOne provides autonomous, comprehensive protection with zero delays. Unlike many participants in this evaluation, you will find no “delayed” modifiers in the results: protection is automatic out of the box, and detection data is available in real time. Speed matters.

SentinelOne also tested with no configuration changes. MITRE gives vendors the opportunity to reconfigure their product and re-test a step; detections obtained that way carry a “configuration change” modifier. In practice this usually means entirely new data sources or detection logic were brought in by the vendor, after they already know exactly what MITRE is executing.

There are no second chances in the real world: a ransomware adversary will not pause while you bolster your security mid-attack. When evaluating enterprise security solutions for real-world deployment, it is prudent to study a vendor’s performance without delayed or configuration-change modifiers. You will find neither in SentinelOne’s results.


The Importance of Visibility

Understanding and visualising the kill chain and its timeline is important for a number of reasons. First, analysts can see an attack in its entirety, with alerts and individual events combined into a single, comprehensive view of the incident regardless of where the data came from. Second, a view of every affected asset lets security professionals ensure the adversary is completely evicted. Ransomware victims are often targeted again, so complete remediation of every affected asset is imperative to remove any foothold left behind for a later attack.

While some vendors detect events and alerts, these are often displayed by the hundreds, thousands or, in some cases, hundreds of thousands. Sorting through endless alerts makes investigation difficult and delays response. SentinelOne’s patented Storyline technology automatically stitches related alerts together, giving analysts a full view of detections across all covered attack vectors correlated into a small number of incidents. This prioritised view reduces alert fatigue and supports rapid, complete remediation.

Such deep context into incidents also gives analysts a cornerstone for threat hunting across all organisational data, enriching investigations with telemetry from any third-party source. These insights afford a comprehensive view across the enterprise and an opportunity to be proactive and improve security posture.


The Most Important Test is the Real World

While it is important to evaluate technology, particularly in an area as high-stakes as cybersecurity, there is no test like the real world. SentinelOne undertook the MITRE ATT&CK Evaluation and excelled using the exact agent, platform and features that its customers rely on every day. The Singularity Platform detected and blocked every phase of the Turla attack with zero delays and no unrealistic reconfigurations or bolt-on features.

Interpreting the MITRE Evaluation Results

SentinelOne approached this test with the most realistic and relevant solution, one a customer could deploy in the real world. MITRE organises detections by substep. Each substep is assigned a single detection category representing the highest level of context provided to the analyst across all detections for that substep. The categories are ordered by increasing context (None, Telemetry, General, Tactic, Technique), with Technique being the highest. “None” means no data was made available that satisfies the detection criteria, so fewer “nones” means greater visibility.
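The scoring rules described above, as an added example that is not code from the SentinelOne page or from MITRE’s own evaluation tooling: each substep takes the highest-context category among its detections, detections carrying a “Delayed” or “Configuration Change” modifier can be excluded to obtain the real-time, no-reconfiguration view the page uses, and a step can be dropped entirely, as the page does with Step 19. The category ordering, the modifier names and the sample substeps are assumptions constructed for the example.

```python
"""Score a MITRE ATT&CK Evaluation-style result set the way the page describes.

Added example; not the SentinelOne page's or MITRE's own code.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Detection categories in increasing order of analyst context (assumed ordering,
# matching the "left to right" order the page refers to).
CATEGORY_RANK: Dict[str, int] = {
    "None": 0, "Telemetry": 1, "General": 2, "Tactic": 3, "Technique": 4,
}

# Modifier names are assumed; they stand for MITRE's delayed / config-change flags.
REALISTIC_EXCLUDES: FrozenSet[str] = frozenset({"Delayed", "Configuration Change"})


@dataclass
class Detection:
    category: str
    modifiers: FrozenSet[str] = frozenset()


@dataclass
class SubStep:
    step: int            # numbered evaluation step, e.g. 19
    sub_step: str        # substep label, e.g. "1.A.1"
    technique: str       # ATT&CK technique ID exercised by the substep
    detections: List[Detection] = field(default_factory=list)


def substep_category(sub: SubStep, exclude: FrozenSet[str] = frozenset()) -> str:
    """Highest-context category among detections that carry none of `exclude`."""
    eligible = [d for d in sub.detections if not (d.modifiers & exclude)]
    if not eligible:
        return "None"
    return max(eligible, key=lambda d: CATEGORY_RANK[d.category]).category


def score(substeps: List[SubStep],
          exclude: FrozenSet[str] = frozenset(),
          skip_steps: FrozenSet[int] = frozenset()) -> Dict[str, float]:
    """Visibility (non-None) and analytic (General or better) coverage in percent."""
    cats = [substep_category(s, exclude) for s in substeps if s.step not in skip_steps]
    if not cats:
        return {"substeps": 0, "visibility_pct": 0.0, "analytic_pct": 0.0, "nones": 0}
    visible = sum(c != "None" for c in cats)
    analytic = sum(CATEGORY_RANK[c] >= CATEGORY_RANK["General"] for c in cats)
    return {
        "substeps": len(cats),
        "visibility_pct": round(100.0 * visible / len(cats), 1),
        "analytic_pct": round(100.0 * analytic / len(cats), 1),
        "nones": len(cats) - visible,
    }


# Constructed sample data, not real evaluation results for any vendor.
SAMPLE: List[SubStep] = [
    SubStep(1, "1.A.1", "T1566.001", [Detection("Telemetry"), Detection("Technique")]),
    SubStep(1, "1.A.2", "T1204.002", [
        Detection("Technique", frozenset({"Configuration Change"})),
        Detection("Telemetry"),
    ]),
    SubStep(2, "2.A.1", "T1059.001", [Detection("Tactic", frozenset({"Delayed"}))]),
    SubStep(3, "3.A.1", "T1003.001", []),
    SubStep(19, "19.A.1", "T1021.002", [Detection("Technique")]),
]


def raw_view() -> Dict[str, float]:
    """Headline numbers with every detection counted, modifiers included."""
    return score(SAMPLE)


def realistic_view() -> Dict[str, float]:
    """Real-time, no-reconfiguration view with Step 19 removed, as on the page."""
    return score(SAMPLE, exclude=REALISTIC_EXCLUDES, skip_steps=frozenset({19}))


if __name__ == "__main__":
    print("raw      :", raw_view())
    print("realistic:", realistic_view())
```

Comparing the two views on the same data makes the page’s point concrete: a substep whose only Technique-level detection was obtained after a configuration change drops to Telemetry once that modifier is excluded, and a substep detected only with a delay becomes a “none”, so the visibility and analytic percentages move even though the underlying detection logs did not.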

Below are the results across the 18 steps in which SentinelOne participated, with no delayed or configuration-change modifiers.
The charts below show how CrowdStrike and Microsoft fared in real time across the same 18 steps, without after-the-fact configuration changes and without counting delayed detections. SentinelOne performs significantly better in overall visibility, with fewer “nones”, and delivers outstanding analytic detection coverage.

For a fair comparison, Step 19 data has been removed; it is listed as “N/A” for SentinelOne with the footnote “due to extenuating circumstances, this step was not collected during evaluation.” Despite all best efforts, an issue with the test environment for the SentinelOne product on the final testing day made it impossible for MITRE to gather accurate initial execution data according to its procedures.


Protect Everything | All the Time

SentinelOne is committed to innovation and to delivering solutions that keep its customers safe. The Singularity Platform is the first AI platform to provide enterprise-wide visibility and protection, bringing all your data together in a unified Data Lake to reduce risk and protect the future.
To learn about how SentinelOne can help protect your organisation, please contact us.


Source: www.sentinelone.com