MITRE Evaluation Detection & Response: Workload vs. End-user Computing

Blog Author
Ganesh Pai

September was quite a month in the world of Detection and Response. MITRE released the results of the 2023 MITRE Engenuity ATT&CK Evaluations. While all participants had their own interpretation of the results, this year's evaluations highlighted  the need for behavioral detections and the merit of having a sensor on the runtime.


In addition to the results matrix, the most notable aspect of our coverage is our unified platform for XDR and CNAPP, our universal sensors (endpoint, agent-based, and agentless) and connectors (cloud/saas), and coverage for end-user computing (macOS, Windows) and workload computing (Linux/Container/K8s).


This is an aspect that I’d like to highlight, as in the world of modern defenders, the following is key:


  • Visibility from laptop to code to cloud

  • Behavioral detection on workload, end-user computing, and cloud/SaaS services


As crucial as end-user computing is, workload computing is where the crown jewels of most organizations are. They are increasingly going into the cloud due to rapid digital transformation, and it would be great to have similar evaluations for workloads and cloud infrastructure.


In the recent past, due to operational challenges in the workload computing arena, operators have been confined to accepting prescriptive (misconfigurations, audit, vulns) outcomes visible from cloud providers’ static storage snapshots. Uptycs provides an agentless solution to address this operational challenge. However, relying primarily on this agentless approach in the context of workloads (Linux/Containers) leaves a big gaping hole in coverage and controls. To address this gap, our universal sensor operates in agentless and agent-based modes, providing vulnerabilities and threats (behavioral) coverage to reduce overall risk.


This is where MITRE evaluation results exemplify the need for behavioral detection and the merit of having a sensor on the runtime. This is the heart of the agent vs. agentless debate, and it would be great to have MITRE evaluate and present the gap between the approaches for workload computing.


In addition to tactics, techniques, and procedures (TTPs), having MITRE evaluations for anomalous and outlier activity detection would be helpful. In the context of workload and cloud computing, there is abundant telemetry available for applying statistical, machine learning, and outlier detection techniques. If MITRE can synthesize some of these behaviors for evaluation, it’d add another useful consideration for defenders.


Otherwise, operators would be left with non-standard means to evaluate the efficacy of agentless controls in the cloud, which, while providing a lot of data, are highly prescriptive (CIS, NVDB, etc.) and of limited value for threat operations.


Feel free to share your thoughts here…. I would love to know your thoughts on how MITRE can improve evaluations of workload and cloud computing.


LinkedIn Poll