This project implements a methodology for evaluating EDR solutions according to our Threat Hunting model
blackarrowsec/EDR-Evaluation-Methodology
EDR-Evaluation-Methodology

Important

The methodology is NOT intended to evaluate the EDR products themselves, but how suitable they are for a proactive Threat Hunting service like ours.

Nowadays Threat Hunting is a very popular term in the InfoSec community. However, there is no consensus on the definition of this role. In our Threat Hunting model, we start every day by assuming the hypothesis that all of our clients have been compromised somehow. From that point, we use our knowledge to query the telemetry available in the EDR solutions in order to refute that hypothesis. Only when we have deemed every match a false positive do we discard the compromise hypothesis.

EDR solutions are the weapon of choice in our model of Threat Hunting. We also aim to be agnostic to the technology and capable of integrating our service into heterogeneous client environments. Hence, it is a must for us to know which solutions can handle our Threat Hunting model, which ones cannot, and how both groups evolve over time. This project implements an ad hoc methodology for evaluating EDR solutions according to our Threat Hunting model.

This is a living project, and it will be updated as we perform new evaluations and revisit old solutions to check for improvements.

Latest evaluations results

The graphics below showcase the results of the latest homologation evaluations, presented in a visual and executive way. For more details about the results, please refer to the full evaluations in the Excel sheets:

Last updated: 26/11/24

CrowdStrike [2024]

Palo Alto Cortex [2024]

Microsoft Defender for Endpoint [2024]

SentinelOne [2024]

Sophos [2024]

TrendMicro [2024]

Authors

Julio J. Estévez-Pereira ([email protected])
Alberto Terceiro Plumed ([email protected])

Collaborators

Anxo Otero Dans
Julián E. Erbojo Cossio
Sergio Alfaro Alfaro
Luis Ruiz Mayorga

References

License

All the documents included in this project are licensed under the terms of the Apache 2.0 license.
