Important
The methodology is NOT intended to evaluate the EDR products themselves, but how suitable they are for a proactive Threat Hunting service like ours.
Nowadays Threat Hunting is a very popular term in the InfoSec community. However, there is no consensus on the definition of this role. In our Threat Hunting model, we start every day by assuming the hypothesis that all of our clients have been compromised somehow. From that point, we use our knowledge to query the telemetry available in the EDR solutions to refute that hypothesis. Only when we have deemed every match a false positive do we discard the compromise hypothesis.
EDR solutions are the weapon of choice in our model of Threat Hunting. We also aim to be agnostic to the technology and capable of integrating our service into heterogeneous client environments. Hence, it is a must for us to know which solutions can handle our Threat Hunting model, which ones cannot, and how both groups evolve over time. This project implements an ad hoc methodology for evaluating EDR solutions according to our Threat Hunting model.
This is a living project, and it will be updated as we perform new evaluations and revisit old solutions to check for improvements.
The graphics below showcase the results of the latest homologation evaluations, presented in a visual and executive way. For more details about the results, please refer to the full evaluations in the Excel sheets:
Last updated: 26/11/24
Julio J. Estévez-Pereira
Alberto Terceiro Plumed
Anxo Otero Dans
Julián E. Erbojo Cossio
Sergio Alfaro Alfaro
Luis Ruiz Mayorga
- https://attackevals.mitre-engenuity.org/results/enterprise
- https://detect.fyi/edr-telemetry-project-a-comprehensive-comparison-d5ed1745384b
All the documents included in this project are licensed under the terms of the Apache 2.0 license.