{"id":19929,"date":"2022-08-18T07:00:03","date_gmt":"2022-08-18T11:00:03","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/kedr-selabs-test-2022\/19929\/"},"modified":"2022-08-18T17:27:59","modified_gmt":"2022-08-18T13:27:59","slug":"kedr-selabs-test-2022","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/kedr-selabs-test-2022\/19929\/","title":{"rendered":"Independent testing of EDR solutions"},"content":{"rendered":"<p>The best way to prove the effectiveness of a security solution is to test it in conditions that are as close to real-world as possible, using the typical tactics and techniques of targeted attacks. Kaspersky regularly participates in such tests and is a fixture at the <a href=\"https:\/\/www.kaspersky.com\/top3\" target=\"_blank\" rel=\"noopener nofollow\">top of the ratings<\/a>.<\/p>\n<p>The results of a recent test\u00a0\u2014 <a href=\"https:\/\/selabs.uk\/reports\/enterprise-advanced-security-edr-2022-q2-detection\/\" target=\"_blank\" rel=\"nofollow noopener\">Enterprise Advanced Security (EDR): Enterprise 2022 Q2 \u2013 DETECTION<\/a>\u00a0\u2014 were published in a report by <a href=\"https:\/\/selabs.uk\/\" target=\"_blank\" rel=\"nofollow noopener\">SE Labs<\/a>. The British company has been putting the security solutions of major vendors through their paces for several years now. In this latest test, our business product <em>Kaspersky Endpoint Detection and Response Expert<\/em> achieved a 100% score in targeted attack detection and was awarded the highest possible rating \u2013 AAA.<\/p>\n<p>This is not SE Labs\u2019 first analysis of our products for protecting corporate infrastructure against sophisticated threats. The company previously ran its Breach Response Test (in which we took part in <a href=\"https:\/\/selabs.uk\/reports\/breach-response-test-kaspersky-anti-targeted-attack-platform\/\" target=\"_blank\" rel=\"nofollow noopener\">2019<\/a>). 
In <a href=\"https:\/\/selabs.uk\/reports\/enterprise-advanced-security-edr-kaspersky-2021-q4\/\" target=\"_blank\" rel=\"nofollow noopener\">2021<\/a>, our product was tested in their Advanced Security Test (EDR). Since then, the testing methodology has been tweaked, and the test itself has been divided into two parts: Detection and Protection. This time, SE Labs studied how effective security solutions are at <em>detecting<\/em> malicious activity. Besides Kaspersky EDR Expert, four other products took part in the test: Broadcom Symantec, CrowdStrike, BlackBerry, and another, anonymous, solution.<\/p>\n<h2>Grading system<\/h2>\n<p>The testing was made up of several checks, but to get a feel for the results, it will suffice to look at the <strong>Total Accuracy Ratings<\/strong>. This basically shows how well each solution detected attacks at different stages, and whether it pestered the user with false positives. For even greater visual clarity, the participating solutions were assigned an award: from AAA (for products with a high Total Accuracy Rating) to D (for the least effective solutions). As mentioned, our solution got a 100% result and an AAA rating.<\/p>\n<p>The Total Accuracy Ratings consist of scores in two categories:<\/p>\n<ul>\n<li>Detection Accuracy: this takes into account the success of detecting each significant stage of an attack.<\/li>\n<li>Legitimate Software Rating: the fewer the false positives generated by the product, the higher the score.<\/li>\n<\/ul>\n<p>There\u2019s one other key indicator: Attacks Detected. This is the percentage of attacks detected by the solution during at least one of the stages, giving the infosec team a chance to respond to the incident.<\/p>\n<h2>How we were tested<\/h2>\n<p>Ideally, testing should reveal how the solution would behave during a real attack. With that in mind, SE Labs tried to make the test environment as life-like as possible. 
First, the security solutions were configured for the test not by their developers but by SE Labs\u2019 own testers, working from the vendor\u2019s instructions \u2013 just as a client\u2019s infosec team usually would. Second, the tests were carried out across the entire attack chain \u2013 from first contact to data theft or some other outcome. Third, the tests were based on the attack methods of four real and active APT groups:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.theregister.com\/2022\/05\/18\/wizard-spider-ransomware-conti\/\" target=\"_blank\" rel=\"nofollow noopener\">Wizard Spider<\/a>, which targets corporations, banks and even hospitals. Among its tools is the banking Trojan <a href=\"https:\/\/www.kaspersky.com\/blog\/trickbot-new-tricks\/42622\/\" target=\"_blank\" rel=\"noopener nofollow\">Trickbot<\/a>.<\/li>\n<li><a href=\"https:\/\/www.welivesecurity.com\/2022\/03\/21\/sandworm-tale-disruption-told-anew\/\" target=\"_blank\" rel=\"nofollow noopener\">Sandworm<\/a>, which primarily targets government agencies and is infamous for <a href=\"https:\/\/securelist.com\/expetrpetyanotpetya-is-a-wiper-not-ransomware\/78902\/\" target=\"_blank\" rel=\"noopener\">NotPetya<\/a>, malware that masqueraded as ransomware but in fact destroyed victims\u2019 data beyond recovery.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/lazarus-defi-wallet-backdoor\/44138\/\" target=\"_blank\" rel=\"noopener nofollow\">Lazarus<\/a>, which became widely known after the large-scale attack on Sony Pictures in November 2014. 
Having previously focused on the banking sector, the group has recently set its sights on crypto-exchanges.<\/li>\n<li><a href=\"https:\/\/www.fox-it.com\/media\/kadlze5c\/201912_report_operation_wocao.pdf\" target=\"_blank\" rel=\"nofollow noopener\">Operation Wocao<\/a>, which targets government agencies, service providers, energy and tech companies, and the healthcare sector.<\/li>\n<\/ul>\n<h3>Threat detection tests<\/h3>\n<p>In the Detection Accuracy test, SE Labs studied how effectively security solutions detect threats. This involved carrying out 17 complex attacks modeled on real-world campaigns by the Wizard Spider, Sandworm, Lazarus Group and Operation Wocao actors. Each attack was broken down into four significant stages, each consisting of one or more interconnected steps:<\/p>\n<ul>\n<li>Delivery\/Execution<\/li>\n<li>Action<\/li>\n<li>Privilege Escalation\/Action<\/li>\n<li><a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/lateral-movement\/\" target=\"_blank\" rel=\"noopener\">Lateral Movement<\/a>\/Action<\/li>\n<\/ul>\n<p>The test logic does not require the solution to detect every event at a given stage of the attack; it is enough to identify at least one of them. For example, if the product failed to notice how the payload got onto the device but detected the attempt to run it, it passed the first stage.<\/p>\n<p><strong>Delivery\/Execution.<\/strong> This stage tested the solution\u2019s capacity to detect an attack in its infancy: at the moment of delivery\u00a0\u2014 for example, of a phishing e-mail or malicious link\u00a0\u2014 and at the execution of the malicious code. In real conditions, the attack is usually stopped right there, since the security solution simply doesn\u2019t allow the malware to go any further. 
But for the purposes of the test, the attack chain was allowed to continue so as to see how the solution would cope with the subsequent stages.<\/p>\n<p><strong>Action.<\/strong> Here, the researchers studied the solution\u2019s behavior once the attackers had already gained access to the endpoint. The solution was required to detect the illegitimate actions carried out by the attacker\u2019s software.<\/p>\n<p><strong>Privilege Escalation\/Action.<\/strong> In a successful attack, the intruder attempts to gain higher privileges in the system in order to cause even more damage. The solution was awarded points for detecting either the privilege escalation itself or the actions it made possible.<\/p>\n<p><strong>Lateral Movement\/Action.<\/strong> Having compromised one endpoint, the attacker can try to infect other devices on the corporate network. This is known as lateral movement. The testers checked whether the security solutions detected attempts at such movement or any actions made possible as a consequence of it.<\/p>\n<p>Kaspersky EDR Expert scored 100% in this segment; that is, not a single stage of any attack went unnoticed.<\/p>\n<h3>Legitimate Software Ratings<\/h3>\n<p>Good protection must not only reliably repel threats but also avoid getting in the way of legitimate software and services. For this, the researchers introduced a separate score: the higher it was, the less often the solution mistakenly flagged legitimate websites or programs \u2013 especially popular ones \u2013 as dangerous.<\/p>\n<p>Once again, Kaspersky EDR Expert got 100%.<\/p>\n<h2>Test results<\/h2>\n<p>Based on all the test results, <a href=\"https:\/\/me-en.kaspersky.com\/enterprise-security\/endpoint-detection-response-edr?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">Kaspersky Endpoint Detection and Response Expert<\/a> was awarded the highest available rating: AAA. 
Three other products earned the same rating: Broadcom Symantec Endpoint Security and Cloud Workload Protection, CrowdStrike Falcon, and the anonymous solution. However, only we and Broadcom Symantec achieved a 100% score in the Total Accuracy Ratings.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>SE Labs awarded Kaspersky EDR its highest rating in independent tests based on real world attacks.<\/p>\n","protected":false},"author":2706,"featured_media":19930,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1916,7],"tags":[2294,1199,1655,600],"maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/independent-tests\/","name":"independent tests"}}