Qualys Achieves 100% Major Step Detection in the 2024 MITRE ATT&CK Evaluations, Enterprise
Last updated on: December 12, 2024
Table of Contents
- How Qualys Transformed from Risk Leader to EDR Powerhouse
- Qualys Performance: Leading the Pack
- Low False Positives: The Key to Effective EDR
- Why is MITRE ATT&CK Important?
- Qualys Endpoint Detection & Response: A Market-Leading Solution
- More Than Detection: A Holistic Approach to Risk Management
- Advanced Ransomware Mitigation: A Safety Net Against the Worst-Case Scenario
- Conclusion
How Qualys Transformed from Risk Leader to EDR Powerhouse
In today’s rapidly evolving threat landscape, ransomware continues to dominate as one of the most significant cybersecurity challenges. To help organizations evaluate their defenses against these sophisticated threats, the MITRE ATT&CK Evaluations provide a transparent, real-world assessment of security solutions.
The 2024 evaluation focused on two of the most notorious ransomware families, LockBit and Cl0P, covering Windows and Linux platforms. Here's a comprehensive look at what this means for organizations and how the Qualys platform stands apart in addressing modern cybersecurity risks.
Qualys Performance: Leading the Pack
Qualys achieved remarkable results in the 2024 MITRE ATT&CK Evaluations for Enterprise:
- 100% Major Step Detection: Qualys successfully detected all major steps across LockBit (8 steps) and Cl0P (4 steps) simulations.
- High Sub-Step Detection Rates: Identified 18 out of 19 sub-steps for Cl0P (94.7%) and 36 out of 40 sub-steps for LockBit (90%).
- Low False Positive Rate: With just 1 false positive, Qualys was among the most accurate vendors in distinguishing real threats from benign activity.
- Unique Techniques Detected: Qualys identified 38 out of 41 unique techniques used in the tests.
In addition to the detection tests, Qualys participated in the protection tests for the first time, achieving a 50% blocking rate across the Windows and Linux environments. This result highlights Qualys' growing focus on proactive threat prevention.
Low False Positives: The Key to Effective EDR
While high detection rates are important, they mean little if accompanied by excessive false positives (FPs). A solution with a high FP rate creates noise that overwhelms security teams, leading to alert fatigue and missed genuine threats. This is why MITRE's introduction of false positive testing was so important, and why Qualys' result of a single false positive across both scenarios is such a standout achievement.
Some vendors may achieve high detection scores only at the cost of FP rates of 50% or more, which makes their output impractical to triage in real-world environments.
Qualys’ ability to maintain high accuracy while minimizing false positives ensures that security teams can focus on real threats without being bogged down by unnecessary alerts. This balance between detection and precision is what makes Qualys EDR truly effective.
Why is MITRE ATT&CK Important?
MITRE ATT&CK Evaluations are critical for both vendors and organizations because they:
- Simulate Real-World Threats: They replicate sophisticated attack techniques used by actual adversaries, providing a realistic benchmark for security solutions.
- Provide Objective Insights: As an independent evaluation, MITRE offers unbiased results that help organizations make informed decisions about their security investments.
- Highlight Strengths and Gaps: By testing detection and protection capabilities across various attack stages, the evaluations reveal how well solutions can address complex threats.
- Set Industry Standards: The results serve as a benchmark for comparing the performance of different cybersecurity tools.
These evaluations are invaluable for organizations in understanding how their chosen tools will perform under real-world conditions.
Qualys Endpoint Detection & Response: A Market-Leading Solution
Qualys’ exceptional performance in the 2024 MITRE ATT&CK Evaluations: Enterprise, particularly the 100% major step detection and remarkably low false positive rate, firmly establishes its EDR solution as a top-tier player in the endpoint security market. This achievement is particularly significant as it demonstrates Qualys’ ability to compete with—and often outperform—traditional EDR-focused vendors. The evaluation results prove that Qualys EDR’s capabilities go far beyond basic endpoint protection, offering sophisticated threat detection, advanced behavioral analysis, and comprehensive response capabilities.
For the market, this sends a clear message: Qualys has successfully transformed from being perceived as “just” a vulnerability management provider to becoming a formidable force in many additional areas like endpoint security. The company’s ability to detect complex ransomware operations like LockBit and Cl0P with such high accuracy while maintaining one of the lowest false positive rates in the industry validates its position as a comprehensive security platform provider.
This performance tells customers, analysts, and competitors that Qualys’ EDR solution isn’t just an add-on to its vulnerability management platform—it’s a market-leading security solution capable of defending against the most sophisticated threats in today’s landscape.
More Than Detection: A Holistic Approach to Risk Management
Qualys’ success in the MITRE evaluation is not just about detecting ransomware—it reflects its ability to prevent attacks before they occur and mitigate their impact if they do. The Qualys TruRisk platform integrates External Attack Surface Management (EASM), Vulnerability Management, Patch Management, and Ransomware Mitigation into a unified solution that addresses risk holistically.
External Attack Surface Management (EASM)
Ransomware groups like LockBit and Cl0P often exploit exposed assets such as vulnerable VPNs, RDP endpoints, or file transfer servers. Qualys EASM continuously scans for these risks, identifying exposed systems like MOVEit Transfer servers or Citrix NetScaler appliances before attackers can exploit them. By proactively monitoring the attack surface, Qualys helps organizations close vulnerabilities that ransomware groups rely on for initial access.
Vulnerability Management
The Qualys platform prioritizes vulnerabilities based on real-world threat intelligence, ensuring organizations focus on the risks most likely to be exploited by ransomware groups. For example, CVE-2023-34362 (MOVEit Transfer), mass-exploited by Cl0P, and CVE-2023-4966 (Citrix Bleed), exploited by LockBit affiliates, are flagged for immediate remediation. This targeted approach ensures critical weaknesses are addressed before attackers can weaponize them.
Patch Management
Timely patching is critical in preventing ransomware attacks. Qualys automates this process by deploying patches for vulnerabilities like CVE-2023-27350 (PaperCut) across affected systems. Its platform ensures patches are applied quickly and validated for effectiveness, reducing the window of exposure to ransomware campaigns.
Advanced Ransomware Mitigation: A Safety Net Against the Worst-Case Scenario
Even with proactive defenses, ransomware attacks can still succeed in encrypting files.
This is where the Qualys Ransomware Mitigation feature shines. During the MITRE evaluation, Qualys demonstrated its ability to recover hundreds of encrypted files in real time by monitoring file entropy, a key indicator of ransomware activity: encrypted output is close to uniformly random, so a write that drives a file's entropy sharply upward is a strong signal. When encryption was detected, Qualys created temporary in-memory backups of the affected files and restored them after blocking the attack.
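To make the entropy mechanism concrete, here is an added example (written for this page, not Qualys code or a description of how its agent is implemented) that scores each write by Shannon entropy, snapshots the pre-write bytes in memory when a write looks like encryption, and rolls the snapshots back once the writer is blocked. The thresholds, the simulated filesystem, the XOR "encryption" stand-in, and all sample file contents are constructed assumptions.

```python
import math
import random
from collections import Counter

# Illustrative thresholds (assumptions, not Qualys tuning values).
ENTROPY_ALERT_THRESHOLD = 7.5  # bits/byte; encrypted or random data approaches 8.0
ENTROPY_JUMP_THRESHOLD = 2.0   # a single write must raise entropy by at least this much


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_write(old: bytes, new: bytes) -> str:
    """Return 'suspicious' only when the new content looks encrypted AND the
    entropy jumped sharply relative to the old content. A file that was already
    high-entropy (zip, jpeg, already-encrypted) is left alone: entropy alone
    cannot distinguish it from ciphertext, and flagging it would be a false positive."""
    e_old, e_new = shannon_entropy(old), shannon_entropy(new)
    if e_new >= ENTROPY_ALERT_THRESHOLD and e_new - e_old >= ENTROPY_JUMP_THRESHOLD:
        return "suspicious"
    return "benign"


class RansomwareGuard:
    """Simulated write hook: keep an in-memory copy of pre-write bytes for
    suspicious writes and restore them after the writer has been blocked."""

    def __init__(self, files):
        self.files = dict(files)  # path -> current on-disk bytes (simulated disk)
        self.backups = {}         # path -> pre-write bytes, held only in memory

    def on_write(self, path: str, new_content: bytes) -> str:
        old = self.files.get(path, b"")
        verdict = classify_write(old, new_content)
        if verdict == "suspicious":
            self.backups.setdefault(path, old)  # first snapshot is the clean one
        self.files[path] = new_content          # the write itself still lands
        return verdict

    def block_and_restore(self):
        """Called once the offending process is terminated: put snapshots back."""
        restored = sorted(self.backups)
        self.files.update(self.backups)
        self.backups.clear()
        return restored


# Constructed sample data (not captured from any real system).
NOTES = b"Quarterly budget notes: travel 12k, cloud 48k, headcount 3.\n" * 80
REPORT = b"Incident report 2024-11-02: phishing email, no credential loss.\n" * 70
ARCHIVE = random.Random(3).randbytes(4096)  # stands in for an already-compressed zip


def fake_encrypt(plaintext: bytes, seed: int) -> bytes:
    """Stand-in for ransomware encryption: XOR with a seeded pseudo-random keystream,
    which yields near-uniform (high-entropy) output just as real ciphertext does."""
    keystream = random.Random(seed).randbytes(len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


def run_demo():
    """Encrypt every file, collect verdicts, then block and restore."""
    guard = RansomwareGuard({"notes.txt": NOTES, "report.txt": REPORT, "archive.zip": ARCHIVE})
    verdicts = {}
    for seed, (path, content) in enumerate(list(guard.files.items()), start=11):
        verdicts[path] = guard.on_write(path, fake_encrypt(content, seed))
    restored = guard.block_and_restore()
    return {"verdicts": verdicts, "restored": restored, "files": guard.files}


if __name__ == "__main__":
    result = run_demo()
    for path, verdict in result["verdicts"].items():
        print(f"{path}: {verdict}")
    print("restored:", result["restored"])
```

The two text files are flagged and come back intact; the archive is not, because its entropy was already near 8 bits per byte before the overwrite. That is the practical caveat of entropy-based detection: it needs a second signal (write burst rate, renamed extensions, dropped ransom notes) for files that are compressed or encrypted at rest, and a real agent takes its snapshots from a kernel-level file hook rather than a Python dictionary.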
Conclusion
The 2024 MITRE ATT&CK Evaluations: Enterprise highlights not only the sophistication of modern ransomware threats but also the importance of choosing a security solution that can rise to the challenge. By offering proactive prevention, rapid recovery capabilities, and comprehensive threat detection, Qualys provides organizations with unmatched protection against today’s most dangerous adversaries.