NSS Labs just released its Breach Detection Systems Report, found HERE. The report is premised on the idea that security solutions need to extend beyond the defensive measures found in common security products such as anti-virus and IPS network appliances. NSS Labs has coined a name for the feature set designed to stop advanced threats: "Breach Detection" capabilities. It's essentially technology you would implement as a last layer, for the event that a threat gets past your firewall, AV and network security defenses.
NSS Labs defines a Breach Detection system as having solid management, response to identified threats, reporting options, and the following capabilities for catching threats:
- Malware identification (signatures, heuristics, or both)
- Network traffic analysis (flow monitoring, content analysis or both)
- Sandboxing that allows for modeling internal systems (workstations and servers)
- Browser emulation
- Domain reputation to identify malicious domains
After testing with real malware, exploits, social-engineering attacks and other means, the NSS Labs team produced the value map shown below. It identifies products offering Breach Detection capabilities and how well each stood up to NSS Labs' testing.
Three vendors were able to stop close to 99% of the threats, followed by Fidelis stopping a little less. What is crazy is the drastic drop in effectiveness for AhnLab and FireEye. FireEye's response was direct criticism of the NSS report, found HERE, which NSS Labs has answered HERE. Others at the top of the report, such as Fortinet (HERE) and Cisco (HERE), are happily promoting the findings.
Regardless of those questioning the research, the overall study is interesting and very important for the security industry. My personal feeling is that we need more third-party testing such as the work done by NSS Labs to keep vendors honest about the protection they promise. There are many occasions where products fail because of premature releases or false feature promises, caused by business decisions that trump investing in quality engineering. When products fail, vendors sometimes blame the breach on customer configuration, missing updates or a million other reasons to shield their product from blame. It's hard to cut through the marketing smog and identify a true best-of-breed solution without the lab, manpower and time to evaluate it yourself, or without leveraging reports such as this one. Hats off to NSS Labs for this research.