By Jason Pappalexis
My February blog on the evolution of NSS Labs’ advanced endpoint protection (AEP) group testing discussed how the 2017 AEP Group Test produced defendable data for enterprises to use during product selection and examined what enterprises look for during product selection.
AEP vendors have captured the attention of the enterprise with some pretty bold claims about their products. Claims about detection, threat visibility, update frequency, and resource use have forced IT security teams to expand the scope of their proof of concept (PoC) testing as they attempt to measure these claims.
AEP Market: New Vendors, New Focus
The AEP market contains many players, each of which has a slightly different take on what advanced endpoint protection entails. While many products claim similar security effectiveness, they differ considerably with regard to ancillary features. These features directly impact a product's capability, purpose, and thus value.
Vendors claim to have raised the bar for endpoint protection product performance, and enterprises should respond with more rigorous PoC success criteria and tighter evaluation periods.
The good news is that there are many products to choose from—and this is also the problem.
Results from NSS Labs’ 2018 AEP Group Test (v2.0 Test Methodology) will be released this week. Here at NSS, we are excited about the insight these results will provide for enterprises in the midst of down-selecting products prior to PoC. The test data will save time for those enterprises that do not have the resources to fully vet products, and it will provide additional information for those enterprises that do.
If your enterprise has not yet reached the PoC stage, make sure you fully understand the motivation for change. Additionally, since management console workflow and threat visibility functionality vary widely among products, make sure you allot enough time to evaluate these capabilities carefully.
Start building success criteria on day one
The first step in your product selection process should be to gather details on your environment's requirements. This information will define your project's success criteria, and it will help you build an accurate and defensible RFI/RFP that clearly differentiates between products.
Consider the following during your evaluation of AEP products:
Forensic information requirements
Threat hunting requirements
Single-agent/single-management console or multi-agent/multi-management console considerations
Management console feature, workflow, and deployment requirements
Ancillary security capability requirements (HIPS, FIM, device control, DLP, etc.)
Security effectiveness metrics typically become more relevant during the later stages of the evaluation process (as you move closer to a PoC). During the early stages of product selection, it is reasonable to assume that any product you shortlist can provide protection in line with your tolerance for risk, and to confirm that assumption in the PoC. As with many things, there is a balance: if you start down-selecting AEP products based on security effectiveness too early, you may find yourself forced to compromise on other features.
AEP Product Use
In the 2017 NSS Labs Cloud Security Study, 93.6% of respondents indicated that they deploy endpoint security products (EPP, AEP, EDR) at their organizations, and 27.2% of respondents indicated that they use AEP products. The AEP share will continue to grow as the line blurs between EPP, AEP, and EDR products.
It’s not too early to think about management console workflow and threat visibility requirements
The products in the recent NSS Labs AEP Group Test displayed a broad range of management console workflow styles and capabilities. All meet the operational definition of AEP but have widely differing functionality and threat visibility. While management console workflow maturity does not necessarily correlate with a product’s security efficacy, it can impact policy creation and deployment significantly and should be considered carefully.
Threat visibility is a large differentiator among AEP products. While all AEP products should provide forensics, capabilities vary greatly, and not all offer the extensive forensics required by some incident response (IR) teams, such as source and callback IPs, file information, file hashes, threat severity, and lateral movement. Additionally, attack response efforts by some IR teams require even more specialized functionality, such as threat investigation workflows and endpoint queries. You may not require all of this functionality, but if you do, you will have a limited number of products to choose from (or you will need a separate agent). For this reason, we recommend that you determine your need for forensic information as early as possible.
AEP products have traditional drivers for change
The endpoint security market is in the midst of a renaissance that is being driven by the seemingly endless development of advanced threats and the enterprise’s need to detect them.
An enterprise’s decision to switch endpoint products is based on its need to reduce threat-associated costs and lower organizational risk. Common drivers for change include low detection rates (usually seen as an increase in trouble tickets and in time to remediate or discover a breach) or the need to improve protection against a specific threat category such as ransomware. The motivation for change may also result from a lack of satisfaction with the vendor support currently provided or the need to meet a new use case, including newer operating systems or devices. Requirements for incident resolution differ from those for basic protection and alert investigation, and they can also be motivators for change.
Finding the product that works best for your environment involves prioritizing many requirements; building a targeted RFI/RFP; evaluating security effectiveness and product capabilities; and evaluating the product in a PoC. Is the process easy? No, but enterprises that take the time to evaluate their strategic needs are more likely to succeed in the long term.
Jason Pappalexis (@jsnppp) is managing director of the NSS Labs Enterprise Architecture Research Group (EARG), whose charter is to help enterprises solve security challenges. He has worked with endpoint protection products for more than 18 years and has held roles in the IT security industry that include administration, architecture, field engineering, and product testing.
The results of the 2018 NSS Labs AEP Group Test will be released at the 2018 RSA Conference. The 2018 AEP Product Selection Series will be released in Q2 and Q3. This series will provide strategic, tactical, and operational guidance for AEP product purchasing decisions through analysis of the capabilities within current AEP products. You can view all AEP-related reports and research documents in the NSS Labs Research Library.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.