By Jason Pappalexis
NSS’ 2017 Advanced Endpoint Protection Group Test (AEP Test Methodology v1.0) subjected endpoint products to a variety of threats in order to validate claims of technological differentiation. An industry first, the test produced defendable data that enterprises could use to answer questions such as, “Should I switch to an AEP product?”, and if so, “Is the switch urgent?”.
Endpoint protection continues to evolve, and in their efforts to understand the differences between the products in this space, enterprises are looking more closely at threat detection capabilities, use cases, and costs. For this reason, v2.0 of NSS’ AEP Test Methodology expands the scope of malware, exploits, blended threats (combinations of threats), false positives, and evasions (techniques used to bypass detection) against which products are tested. Additionally, the costs associated with threats bypassing these products are investigated in considerable detail.
It’s not a question of whether AEP products should be implemented, but rather it is a question of what the enterprise use cases are for these products and what the ramifications are when ill-suited products are chosen. This makes selecting an AEP product one of today’s more complex security purchasing challenges.
What to Look for During Product Selection
Every enterprise is unique, and so each organization must prioritize its own requirements when choosing an endpoint product. While some organizations prioritize visibility (relying on incident response teams to remove infections), others focus on impact to user productivity or frequency of signature downloads. Other considerations may be cost, stability and reliability, or security effectiveness—though interestingly, many organizations treat security effectiveness as an early selection filter, looking for a minimum competence (say, 95% effectiveness or above) and then focusing on features as differentiators. This is an efficient way to approach product selection.
Organizations looking to purchase AEP products must take many factors into consideration, including:
Interoperability (data sharing)
Impact to productivity
Visibility into threats and systems
Operating system support
Remediation and rollback functionality
Stability and reliability
Environment requirements (such as SQL database, etc.)
Cost (agent cost per seat, central management system, etc.)
Additional features (device control, host intrusion prevention, etc.)
Each of these factors have subcomponents. For example, security effectiveness considerations include protection and detection before and after threats execute as well as firewall and file system monitoring capabilities. Enterprises must understand how effective a control is both offline and online, as well as how effective it is at detecting threats that are known and unknown, including malware, exploits, blended threats, and evasions. The list goes on.
When it comes to understanding the true costs of a security control, many organizations don’t look further than purchase and maintenance costs. However, ancillary expenses (which NSS refers to as threat-associated costs) can add considerably to overall cost. The NSS Labs total cost of ownership (TCO) model relies on two core assumptions: without security, compromises and incidents will occur, and operational overhead will increase as compromises are remediated. With security, compromises and incidents will occur less often, which means the operational burden should be reduced. For more information on TCO calculations, see the recent 2017 NSS Labs Breach Prevention Systems TCO Comparative Report.
Looking to the Future
In the battle to protect data from threats and reduce risk, enterprises require endpoint products with advanced capabilities. However, while AEP products deliver these, no product is a panacea. All threat vectors must be adequately protected—a chain is only as strong as its weakest link. To manage risk effectively, enterprises must invest the necessary time and resources in order to understand not only their unique environment needs but also the true costs of deploying different controls.
Jason Pappalexis is managing director of the NSS Labs Enterprise Architecture Research Group (EARG), whose charter is to help enterprises solve security challenges. He has worked with endpoint protection products for more than 18 years and has held roles in the IT security industry that include administration, architecture, field engineering, and product testing.
The results of our most recent AEP Group Test will be released at the 2018 RSA Conference. You can obtain a copy of the AEP 2.0 Group Test Methodology from our research library. The methodology describes how NSS will evaluate AEP products to provide an objective and fair assessment of the technology.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.