By Jason Pappalexis
In 1957, science fiction author Robert A. Heinlein published The Door Into Summer, a story about suspended animation, time travel, patent law, and a cat. The protagonist is an inventor who is forced into a 30-year sleep by his business partners so they can steal his valuable patents. Once he’s awake, the protagonist uncovers the deception and travels back in time to 1970, where he is able to foil his antagonists’ plans. It’s a classic example of Heinlein’s work, with fast-paced dialog, a compelling plot, and a view into the future as perceived by authors in the mid-twentieth century.
Two underlying themes of the story are compromise and visibility—compromise, in that one often has to choose between two outcomes, neither of which is ideal; and visibility, in that with hindsight, obstacles are much more easily navigated.
This is not unlike the challenges that come with products deployed within IT security architectures. There is a long-recognized trade-off between security and business continuity. There is the hypothetical goal of a completely secure system, 100% protected from threats and data misuse; all files are scanned, data in motion and data at rest is encrypted, browsing is secured, applications are controlled, file system changes are tracked, memory space is inspected, identities are validated with multi-factor authentication, etc. But this (still hypothetical) fully protected system is often restrictive and, unfortunately, difficult to use. Most security practitioners accommodate this dichotomy by carefully balancing visibility and usability with the cost of security (see more in this blog on endpoint visibility).
Advanced endpoint protection (AEP) products offer a mix of capabilities designed to support modern requirements for security effectiveness, threat visibility, and system visibility. NSS Labs’ clients often downselect endpoint security product candidates based on advanced threat protection capabilities—for example, resistance to layered evasions, fileless malware, and ransomware.
However, as stated in the NSS Labs AEP Test Methodology v3.0, “current products and techniques are generally unable to stop even the least capable of the advanced threats, let alone the truly determined advanced persistent threat.” This can make product selection choices easier, but in some cases can also make it more difficult; for example, what if a product ticks the boxes for all requirements except security effectiveness? For this reason, we often work with our clients to prioritize and weight their requirements to enable an easier and more defendable decision.
We are observing a trend in which enterprises acknowledge that they cannot easily verify artificial intelligence (AI) or machine learning (ML) engine technologies, and so instead they create lab-based proofs of concept (PoCs) focused on measurable capabilities such as manageability, interoperability, agent anti-tampering, and threat event reporting (visibility into threats and systems; i.e., data available through the console, API, and logs). This includes exploring ancillary features such as firewall, data at rest encryption, data loss prevention, and device control (all of which are reportedly in use by respondents to the 2018 NSS Labs Network Security Study). Enterprises can then tally the scores from the features they have observed firsthand, add in effectiveness scoring (obtained either internally or from a third party), and gain a strong idea of which product will fit their needs.
Visibility, effectiveness, and usability go hand in hand. The endpoint security product space must continue to evolve in order to match the needs of the enterprise, including higher detection capabilities and the provision of an appropriate level of forensic data. NSS is looking forward to further evaluating the product space and reporting on differences that will help enterprise security teams understand which products will best fit their environments.
It would be nice to time travel 30 years into the future and see how cyberthreats have evolved in order to better guide today’s product roadmap. Unfortunately, we have to let this technology play out in its own due time.
NSS Labs has published a series of Intelligence Briefs on security controls in the US enterprise. The NSS Labs 2019 Intelligence Brief on Advanced Endpoint Protection (AEP) offers visibility into current enterprise requirements for the technology. The paper will be available to subscribers in our research library.
NSS Labs Test results using the AEP Test Methodology v3.0 released earlier this week.