As socially engineered malware (SEM) becomes increasingly complex, endpoint protection (EPP) products depend more and more on cloud-based reputation systems to protect users. Both Internet Explorer and Chrome use cloud-based reputation systems to protect users from SEM. Application reputation technologies are ubiquitous among EPP products, and EPP products collect significantly more telemetry data from their user base than browsers do. Application reputation technologies are by definition much more proactive than blacklisting techniques, provided they are well designed. Browsers and EPP products use similar cloud-based application reputation approaches, but EPP products are also able to use telemetry from installed products. Which application reputation approach is more effective? Should we consider the differences between the cloud-based security approaches when attempting to select the most effective combination of EPP product and browser?
With Internet Explorer posting nearly perfect SEM protection scores, download protection from the EPP product will be less important than phishing protection. Alternatively, when a browser that posts a high phishing protection score but a low SEM protection score is used, the reliance upon EPP for SEM protection increases.
Typically, protection against exploits and evasions of exploit detection are the most important metrics to consider when evaluating the security performance of EPP products.
The Enterprise EPP Comparative Analysis – Socially Engineered Malware provides security professionals with EPP product metrics for the SEM protection that is provided on download, prior to relying on host-based protection. Host-based execution metrics are aggregated every seven days (for the previous week), but they do not indicate the point at which protection occurred. Tested products will offer far better protection when execution blocking is performed in real-time, but the quality of proactive cloud-based technologies is the focus of this test.
In 2014, NSS will increase its EPP testing. The protection metrics for cloud- and client-based protection will be reported, and detailed information on the different types of protection that occur will be provided. Increasing the frequency of EPP testing will allow security professionals to identify current trends in EPP performance.
Follow me on Twitter (@randyab) to keep informed as new research is released.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.