Introducing the Breach Prevention System
NSS is tapped into both the enterprise and the vendor side of the security equation, which gives us a unique perspective on the industry. Over the last 20 years, the cat-and-mouse game of threat actor vs. security protection has spurred innovation and technology advancement across much of the digital economy.
Several years ago NSS defined the breach detection systems (BDS) segment.
Since then, BDS have successfully identified countless infections that would otherwise go unnoticed, saving enterprises millions and millions of dollars. However, when discussing BDS, we hear one question repeatedly: “If a BDS can detect a breach, why can’t it block it?”
So, over the past few years, security vendors have put a lot of time, money, and effort into developing a BDS product that can go inline. In order to do so, there were likely some compromises made, particularly with regard to the requirements for detecting vs. preventing a breach. NSS is defining this new technology category as breach prevention systems (BPS). Given the stringent requirements for an inline device, it is highly unlikely that BPS will replace BDS: replacing BDS with BPS would likely mean losing visibility into those attacks that cannot be blocked but are being detected today by a BDS.
NSS is pleased to announce our first test methodology for BPS, with our first group test initiating in early 2017.
NSS believes organizations will continue to deploy BDS as a complement to BPS, since BDS does not block and therefore can be tuned to a more sensitive detection role than a BPS, which will generally be deployed more conservatively to avoid false positive events (and thus, blocks).
So, what distinguishes a BPS from other protection technologies? A BPS feeds off data (evidence) that it either gathers itself or receives from a variety of sources, including endpoint agents, SIEM, a cloud system, or a BDS/sandbox solution. The BPS uses this data to determine whether an activity is malicious and, if it is, to yield a conviction event. The BPS aggregates the data (e.g., indicators of attack (IoAs), indicators of compromise (IoCs), or other evidence of suspected malicious activity) and provides it to an engine, which analyzes the data and determines whether a conviction event is warranted. If conviction is warranted, a prevention activity occurs (e.g., a session is dropped, an IP address is blocked, a client is disconnected).
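As an added illustration of the aggregate-analyze-convict flow just described, and of the more conservative threshold an inline BPS needs compared with a detect-only BDS, the following Python model is constructed for this post; it is not NSS's test methodology or any vendor's code, and the source names, weights, thresholds and action name are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed model of the evidence-aggregation and conviction flow described above.
# Source names, weights, thresholds and the action name are assumptions for illustration.

@dataclass(frozen=True)
class Evidence:
    source: str   # producing system, e.g. "endpoint", "siem", "sandbox" (assumed names)
    kind: str     # "ioa" (indicator of attack) or "ioc" (indicator of compromise)
    detail: str   # human-readable description of what was observed
    weight: int   # confidence this item contributes (assumed 0-100 scale)

@dataclass(frozen=True)
class Decision:
    session: str
    score: int
    sources: int            # number of distinct sources that contributed evidence
    convicted: bool         # True when a conviction event is raised
    action: Optional[str]   # prevention activity on conviction; None in detect-only mode

# Assumed engine policy. The inline BPS demands a higher score plus corroboration
# from a second source, so one noisy feed cannot trigger a block on its own; the
# detect-only BDS can afford a more sensitive threshold because it never blocks.
POLICY = {
    "bds": {"threshold": 50, "min_sources": 1, "action": None},
    "bps": {"threshold": 80, "min_sources": 2, "action": "drop_session"},
}

def convict(session: str, evidence: List[Evidence], mode: str) -> Decision:
    """Aggregate all evidence for one session and decide whether a conviction event is warranted."""
    policy = POLICY[mode]
    score = min(100, sum(ev.weight for ev in evidence))
    sources = len({ev.source for ev in evidence})
    convicted = score >= policy["threshold"] and sources >= policy["min_sources"]
    return Decision(session, score, sources, convicted, policy["action"] if convicted else None)

# Constructed sample evidence: two endpoint-agent IoAs, then a sandbox IoC arriving later.
ENDPOINT_ONLY = [
    Evidence("endpoint", "ioa", "document viewer launched a scripting host", 45),
    Evidence("endpoint", "ioa", "script contacted an uncategorised domain", 30),
]
CORROBORATED = ENDPOINT_ONLY + [
    Evidence("sandbox", "ioc", "detonated attachment matched known malware", 50),
]

if __name__ == "__main__":
    for mode in ("bds", "bps"):
        print(mode, convict("sess-1", ENDPOINT_ONLY, mode))
        print(mode, convict("sess-1", CORROBORATED, mode))
```

With endpoint-only evidence the BDS raises a conviction (alert) while the BPS stays silent; once the sandbox corroborates, the BPS convicts and drops the session.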
Over the next few years, we expect breach prevention adoption to surpass that of both breach detection and intrusion prevention, as it is adopted by large, medium, and even small enterprises. It’s going to be an exciting space to watch, and NSS will be here to help enterprises decide which solution is best for their environment.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.