NSS Labs Announces Industry's First Breach Prevention System Group Test Results

AUSTIN, Texas – December 13, 2017 – NSS Labs, Inc., a global leader and trusted source for independent fact-based cybersecurity guidance, today announced the results of its Breach Prevention Systems (BPS) Group Test. Recent breaches along with the proliferation of unknown or advanced threats have demonstrated that attackers are able to bypass conventional endpoint and perimeter-based security solutions. The Ponemon Institute’s 2017 Cost of Data Breach Study estimates that the average total cost of a data breach is $3.62 million. The goal of a breach prevention system is to take appropriate action against a threat before it results in a breach.

A breach prevention system leverages multiple modern technologies such as cloud and on-premises sandboxing, emulation, and machine learning in conjunction with traditional deep inspection and/or access control blocking technologies such as next generation firewalls (NGFWs) and next generation intrusion prevention systems (NGIPS) that act as enforcement points. In addition, most BPS have integrated endpoint technology, which enables them to block attacks that would not otherwise be seen by a network device.

NSS Labs predicts that breach prevention systems will augment or replace NGFWs and NGIPS as superior protection technologies. Large, medium, and even small businesses will see value in deploying breach prevention systems.

For NSS Labs’ first BPS Group Test, both new and existing evasion techniques were leveraged with threats sourced from NSS Labs’ continuous test harness. Evasions are used to circumvent security controls. All solutions tested failed to block at least one evasion. Even a single evasion miss is a concern since that evasion technique can be used for other potential attacks.

Five products from market-leading security vendors were tested for security effectiveness, performance, and total cost of ownership (TCO). Of these, four solutions were rated as Recommended and one solution received a Caution rating.

Key findings from the test:

  • All tested solutions missed at least one evasion. 
  • 132 evasion techniques were utilized in the 2017 BPS Group Test.
  • Overall Security Effectiveness ranged from 25.0% to 99.2%; three of the five solutions tested achieved a Security Effectiveness rating greater than 90%.
  • TCO per Protected Mbps ranged from US$14 to US$414, with most tested solutions costing less than US$80 per protected Mbps.

“Integrated Breach Prevention Systems are fast becoming the preferred approach to securing the enterprise network,” said Jason Brvenik, Chief Technology Officer at NSS Labs. “Enterprises need different approaches that not only help to detect attacks but can also help prevent them from occurring in the first place. The 2017 BPS Group Test results provide enterprises with critical insights as they seek new approaches to strengthen their security controls.”   

The following products were tested:

  • Check Point Software Technologies 15600 Next Generation Threat Prevention & Sandblast (NGTX) Appliance R77.30
  • Cisco FirePOWER 8350 v6.1.0.1 with Cisco AMP v5.1.12.10483
  • Fortinet Advanced Threat Protection (FortiSandbox Cloud with FortiGate 600D v5.6.1, FortiMail Virtual Appliance v5.4.0 and FortiClient ATP Agent v5.6.1.1112)
  • Juniper Networks SRX1500 v15.1X49-D90.7 with Sky ATP
  • Palo Alto Networks PA-5220 PAN-OS 8.0.3-h4 with Traps v4.1.0.28239

NSS Labs is committed to providing empirical data and objective group test results that enable organizations to make educated decisions about purchasing and optimizing security infrastructure products and services. As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results. Click here for more information about our group test policies.

Click here for more information on this test and the test methodology used, or to purchase the individual Test Reports. Click here to download the Security Value Map, which provides a graphic comparison of Security Effectiveness and TCO across the tested products.
