NSS Labs Announces Results of 2018 Endpoint Detection and Response Group Test

Three Products Receive Recommended Rating; One Product Receives Caution Rating

AUSTIN, Texas – November 14, 2018 – NSS Labs, Inc., a global leader and trusted source for independent, fact-based cybersecurity guidance, today announced the results of its 2018 Endpoint Detection and Response (EDR) Group Test. Four products from market-leading security vendors were examined to help enterprises understand the merits of products in the market and identify capabilities that are best suited to meet their use case.

EDR products provide the critical information incident response teams need to conduct forensic investigations. Properly utilizing an EDR product requires an expert team of security forensic specialists. Forensics are particularly important for some enterprises, which is why EDR products that focus on forensic investigation and continuous monitoring remain in demand. In the 2018 NSS Labs Network Security Study, 89.4% of the US enterprises surveyed indicated the use of some forensic features on their endpoint products.[1] NSS Labs' testing of forensic reporting capabilities in EDR products included application programming interface (API) calls, data exfiltration, file system, network traffic, registry, and system and data integrity.

For organizations that are constantly under attack, an EDR product can save time and money. NSS Labs recommends that organizations that are likely to be the target of advanced persistent threats (APTs) deploy an EDR product. This is especially true for organizations deemed to be critical infrastructure. NSS Labs also recommends deploying EDR products strategically on systems with access to critical information and systems in the data path that can be used to gain entry to (or exfiltrate) a network.

An EDR product provides visibility into the behavior of endpoints so that forensic security analysts and forensic teams have the information they need to investigate suspicious activity. Continuous monitoring of the endpoint, detection of anomalous activity, and supplying forensic detail to empower incident response are core features of an EDR product. In theory, an endpoint protection platform (EPP)/antivirus (AV) product blocks attacks while an EDR product detects the attacks that were not blocked. Using this approach, incident response investigations can focus on what happened and whether any data was compromised or lost.

This first iteration of NSS Labs' EDR Group Test introduced real-world cyberattack scenarios to determine how effective products were at detecting, logging, and reporting on the following threats:

  • Blended threats, which exploit multiple vulnerabilities and combine techniques such as spear phishing, infected peripherals, and sophisticated antivirus evasion to infect the endpoint device
  • Techniques and tactics from common APTs
Key Takeaways:

  • EDR products are developed with different philosophies and capabilities. Some are designed to identify threats pre-execution, others contain technology that lends itself to identification of threats during execution, and still others may excel at identifying attacks post-execution.

  • Most EDR products have a mix of detection capabilities that enable detection pre-execution, during execution, and post-execution. However, this does not preclude the possibility of some performing better in one area than another, and these relative strengths and weaknesses are important to consider when evaluating which EDR product is right for an organization.

  • An EDR product’s ability to correctly identify and allow benign content (for example, legitimate application traffic, files, and documents) is as important as its ability to detect malicious content. And, after the product detects malicious or anomalous behavior, it should support follow-on investigation, incident response, and remediation efforts.

  • Measurement of an EDR product’s forensic reporting capabilities should include how well the product captures specific information about the malicious activities of a threat and how accurately it logs this information. Reporting should include threat types, techniques used, and information such as destination IP, potential command-and-control, or outbound connections attempted.

The 2018 NSS Labs EDR Group Test:

  • Used over 100 victim machines per product
  • Included more than 275 attacks, which included 21 unique evasion samples
  • Involved hundreds of discrete malware samples used by threat actors in current hacking campaigns
  • Used typical attack vectors such as web and email, leveraging numerous common document and application types
  • Collected and analyzed more than 20,000 classifications, investigations, events and associated forensic artifacts

"Implementing an EDR product can be very complex and there are several factors enterprises must consider to determine the best protection and value for their organization's needs," said Jason Brvenik, Chief Technology Officer at NSS Labs. "The NSS Labs 2018 EDR Group Test highlights the relative strengths and weaknesses of the EDR products tested. We encourage organizations to examine our findings for insights regarding security effectiveness and operating cost as they evaluate which EDR is right for their enterprise."

The following products were tested:

  • Arc4dia SNOW Self-Managed v12.18.0
  • CounterTack+GoSecure Endpoint Protection Platform v5.8.4
  • Cybereason Deep Detect v18.0
  • RSA NetWitness Endpoint v4.4.0.0

Unverified Products:

  • Carbon Black
  • Cisco
  • Crowdstrike
  • FireEye
  • McAfee
  • Symantec

As with all NSS Labs group tests, there is no fee for participation, and the test methodology is available in the public domain to provide transparency and to help enterprises understand the factors behind test results. Click here for more information about our group test policies.

Additional Resources:

[1] 2018 NSS Labs Network Security Study