Breach Detection Systems: Test Methodology 1.5

Report Overview

Conventional endpoint AV solutions provide inadequate exploit protection, and traditional network security solutions are trivial to evade when it comes to client-side exploits, the favorite attack vector of threat actors perpetrating targeted persistent attacks (TPA) or APT.

To regain the upper hand against current attacks, enterprises must in turn evolve their network defenses to provide a different kind of protection, one that NSS Labs is calling “breach detection.” The products in this new market are referred to as “breach detection systems” (BDS).

Through constant analysis of suspicious code and identification of communications with malicious hosts, breach detection solutions are capable of providing enhanced detection of advanced malware, zero-day and targeted attacks that could bypass defenses such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), intrusion detection systems (IDS), antivirus / endpoint protection (including host IPS), and secure web gateways (SWG). Because of the latency involved in this type of scanning, BDS typically operate out of band, in detection mode (similar to IDS), implementing multiple techniques to analyze and report on malicious traffic. For this reason, BDS could also be considered a next-generation IDS (NGIDS) product.

About This Test Methodology and Report

NSS Labs’ test reports are designed to address the challenges faced by IT professionals in selecting and managing security products. The scope of this particular report includes:

  • Security effectiveness
  • Performance and stability
  • Management
  • Total cost of ownership (TCO)

As organizations come to rely on breach detection technology to determine the success of targeted persistent attacks (TPA), the stability and reliability of monitoring devices are imperative. Therefore, regardless of any new deep inspection capabilities, a significant requirement of any breach detection technology is that it must be as stable, as reliable, as fast, and as flexible as the existing network that it is protecting.

Based on the needs identified in NSS Labs’ research, the following capabilities are considered essential in any breach detection device:

  • Centralized management of multiple devices
  • Breach detection capabilities using one or more of the following methods:
    • Malware identification (signatures, heuristics, or both)
    • Network traffic analysis (flow monitoring, content analysis or both)
    • Sandboxing that allows for modeling internal systems (workstations and servers)
    • Browser emulation
    • Domain reputation to identify malicious domains
  • Response mechanism (alerting, session termination, etc.)
  • Reporting