ENTERPRISE EPP COMPARATIVE ANALYSIS

Similar documents
ENTERPRISE EPP COMPARATIVE REPORT

Evolutions in Browser Security

Can Consumer AV Products Protect Against Critical Microsoft Vulnerabilities?

Internet Advertising: Is Your Browser Putting You at Risk?

BROWSER SECURITY COMPARATIVE ANALYSIS

DATA CENTER IPS COMPARATIVE ANALYSIS

Internet Explorer Exploit Protection ENTERPRISE BRIEFING REPORT

CORPORATE AV / EPP COMPARATIVE ANALYSIS

DATA CENTER IPS COMPARATIVE ANALYSIS

SSL Performance Problems

DATA CENTER IPS COMPARATIVE ANALYSIS

An Old Dog Had Better Learn Some New Tricks

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles

Breach Found. Did It Hurt?

WEB APPLICATION FIREWALL COMPARATIVE ANALYSIS

How to Protect against the Threat of Spearphishing Attacks

2013 Thomas Skybakmoen, Francisco Artes, Bob Walder, Ryan Liles

Mobile App Containers: Product Or Feature?

TEST METHODOLOGY. Endpoint Protection Evasion and Exploit. v4.0

Multiple Drivers For Cyber Security Insurance

Trend Micro Endpoint Comparative Report Performed by AV Test.org

How To Sell Security Products To A Network Security Company

The CISO s Guide to the Importance of Testing Security Devices

CONSUMER ANTI-MALWARE PRODUCTS

WEB BROWSER SECURITY SOCIALLY-ENGINEERED MALWARE PROTECTION COMPARATIVE TEST RESULTS

CORPORATE AV / EPP COMPARATIVE ANALYSIS

How To Create A Firewall Security Value Map (Svm) 2013 Nss Labs, Inc.

Streamlining Web and Security

NEXT GENERATION FIREWALL COMPARATIVE ANALYSIS

SPEAR PHISHING AN ENTRY POINT FOR APTS

Types of cyber-attacks. And how to prevent them

Best Practices in Deploying Anti-Malware for Best Performance

Windows Updates vs. Web Threats

Simphony v2 Antivirus Recommendations

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

WEB APPLICATION FIREWALL PRODUCT ANALYSIS

INDEPENDENT VALIDATION OF FORTINET SOLUTIONS. NSS Labs Real-World Group Tests

Trend Micro OfficeScan 10.5 Release

Securing Endpoints without a Security Expert

Why Is DDoS Prevention a Challenge?

Symantec Advanced Threat Protection: Network

INSIDE. Management Process. Symantec Corporation TM. Best Practices Roles & Responsibilities. Vulnerabilities versus Exposures.

Endpoint Business Products Testing Report. Performed by AV-Test GmbH

Achieve Deeper Network Security

ACHILLES CERTIFICATION. SIS Module SLS 1508

Anti-Virus Comparative

Phishing Scams Security Update Best Practices for General User

The Hillstone and Trend Micro Joint Solution

Anti-Virus Comparative

Anti-Virus Comparative

TEST METHODOLOGY. Web Application Firewall. v6.2

Endpoint Security Solutions Comparative Analysis Report

NTT R&D s anti-malware technologies

Fighting Advanced Threats

Closing the Antivirus Protection Gap

The Business Case for Security Information Management

Security Analytics Engine 1.0. Help Desk User Guide

IBM Managed Security Services (Cloud Computing) hosted and Web security - express managed Web security

TEST METHODOLOGY. Distributed Denial-of-Service (DDoS) Prevention. v2.0

Protecting the Infrastructure: Symantec Web Gateway

Sophistication of attacks will keep improving, especially APT and zero-day exploits

Security Industry Market Share Analysis

ALDR: A New Metric for Measuring Effective Layering of Defenses

User's Guide. Copyright 2012 Bitdefender

Anti-Virus Comparative

Microsoft Security Intelligence Report volume 7 (January through June 2009)

Copy Tool For Dynamics CRM 2013

User Documentation Web Traffic Security. University of Stavanger

When attackers have reached this stage, it is not a big issue for them to transfer data out. Spencer Hsieh Trend Micro threat researcher

Cyber Advanced Warning System

Security Industry Market Share Analysis

Getting Ahead of Malware

Achieve Deeper Network Security and Application Control

BlackBerry Web Desktop Manager. Version: 5.0 Service Pack: 4. User Guide

IT Security Cost Reduction

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

TEST METHODOLOGY. Secure Web Gateway (SWG) v1.5.1

Introducing IBM s Advanced Threat Protection Platform

Terms of Use & Privacy Policy

ELECTRONIC SIGNATURE AGREEMENT

Anti-Virus Comparative

Anti Phishing Test July 2013

Trend Micro OfficeScan Best Practice Guide for Malware

Enterprise Anti-Virus Protection

BlackBerry Enterprise Server Express for IBM Domino. October 7, 2014 Version: 5.0 Service Pack: 4. Compatibility Matrix

Correlation and Phishing

Proactive Rootkit Protection Comparison Test

Software- Defined Networking: Beyond The Hype, And A Dose Of Reality

HP Network Protector SDN Application Release Notes

AntiVirus. Administrator Guide

Cloud Security Primer MALICIOUS NETWORK COMMUNICATIONS: WHAT ARE YOU OVERLOOKING?

TEST METHODOLOGY. Hypervisors For x86 Virtualization. v1.0

SPEAR PHISHING UNDERSTANDING THE THREAT

Quick Heal Exchange Protection 4.0

Contact details For contacting ENISA or for general enquiries on information security awareness matters, please use the following details:

43% Figure 1: Targeted Attack Campaign Diagram

Next-Generation Firewalls: Critical to SMB Network Security

isheriff CLOUD SECURITY

Enterprise Anti-Virus Protection

Transcription:

ENTERPRISE EPP COMPARATIVE ANALYSIS Socially Engineered Malware Randy Abrams, Jayendra Pathak, Ahmed Garhy Tested Products Fortinet Fortigate 100D Management station Forticlient- 5.0.7.333 McAfee VirusScan Enterprise and AntiSpyware Enterprise VirusScan Enterprise 8.8.0.975, McAfee Agent 4.8.0.641, Host Intrusion Prevention 8.0.0.2482, Site Advisor Enterprise Plus 3.5.0.724, Solidcore 6.1.1.1.369 Symantec Endpoint Protection Version 12.1.3001.165 Trend Micro OfficeScan Version 10.6.5300 Service pack 3 Bitdefender Endpoint Security by Bitdefender Version 5.1.10.283 Environment Operating System: Windows 7 Enterprise Service Pack 1 32- bit with Windows Defender disabled Internet Explorer 10.0.9200.16660 with Smart Screen Filter disabled

Overview Social engineering is one of the most effective and widely used components of cyber attacks against enterprises and individuals. Cybercriminals utilize various social engineering tactics to deceive users into downloading and executing malware such as fake antivirus, fake utilities, fake upgrades to the operating system or applications, and trojanized applications. Endpoint protection (EPP) products are a critical layer of defense against such attacks. Both web browsers and EPP products utilize blacklisting, whitelisting, and application reputation systems to prevent socially engineered malware from being downloaded. If malware is successfully downloaded, the EPP product has two additional chances to eliminate the threat before it can infect the target. EPP can block the threat as soon as it writes to the temporary Internet files directory or download directory, or the malware can be blocked when executed; however, the percentage of times an EPP product blocks on execution versus on download is extremely small. NSS Labs performs comparative tests of EPP products for three of the most relevant type of attacks: Socially engineered malware (SEM) protection Exploit protection Phishing protection This group test verified the ability of EPP products to block socially engineered malware attacks. Socially engineered malware may be delivered using scare tactics such as false reports of systems problems; misinformation, such as reporting that a program requires an update to be installed; or as a phishing attack with a payload of malicious software. Offers of free software are another tactic used to deceive users into installing malware. EPP products must provide robust defenses against SEM. Figure 1 depicts the average block rate for each of the tested products over a period of 7 days. McAfee 100% Symantec 98% Trend Micro 98% Bitdefender 94% Fortinet 92% 86% 88% 90% 92% 94% 96% 98% 100% Figure 1 Average Block Rate on Download for Socially Engineered Malware In this EPP SEM test, McAfee VirusScan Enterprise achieved an average download block rate of 100%, with all of the SEM blocked on download. Symantec Endpoint Protection on average blocked 98.1% of the SEM on download. Trend Micro OfficeScan placed third with 98.0% of the SEM blocked on download. Bitdefender Endpoint Security blocked 93.8% of the SEM. Fortinet Fortigate 100D achieved a 91.6% block rate. 2

Figure 2 depicts the combined download and execute block rates for each of the tested products after 7 days. McAfee 100.00% 0.00% Symantec 98.80% 1.20% Bitdefender 99.60% 0.20% For`net 99.40% 0.40% Trend Micro 98.00% 1.61% 50% 55% 60% 65% 70% 75% 80% 85% 90% 95% 100% Block Rate On Download Block Rate On Execu`on Figure 2 Combined Block Rate for Socially Engineered Malware After 7 Days This graph represents the combined block- on- download and block- on- execute protection each vendor provided at the end of 7 days of testing. McAfee VirusScan Enterprise achieved a combined block rate of 100%, with all of the SEM blocked on download. Symantec Endpoint Protection blocked 100% of the SEM, with 98.8% blocked on download and 1.2% blocked upon attempted execution. Bitdefender Endpoint Security blocked 99.8% of the SEM, with 99.6% blocked on download and 0.2% blocked on attempted execution. Fortinet Fortigate 100D achieved a 99.8% block rate, with 99.4% blocked on download and 0.4% blocked on execution. Trend Micro OfficeScan had the highest ratio of execution to download blocking. NSS Labs Findings Enterprises face a higher level of risk from phishing than from SEM. The bulk of the protection EPP products provide against SEM occurs on download prior to the point of execution. In the 7 day block- on- download average, McAfee VirusScan Enterprise blocked 100% of the SEM, Symantec Endpoint Protection blocked 98.1%, Trend Micro OfficeScan blocked 98.0%, BitDefender Endpoint Security blocked 93.8%, and Fortinet Fortigate 100D blocked 91.6%. McAfee VirusScan added protection for new threats in 31 seconds on average, providing a 12x time- to- block advantage over the competition in addition to blocking 100% of the SEM. When combining SEM block- on- download and block- on- execution capabilities after 7 days, all products achieved security effectiveness scores in excess of 99%, with Symantec Endpoint Protection achieving 100%. 3

NSS Labs Recommendations Utilize NSS tests for phishing protections, exploit and evasion protection, and SEM protection when considering selection of an EPP product. Use corporate security policy, secure machine configuration, and access to a helpdesk for end users in order to reduce the threat of SEM. Enterprises using the bring your own device (BYOD) model should take into account potentially increased vulnerability to SEM. 4

Table of Contents Environment... 1 Overview... 2 NSS Labs Findings... 3 NSS Labs Recommendations... 4 Analysis... 6 Consistency of Protection... 6 Histogram of Protection... 7 Time Is of the Essence... 8 SEM Protection as a Selection Criterion... 8 Education Increases the Effectiveness of Technology... 8 Contact Information... 10 Table of Figures Figure 1 Average Block Rate on Download for Socially Engineered Malware... 2 Figure 2 Combined Block Rate for Socially Engineered Malware After 7 Days... 3 Figure 3 Socially Engineered Malware Protection Over Time... 7 Figure 4 Malware Response Histogram... 7 Figure 5 Average Time to Add Protection... 8 5

Analysis Between December 15, 2013 and January 19, 2014, NSS performed a comprehensive test of EPP SEM protection on five enterprise EPP offerings. These results are based on empirical data gathered by NSS during 36 days of continuous testing. EPP products were tested an average of 218 times per day. Every six hours, new URLs were added, and unreachable URLs were removed. A total of 497 unique samples of SEM were used during the test. Both browsers and EPP products provide protection against phishing and SEM. The choice of an EPP product based on protection against SEM is often less relevant in the enterprise space than in the consumer space. Within enterprise environments, SEM is often deflected by policies and technologies that prevent the installation of software, as well as by ready access to a helpdesk to assist less sophisticated users in avoiding the traps set by would be attackers. Malware attacks that use scare tactics to deceive users into installing fake antivirus are particularly ineffective in such environments. Employees may be at heightened risk of SEM attacks when enterprises choose the BYOD model, since employees that work on home computers lack the SEM protection that is inherent in the enterprise environment. There is significant overlap in both phishing and SEM protection between browsers and EPP products. This allows enterprises to choose browsers and EPP products that combine to provide high rates of protection. 1 Consistency of Protection During the course of a SEM test, it is common for a product to block a threat on download at one moment in time and then miss the same threat at some later point. Figure 3 demonstrates the consistency of download protection across time. Here, McAfee VirusScan Enterprise shows an exceptional level of consistency, while Symantec Endpoint Protection and Trend Micro OfficeScan demonstrate levels of consistency that provide for high average SEM download protection scores. Although blocking on execution can improve the actual protection rates, there will still be some fluctuations in the consistency of protection. 1 Evolutions in Browser Security. NSS Labs. https://www.nsslabs.com/reports/evolutions- browser- security 6

100% 95% 90% 85% 80% Bitdefender Fortinet McAfee Symantec Trend Micro 75% 70% 65% Figure 3 Socially Engineered Malware Protection Over Time Histogram of Protection 100% 98% 96% 94% Coverage % 92% 90% 88% 86% 84% 82% 80% 0-hr 1d 2d 3d 4d 5d 6d 7d 7d+Execution Total Bitdefender 88.5% 97.6% 99.4% 99.4% 99.4% 99.4% 99.4% 99.4% 99.6% 99.6% Fortinet 88.5% 98.0% 99.4% 99.4% 99.4% 99.4% 99.4% 99.4% 99.8% 99.8% Symantec 97.4% 98.2% 98.8% 98.8% 98.8% 98.8% 98.8% 98.8% 100.0% 100.0% McAfee 99.8% 100.0% 100.0% 100.0% 100.0% 100.0% 100.0% 100.0% 100.0% 100.0% Trend Micro 92.8% 97.4% 98.0% 98.0% 98.0% 98.0% 98.0% 98.0% 99.6% 99.6% Figure 4 Malware Response Histogram The malware response histogram in figure 4 displays the critical zero- hour download block rate for SEM. At the end of 7 days, the download and execution block rates are combined. Both McAfee VirusScan Enterprise and Symantec Endpoint Protection achieved 100% protection scores by the end of day 7. All of the vendors had reached their maximum posted download protection scores by the end of day 2. However, the block- on- execute metrics were only collected at the end of day 7. The one- week totals are empirical total protection effectiveness scores, but these scores do not indicate the actual zero- hour combined protection rate. Despite starting 5 percentage points lower than the average, Bitdefender Endpoint Security finished in second place, and Fortinet Fortigate 100D finished in a tie for third place, with over 99% total protection scores. Bitdefender Endpoint Security and Fortinet Fortigate 100D perform so closely that their lines in the histogram are virtually identical. 7

Time Is of the Essence Product McAfee VirusScan Enterprise Symantec Endpoint Protection Trend Micro OfficeScan Fortinet Fortigate 100D Bitdefender Endpoint Security Average Hours 0.01 0.25 0.60 1.32 2.20 0.87 Figure 5 Average Time to Add Protection The same SEM often moves rapidly to new URLS as existing malicious URLs are discovered and blocked. The faster an EPP product provides protection against SEM, the faster protection is provided against all malicious URLs containing the SEM. With a 31- second average time to add protection as shown in figure 5, McAfee s VirusScan Enterprise SEM protection leads in effectiveness, consistency, and time to react. Symantec s Endpoint Protection average time of 15 minutes to add detection for new SEM combined with a 100% average SEM protection rate is also a good result. Trend Micro OfficeScan required an average of 31 minutes to add protection for SEM while providing 99.6% combined average protection for SEM. These performance levels put each of these products on the short list of EPP products to consider. SEM Protection as a Selection Criterion Historically, Safari and Firefox have achieved higher protection scores against phishing attempts, with a faster response time than EPP products. These browsers offer extremely low levels of protection against SEM, however. Internet Explorer (IE) offers exceptional SEM protection with acceptable phishing protection. Chrome provides good protection against SEM, but, similar to IE, it trails Firefox and Safari in phishing protection. 2 EPP protection against SEM is augmented by the protection offered by browsers such as IE and Chrome. Enterprises using these browsers should consider EPP solutions with superior phishing protection or should use additional anti- phishing products. Trend Micro has scored exceptionally well at phishing protection and provides very high SEM protection. Education Increases the Effectiveness of Technology Phishing attacks and SEM attacks will continue to evade technology- based defenses at least some of the time. Both SEM and phishing are social engineering attacks; enterprises that train employees to identify social engineering attacks will be most able to repel such attacks. Technology rarely solves social problems, but education augments 2 Evolutions in Browser Security. NSS Labs. https://www.nsslabs.com/reports/evolutions- browser- security 8

technological solutions. The most effective EPP product is the one that is used in conjunction with employees that can recognize social engineering. 9

Test Methodology Security Stack: Test Methodology v1.5 A copy of the test methodology is available on the NSS Labs website at www.nsslabs.com. Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX 78746 +1 (512) 961-5300 info@nsslabs.com www.nsslabs.com This and other related documents available at: www.nsslabs.com. To receive a licensed copy or report misuse, please contact NSS Labs at +1 (512) 961-5300 or sales@nsslabs.com 2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 10

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information