NSS Labs recently evaluated 20 Advanced Endpoint Protection (AEP) solutions, and the results raise a big red flag over their inability to block unknown threats.
NSS classifies an AEP product as one that employs techniques such as machine learning, pattern recognition or predictive algorithms to detect and block malware and to contain suspicious activities. Some also provide users with greater visibility into suspicious activities. However, this does not appear to translate into acceptable effectiveness against unknown threats.
NSS subjected each product to thorough testing based on its Advanced Endpoint Protection (AEP) Test Methodology v2.0. Each was configured in a deployment mode designed to mimic an enterprise environment, then evaluated on its ability to detect, prevent and continuously monitor threats.
NSS has posted its Advanced Endpoint Protection (AEP) Security Value Map, which groups all 20 vendors into four quadrants (Recommended, Security Recommended, Neutral and Caution), on its website, and has also made its detailed reports on all 20 vendors available for purchase there.
Some vendors who earned the Recommended rating have made their reports available at no cost, and at first glance they look impressive. However, pay attention to the unknown threats category and you will notice that the results are quite alarming. We encourage you to review these reports for yourself.
Full reports were made available for free by the following vendors (search for them on Google):
- Palo Alto Networks
According to AV-Test.org, almost 120 million new malware samples were submitted in 2017. Even at a 99.9% detection rate, this would leave 120,000 undetected threats, and this is just for known file-based malware.
This does not mean that you should not implement an advanced endpoint solution, or rip out your current antivirus (AV) solution. It’s always a good idea to block known viruses that try to slip past your security perimeter, and many regulatory, governance and compliance frameworks still mandate that you deploy AV.
The NSS test results show that you need to adopt a multi-layered defense approach to endpoint security. That requires not just looking for what is bad, but also leveraging a complementary solution such as Nyotron’s PARANOID that focuses on a finite set of good behaviors, to proactively keep up with the ever-increasing volume of new, never-seen-before and fileless malware threats.
PARANOID is based on a Positive Security model that understands a finite set of legitimate system sequences at the OS system call level. When an activity sequence does not follow a normative path, PARANOID prevents it from executing, no matter what vector or method an attacker is attempting to leverage.
Additionally, PARANOID tends to have fewer false positives than security solutions that are powered by artificial intelligence (AI) or machine learning (ML). AI/ML solutions are typically trained on known malware samples, meaning that they have trouble recognizing brand new attacks, not to mention fileless malware.
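To make the positive-security idea concrete, here is an added illustration in Python (not Nyotron's code; the page does not describe PARANOID's internals). It learns the finite set of short syscall sequences observed in constructed baseline traces of a hypothetical document viewer, then flags the first sequence in a new trace that falls outside that set. The syscall names and traces are constructed for the example; a real deployment would collect baselines from the monitored host.

```python
from typing import Iterable, List, Optional, Set, Tuple

WINDOW = 3  # length of each allow-listed syscall sequence
Seq = Tuple[str, ...]


def learn_profile(traces: Iterable[List[str]], window: int = WINDOW) -> Set[Seq]:
    """Build the finite set of legitimate short syscall sequences from baseline traces."""
    profile: Set[Seq] = set()
    for trace in traces:
        padded = ["<start>"] + list(trace) + ["<end>"]
        for i in range(len(padded) - window + 1):
            profile.add(tuple(padded[i : i + window]))
    return profile


def check_trace(trace: List[str], profile: Set[Seq], window: int = WINDOW) -> Optional[Tuple[int, Seq]]:
    """Return (offset, sequence) of the first sequence not in the profile, or None if normative."""
    padded = ["<start>"] + list(trace) + ["<end>"]
    for i in range(len(padded) - window + 1):
        seq = tuple(padded[i : i + window])
        if seq not in profile:
            return i, seq
    return None


# Constructed baseline: a document viewer opens a file, reads it, renders, exits.
BASELINE = [
    ["openat", "fstat", "read", "mmap", "write", "close", "exit_group"],
    ["openat", "fstat", "read", "read", "mmap", "write", "close", "exit_group"],
]
PROFILE = learn_profile(BASELINE)

# Constructed deviation: the viewer spawns a child process after reading the document.
SUSPICIOUS = ["openat", "fstat", "read", "clone", "execve", "exit_group"]

# Constructed benign variation the baseline never showed: a longer read loop.
# It is flagged too, which is the false-positive risk of an incomplete profile.
UNSEEN_BENIGN = ["openat", "fstat", "read", "read", "read", "mmap", "write", "close", "exit_group"]

if __name__ == "__main__":
    for name, trace in [("baseline", BASELINE[0]), ("suspicious", SUSPICIOUS), ("unseen", UNSEEN_BENIGN)]:
        verdict = check_trace(trace, PROFILE)
        print(name, "allowed" if verdict is None else f"blocked at offset {verdict[0]}: {verdict[1]}")
```

The third trace shows the practitioner's caveat: a positive model only has low false positives when the baseline actually covers the legitimate paths, so profile completeness matters as much as the blocking logic.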