Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Thursday, 17 October 2019

Breach Response Test: Kaspersky Anti Targeted Attack Platform

Testing anti-breach products needs the full chain of attack.

Kaspersky Lab should be congratulated, not only for engaging with this new and challenging test, but for submitting a product that performed so strongly against attacks that closely replicate advanced, nation-state level threats.

Its endpoint detection and response offering, Kaspersky Anti Targeted Attack Platform, is one of the very first to face our brand new Breach Response Test and it detected all of the attacks, while protecting against the vast majority of them.

Report now online.

This Breach Response Test is a new kind of test. We believe that the testing behind this report used the largest range of relevant threats in any publicly available test and that the analysis of how the products tested work is the most in-depth.

We go into some detail in the report (on page 9) about how threats work in a chain of stages because this is a really important and possibly unique feature of the Breach Response Test. It’s crucial to copy attackers' techniques in full when assessing security products.

A computer breach causes some kind of damage, whether that involves deleting or encrypting files on a computer system; stealing data that damages a company’s ability to compete; or stealing personal data for use in fraud. The possibilities and combinations are endless, but ultimately damage has to be done. Cyber criminals don’t usually hack systems out of simple idle curiosity.

This is an important detail frequently overlooked in security testing, which often examines a product or service’s ability to stop certain stages of attack, but not the full chain of events that run from the initiation of an attack through to a successful completion of the attacker’s prime goal.

Testers should not assume that certain approaches to protection are better than others. If a security company makes the world’s best behavioural detection system but a test pays attention only to URL blocking technologies then the product will fail the test, while in reality customers who use it would be protected.

It is common for us to see a product appear to fail, and allow malware to run, even to the point where we obtain a remote connection to the target. However, when we try to take control of that system we may be blocked from doing so. A tester that sees the connection open might wrongly conclude that the product has failed. It is only by running through the entire attack process that it is possible to assess a product’s full abilities.

This is why what seems like a bad result might sometimes actually be a good one! In some test cases the product, on the face of it, failed to protect the system, but in-depth testing showed that an attacker would not have been able to achieve any useful goals, despite what appeared to be a failure in protection. Testing using the full attack chain is crucial for accurate results.

In this test the results show that Kaspersky Anti Targeted Attack Platform performed exceptionally well in real-life situations. It lost some points because it allowed a very few threats to compromise the system and, in other cases, harmful traces of attacks were left on the system, but in almost all cases the threats were blocked at the earliest stages of the attack.

This test was conducted against Kaspersky Anti Targeted Attack Platform v.2.0, which was the current version at the beginning of 2019. The current version at the time of writing is v.3.6, and v.3.7 is expected later this year.

SE Labs does not predict future performance from past performance. We verify the full attack chain and observe the products' responses to any attempts to do harm.

This report is available for free from our website.

If you have any questions, we're here to help on Twitter and Facebook.


Friday, 4 October 2019

Anti-malware is just one part of the picture

Beefing up security advice with facts

Latest reports now online for enterprise, small business and home users.

At SE Labs we spend our time testing things that are supposed to protect you but we also understand that securing your business, or your home network, is never as simple as installing one or more security products.

The risks are many and varied, but the ways to mitigate them are often most successful with a good dose of common sense as well as the appropriate technology. You just need to think things through carefully and make sensible decisions.

Fortunately, there are some schemes out there to help you through the process. In the UK small businesses might consider the Cyber Essentials certification, which helps you address the most common computer security threats.

The five technical controls involve securing internet connections; using security devices and software; controlling access to data and services; using protection from viruses and other malware; and keeping devices and software updated. All good advice and worth following, whether or not you want to achieve certification in the UK.

However, while the advice is good, it is not very specific. For example, you should install anti-virus software, but neither the documentation nor the consultants you talk to will tell you to choose a good product. Any anti-virus will do, it seems!

A more international option is ISO 27001, which is a Standard covering information security management systems. Completely over-the-top for home users and small businesses, but ideal for enterprises and smaller companies that work with sensitive data, this certification puts IT security into a central role in the way an organisation operates. It doesn’t specify what sort of anti-virus, firewalls and other systems should be used, but it leads you to research further and consider the risks when choosing security solutions.

So, while testing is not the be-all and end-all of choosing a good security system, it can definitely help. The testing behind this report is conducted in the most thorough and transparent way and the results are used by consultancies and large businesses around the world to help with purchasing decisions. This free report gives you an insight into the sort of advice that these large organisations follow when building a good security system.

-

If you spot a detail in this report that you don’t understand, or would like to discuss, please contact us via our Twitter or Facebook accounts.

SE Labs uses current threat intelligence to make our tests as realistic as possible. To learn more about how we test, how we define 'threat intelligence' and how we use it to improve our tests please visit our website and follow us on Twitter.

This test report was funded by post-test consultation services provided by SE Labs to security vendors. Vendors of all products included in this report were able to request early access to results and the ability to dispute details for free. SE Labs has submitted the testing process behind this report for compliance with the AMTSO Testing Protocol Standard v1.1. To verify its compliance please check the AMTSO reference link at the bottom of page three of this report or here.

UPDATE (17th October 2019): The tests were found to be compliant with AMTSO's Standard.

Our latest reports, for enterprise, small business and home users, are now available for free from our website. Please download them and follow us on Twitter and/or Facebook to receive updates and future reports.

Tuesday, 1 October 2019

Breach Response Test: Symantec Endpoint Security Complete

Testing anti-breach products needs the full chain of attack.

Symantec's endpoint detection and response offering, Symantec Endpoint Security Complete, is the first to face our brand new Breach Response Test.

Report now online.

This Breach Response Test is a new kind of test. We believe that the testing behind this report used the largest range of relevant threats in any publicly available test and that the analysis of how the products tested work is the most in-depth.

We go into some detail in the report (on page 9) about how threats work in a chain of stages because this is a really important and possibly unique feature of the Breach Response Test. It’s crucial to copy attackers' techniques in full when assessing security products.

A computer breach causes some kind of damage, whether that involves deleting or encrypting files on a computer system; stealing data that damages a company’s ability to compete; or stealing personal data for use in fraud. The possibilities and combinations are endless, but ultimately damage has to be done. Cyber criminals don’t usually hack systems out of simple idle curiosity.

This is an important detail frequently overlooked in security testing, which often examines a product or service’s ability to stop certain stages of attack, but not the full chain of events that run from the initiation of an attack through to a successful completion of the attacker’s prime goal.

Testers should not assume that certain approaches to protection are better than others. If a security company makes the world’s best behavioural detection system but a test pays attention only to URL blocking technologies then the product will fail the test, while in reality customers who use it would be protected.

It is common for us to see a product appear to fail, and allow malware to run, even to the point where we obtain a remote connection to the target. However, when we try to take control of that system we may be blocked from doing so. A tester that sees the connection open might wrongly conclude that the product has failed. It is only by running through the entire attack process that it is possible to assess a product’s full abilities.
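As an added illustration (not code from SE Labs or from the report) of the full-chain argument made here and in the Kaspersky post above: a check that stops as soon as a remote session opens calls the case a failure, while a verdict taken over the whole chain records that the attacker never reached the goal. The stage names, verdict labels and points are assumptions for this example, not the report's scoring scheme.

```python
from dataclasses import dataclass

# Added example: stage names, labels and points are assumptions for this
# illustration, not SE Labs' published scoring scheme.
STAGES = ("delivery", "execution", "command_and_control",
          "privilege_escalation", "actions_on_objective")

@dataclass(frozen=True)
class StageResult:
    stage: str       # one of STAGES
    reached: bool    # the attacker completed this stage
    detected: bool   # the product alerted on this stage

def stage_only_verdict(results):
    """What a tester concludes if the test stops once a remote session opens."""
    reached = {r.stage for r in results if r.reached}
    return "failed" if "command_and_control" in reached else "protected"

def full_chain_verdict(results, traces_left=False):
    """Verdict based on the furthest stage reached along the whole chain."""
    furthest = max((STAGES.index(r.stage) for r in results if r.reached),
                   default=-1)
    detected = any(r.detected for r in results)
    if furthest == len(STAGES) - 1:
        outcome = "compromised"   # attacker achieved the final goal
    elif furthest < 0:
        outcome = "blocked"       # nothing got to run
    else:
        outcome = "neutralised"   # ran partly, but the goal was never achieved
    # Assumed points: full credit only when no harmful traces remain.
    points = {"blocked": 3, "neutralised": 2, "compromised": 0}[outcome]
    if traces_left and outcome != "compromised":
        points -= 1
    return outcome, detected, points

# Constructed case: the payload ran and phoned home, but the attempt to take
# control of the host was blocked before any damage could be done.
OPEN_SESSION_BUT_CONTAINED = [
    StageResult("delivery", True, False),
    StageResult("execution", True, True),
    StageResult("command_and_control", True, True),
    StageResult("privilege_escalation", False, True),
    StageResult("actions_on_objective", False, False),
]

if __name__ == "__main__":
    print(stage_only_verdict(OPEN_SESSION_BUT_CONTAINED))  # failed
    print(full_chain_verdict(OPEN_SESSION_BUT_CONTAINED))  # ('neutralised', True, 2)
```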

This report is available for free from our website.

If you have any questions, we're here to help on Twitter and Facebook.