Special Edition is the blog for security testing business SE Labs. It explains how we test security products, reports on the internet threats we find and provides security tips for businesses, other organisations and home users.

Tuesday, 1 October 2019

Breach Response Test: Symantec Endpoint Security Complete

Testing anti-breach products needs the full chain of attack.

Symantec's endpoint detection and response offering, Symantec Endpoint Security Complete, is the first to face our brand new Breach Response Test.

Report now online.

This Breach Response Test is a new kind of test. We believe that the testing behind this report used the largest range of relevant threats in any publicly available test and that the analysis of how the products tested work is the most in-depth.

We go into some detail in the report (on page 9) about how threats work in a chain of stages because this is a really important and possibly unique feature of the Breach Response Test. It’s crucial to copy attackers' techniques in full when assessing security products.

A computer breach causes some kind of damage, whether that involves deleting or encrypting files on a computer system; stealing data that damages a company’s ability to compete; or stealing personal data for use in fraud. The possibilities and combinations are endless, but ultimately damage has to be done. Cyber criminals don’t usually hack systems out of simple idle curiosity.

This is an important detail frequently overlooked in security testing, which often examines a product or service’s ability to stop certain stages of attack, but not the full chain of events that run from the initiation of an attack through to a successful completion of the attacker’s prime goal.

Testers should not assume that certain approaches to protection are better than others. If a security company makes the world’s best behavioural detection system but a test pays attention only to URL blocking technologies then the product will fail the test, while in reality customers who use it would be protected.

It is common for us to see a product appear to fail, and allow malware to run, even to the point where we obtain a remote connection to the target. However, when we try to take control of that system we may be blocked from doing so. A tester that sees the connection open might wrongly conclude that the product has failed. It is only by running through the entire attack process that it is possible to assess a product’s full abilities.

This report is available for free from our website.

If you have any questions, we're here to help on Twitter and Facebook.

No comments:

Post a Comment