Testing anti-breach products needs the full chain of attack.
Kaspersky Lab should be congratulated, not only for engaging with this new and challenging test, but for submitting a product that performed so strongly against attacks that closely replicate advanced, nation-state level threats.
Its endpoint detection and response offering, Kaspersky Anti Targeted Attack Platform, is one of the very first to face our brand new Breach Response Test and it detected all of the attacks, while protecting against the vast majority of them.
Report now online.
This Breach Response Test is a new kind of test. We believe that the testing behind this report used the largest range of relevant threats in any publicly available test and that the analysis of how the products tested work is the most in-depth.
We go into some detail in the report (on page 9) about how threats work in a chain of stages because this is a really important and possibly unique feature of the Breach Response Test. It’s crucial to copy attackers’ techniques in full when assessing security products.
A computer breach causes some kind of damage, whether that involves deleting or encrypting files on a computer system; stealing data that damages a company’s ability to compete; or stealing personal data for use in fraud. The possibilities and combinations are endless, but ultimately damage has to be done. Cyber criminals don’t usually hack systems out of simple idle curiosity.
This is an important detail frequently overlooked in security testing, which often examines a product or service’s ability to stop certain stages of attack, but not the full chain of events that run from the initiation of an attack through to a successful completion of the attacker’s prime goal.
Testers should not assume that certain approaches to protection are better than others. If a security company makes the world’s best behavioural detection system but a test pays attention only to URL blocking technologies then the product will fail the test, while in reality customers who use it would be protected.
It is common for us to see a product appear to fail, and allow malware to run, even to the point where we obtain a remote connection to the target. However, when we try to take control of that system we may be blocked from doing so. A tester that sees the connection open might wrongly conclude that the product has failed. It is only by running through the entire attack process that it is possible to assess a product’s full abilities.
This is why sometimes, what seems like a bad result, might actually be a good one! In some test cases the product, on the face of it, failed to protect the system but in-depth testing showed that an attacker would not have been able to achieve any useful goals, despite what appeared to be a failure in protection. Testing using the full attack chain is crucial for accurate results.
In this test the results show that Kaspersky Anti Targeted Attack Platform performed exceptionally well in real-life situations. It lost some points because it allowed a very few threats to compromise the system and, in other cases, harmful traces of attacks were left on the system, but in almost all cases the threats were blocked at the earliest stages of the attack.
This test was conducted against Kaspersky Anti Targeted Attack Platform v.2.0, which was the current version at the beginning of 2019. The current version at the time of writing was v.3.6 and v.3.7 is expected later this year.
SE Labs does not predict future performance on past performance. We verify the full attack chain and observe the products’ responses to any attempts of doing harm.
This report is available for free from our website.