THE RESULTS OF NSS’ 2015 ENTERPRISE EPP SOCIALLY ENGINEERED MALWARE GROUP TEST ARE IN

NSS Labs research and testing has shown that malware is on the rise and that organizations are at greater risk than before. In fact, according to the 2015 Verizon Data Breach Incident Report, five malware events occur every second within an organization.

Most malware is filtered and remediated by the layers of network-based defense that organizations deploy, such as next generation firewalls, network intrusion prevention systems, web application firewalls and breach detection systems. However, even with these layers of security in place, malware is still making it through to the end user. This means endpoint protection (EPP) products truly are the last line of defense before infection.

One reason attackers succeed in compromising organizations is that they are able to deceive end users into downloading and/or installing malicious programs or applications while visiting websites and URLs. This type of attack is known as socially engineered malware (SEM). Most SEM originates from external threat actors, who use commonplace threat actions such as rootkits and backdoors to compromise organizations across all market verticals.

It is imperative that enterprise EPP vendors protect organizations from compromises resulting from SEM. In order to evaluate the SEM-blocking capabilities of major EPP vendors, NSS recently conducted the 2015 Enterprise EPP Socially Engineered Malware group test based on the NSS Labs Security Stack Methodology v1.5.

Key findings from the test include:

  • 8 of the 11 vendors tested averaged more than a 98% block rate, and three achieved a 100% block rate. Consistency of protection (where the same threat is blocked each time it is introduced into the test harness during the test) is one of the key metrics that organizations should consider when evaluating EPP products.
  • 80% of products tested demonstrated excellent web malware reputation capabilities, which allowed them to take action on a threat immediately on access or upon download, rather than at the time the malware is executed. This is a significant improvement over previous years and indicates that vendors are improving their reputation capabilities, thereby eliminating threats and protecting users in the very early stages of a compromise.
  • Only 4 of the 11 vendors tested were able to add instantaneous protection against new threats. For the remaining vendors, the average time to add protection ranged from 3 to 77 minutes. The average time to add protection against new threats is a critical metric to consider when evaluating EPP products. This is because attackers can dynamically host SEM on new URLs and websites, making protection against already blacklisted URLs and websites insufficient.
  • 70% of the vendors tested achieved their maximum block rate within the first 48 hours of SEM being introduced in the test harness. 50% of these vendors recorded their maximum protection at zero hour, which gives them the advantage in enterprise deployments where frequent client-based updates are not an issue.
  • Almost all of the vendors participating in this test demonstrated strong anti-malware capabilities integrated either on the endpoint or in the cloud infrastructure.
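To make the metrics named in the findings concrete, here is an added Python scorer (not NSS's code or its Security Stack Methodology) that derives block rate, zero-hour protection, consistency of protection and time to add protection from a constructed harness log. The consistency rule used (no missed attempt once a sample has been blocked) and the sample identifiers are assumptions for the example.

```python
"""Score one EPP product from a constructed SEM test-harness log."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Observation:
    sample: str     # hypothetical SEM sample id (constructed)
    minute: int     # minutes since the sample was first introduced
    blocked: bool   # True if the product stopped this attempt


# Constructed log: each sample is re-introduced at several points in time.
# A real group test would cover hundreds of samples over several days.
OBSERVATIONS = [
    Observation("sem-001", 0, True),  Observation("sem-001", 60, True),  Observation("sem-001", 1440, True),
    Observation("sem-002", 0, False), Observation("sem-002", 30, True),  Observation("sem-002", 1440, True),
    Observation("sem-003", 0, False), Observation("sem-003", 60, False), Observation("sem-003", 2880, True),
    Observation("sem-004", 0, False), Observation("sem-004", 60, False), Observation("sem-004", 2880, False),
    Observation("sem-005", 0, True),  Observation("sem-005", 60, False), Observation("sem-005", 1440, True),
]


def score(observations):
    """Return the per-product metrics described in the key findings."""
    by_sample = {}
    for obs in observations:
        by_sample.setdefault(obs.sample, []).append(obs)

    total, blocked, zero_hour, consistent = len(by_sample), 0, 0, 0
    first_blocks, time_to_protect = [], []
    for runs in by_sample.values():
        runs.sort(key=lambda o: o.minute)
        hits = [o.minute for o in runs if o.blocked]
        if not hits:
            continue                       # never blocked: counts against block rate only
        blocked += 1
        first = hits[0]
        first_blocks.append(first)
        # Assumed consistency rule: every attempt at or after the first block is blocked.
        if all(o.blocked for o in runs if o.minute >= first):
            consistent += 1
        if first == 0:
            zero_hour += 1                 # protection was in place at introduction
        else:
            time_to_protect.append(first)  # minutes until protection was added
    return {
        "block_rate": blocked / total,
        "zero_hour_rate": zero_hour / total,
        "consistency": consistent / blocked if blocked else 0.0,
        "avg_minutes_to_add_protection": mean(time_to_protect) if time_to_protect else 0,
        "minutes_to_max_block_rate": max(first_blocks) if first_blocks else 0,
    }
```

With this log the product blocks 4 of 5 samples, 2 of them at zero hour, reaches its maximum block rate at 2880 minutes (the 48-hour mark), and sem-005's regression at minute 60 lowers its consistency to 75%.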

For more on this group test, download the NSS Labs 2015 Enterprise EPP Socially Engineered Malware Comparative Report.