NSS Labs has been testing cybersecurity products and publishing the results for a long time. Our customers are consumers of cybersecurity technology and services: individuals, businesses, and governments. About 10 years ago we introduced a research and advisory service at the request of customers. They wanted to leverage our core technical knowledge and benefit from educated opinions informed over years of testing the world’s cybersecurity products. That research and advisory service enabled NSS Labs to get closer to customers and better understand their needs and the challenges they face. And so, we started recommending and cautioning the use of various products.
Well, 10 years is a long time; technology has changed. Nowadays a consumer no longer buys a static product. Most cybersecurity products rely on some form of cloud services that provide ongoing protection. And so, consumers are buying a product plus a commitment from a vendor (supplier) for ongoing protection in the future.
This prompted us to question what else had changed? Well, as it happens, a lot has changed. Most notably, the cybersecurity skills shortage combined with the constant breaches has led to an arms race where both attackers and defenders are up leveling their capabilities, making it harder to evaluate products. And while NSS Recommended is a recognized industry standard, we felt we could do more…
After much deliberation we found the answer in the form of a new product ratings system. A product rating is a forecast, an educated opinion about a product’s capacity to meet its obligations to consumers over time. Product ratings inform consumers—enhancing transparency and enabling them to focus on considerations that are most critical to their organizations.
The first set of product ratings addresses products in the endpoint protection market and for those of you following our publication schedule, you know that we began posting these reports in late February. Subscribers can now view a Comparative Report on how this group of products handled malware, exploits, handcrafted attacks and more. As a service to the community, we are also providing an overview of the Ratings Actions for free.
We anticipate issuing ratings actions for Web Browsers, Software Defined Wide Area Network (SD-WAN), Secure Access Service Edge (SASE), Enterprise Firewalls, Cloud Network Firewalls and other coverage areas.
|NSS LABS RATINGS|
|AAA||A product rated ‘AAA’ has the highest rating assigned by NSS Labs. The product’s capacity to meet its commitments to consumers is extremely strong.|
|AA||A product rated ‘AA’ differs from the highest-rated products only to a small degree. The product’s capacity to meet its commitments to consumers is very strong.|
|A||A product rated ‘A’ is somewhat more susceptible to sophisticated attacks than higher-rated categories. However, the product’s capacity to meet its commitments to consumers is still strong.|
|BBB||A product rated ‘BBB’ exhibits adequate protection parameters. However, sophisticated or previously unseen attacks are more likely to negatively impact the product’s capacity to meet its commitments to consumers.|
|A product rated ‘BB,’ ‘B,’ ‘CCC,’ ‘CC,’ and ‘C’ is regarded as having significant risk characteristics. ‘BB’ indicates the least degree of risk and ‘C’ the highest. While such products will likely have some specialized capability and protective characteristics, these may be outweighed by large uncertainties or major exposure to adverse conditions.|
|BB||A product rated ‘BB’ is less susceptible to allowing a compromise than products that have received higher-risk ratings. However, the product faces major technical limitations, which could be exposed by threats that would lead to its inability to meet its commitments to consumers.|
|B||A product rated ‘B’ is more susceptible to allowing a compromise than products rated ‘BB’; however, it currently has the capacity to meet its commitments to consumers. Adverse threat conditions will likely expose the product’s technical limitations and expose its inability to meet its commitments to consumers.|
|CCC||A product rated ‘CCC’ is currently susceptible to allowing a compromise and is dependent upon favorable threat conditions for it to meet its commitments to consumers. In the event of adverse threat conditions, the product is not likely to have the capacity to meet its commitments to consumers.|
|CC||A product rated ‘CC’ is currently highly susceptible to allowing a compromise. The ‘CC’ rating is used when a failure has not yet occurred but NSS Labs considers a breach a virtual certainty, regardless of the anticipated time to breach.|
|C||A product rated ‘C’ is currently highly susceptible to allowing a compromise. The product is expected to fail to prevent a breach and to not have useful forensic information compared with products that are rated higher.|
|D||A product rated ‘D’ is actively being breached by known threats and is unable to protect consumers. For non-specialized products, the ‘D’ rating category is used when protecting a consumer is unattainable without a major technical overhaul. Unless NSS Labs believes that such technical fixes will be made within a stated grace period (often 30-90 calendar days), the ‘D’ rating also is an indicator that it is a virtual certainty that existing customers using the product have already experienced a breach—whether they know it or not—and should take immediate action.|