When malicious software has slipped past a company’s anti-virus end-point agent along with its next-generation firewall and any other forms of protection, it becomes the responsibility of the breach detection system (BDS) to save the day. Unfortunately, most companies have yet to implement a BDS, although it has become one of the fastest growing markets.
“They’re the backstop, the net that catches things that have gotten past all existing controls,” says Mike Spanbauer, vice president of research at NSS Labs, which independently tests security products. “That’s why BDS products command premium prices and why the market buzz and attention around the systems is as high as it is.”
NSS Labs, based in Austin, Texas, recently released the results from testing nine leading BDS vendors. In addition to ranking the vendors according to their various strengths, the testing and research company found that the market for the product is growing at nearly 35 percent annually; over $700 million at the end of 2014 and anticipated to climb to $3 billion by 2019. Mr. Spanbauer said estimates place Fortune 500 penetration at somewhere been 20 percent and 25 percent.
BDS vendors claim their products accurately detect and rate the severity of malicious elements, whether they breach the enterprise’s network firewall, or enter via email or a web download. The ability to detect malicious software has become ever more challenging, since cyber attacks have become extremely cunning. Email incursions, for example, often employ details that seemingly only the recipient would know, prompting him or her to click a link an inadvertently introduce the malicious software into the enterprise’s network.
“Attacks are growing ever more sophisticated. We see this technology segment as a crucial element in the security toolkit for any-size enterprise,” Mr. Spanbauer says. He adds BDS is particularly important for financial companies as well as companies that are essential to the financial and economic infrastructure, to protect transactions as well as internal records. Mr. Spanbauer calls BDS a “mandatory” expense because without it forensics to determine how the breach occurred takes too long.
“These systems allow an organization to find not only a breach but also potentially take action in real-time, while the breach is still evolving,” Mr. Spanbauer says, adding, “It’s the difference between being a headline and being upset somebody got through your controls.”
At the heart of every attack, in whatever form it might take, is an “exploit,” which is the core program that ultimately takes advantage of a vulnerability within an application. NSS Labs tested for the exploits, which are numerous but still fewer in number than the various malware and other forms of attack in which they are used. It also tested for “evasions,” or methods of evading common anti-malware products as well as BDS.
NSS Labs found only one BDS vendor caught all the attacks, Cisco Systems, but because its product was the second most expensive, it received a neutral rating. Fidelis Cybersecurity also received a neutral rating; its security effectiveness, at 80.7 percent, was significantly lower than Cisco’s 99.2 percent, but its value (the total cost of ownership per megabytes per second) was measured at only half, at $116. Three other vendors received an NSS Labs Security Effectiveness score in the upper 90 percent.
Five vendors received overall ratings over “recommended”: Blue Coat Systems, Check Point Software Technologies, Fortinet, Lastline and Trend Micro. Each had varying combinations of security effectiveness and value, with Blue Coat’s value calculated as low as $50 compared to Check Point’s $181. FireEye, which received a “caution” rating, had a value of $541 and security effectiveness of 51.8 percent.
The average security effectiveness rating was 86.5 percent, while the average value was $184.4.
Numerous corporate household names as well as major government agencies have succumbed to cyber attacks over the last year or two. Mr. Spanbauer says they most likely did not use a BDS, or if they did it was likely an early generation platform. He adds that NSS Labs’ most recent test was significantly more demanding compared to the first one, whose results were released in April 2014. Nevertheless, five of the vendors achieved security effectiveness above 85 percent.
“The takeaway is that we’re seeing considerable improvement. The tests were considerably more difficult, and a lot of vendors did very well,” Mr. Spanbauer says.
All of the solutions tested possessed a network appliances device, in which BDS application sits in the enterprise’s network. Of the BDS product’s tested, only Cisco Systems’ BDS uses both a network appliance and end-point-only technology, where the anti-malware software sits in each of the client’s PCs. Some solutions apply end-point-only technology, but none of those were tested.
“The benefit of the appliance approach is you don’t have the end-point component to manage as well, but you give up that extra security visibility that accompanies sitting on the end point itself. So there are merits to both approaches,” Mr. Spanbauer says.
Mr. Spanbauer said BDS are appropriate for midsize and larger organizations, but they’re not cheap. They generally start at $100,000, on top of the company’s other security investments, and jump quickly in price depending on the size and complexity of the organization. In addition, the annual premium to cover standard maintenance and upgrades is typically between 25 percent and 30 percent of that amount, “an enormous annual premium relative to other technologies in this sector,” Mr. Spanbauer says, in part because developments are happening so quickly from an engineering perspective.