Which are the most capable breach prevention systems?

NSS Labs released its Analysis of Breach Prevention Systems (BPS) – solution suites, involving endpoint, network, sandbox, cloud, and other integrated protections.

Vendors have been claiming for years that if enterprises purchase their entire suite, they will see better results. Enterprises asked NSS Labs if this was true as many perform technology proofs-of-concept (PoCs), but few have the resources to test a multilayer defense with so many integrated protections.

NSS Labs’ Analysis of Breach Prevention Systems is the outcome of testing Next Generation Firewalls (NGFWs), Next Generation Intrusion Prevention Systems (NGIPS), Breach Detection Systems (BDS), and Advanced Endpoint Protection (AEP) products over the past year. All tests permitted the use of cloud capabilities such as reputation systems, sandboxing, emulation, machine learning, etc.

Research and testing

NSS Labs found that:

• Some vendors are having more success developing integrated/coordinated technical solutions than others. Enterprises relying on marketing material have had varying experiences—not all vendors are as truthful as others. It is important to validate claims.
• Many organizations purchase endpoint, network, cloud, and forensic security technologies at different points in time. This process can hinder selection and deployment of coordinated security solutions.
• Despite the number of vendors in the cybersecurity space, few provide credible protection from multiple attack vectors across all defensive layers.
• Evasions are still a challenge for all vendors; however, agile development processes seem to be enabling rapid remediation when evasions are identified.
• Vendor claims to protect vulnerabilities (regardless of the exploit specifics) are largely dependent on the nature of the vulnerability and whether it lends itself to such protection. Test results found all products had room for improvement when confronted with unknown variants of known exploits.

“This is the first time that NSS Labs has published a comparison of technology suites,” said Jason Brvenik, CEO at NSS Labs. “Attackers are compromising organizations seemingly at will. Protection solutions need to improve, and as we see in this analysis, several vendors are stepping up,” added Brvenik.

Each product may fall into one of four categories based on its rating in the SVM: Recommended, Security Recommended, Neutral, or Caution. The following were rated as Recommended based on comparative scores for overall Security Effectiveness and TCO per Protected Mbps:

• Check Point Software Technologies 15600 Next Generation Threat Prevention Appliance R80.20 + Endpoint Security E80.82
• Check Point Software Technologies 6500 Security Gateway R80.20 & Check Point SandBlast Agent Next Generation AV E80.82.1
• Fortinet FortiGate 500E v6.0.3 + FortiClient v6.0.3.6219 + 3 + FortiSandbox v3.0.2 (AWS BYOL)
• Fortinet FortiGate 500E v6.0.4 build 0231 & Fortinet FortiClient v6.0.3
• Fortinet FortiGate 500E v5.6.4GA build 7892 & Fortinet FortiClient v6.0.3
• Fortinet FortiGate 3000D v5.6.4GA build 7892 & Fortinet FortiClient v6.0.3
• Palo Alto Networks PA-5220 PAN-OS 8.1.2 + Traps v5.0.5.2072
• Palo Alto Networks PA-5220 PAN-OS 8.1.6-h2 & Palo Alto Networks Traps 5.0.6.6513
• Palo Alto Networks PA-5220 PAN-OS 8.1.2 & Palo Alto Networks Traps 5.0.6.6513
• Sophos XG 750 Firewall SFOS v17.5 & Sophos Intercept X Advanced v2.0.10
• Trend Micro TippingPoint 8200TX Appliance v5.1.0.49751 + Deep Discovery Analyzer v6.1.0.114 + OfficeScan v12.0.5024
• Trend Micro TippingPoint 8400TX v5.1.0.4965 & Trend Micro Smart Protection for Endpoints v12.0.5024.