CORPORATE AV / EPP COMPARATIVE ANALYSIS Exploit Protection

CORPORATE AV / EPP COMPARATIVE ANALYSIS Exploit Protection

CORPORATE AV / EPP COMPARATIVE ANALYSIS Exploit Protection 2013 – Randy Abrams, Dipti Ghimire, Joshua Smith Tested Vendors AVG, ESET, F-Secure, Kaspersky, McAfee, Microsoft, Norman, Panda, Sophos, Symantec, Trend Micro NSS Labs Corporate AV/EPP Comparative Analysis- Exploit Protection Overview Endpoint Protection Products (EPP) are designed to protect against a broad spectrum of threats. Products originally developed to detect self-replicating code (viruses and worms) have added protection against adware, spyware, rootkits, bootkits, phishing attacks, and exploits, in addition to providing firewall capabilities and more. The ability to block exploits is one of the most significant tasks required of EPP products. When a new vulnerability is exploited, not only can malware, known or unknown, be silently installed, criminals can take over the exploited computer manually, thereby evading signatures and heuristics designed to detect malicious code. If an EPP can block an exploit, it has effectively blocked any and all malware that the exploit may attempt to execute or install. The ability to catch the payload an exploit delivers has value but provides far less protection than blocking the exploit itself. Exploit kits such as Blackhole have essentially made the mass exploitation of websites a low cost franchise operation with a low buy-in and an immediate lucrative return. Software such as Oracle’s Java, Adobe’s Flash and Reader/Acrobat, in addition to web browsers, keep a fresh supply of exploitable vulnerabilities available even as old exploits continue to plague consumers and corporations alike. The exploitation of vulnerabilities in common software programs enables attackers to breach networks, steal intellectual property, hijack email and social network accounts, and engaging in several other types cybercrimes. NSS vulnerability research reveals that the number of reported vulnerabilities rose significantly in 2012 and the vulnerability landscape is going through significant transformations1. Enterprises have several tools to help prevent the exploitation of vulnerabilities. Patching is one of the most important defenses. However many corporations fail to patch all of the applications on their desktops and often are slow to deploy the most current software versions. Intrusion prevention systems (IPS), and in some scenarios next generation firewalls (NGFW), can provide a valuable line of defense against exploits for enterprises. NSS provides extensive comparative testing for IPS and NGFW products. The use of current web browsers is another line of defense. The most widely used browsers have added features such as reputation systems and application blocking to help defend against the exploitation of vulnerabilities. The use of endpoint protection products, colloquially known as antivirus, is also a common defense. NSS tested 11 popular enterprise EPP products to measure their effectiveness in protecting Windows computers against exploits. All of the exploits used during this test have been publicly available for months (and sometimes years) prior to the test, and have also been observed in use on the Internet. Enterprises, especially those employing the BYOD model, that seek protection from exploit driven attacks against desktop PCs and laptops should closely examine results from this test. 1 https://www.nsslabs.com/reports/vulnerability-threat-trends © 2013 NSS Labs, Inc. All rights reserved. 2 NSS Labs Corporate AV/EPP Comparative Analysis- Exploit Protection McAfee 97% Kaspersky 92% Symantec 91% Sophos 88% AVG 79% F-Secure 76% Trend 73% ESET 71% Microso 65% Norman 47% Panda 41% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Figure 1 - Combined Block Rates (including alternate vectors) Figure 1 combines 203 exploit download and payload execution tests with 30 alternate vector attacks to provide the overall exploit protection rate for the tested EPP products. Key Findings: • With a few notable exceptions, endpoint products are not providing adequate protection from exploits. • Enterprise EPP products differ up to 53% in effectiveness at blocking exploits, with protection levels varying between 44% and 97% • Keeping AV software up-to-date does not yield adequate protection against exploits, as evidenced by gaps in coverage for vulnerabilities found to be several years old. • Java is a significant attack vector © 2013 NSS Labs, Inc. All rights reserved. 3 NSS Labs Corporate AV/EPP Comparative Analysis- Exploit Protection Table of Contents Analysis .................................................................................................................................. 5 Test Background – Threat Landscape ........................................................................................................... 5 Stages of Protection ..................................................................................................................................... 6 How This Test Was Conducted ..................................................................................................................... 7 Protection From Exploits Across Protocols .................................................................................................. 7 Exploit Blocking Results ................................................................................................................................ 8 Alternative Attack Vectors ......................................................................................................................... 11 Test Methodology ................................................................................................................. 12 The Tested Products ................................................................................................................................... 12 Client Host Description ............................................................................................................................... 13 The Vulnerabilities ...................................................................................................................................... 13 Appendix A: Definitions ........................................................................................................ 15 Vulnerability ............................................................................................................................................... 15 Exploit ......................................................................................................................................................... 15 Payload ....................................................................................................................................................... 15 Contact Information .............................................................................................................. 16 Table of Figures Figure 1 - Combined Block Rates (including alternate vectors) .................................................................... 3 Figure 2 - How a desktop/laptop computer is exploited ............................................................................... 5 Figure 3 - HTTP vs. HTTPS block rates ........................................................................................................... 8 Figure 4 - Non- IE6 Overall Exploit Block Rate .............................................................................................. 9 Figure 5 - IE6 Overall Block Rate ................................................................................................................. 10 Figure 6 - Overall Exploit Block Rate ........................................................................................................... 10 © 2013 NSS Labs, Inc. All rights reserved. 4 NSS Labs Corporate AV/EPP Comparative Analysis- Exploit Protection Analysis The results of NSS’ in-depth testing of 41 individual exploits and over 200 attack scenarios revealed significant differences in the defensive capabilities of 11 leading endpoint protection solutions. Results are provided for exploits that require Internet Explorer 6 and those that do not. Given that many enterprises are forced to support IE6 because of legacy applications, this capability may be a determining factor in selecting an EPP product. Excluding exploits requiring IE6, the average block rate was 77%, with the weakest product blocking 44% and the best product blocking 98% of the attacks. For exploits requiring IE6 to execute, the average blocking ability was 65%, with the weakest performer blocking 20% of the attacks and the top products blocking 100% of the attacks. Enterprises rely on endpoint security products to help provide a virtual shield against exploits. The number of potentially vulnerable applications that need to be patched taxes the resources of most IT departments and may allow vulnerabilities to persist longer than they ordinarily might on a consumer computer. NSS testing shows that the majority of EPP products fail to block some of the most widely used and dangerous exploits from recent years. Given the importance and growing prevalence of this class of threat, NSS recommends that enterprises give appropriate weight to the quality of exploit prevention technology, as well as performance and threat detection, when selecting EPP products. Test Background – Threat Landscape The layers of defense used in enterprises vary widely. The extent to which technologies such as IPS, NGFW, web and application whitelisting, thin clients, and other

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    16 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us