BREACH DETECTION SYSTEMS: WHAT ARE THEY AND DO YOU NEED ONE?
NSS Labs Research, October 7, 2015
Jason Pappalexis, Research Director
Andrew Braunberg, Research VP
Thomas Skybakmoen, Research VP
Slide 2
Agenda
• BDS Definition
• Market
• Architectural Overview
• Testing
• Methodology
• Results
• Product Maturity
• BDS: Worth the Investment?
• Q&A
Slide 3
BDS Defined: Three Key Characteristics
1. A product or service deployed out of band
2. Variety of dynamic detection techniques
   • Looking for previously unknown and/or highly targeted malicious content
3. Identify indicators of compromise that alert to an existing breach

Dynamic Detection Techniques
• Malware identification (signatures, heuristics, or both)
• Network traffic analysis (flow monitoring, content analysis, or both)
• Sandboxing that models internal systems (workstations and servers)
• Browser emulation
• Reputation
Slide 4
State of the Market (CY2014)
• Market Size
  • $714M in 2014
  • $1.1B in 2015 (NSS est.)
• Current buyers
  • Large Enterprise made up 85% of sales in 2014
• Evolving market requirements

[Chart] FireEye 49%, Others 24%, Fidelis 15%, Palo Alto Networks 7%, Blue Coat 5%
Slide 5
Three Key Market Drivers
1. Security effectiveness
   • Best chance of detecting a zero day
2. Time to Detection
   • "Malware research team in a box" working 24/7/365
3. Improved Forensics
   • "Smoking Gun" enables prompt and accurate incident response
Slide 6
Architecture & Deployment
• Deployment options
  • Complexity
  • Protocol support
  • Endpoint versus Network
• Dynamic analysis
  • Sandboxes, emulation, virtualization
  • OS support (sandboxes)
Slide 7
World's Leading Security Testing Facility
• Largest live testing harness in the world
• 3 Tbps real-world traffic testing capacity
• Richest multi-vendor test infrastructure
• $30 Million data center investment
• Network, endpoint and cloud test expertise
• 2 Million Hrs accumulated test experience
Slide 8
Security Effectiveness Testing

Exploits
• Social
• Drive-By

Evasions
• Packers
• Compressors
• Virtual Machine
• Sandbox
• HTML Obfuscation
• Layered Evasions

Malware
• HTTP
• Email (IMAP/SMTP)
• SMB

Stability & Reliability
• Detection under Extended Attack
• Protocol Fuzzing and Mutation
• Persistence of Data

Data from BDS 2.0 Group Test
Slide 9
Performance Testing

UDP
• 64 to 1514 Byte Packets

HTTP Capacity
• No Transaction Delays
• With Transaction Delays

Max Capacity
• Max concurrent TCP connections
• Max TCP connections per second
• Max HTTP connections per second

Real World Traffic Mixes
• Enterprise Perimeter
• Education

Data from BDS 2.0 Group Test
Slide 10
Group Test Results
• Security
  • Security Effectiveness 51.8% to 99.2%
  • Average Security Effectiveness Rating 86.8%
  • Evasion effectiveness 87.1% to 100%
• Performance
  • Throughput 750 Mbps to 4.583 Gbps
• Total Cost of Ownership
  • 3 Year TCO ranged from $68,922 to $448,793
  • Average 3 year TCO was $277,349

Data from BDS 2.0 Group Test
Slide 11
BDS: Worth the Investment to You?
• Architecturally complex
  • Often require multiple devices to scan diverse traffic types
• Performance issues will eventually drive many BDSs to the cloud
  • Not designed to perform at line rate
• Sandbox lifecycle management
• Sandbox evasions
• Total cost of ownership
• Agents
• Require adult supervision

No security product is without limitations
Slide 12
In-Depth Research
• Market Analysis
• Buyers Guide
• Company Reports

Technical Briefs

Test Reports
• Comparative Reports
  • Security Value Map
  • TCO
  • Security
  • Performance
• Product Test Reports