Wednesday, May 23, 2012

CISSP CPE6: NSS Labs - Consistency in Security Effectiveness

length: 01:00:00

Webinar with Sourcefire regarding the NSS Labs IPS group test 2012

Dave Stuart, Marketing, Sourcefire
Bob Walder, Chief Research Officer, NSS Labs
Jason Brvenik, VP Security Strategy, Sourcefire

NSS: security research and analysis company; a subscription gives unlimited access to its in-depth tests.
Provides the information businesses need to be secure.
Independent! NOT vendor funded!

Why perform tests?
NSS is the only one with in-house testing facilities.
Right-sizing is not the same as throughput.
Effective protection?
The idea is to see how devices perform in the real world.
The bad guys are always one step ahead; the good guys are always playing catch-up.

% detection?
Does it protect better against server-to-client (S2C) or client-to-server (C2S) attacks?
Which applications are better covered?

6.2 IPS methodology
The methodology has been revised; this is the largest and most comprehensive test ever.
1500 live exploits and evasions (a subset of the thousands available), not traffic replay
300 new exploits, 75 new evasions
Connection dynamics and their real-world impact
All new management criteria and analysis (important point)
All new device stability testing (extensive fuzzing, leakage tests, ...)
3-year TCO and value calculation (not only the purchase price: sensor, management, support, signature updates, man hours)
Security effectiveness of the device
Performance of the device

If a vendor performs consistently year after year, it means that vendor has kept improving the product!
We ask customers which products they want to see tested.
The test is quite challenging; not all vendors are willing to participate.

Does this product meet my needs?
Does it protect my assets? Performance? Scale?
What is the true TCO?
Do claims match reality?
What questions should I ask? Why is the catch rate so low? Will sessions ramp up?
Gives much more data to potential buyers.

Comparative analysis report:
Has the product improved / been maintained / degraded?
Should I upgrade to the latest version?
Should I consider another solution?
Are critical assets protected?
Which vendors are consistent? Which vendors shine brightly for a brief year and then fade?

Security value map:
Quadrant   Security   Value   Rating
Q1            +         +     recommended
Q2            -         +     neutral
Q3            -         -     caution
Q4            +         -     neutral

Buying a security product is not like buying a car; it requires consistently improving performance and effectiveness.
Security evolves: larger attack surface and new attack vectors.

4 key k

Real-world IPS throughput
Concurrent connections

Sourcefire NSS 2012 results:
98.9% overall protection in the NSS result!
99% C2S
98% S2C
100% resistance to evasion
No attack leakage
The best overall protection of any vendor to date.

170% of rated performance.
Designed for performance, scalability and protection.

Sourcefire                  8260       8250       8120
Protection                  98.9%      98.9%      98.9%
Real-world IPS throughput   34Gbps     17Gbps     3.4Gbps
Concurrent connections      60M        30M        15M
TCO/Mbps                    $15        $19        $34

These are pretty impressive results.
Performance well beyond what the device was rated for.
We don't believe you have to make a choice between security and performance.
We believe that if you make the investment you can achieve what you need.

Testing not completed in 2012...

8250  15Gbps
8260  34Gbps
8270  51Gbps* (three-unit stack, no external device required)
8290  64Gbps* (four-unit stack, no external device required)
Fail-safe mode: no external tap or bypass kit needed.
Sourcefire: creator of Snort, ClamAV and Razorback.

Omar's question:
Can vendors somehow cheat the tests (e.g. by making signatures more aggressive, at the risk of false positives)?
Answer: this happens, but NSS will detect cheaters.
