Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/19/2019
10:00 AM
Brian Monkman
Brian Monkman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike

Why apples-to-apples performance tests are the only way to accurately gauge the impact of network security products and solutions.

When a company is researching options for network security tools, it needs to be able to weigh a number of factors, including cost, effectiveness, compatibility, integration with current or third-party tools and platforms, and — perhaps most important — impact on network performance. To evaluate all options, however, there has to be some way to compare different solutions accurately. The recent legal conflict between CrowdStrike and NSS Labs illustrates why it is such a challenge for organizations to evaluate different vendors and products.

NSS Labs and CrowdStrike announced in late May that after two years, they had reached a confidential settlement to end their legal battle. CrowdStrike initially sued NSS Labs in February 2017 over negative test results that were published in an NSS Labs endpoint protection report. NSS Labs gave the CrowdStrike Falcon platform a "Caution" rating. CrowdStrike, however, maintained that the test was faulty. In late 2018, NSS Labs fought back with a lawsuit of its own against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), claiming that the vendors and AMTSO conspired to prevent NSS Labs from testing their products.

Following the settlement, NSS Labs retracted its 2017 assessment of CrowdStrike's Falcon platform and issued a corrective statement, saying that "NSS's testing of the CrowdStrike Falcon platform was incomplete and the product was not properly configured with prevention capabilities enabled. In addition to the results having already been acknowledged as partially incomplete, we now acknowledge they are not accurate and confirm that they do not meet our standards for publication."

The CrowdStrike-NSS altercation is only one legal battle between a testing lab and a vendor. The NSS Labs lawsuit against Symantec, ESET, and AMTSO is still ongoing, even in the wake of the settlement with CrowdStrike, and it is likely that similar lawsuits are in the pipeline.

What's Wrong with Network Security Testing
The situation involving NSS Labs and CrowdStrike is a perfect example of what's wrong with network security testing. In a Dark Reading column earlier this year, I described network security testing as the Wild West, noting that proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out.

The fact that NSS Labs retracted its rating of CrowdStrike's Falcon platform highlights one of the primary issues with closed or proprietary network security testing standards. Without visibility into the testing protocols and standards used, there is no way for organizations to objectively determine whether an NSS Labs assessment is right or wrong.

The flip side of the coin is that closed and proprietary testing standards also create the potential for vendors to game the system or gain an advantage over rival companies. Vendors frequently impose conditions on how their products can be tested and demand that testing labs design environments and tests that focus on areas in which the product excels, minimizing scenarios in which the product does not perform well.

In the end, however, whether the testing lab makes a mistake or misconfigures the product, or whether the vendor influences the testing unfairly to make its product look better, the result is that the testing can't be trusted. And untrustworthy testing is useless when organizations are trying to compare various products to make a purchasing decision.

The Importance of Open Security Testing Standards
Testing labs don't want to be in the position of trying to negotiate with vendors for the privilege of testing their products, nor do they want to cave to demands that make those products look better. Vendors don't want to have their products tested in scenarios that don't pit them against rivals on an even playing field. Customers don't want test results that can't be trusted, or assessments with questionable accuracy that can't be verified because the testing methodology is proprietary. The answer is to adopt open network security testing standards.

NetSecOPEN (like AMTSO, a vendor-led organization) was formed in 2017 to address issues and challenges related to the current proprietary testing environment. We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. Ultimately, apples-to-apples performance tests that accurately portray the effectiveness and impact of network security products on network performance are essential, and the result of such testing is a win-win-win for testing labs, vendors, and — most of all — customers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Brian Monkman is executive director of NetSecOPEN, a nonprofit, membership-driven organization with a goal of developing open standards for testing network security products. A 25-year network security veteran, he has extensive experience in technical support, sales ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/19/2019 | 3:44:30 PM
Collaboration with the vendor is key
We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. 

I believe this section is the most import aspect of testing - collaboration. By collaborating with the testing teams and the OEM, we can alleviate some of the misconfigurations associated with the test.

T
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
7/19/2019 | 2:24:44 PM
Re: Agreed bt don't trust
Gartner - I have never liked their power as well, a bunch of Greenwich CT young pups running stupid Magic Quadrant campaigns that have no bearing in the real world.  Snotty types. 
username007
50%
50%
username007,
User Rank: Strategist
7/19/2019 | 2:16:06 PM
Agreed bt don't trust
As outlined in this article it is necessary for secuity "things" to be open and transparent. Hiding behind proprietary testing methods diminishes the value of those results. To make this more fun the author of this post included a link to a resource that is a redirect from mimecast over to the site claiming to be more transparent. Yay for being hypocrytical. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...