Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

7/19/2019
10:00 AM
Brian Monkman
Brian Monkman
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
100%
0%

The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike

Why apples-to-apples performance tests are the only way to accurately gauge the impact of network security products and solutions.

When a company is researching options for network security tools, it needs to be able to weigh a number of factors, including cost, effectiveness, compatibility, integration with current or third-party tools and platforms, and — perhaps most important — impact on network performance. To evaluate all options, however, there has to be some way to compare different solutions accurately. The recent legal conflict between CrowdStrike and NSS Labs illustrates why it is such a challenge for organizations to evaluate different vendors and products.

NSS Labs and CrowdStrike announced in late May that after two years, they had reached a confidential settlement to end their legal battle. CrowdStrike initially sued NSS Labs in February 2017 over negative test results that were published in an NSS Labs endpoint protection report. NSS Labs gave the CrowdStrike Falcon platform a "Caution" rating. CrowdStrike, however, maintained that the test was faulty. In late 2018, NSS Labs fought back with a lawsuit of its own against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), claiming that the vendors and AMTSO conspired to prevent NSS Labs from testing their products.

Following the settlement, NSS Labs retracted its 2017 assessment of CrowdStrike's Falcon platform and issued a corrective statement, saying that "NSS's testing of the CrowdStrike Falcon platform was incomplete and the product was not properly configured with prevention capabilities enabled. In addition to the results having already been acknowledged as partially incomplete, we now acknowledge they are not accurate and confirm that they do not meet our standards for publication."

The CrowdStrike-NSS altercation is only one legal battle between a testing lab and a vendor. The NSS Labs lawsuit against Symantec, ESET, and AMTSO is still ongoing, even in the wake of the settlement with CrowdStrike, and it is likely that similar lawsuits are in the pipeline.

What's Wrong with Network Security Testing
The situation involving NSS Labs and CrowdStrike is a perfect example of what's wrong with network security testing. In a Dark Reading column earlier this year, I described network security testing as the Wild West, noting that proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out.

The fact that NSS Labs retracted its rating of CrowdStrike's Falcon platform highlights one of the primary issues with closed or proprietary network security testing standards. Without visibility into the testing protocols and standards used, there is no way for organizations to objectively determine whether an NSS Labs assessment is right or wrong.

The flip side of the coin is that closed and proprietary testing standards also create the potential for vendors to game the system or gain an advantage over rival companies. Vendors frequently impose conditions on how their products can be tested and demand that testing labs design environments and tests that focus on areas in which the product excels, minimizing scenarios in which the product does not perform well.

In the end, however, whether the testing lab makes a mistake or misconfigures the product, or whether the vendor influences the testing unfairly to make its product look better, the result is that the testing can't be trusted. And untrustworthy testing is useless when organizations are trying to compare various products to make a purchasing decision.

The Importance of Open Security Testing Standards
Testing labs don't want to be in the position of trying to negotiate with vendors for the privilege of testing their products, nor do they want to cave to demands that make those products look better. Vendors don't want to have their products tested in scenarios that don't pit them against rivals on an even playing field. Customers don't want test results that can't be trusted, or assessments with questionable accuracy that can't be verified because the testing methodology is proprietary. The answer is to adopt open network security testing standards.

NetSecOPEN (like AMTSO, a vendor-led organization) was formed in 2017 to address issues and challenges related to the current proprietary testing environment. We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. Ultimately, apples-to-apples performance tests that accurately portray the effectiveness and impact of network security products on network performance are essential, and the result of such testing is a win-win-win for testing labs, vendors, and — most of all — customers.

Related Content:

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Brian Monkman is executive director of NetSecOPEN, a nonprofit, membership-driven organization with a goal of developing open standards for testing network security products. A 25-year network security veteran, he has extensive experience in technical support, sales ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
tdsan
100%
0%
tdsan,
User Rank: Ninja
7/19/2019 | 3:44:30 PM
Collaboration with the vendor is key
We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. 

I believe this section is the most import aspect of testing - collaboration. By collaborating with the testing teams and the OEM, we can alleviate some of the misconfigurations associated with the test.

T
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
7/19/2019 | 2:24:44 PM
Re: Agreed bt don't trust
Gartner - I have never liked their power as well, a bunch of Greenwich CT young pups running stupid Magic Quadrant campaigns that have no bearing in the real world.  Snotty types. 
username007
50%
50%
username007,
User Rank: Strategist
7/19/2019 | 2:16:06 PM
Agreed bt don't trust
As outlined in this article it is necessary for secuity "things" to be open and transparent. Hiding behind proprietary testing methods diminishes the value of those results. To make this more fun the author of this post included a link to a resource that is a redirect from mimecast over to the site claiming to be more transparent. Yay for being hypocrytical. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
Browsers to Enforce Shorter Certificate Life Spans: What Businesses Should Know
Kelly Sheridan, Staff Editor, Dark Reading,  7/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17366
PUBLISHED: 2020-08-05
An issue was discovered in NLnet Labs Routinator 0.1.0 through 0.7.1. It allows remote attackers to bypass intended access restrictions or to cause a denial of service on dependent routing systems by strategically withholding RPKI Route Origin Authorisation ".roa" files or X509 Certificate...
CVE-2020-9036
PUBLISHED: 2020-08-05
Jeedom through 4.0.38 allows XSS.
CVE-2020-15127
PUBLISHED: 2020-08-05
In Contour ( Ingress controller for Kubernetes) before version 1.7.0, a bad actor can shut down all instances of Envoy, essentially killing the entire ingress data plane. GET requests to /shutdown on port 8090 of the Envoy pod initiate Envoy's shutdown procedure. The shutdown procedure includes flip...
CVE-2020-15132
PUBLISHED: 2020-08-05
In Sulu before versions 1.6.35, 2.0.10, and 2.1.1, when the "Forget password" feature on the login screen is used, Sulu asks the user for a username or email address. If the given string is not found, a response with a `400` error code is returned, along with a error message saying that th...
CVE-2020-7298
PUBLISHED: 2020-08-05
Unexpected behavior violation in McAfee Total Protection (MTP) prior to 16.0.R26 allows local users to turn off real time scanning via a specially crafted object making a specific function call.