Sector: Enterprise
Essential Endpoint Security Enterprise
Realistic attacks for useful results
Essential Endpoint Security for Enterprise. Keeping your organisation safe from online threats requires strong endpoint protection. It’s not just important – it’s crucial. So, it’s a good idea to regularly check how well it’s working. Essential endpoint security means checking if the security tools on devices like desktops, laptops, and mobiles do their job.
Why? Because these devices are often the target of online attacks. If they’re not protected, they can become a way for cybercriminals to get to your sensitive information.
Our reports help you choose the best home anti-malware product that can protect you from ransomware and other types of attacks.
How we test
SE Labs brings a wealth of experience to the table when it comes to testing endpoint protection. We firmly believe in the necessity of conducting these tests regularly to ensure that security vendors are consistently updating and enhancing their effectiveness. Our testing approach involves recreating real-world cyberattack situations, allowing us to assess the performance of endpoint security solutions in terms of detection, prevention, and mitigation.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Ransomware vs. Endpoint Security
Ransomware vs. Endpoint Security – Results from the largest public ransomware test
In this report, we analyse ransomware vs. endpoint security. Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
Product factsheet:
In this report, we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Ransomware Deep Attacks
For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases, we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.
Ransomware Direct Attacks
The second part of the test takes a wide distribution of known malware and adds variations designed to
evade detection. We’ve listed the ransomware families used in Hackers vs. Targets on page 9. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through
email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Critical Endpoint Protection
Realistic attacks for useful results
Endpoint protection is a critical component of any organisation’s cyber security strategy
And if it’s critical then you should test it. And have others run assessments too. Testing endpoint protection involves evaluating the effectiveness of the security solutions. These solutions are deployed on endpoint devices such as desktops, laptops and mobile devices. Endpoint protection testing is necessary because endpoints are often the target of cyberattacks. Endpoints can be used as a gateway to gain access to sensitive data.
Our reports help you choose the best home anti-malware product that can protect you from ransomware and other types of attack.
SE Labs has extensive experience in endpoint protection testing. We have found that it is essential to conduct these tests regularly to ensure that the security vendors are keeping them up-to-date and effective. Our testing methodology involves replicating real-world cyberattack scenarios. And then evaluating how well the endpoint security solutions perform in detecting, preventing, and mitigating those attacks.
One of the key aspects of endpoint protection testing is the use of realistic attack scenarios. Our team of experts analyses the latest threat intelligence and creates attack scenarios that closely mimic the tactics, techniques, and procedures used by real-world cybercriminals. By doing so, we can determine how well the endpoint security solutions perform in detecting and preventing these attacks.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Content Disarm and Reconstruction (CDR)
Content Disarm and Reconstruction (CDR)
CDR tested for removal of known and unknown threats
SE Labs tested OPSWAT Deep CDR (Content Disarm and Reconstruction) against targeted attacks using file-based threats. These attacks are designed to compromise systems and penetrate target networks by hiding threats inside files that appear to be innocent.
Testers hid threats inside a variety of common file formats, such as office documents, web pages and archive files.
Content Disarm and Reconstruction (CDR) vs. hidden threats
These files were assessed by the CDR system, which attempted to remove known and unknown threats. The results show the extent to which the threat prevention system achieved that goal accurately.
Read more reports here.
Product factsheet:
CDR solutions work differently than traditional solutions
CDR security solutions take a different approach than many others. Instead of detecting threats, they pull files apart and put them back together again. The idea is that anything bad gets dropped by the wayside, and only good things can pass through.
This approach is particularly appropriate when considering the risk of man-in-the-middle attacks. You might send a useful file to a colleague, but an attacker intercepts it and adds a little extra something, like a remote access tool. When you open it, you see what you would expect, while the attacker gains access to your system.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Cisco Secure Endpoint – DETECTION
Testing protection against fully featured attacks
SE Labs tested Cisco Secure Endpoint against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Product factsheets:
Results – Cisco Secure Endpoint (Detection)
Cisco scored a 100% Detection Accuracy Rating for detecting every element of the Turla attacks, starting from the delivery of the spear phishing attachment through to all the subsequent malicious activities in the attack chain. It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks. The product did not generate false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.
Read more of our reports here.
09/2023 - 09/2023
Enterprise Advanced Security (EDR): Cisco Secure Endpoint – PROTECTION
Cisco Secure Endpoint
Testing protection against fully featured attacks
SE Labs tested Cisco Secure Endpoint – Protection against targeted attacks based on the Turla threat. These attacks are designed to compromise systems and penetrate target networks in the same way as the advanced persistent hacking group known as Turla operates to breach systems and networks.
There are many opportunities to spot and stop attackers. Products can detect them when attackers send phishing emails to targets. Or later, when other emails contain links to malicious code. Some kick into action when malware enters the system. Others sit up and notice when the attackers exhibit bad behaviour on the network.
Ultimately you want your chosen security product to prevent a breach one way or another, but it’s more ideal to stop a threat early, rather than watch as it wreaks havoc before stopping it and trying to clean up.
Product factsheets:
Results
Cisco Secure Endpoint scored a 100% Protection Accuracy Rating for blocking every threat at the initial delivery stage. The product did not generate any false positives, meaning that it didn’t wrongly detect or hamper harmless, legitimate software.
It also prevented all of the malicious activities from running, incurring no penalties for allowing the full or partial execution of targeted attacks.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Endpoint Detection Compared
Endpoint Detection Compared
SE Labs tested and compared a variety of Endpoint Detection and Response products against a range of hacking attacks designed to compromise systems and penetrate target networks in the same way as criminals and other attackers breach systems and networks. Full chains of attack were used, meaning that testers behaved as real attackers, probing targets using a variety of tools, techniques and vectors before attempting to gain lower-level and more powerful access. Finally, the testers/ attackers attempted to complete their missions, which might include stealing information, damaging systems and connecting to other systems on the network.
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack. While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cyber criminal behaviour and builds tests based on how bad guys try to compromise victims. The cyber security industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps.
Fortunately, the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.
Read more reports here.
How can you test and judge endpoint protection products?
Back to basics
How can you test and judge endpoint protection products?
Working out which endpoint protection product is right for your organisation requires a lot of thought.
Each product on the market has a pile of features and they don’t all do exactly the same thing. But at the very least, they should detect and stop malware threats. That should be your baseline when choosing between them. In our latest Endpoint Security (EPS) reports we test and judge endpoint protection products of many of the main brands, and we tell you how we do it.
Our reports help you choose the best home anti-malware product that can protect you from ransomware and other types of attack.
How we test endpoint protection products
Testing security technology is rarely simple. We’ve talked about online anti-virus reviews before, and how they can be too basic to help make sensible buying decisions. But we don’t have to get bogged down in details here. Let’s get back down to basics. What should endpoint protection products do and how does SE Labs test them?
- Firstly, we install different anti-malware solutions onto real PCs – the sort you have on or under your desk. Then we attack those computers using threats we’ve found on the internet and using targeted attacks that we’ve built in our lab. Fundamentally, we behave like real attackers. It’s the purest kind of test.
- Secondly, we then score products on their performance. They get points for detecting the threat and further credit if they actually stop the attack. If they prevent the attack from running at all they score top marks for ‘blocking’ the threat.
- Lastly, we introduce good emails, websites and programs to the targets. If a security product blocks those, we deduct a lot of points because they are hampering users from using their computers properly.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Read this SE Labs assessment of world-leading endpoint security products and discover how they handle well-known threats and targeted attacks.
Endpoint Detection and Response is more than anti-virus
Understand cyber security testing with visible threat intelligence
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.
Our reports help you choose the best enterprise security products that can protect you from ransomware and other types of attack. See the value of cybersecurity testing with visible threat intelligence.
Product factsheet:
Some EDR products are designed solely to watch and inform, while others can also get involved and remove threats either as soon as they appear or after they start causing damage.
For the ‘stoppers’ we run the Enterprise Advanced Security test in Protection mode. For ‘watchers’ like SenseOn we can demonstrate effectiveness by testing in Detection Mode.
An Endpoint Detection and Response (EDR) product is more than anti-virus
In this report we look at how SenseOn handled full breach attempts. At which stages did it detect? And did it allow business as usual, or alter wrongly against legitimate applications?
The targeted attacks used in this test replicate those used by the following attack groups in the real world:
- Turla
- Ke3chang
- Threat Group-3390
- Kimsuky
Read this SE Labs assessment and discover how SenseOn handles advanced targeted attacks. Find the value in early detection systems. We also describe in detail how each of the attack groups have worked in the past and how we’ve copied their tools and techniques to create a realistic test that reflects real-world security situations.
Does it matter if your company is hacked?
And why are some businesses overconfident that they are secure?
A true story: There was a team manager, a head of IT and a chief financial officer. I asked each if they considered their network to be secure, hacked or in some other state. The ex-military team manager was supremely confident that the secure network was, as its optimistic name suggested, secure. The IT manager said, “I don’t know,” and the CFO said, “I don’t know, and does it matter?” Does it matter if your company is hacked?!
It does matter, because when businesses are compromised it affects their ability to perform their main function: to make money.
Our reports help you choose the best enterprise and SMB security products that can protect your organisation from ransomware and other types of attacks.
Email Security Services (ESS) test: Enterprise and SMB test explained
This test examined the effectiveness of five email security solutions. Microsoft Defender for Office 365 and Google Workspace Enterprise are commercial email platforms. Trellix Email Security, WithSecure Email Security and Mailcow Open Source solution are third-party ‘add-on’ services designed to provide additional security. Of the ‘add-ons’, the services from Trellix and WithSecure are commercial, while Mailcow’s is open-source.
Does it matter if your company is hacked?
There are a couple of common reasons why people don’t think their organisations will be hacked. Firstly, they think that their security is the best. Secondly, they don’t think they are a worthy target. But all businesses are targets because they are designed to make money. And if they cannot operate, they can’t perform their main function – making money.
Hackers know this and extort money from victims by stealing their data and threatening to release it to the public, exposing victims to large regulatory fines and litigation. And, of course, there’s the embarrassment factor of looking amateur. Hackers can also encrypt data on business systems, paralysing companies until they pay up.
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.