Sector: Enterprise
Five Antivirus Myths Busted
And why do we still believe them?
Anti-virus, or endpoint security plays an essential part in protecting Windows PCs. Whether you are working in the world’s largest enterprise, or using a small personal laptop, you need a last line of defence against attacks who use malicious code to steal or damage your data.
Our reports help you choose the best enterprise anti-malware product that can protect you from ransomware and other types of attacks.
Antivirus myths you shouldn’t believe
- Anti-virus slows your computer.
- Anti-virus only stops viruses.
- You must pay for great protection.
- Detection means protection.
- Updates are no longer necessary.
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Ransomware Detection Using Hardware
Ransomware Detection Using Hardware
Computer processors get the final word when running programs. Can they judge bad code from good?
SE Labs tested Intel’s hardware approach to ransomware detection, using a wide range of ransomware attacks designed to extort victims. These attacks were realistic, using the same tactics and techniques as those used against victims in recent months.
Target systems included Windows PC both Intel vPro-based hardware and alternative AMD platforms. All were attacked in the same way by testers acting as we observe ransomware groups to behave.
Attacks used original ransomware malware, as seen in the wild during recent months, as well as more advanced variations designed to evade detection. In all cases the ransomware’s goal was to steal, encrypt and destroy sensitive data on the target systems.
Product factsheet:
Attackers can disguise malware. In the same way you might try to slip past a security guard in thick glasses and a wig, hackers can take their regular code and make it look different. There are many ways to do this, but before it can achieve its ultimate goal, malware has to run, or execute. And at that stage it drops its disguise, at least as far as the hardware it runs on is concerned. As the code runs, its intentions become clear.
And this presents an opportunity for defenders – detect malware at the very last moment, just as it reveals itself while executing. The concept of ‘security on a chip’ has been around for a long time but now Intel claims that it has introduced anti-malware to its vPro hardware platform. By monitoring code as it executes, it hopes to detect malware and inform compatible security software when it does. It claims to do this by using pattern matching, via machine learning, to spot suspicious behaviour. The goal is to have a combination of security software and hardware working together to prevent infections.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Cyber Threat Intelligence
Annual Report 2023: Threat Intelligence for 2023
Welcome to the fourth annual report from SE Labs. This edition focuses on cyber threat intelligence.
Understanding threats is crucial when trying to defend against them. Knowing your enemy’s tactics helps clarify security planning.
We use threat intelligence when testing security products, to ensure our results are useful to companies facing real threats in the real world.
We’re sharing our insights here to help you build a strategy for success in the face of the global cyber threat.
What are the Threats?
We explore the current threats and explain why so many organisations remain vulnerable. There’s good news and bad news…
Ransomware
Learn about the very latest innovations in testing anti-ransomware security approaches.
Annual Security Awards
Our Annual Security Awards recognises security vendors that not only do well in our tests, but perform well in the real world with real customers. These awards are the only in the industry that recognise strong lab work combined with practical success.
How we work (and could work with you!)
Discover which types of tests we run and how we can work with you to improve your product or your choice of products.
DIY Email Security
Can you defend against email threats better than the security companies?
How well do the main email platforms handle threats? Is it worth paying for additional email security from a third-party specialist? Or could you create your own secure email server (DIY email security) and get top-grade protection for free?
Our reports help you choose the best enterprise security products and services.
Compare a major email platform with a third-party service and an open-source solution.
In this special, one-of-a-kind report we investigate how well one of the world’s largest email providers performs when trying to filter out harmful security threats from your email. We also assess the benefits of a well-known email security service that you can bolt onto any other email solution. And finally, we built an open-source email server running a combination of security and management tools to see how well it compared.
We wanted to answer the questions:
- Is there value to be had from specialist email security services?
- Should you run your own server?
- Can you combine your own server with a specialist service?
DIY Email Security
In this report we compare a major platform with a third-party email security service to see if it’s worth spending extra on security. We worked with both companies but neither wished to be identified in this report. We reported back to them all of the threats that they identified (and missed) and provided them with an opportunity to dispute any mistakes that they identified. This report is the result of that engagement.
Choose your reports and reviews carefully
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. Our results help vendors improve their products and buyers choose the best for their own needs.
Choose your reviews carefully
3 reasons our enterprise tests are trustworthy
This security report compares anti-malware products. Its job is to help you make informed buying decisions.
Our reports help you choose the best enterprise anti-malware product that can protect you from ransomware and other types of attack.
Product factsheets:
Three reasons our security tests are the most trustworthy
There are a few questions you should ask when you look at a security report. These are all very important but in random order here they are:
- Is the test realistic?
- Does the tester explain how they tested?
- Does the tester explain how they make money
from the report?
There are all sorts of other little details to consider, which are often things security vendors get anxious about. These include technical details relating to the testing environment and the threats used to test the products. But ultimately, as a reader, you should care most about the list above.
Choose your reviews carefully
If you see a security report that isn’t realistic and transparent treat it with extra care. For more information about fake anti-virus reviews please see our blog post on the subject. If you want to make the most informed purchase of security software choose your reviews carefully.
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Deep and direct ransomware testing
Deep and direct ransomware testing
We tested CrowdStrike Falcon against a range of ransomware attacks designed to extort victims. These attacks were realistic, using the same tactics and techniques that were used against victims in recent months.
Target systems, protected by CrowdStrike Falcon, were attacked by testers acting in the same way as we observe ransomware groups to behave.
Attacks were initiated from the start of the attack chain, using phishing email links and attachments, as just two examples. Each attack was run from the very start to its obvious conclusion, which means attempting to steal, encrypt and destroy sensitive data on the target systems.
Product factsheet:
Enterprise Advanced Security (Ransomware): CrowdStrike Falcon
Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. On top of that, a ransom demand provides a clear, countable value to a threat. A demand for “one million dollars!” is easier to quantify than the possible leak of intellectual property to a competitor.
We have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.
In this report we have taken two main approaches to assessing how well products can detect and protect against ransomware.
Enterprise Advanced Security (Ransomware) Tested
This detailed report looks at ransomware detection during a full network attack; and protection against known ransomware attacks and their unknown variants. We include details about the different types of ransomware attacks, including the tactics used by different criminal groups.
Enterprise Anti-Virus Testing
How hard should a security test be?
Thank you for opening this report. I hope you’ll be able to use it to get a better idea about which anti-malware products you might want to buy (or get rid of!)
Our reports help you choose the best enterprise anti-malware product that can protect you from ransomware and other types of attack.
Product factsheets:
Enterprise Anti-Virus Testing
The report starts off with a list of products, each of which win impressive-looking awards. But have you considered what those awards mean? How come there aren’t any massive losers in the list? How hard is this security test anyway?
Baseline Testing
There are lots of ways you can test products. You could prod a teddy bear and say, “well, that looks good enough,” or you could take it to pieces and analyse every component forensically for build and functional quality. “This toy looks safe, its parts are large, soft and non-toxic, and we can’t burn it easily. Plus, it’s got big, cute eyes.” This could be a baseline for cuddly toys: SAFE, with cuteness as an extra bonus.
For anti-malware products we have to consider a few different things, including the following:
- Is it really an anti-malware product? Is it at least basically functional?
- Can it determine a good quantity of common malware, without blocking lots of useful software?
- Can it stop the malware, as well as simply detecting it?
Which enterprise anti-virus?
Everyone tells you that you need it, but which one?
Which enterprise anti-virus is the best? Our reports help you choose the most appropriate enterprise anti-malware product that can protect your organisation from ransomware and other types of attack.
Choose the best enterprise anti-malware solution
Classic cybersecurity advice always includes a plea to, “install anti-virus” or “use endpoint protection software”. Journalists, bloggers and even governments hand this information out, as if it helps. Most platforms, including Microsoft Windows and Apple macOS, include anti-virus so the question then becomes, “which enterprise anti-virus?”
How do you choose?
The UK’s National Cyber Security Centre (NCSC) provides some mature and detailed advice but stops short of helping readers work out which products might be most suitable. The only time it tries to help in this respect ends in a bizarre suggestion that you might prefer a product that implements the Anti-Malware Scan Interface (AMSI). This feature is only relevant if you are developing security software yourself.
The Cybersecurity and Infrastructure Security Agency (CISA) in the US gives advice on stopping ransomware. At the bottom of the list, including useful items such as, “update and patch” and “keep your personal information safe” is the instruction to, “install antivirus software, firewalls and email filters.” Nowhere does any such organisation help you choose which is the best or most appropriate for your organisation.
When you search for, “best business anti-virus” or, worse, “best home anti-virus” you’ll see millions of links to better or lesser-known magazine websites and slightly shady reseller’s blogs. Some of the most respectable technical websites run sensible and unbiased reviews and there’s where you start to get somewhere: opinions on interfaces and prices. But how effective are these products?
Find the best reviews
The best reviewers delegate the really technical business of testing endpoint security to the professional testers. If you read their reviews you’ll see our name in there somewhere.
This is because organisations such as SE Labs spend all of their time testing security products – it’s what we specialise in. In our case we learn how the criminals behave and then copy them closely. This produces the most realistic results you can hope to see in a public security test. We also ensure that our reports are reviewed by the Anti-Malware Testing Standards Organization (AMTSO) to validate that we’ve tested fairly.
We pride ourselves on a level of transparency that elevates our work above the less open reports available. But don’t just take our word for it. This report has gone through the AMTSO certification process to ensure that we say what we’re going to do; do it; and can prove it. Our results help vendors improve their products and buyers choose the best for their own needs.
Choose the best enterprise endpoint security solution
Choose the best enterprise endpoint security solution
Welcome to the first edition of the Enterprise Advanced Security test that compares different endpoint security products directly. We look at how they handle the major threats that face all businesses, from the Global 100, down to medium enterprises. And most likely small businesses, too.
We give an overall score but also dig down into the details that your security team will care about. This report explains the different levels of coverage that these products provide.
Product factsheets:
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of
an attack.
While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Full attack chain testing
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims.
The cybersecurity industry is familiar with the concept of the ‘attack chain’, which is the combination of those attack steps.
Fortunately the MITRE organisation has documented each step with its ATT&CK framework. While this doesn’t give an exact blueprint for realistic attacks, it does present a general structure that testers, security vendors and customers (you!) can use to run tests and understand test results.
The Enterprise Advanced Security tests that SE Labs runs are based on real attackers’ behaviour. This means we can present how we run those attacks using a MITRE ATT&CK-style format.
Endpoint Detection Compared
You can see how ATT&CK lists out the details of each attack, and how we represent the way we tested, in Appendix A: Threat Intelligence, starting on page 15. This brings two main advantages: you can have confidence that the way we test is realistic and relevant, and you’re probably already familiar with this way of illustrating cyber attacks.
EDR is more than anti-virus
An Endpoint Detection and Response (EDR) product is more than anti-virus, which is why it requires advanced testing. This means testers must behave like real attackers, following every step of an attack.
Intelligence-led testing
While it’s tempting to save time by taking shortcuts, a tester must go through an entire attack to truly understand the capabilities of EDR security products.
Each step of the attack must be realistic too. You can’t just make up what you think bad guys are doing and hope you’re right. This is why SE Labs tracks cybercriminal behaviour and builds tests based on how bad guys try to compromise victims.