Recently, NSS Labs conducted an independent verification on vendor claims of IPS accuracy and performance.  While some performed well, others did not.  In fact, certain vendors, like TippingPoint, performed so poorly that it calls into their question their dedication to the art and science of security itself.

According to an interview by Techworld with NSS Labs’ President Rick Moy, partners and customers should be more cautious than ever in placing their faith in companies who have questionable security efficacy.  “This iffy security performance contrasts with similar IPS products the company recently tested from McAfee and IBM, which both scored “in the 95 percent range” when pitted against the same family of exploits, said NSS Labs’ Rick Moy. “

Looking deeper into the results of NSS Labs’ tests, we find that TippingPoint caught less than 40% of attacks.  The resulting security, compliance, and privacy implications for their customers are certainly called into question.   According to the report summary, “the security effectiveness of the TippingPoint 10 was subpar, catching only 247 of 622 exploits (39.7%).”

Network World has also reported on this test, and tests in general.  They reported that “In a test series of 209 exploits run against it, the IPS did not score particularly well, detecting only 82 of them.”

Outstanding questions remain.  How will TippingPoint’s former claims of accuracy hold up to this scrutiny?  What are the implications for customers who think they are protected now, but may be exposed according to this test?  How do TippingPoint partners respond to this report when customers inevitably ask about it?

1. Fastest – We’ve recently released the M-series, which scales Intrusion Prevention from 100Mbps to over 10Gbps. 
2. Most Accurate – NSS Labs has awarded the M-8000 NSS Gold Certification for accuracy. 
3. General Leader – Gartner has placed us in the Leader’s quadrant for the 5th year.  It’s time to build on that success and truly redefine the space

It’s time to shake things up a bit.  We’re working on a host of new features in an upcoming release, and we’re looking to you to help us make the best product in the world even better.  In the coming months, McAfee plans to release groundbreaking new technology to help us get even farther ahead of the threat, with more visibility across the enterprise, based on feedback from our customers.  Some of the new features include:

- Targeted attack signatures developed by the opensource community (SNORT format)
- Day-0 malware protections with McAfee Artemis Technology
- Flow-based network threat analysis

Those who are familiar with the NSP know that we achieved 100% detection accuracy by focusing on protocol analysis and system vulnerabilities, across all layers of the stack, and integrating in features like Denial of Service protection, exploit detection, and comprehensive anti-evasion techniques.  You’re also probably familiar with McAfee Avert Labs, whose 350+ researchers focus on vulnerabilities and ways to protect our customers from them.

We need your help in making the world’s most secure IPS even better.  If you’re in the federal government sector, and are responsible for deploying IPS in your organization, we want to hear from you.  Send an e-mail to nsp-beta@mcafee.com or contact your sales representative to get started in the McAfee Network Security Platform beta program.

Rees

Disclaimer: The information contained in this document is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.

It’s also not surprising that enterprises continue to look for ways to simplify deployment of yet another business-critical application. For Web Security, both SaaS and appliance deployments will continue to grow at an accelerated rate while the long-standing domination of the software deployment plateaus and starts losing ground. IDC predicts appliances sales for Web Security will more than double from 2008 to 2012.

According to the IDC study, McAfee, with its McAfee Web Gateway (formerly Webwasher) and EWS solutions, is ranked #1 in market share for Web security appliances in 2008.
With great Web protection delivered in an easy-to-deploy appliance form factor, it’s easy to see why McAfee is the market share leader!

(1) IDC, Worldwide Web Security 2009-2013 Forecast and 2008 Vendor Shares: It’s All About Web 2.0 YouTwitFace, Doc # 219502, August 2009

“Surely,” I argued, “The gateway is the first line of Web security defense. It’s the most economical, the most efficient, and the most effective.” While she didn’t disagree with that, she pointed out the fly in the ointment.

“What if I’m traveling or working from home or a hot spot and not connected to the VPN? I’m still using a corporate asset and it still needs to be protected with the same policies as when I’m in the office, doesn’t it? If the company just has gateway Web security, how can it protect me?”

She’s absolutely right. This reminded me of the defense in depth topic that I recently blogged on. As we mentioned before, traditional defense in depth wisdom states that it’s best to have different vendors at the gateway and on the desktop. But it would be so inefficient to have different vendors providing gateway Web security and local device Web security, wouldn’t it? You’d have to manage multiple vendors, learn multiple admin consoles, duplicate policy rules, and contact different support desks if you had a problem.

What makes more sense is to have different types of technologies used at the gateway and on the device that back each other up and ensure that the user and his/her device is protected from any and all threats whether they’re in the office, working on a VPN from home, or at their local coffee shop.

Those multiple technologies might include anti-virus, anti-spyware, anti-malware, reputation scores, Web site reputation analysis, Web page categorization and SSL scanning. Combining these technologies from one vendor allows for consolidated reporting and tracking, common policy enforcement and simplified administration. All of which leads to lower costs and better security. Isn’t that what defense in depth is supposed to do?
* According to McAfee Avert Labs, there’s over 400% growth in 2008 of SQL injection vulnerabilities that can lead to delivering a malicious payload and over 150% growth of cross-scripting vulnerabilities that can draw users to malicious websites.

Originally borrowed from military lingo, in information security defense in depth represents the use of multiple computer security techniques to help mitigate the risk of one component of the defense being compromised or circumvented. An example could be anti-virus software installed on individual workstations when there is already virus protection on the firewalls and servers within the same environment. Different security products from multiple vendors are usually deployed to defend different potential vectors within the network, helping prevent a shortfall in any one defense leading to a wider failure; also known as a “layered approach.”

I go out and talk to customers at various industry and guest speaking engagements, and I still hear people using this basic definition. They insist that they need multiple vendors at different points in the network. And, when “state of the art” was anti-virus (as in the Wikipedia example above), sure, that made sense. Signature .dat files came out at different times and some vendors were better with some types of malware than others. So having vendor “A” at the gateway, and vendor “B” on the desktop was the smart choice.

But now? Anti-virus is still a necessity but it is no longer the first or only line of defense. There are now multitudes of technologies that are specifically designed to protect every possible door and window into the enterprise. Some of these new technologies are deployed inside the enterprise and others are global services offered by vendors. And the attackers are smarter as well … mixing and matching attack vectors so that one type of technology is insufficient to stop a threat.

Today’s defense in depth needs to focus on deploying and managing disparate technologies that are capable of catching threats that use more than one attack vector.

In my next posting, I’ll talk more about these types of technologies and the issues involved in deploying and managing them from multiple vendors.

This view suffers from the same core fallacy that seems to always accompany the bringer of a new technology. These bronze swords beat pointed sticks and almost never need sharpening, desktop computers will never need more than 64k of RAM, and spam is about to be solved.
 
A general rule of thumb for all things technology related is that nothing ever really ends, it only gets eclipsed by the next thing. People who think that DomainKeys Idenitifed Mail (DKIM) will solve all phishing just don’t remember Sender Policy Framework (SPF). Before that was Reverse DNS Lookup (RDNS). All of these technologies designed to combat spam or fix e-mail suffer from the same life-cycle: First not enough people used it because it was too hard, then half the people implemented it incorrectly and finally the technologies were circumvented by the spammers or misapplied in so many ways that the original purpose is fuzzy at best.
 
The cycle will end when people stop being creative or stop challenging themselves to think on the next meta-level of pattern recognition. That will occur when spam stops being profitable, which will occur soon after advertising stops working on people. Which will never happen.

Locking down your SMTP server so much by requiring heavy security and authentication and known senders has been around in one form or another for over a decade, the problem is that a legitimate business generally needs to communicate with new clients and businesses which it partners with, so that’s also not a solution.

It is necessary for researchers to be thinking about what the next evolution of our Internet will look like in order to stay one step ahead of the malicious netizens. Each new tool represents an exponential improvement in our ability to stop the spammers and triggers an intelligent reaction by them in order to achieve a new balance. Spam will keep us company for a long time to come.

I hope the winter weather isn’t keeping you inside too much. But just in case it is, here is something you should read, NSS recently published an IPS report that within days had over 3400 downloads.

Why is there so much interest? Unlike other “independent” testing facilities who essentially test to a vendor’s specifications using only very controlled parameters, NSS tests to their own specifications, and every vendor is subject to the same test methodology. They are considered the gold standard for independent security testing, and are relied upon by IT administrators worldwide evaluating network intrusion prevention systems.

We submitted our M-8000 – McAfee’s 10Gbps Network IPS – for NSS for certification. The results were astounding for two reasons:

1. Performance – Under real traffic conditions, the M-8000 easily surpassed the 10Gbps mark. You should embrace solutions that grow with your increasing network demands without having to incur the cost of buying several systems fronted by a load balancer and subsequently having to increase your associated operational costs.

2. Security – we achieved an unprecedented 99.4% accuracy rating with no false positives. You shouldn’t have to spend time trying to figure out if an attack is real or not and if the IPS system was able to stop it, resources are too precious in these economic times.

No other vendor has come close, in either metric. Bottom line is during tough economic times, both of these metrics help ensure you, our customers, have the most economic solution. We know that 70-80% of IT costs are related to operating and maintaining your systems. We hope that our unmatched performance and accuracy will help you be more efficient as an IT organization.

To get a copy of the report, download the PDF from the site. We also did a press release that might give you some additional context.

Rees

From my perspective, the network itself is the most prolific vulnerability. Just look around – there are Ethernet ports everywhere. By definition, they must outnumber servers and PCs. And, they are intentionally designed to connect anything that gets plugged in. At least wireless was designed with access control technology built in (how effectively it is implemented is a different question).

A typical office has 2-4 active Ethernet ports within easy reach of anyone that has physical access to the facility. In a quick survey of my office floor, about 25% of the network connectivity is in conference rooms. As with most organizations, we have robust physical access controls (guards, badges, electronic locks, etc) to limit who can get into the building.

Why then, are the prolific Ethernet ports a vulnerability? Because almost every company allows vendors and contractors to visit their buildings for meetings or work. Because employees could bring in devices from home and plug them into the network (although this may be denied by policy). Because unconfigurable and unmanagable devices like printers or fax machines get connected to the network. Each of these represents some level of risk to the unprotected Ethernet port.

McAfee’s Unified Secure Access gives IT security the ability to control who/what can plug into the network. It moves network policy enforcement out to the last 5 meters of the network. Unified Secure Access gives the administrator the ability implement network access controls based on user identity, system health, and security posture. Guest access can be restricted to non-corporate networks and contractor access can be limited to only select network resources.

Unified Secure Access provides comprehensive policy enforcement anytime anyone connects to the network. The best kept secret is, if you are already using McAfee to secure your network or systems, you’re probably closer to a solution than you think.

Virtualization is being widely deployed in enterprise environments. Enhanced security is as important in a virtual environment as it is in a physical one. Industry research indicates that there are as many as five offline virtual images for every one online image. Offline virtual images could become unpatched and out-of-date while they are inactive, therefore customers need products that automatically update and patch these offline virtual images periodically so they no longer pose a security risk.

SAP customers also need an enterprise-class security solution to secure mission-critical functions within an organization, such as human resources. For example, candidate resumes are often submitted and entered via a company Web site directly into the SAP database. These resumes could be malicious and potentially compromise the SAP solution-based environment along with the sensitive mission-critical data.

Storage has also come under increasing attacks from viruses, worms, Trojans, spyware, botnets and rootkits. Infected files must be scanned and cleaned before they ever reach the storage device. Real-time scanning for all types of files avoids propagation of infections to other parts of the environment.

We’re in a new era of attacks, demanding new solutions from security vendors.  At McAfee we’re committed to protecting environments against these new kind of attacks and continuing to stay one step ahead of the bad guys.

Denial
“We have firewalls, IDS, and SSL. We are Secure.”

Anger
“How the heck did this get so bad?!?!?”

Bargaining
“We can solve this with frameworks, developer education and some scanners.”

Depression
“We have so many websites and the code is changing all the time. Maybe if I leave now no one will notice.”

Acceptance
“I guess my job just got a lot more interesting.”