Showing posts with label kensek. Show all posts

Tuesday, November 10, 2015

AV Comparatives Performance Test – Impact of Security Software on System Performance Report October 2015

AV Comparatives has released their Performance Test – Impact of Security Software on System Performance Report. Nineteen products were tested. Eleven products received three stars. The top three products were, in order, Avira, Avast, and Kaspersky. Congrats to these three! Products tested were a combination of free and paid antivirus and internet security suites. The hall of shame award for this test goes to Fortinet and ThreatTrack; both received one star. Windows 10 systems were used during the test.

Note that this test does not measure a product's ability to protect against malware. For that, you would have to look at other tests by AV-Comparatives. In a tie-breaking situation between a few products that performed equally well at stopping and removing malware, the performance test could be the tiebreaker.

To access and download the report: http://www.av-comparatives.org/performance-tests/

AV-Comparatives (www.av-comparatives.org) used the performance testing suite PCMark 8 Professional to measure system impact for the test.



Monday, November 09, 2015

Security Predictions for 2016 or “Let the internet security prognostication begin”

It’s that time of the year, when security pundits make their security predictions and comment on trends for 2016. Of course, it would be great if the pundits who came out with predictions for 2015 came out with a report card in early 2016. 

"Trying to predict the future is like trying to drive down a country road at night with no lights while looking out the back window." – Peter Drucker

Consolidation in the Security Sector
Look for continued security consolidation as some of the larger vendors utilize the strategy that it is quicker and easier to buy a technology to broaden their security portfolio than to develop the technology internally. At the same time, some larger companies will sell off their (incomplete) portfolio of security products to focus on other sectors. There are rumors, for example, about SonicWall being put on the market by Dell.  Of course, FireEye rumors are making the rounds after their Q3 results.

Look for other vendors to analyze the market, do a make/buy analysis and then license missing technology from smaller, more agile, companies.  

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.” – Bruce Schneier

Bubble Will Burst on Some Newly Public Security Vendors
At some point in time, companies have to generate cash and after working through the wonders and options of tax accounting, companies have to show a bottom line profit.  Look for investors getting tired of “but we’re going after market share” and selling their stock. For others, shorting activity will increase.  An offshoot of this is that these companies will become less expensive to acquire. Happiness is positive cash flow.

Splitting (breaking?) of Humpty Dumpty. Symantec and Hewlett Packard
Symantec has retired their vision (several years old, begun by John Thompson) of becoming a widely diversified company and is splitting/divesting into a security-focused Symantec and a backup and recovery, SDN, and governance-focused Veritas. Hewlett-Packard has split into two companies. HP Inc. holds the printing and personal systems side of the business, selling printers, scanners, displays, personal computers (laptops, desktops, and tablets), and the supplies and services associated with them. Hewlett Packard Enterprise will handle the hybrid cloud, servers, storage, converged systems, networking, management software, and the services necessary to run an enterprise. They are both Fortune 100 companies, the latter led by Meg Whitman and the former by Dion Weisler. Not bad for a company that began in a garage in Palo Alto, selling to Disney.

One of these splits will work out much better than the other one. That one being... Symantec. Hewlett Packard Enterprise and HP Inc. are still battleships.

Life is a Breach
There will be at least one major security breach, for a number of reasons.  Some companies have still not gotten the memo about cybercriminals, thinking, “It can’t happen to us” and are being slow in their investments.  There are a number of bright cybercriminals out there. They design their own methods of attack.  They may rent use of a botnet as part of their attack strategy.  If the CIO/CEO want to maintain their title, look for full transparency, accepting the blame, laying out the groundwork to prevent this from happening again (hopefully), and protecting their customers. Classic disaster recovery procedure, often not followed.

Cybercriminals Will Broaden Their Target Base
Cybercriminals will increase the number of vertical markets they go after and the size of the typical breach will be smaller. The number of breaches (reported anyway) will decrease. From a CSO Online article - Jody Westby, CEO of Global Cyber Risk, “it is the data that makes a business attractive, not the size – especially if it is delicious data, such as lots of customer contact info, credit card data, health data, or valuable intellectual property.”  http://bit.ly/1BcYw8W

The Identity Theft Resource Center (ITRC) reported in October that there had been 606 data breaches recorded through October 13, 2015, and that more than 175 million records had been exposed. The top four sectors with respect to incidents were business (39%), health care (36%), banking (10%), and government (8%); 68% of the records exposed were in the health care sector. There were over 780 data breaches in 2013.

We Will Continue to be Our Own Worst Enemy
“Companies spend millions of dollars on firewalls, encryption and secure access devices, and it’s money wasted, because none of these measures address the weakest link in the security chain.”- Kevin Mitnick

A warning from your browser not to visit that site? A found thumb drive? New pictures of (fill in the name of your favorite celebrity) on the web or as an attachment to your email? These are the internet equivalent of wet paint signs. Some people just have to check for themselves. More security-aware companies will do more than have people look at a slide presentation on security and take a quiz once a year. They'll send their own employees phishing emails, among other tactics.

The Wisdom of Crowds
James Surowiecki, in the book "The Wisdom of Crowds", speculated that large groups of people are smarter than an elite few, no matter how brilliant: better at solving problems, fostering innovation, and coming to wise decisions. In 2016, market share of consumer AV/malware purchases will probably still continue to be more a reflection of how many "likes" a product receives than of how it is reviewed by a PC publication or by test organizations such as AV-Comparatives or AV-Test. Scary. Whom are you going to trust? Your doctor or your Facebook friends?

A Growing Use of Something Other Than Passwords
The top 20 list of passwords for 2016 may not vary greatly from 2015, but look for more people to use some sort of biometrics or multi-factor authentication (MFA) to enhance the security of their devices. This will occur in businesses more quickly than in the consumer marketplace. According to an article in CNET at the beginning of the year, the top 10 passwords of 2014 were 123456, password, 12345, 12345678, QWERTY, 1234567890, 1234, baseball, dragon, and football. If your password looks anything like this, or is your pet's name, change it immediately. There are a number of articles on creative ways of making up passwords or using different figures you can draw on your keyboard. At minimum, consider reading a few articles and select a method that works for you.

"Showtime" – The Government or a Large Security Vendor Will Take the Offensive
At some point in time, negotiations just aren’t cutting it.  Look for a concerted attack against some cybercriminals, whether they’re independent, being treated with benign neglect in their native country, or being subsidized.  This is despite any negotiations taking place with some countries on an international level. Sometimes the best defense is a good offense.  “The Darknet: Is the Government Destroying 'the Wild West of the Internet?” is a November Newsweek article that’s an interesting read. http://bit.ly/1MR5kAX

Government Takes the Lead in Sharing of Information between Security Vendors
The bragging right for many security companies is how quickly they identify and react to threats and update their existing customers almost immediately. They are not going to want to share this information with competitors as quickly. Look for the government to be the driver in information sharing. One question that arises: how open will this table be for all security vendors, or will it be a selective group? "Senate passes cybersecurity information sharing bill despite privacy fears." Washington Post, October 27. http://wapo.st/1KFbFIc


The News of the Death of Endpoint Security Has Been Greatly Exaggerated
To paraphrase a quotation by American humorist Mark Twain. The reliance of AV/malware products on signature files to detect threats has been declining for years. The endpoint is the last line of defense. Technologies relying on heuristics are not the whole solution. Look for endpoints to use such techniques as artificial intelligence and machine learning, whether powered at the endpoint or in the cloud, to lead the way. Despite statements by Symantec and others, do not look for AV/malware protection provided at the endpoint, whether installed there or involving technology in the cloud, to disappear anytime soon.

Who will be Among the Top New Innovative Security Companies in 2016?
Good question.

On November 3, SINET announced their top 16 innovators (revenues under $15 million) for 2015. These companies were: Bayshore Networks, Inc., BehavioSec, Gurucul Solutions, Lastline, Netskope, Onapsis, Inc., Palerra, Inc., PFP Cybersecurity, Pindrop Security, QuintessenceLabs, RedOwl Analytics, Secure Islands, SecurityScorecard, Sqrrl Data, Inc., TaaSera, Inc., and Vectra Networks, Inc. You may be hearing from these companies over the course of 2016. Gartner and others will be coming out with their lists.


A mantra for 2016, “Friends don’t let their friends be mindless about security.”

Monday, October 26, 2015

CompTia Survey - 17% of people would put a found USB stick in their laptop. Ouch or fantastic?

In a CompTIA survey written about by Softpedia in "One of the Biggest Security Risks: Naive People Connecting Lost USBs to Their PCs", an interesting statistic came up. As part of the study, 200 USB sticks were left in high-traffic locations in US cities. 20% (forty) were picked up and 17% were connected to people's laptops. According to the article, the USB sticks used in the experiment contained a text file, which included instructions asking the user to send an email to a specific address, or to click through a trackable URL. http://bit.ly/1Mo6L9N

The reporter found the 17% figure worrisome.  I’ll take a contrarian view.

At RSA San Francisco 2013, we conducted a security survey, gathering 300 responses.  78% of those responding said that they had once found a USB and plugged it into their laptop!   68% of those surveyed had been involved in a security breach, either at home, or in their office.  http://reut.rs/1RaHiPh

While 17% is a frighteningly high number, that is a 61% drop from what I found just two and a half years earlier!

A found USB stick is the internet equivalent of coming across a "Wet Paint" sign. You just have to check it out yourself. We are our own worst enemies. More training is needed.

For an interesting read on the use of infected USB sticks for good, Google and read about Stuxnet, a 500-kilobyte computer worm that infected the software of at least 14 industrial sites in Iran, including a uranium-enrichment plant. 


Sunday, October 18, 2015

The Pareto Principle and the Pursuit of Perfect Internet Security – a Parable


Not so long ago, a bright security professional and a firm believer in the Pareto Principle was tasked with designing and implementing an impregnable security solution for his company's internet. He did his research and arrived at what he thought was an accurate total cost of $4M. Just prior to striding into his manager's office for approval, he had a quick discussion about the project with a recent new hire reporting to him.

“I’d be careful,” she advised. “At my last company, we found that each major phase cost 50% more than the previous phase. We had several discussions about ‘risk profiles’ and ‘perfect protection’ before getting buy-in on deliverables and budget on a less ambitious result.” 

The bright security professional thanked her and said, “I’m quite confident in my projections and will stake my job on this project. In fact, I will bring it in under budget.”

So, the bright security professional met with his somewhat parsimonious manager, and guaranteed the results. “In fact,” he said, “the first phase of the project will get us 80% there for only $800k."  The manager said, “Fine, but go over budget on this and your next position will have you saying, ‘Would you prefer a grande or a venti latte?’” and with that, the project was approved.

At the completion of the project, how much under budget was the confident security professional?

First, the Pareto Principle is named after economist Vilfredo Pareto (1848-1923). From Investopedia: "The principle states that, for many phenomena, 20% of invested input is responsible for 80% of the results obtained. Put another way, 80% of consequences stem from 20% of the causes. Also referred to as the '80/20 rule'."

The answer is: the individual left to "pursue other opportunities" when he found himself having exhausted the budget, and told his manager that he now felt that 100% was unobtainable and that it would cost an additional $2.5M to get to 97.5% protection.

How did this happen?

Earlier, a factor (chosen by me) added by the wise new hire was that each phase of the project was going to cost 50% more than the previous phase.

Phase 1 - $800k spent (total $800K) to reach 80% of perfection

Phase 2 - $1.2M spent (total $2M) to reach 90% of perfection

Phase 3 - $1.8M spent (total $3.8M) to reach 95% of perfection

Phase 4 – Plug pulled on project. The estimate was $2.7M (total $6.5M) to reach 97.5% of perfection, and you never reach 100%.
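The phase figures above follow two rules: the one the parable states (each phase costs 50% more than the previous) and one the author leaves implicit but which the 80/90/95/97.5 sequence requires (each phase closes half of the remaining gap). Written out as general formulas, as an added derivation that is not part of the original post, with $c_n$ the cost of phase $n$, $C_n$ the cumulative cost, $g_n$ the remaining gap and $p_n$ the protection reached:

$$c_n = 800\text{k} \times 1.5^{\,n-1}, \qquad C_n = \sum_{k=1}^{n} c_k = 1.6\text{M}\,\bigl(1.5^{\,n} - 1\bigr)$$

$$g_n = 0.2 \times 2^{-(n-1)}, \qquad p_n = 1 - g_n$$

Check against the table: $C_4 = 1.6\text{M}\,(5.0625 - 1) = 6.5\text{M}$ and $p_4 = 1 - 0.025 = 0.975$. Eliminating $n$ gives the cost of reaching a target level $p$:

$$n = 1 + \log_2 \frac{0.2}{1-p}, \qquad C(p) = 1.6\text{M}\left(1.5 \left(\frac{0.2}{1-p}\right)^{\log_2 1.5} - 1\right), \quad \log_2 1.5 \approx 0.585$$

Since $C(p) \to \infty$ as $p \to 1$, no finite budget reaches 100%. The cost per point of protection makes the same point more bluntly: phase 1 buys 80 points for \$800k (\$10k per point), while phase 4 would buy 2.5 points for \$2.7M (\$1.08M per point). That is the quantity to put in front of the manager before promising "under budget".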

Some morals of this parable

· 100% is tough, if not impossible, to achieve

· Know your risk profile and your company's risk profile when working on security projects

· Know how to make coffee drinks

Thursday, October 15, 2015

AV-Comparatives File Detection Test – September 2015



AV-Comparatives' prolific team of writers and testers has released their File Detection Test – September 2015. Nine products received three stars. Avira and Bitdefender topped the 21 products in the test. Their false positive rate was only 0.2%. Other companies receiving three stars, in alphabetical order, were Bullguard, Emsisoft, eScan, ESET, Kaspersky, Lavasoft, and Panda. You can download the report to see the actual order.

ESET, Microsoft, and Panda had zero false positives. The hall of shame award for this test goes to AVG Technologies, with a false positive rate 32 times larger than Avira's and Bitdefender's, at 6.5% (139 false positives).

About the AV-Comparatives File Detection Test

The awards for the File Detection Test were based on a combination of detection rates and false positives. The File Detection Test assesses the ability of antivirus programs to detect malicious files on a system. It can identify malware attacks from sources other than the Internet, and it can identify malicious files already present on the system.

"With more than 130000 samples in the test, AV-Comparatives uses one of the largest sample collection worldwide to provide statistically valid results", according to AV-Comparatives' Andreas Clementi.

ABC Award for the File Detection Test

The ABC award (Avoids Being Compared) goes to Symantec. The File Detection Test is one of the core tests the organization performs. Companies cannot choose which of these core tests to be in. It's all or none. The ABC award is not part of AV-Comparatives' test program!

The document can be downloaded at:    


The file detection rate of a product is only one aspect of a complete anti-virus product. AV-Comparatives also provides a whole-product dynamic "real-world" protection test, as well as other test reports that cover different aspects/features of the products. For those interested, you can easily do a deep dive into individual companies' historical performances on tests or sign up for the newsletter. Check them out. Other documents are available for download from the AV-Comparatives website (www.av-comparatives.org).


Thursday, October 08, 2015

AV-Comparatives – Review of IT Security Suites for Small Business – September 2015


AV-Comparatives has released their Review of IT Security Suites for Small Business – September 2015. The review examines security suites suitable for a company running either the Foundation or the Enterprise edition of Microsoft Windows Server 2012 R2. The Foundation version is suitable for small companies with up to 15 users (from the Microsoft website), while the Essentials version allows an additional ten users. The report considers products for a network of up to 25 client PCs, with one file server/domain controller.

AV-Comparatives' review covered only the essential everyday tasks needed in all networks. However, some products have additional features and could be used for significantly bigger networks than those reviewed. Products in the Review of IT Security Suites are:
Bitdefender Endpoint GravityZone, ESET Remote Administrator, F-Secure Protection Service For Business, G Data Antivirus Business, Kaspersky Small Office Security, McAfee SaaS Endpoint Protection, Sophos Endpoint Security and Control Cloud, Symantec Endpoint Protection, and Trend Micro Worry Free Business Security Services. Symantec! They're here. They are not present on many of AV-Comparatives' reviews (companies cannot selectively opt out of a subset of core reviews; it's all or none).
The document itself runs around 90 pages. Each product is given a comprehensive overview. Major categories that AV-Comparatives looked at include:
Supported OS, Documentation, Management Console (cloud-based, server-based, and virtual appliance), respective endpoint protection programs for Windows and Mac OS clients, Windows Server protection software, and Summary.

All of the products received the AV-Comparatives’ Approved Business Award.
The advantages of a document like this include the depth of comparison, the fact that the same features/functionality are looked at for each product, and that the review was done by a known test organization. A company would not have the time (and for a small business, the expertise) to go into this depth for nine products. Companies looking to replace the product they currently use should find this report a valuable (at no charge!) resource.

For those who like to compare products on a feature grid, suffice it to say that AV-Comparatives provides a sizeable (Multiple fingers and toes! Approximately 100 rows) grid as part of the document. This document is more than adequate for you to select one product for your environment or select a short list for evaluation.
The document can be downloaded at:    
The "Death of Antivirus Software is Greatly Exaggerated", as written in an article in CSO Online (and others). You still need protection from these threats, whether the protection is provided by software on the device or from the cloud.

AV-Comparatives has a fantastic library of test documents. The site organization scores high on surveys. Check them out. Other documents are available for download from the AV-Comparatives website (www.av-comparatives.org).


Thursday, October 01, 2015

AV-Comparatives Malware Removal Test – September 2015



AV-Comparatives has released the results of their Malware Removal Test for 2015. Products tested were a combination of free and paid solutions. Sixteen products were tested. Five received three stars, or the Advanced Plus award. Kaspersky topped the list. BitDefender was third, and the three "A's", Avast, AVG Technologies and Avira, rounded out the three-star recipients.

AV-Comparatives Malware Removal Test

The Malware Removal Test focused only on the malware removal/cleaning capabilities of the products. The report was written with home users in mind, not administrators or advanced users, who may already have the knowledge and tools for removing malware from a system. To compare products for their protection and detection capabilities, you may want to download AV-Comparatives' "Real World Protection Test" and "File Detection Test".

The ABC or “Avoids Being Compared” Award

More data and testing by an unbiased test group help consumers make an informed decision when selecting products to secure their devices. The number of likes on a product's web site doesn't cut it for security when licensing a product. Comparative testing also motivates companies to improve their products. It's disappointing when companies decline to be tested.

For the AV-Comparatives Malware Removal Test, the ABC Award or “Avoids Being Compared” Award goes to Symantec, McAfee, and Trend Micro. All three of these companies have solutions with sizeable share in the antivirus/internet security consumer marketplace.  Perhaps they will step up for the next test. McAfee and Trend Micro are usually there. Symantec? Not so much.

The Malware Removal Test document is located at http://www.av-comparatives.org/removal-tests/

All of AV-Comparatives’ tests can be found at www.av-comparatives.org




Sunday, September 27, 2015

Cyphort vs. FireEye – FireWhy? The Breach Detection, Advanced Persistent Threat Battle




Cyphort is taking a different tack from the others in the breach detection, Advanced Persistent Threat (APT) market with their Cyphort Advanced Threat Protection solution (claim: complete 360º APT defense!). Cyphort positions the company as both superior to FireEye and able to coexist with FireEye. Getting their nose under the tent for when renewals come up? Shortening the review cycle when renewals come up? Coverage for areas of a company where there aren't FireEye appliances? Cyphort didn't participate in the NSS Labs Breach Detection study.

FireEye is the 800-pound gorilla with respect to market revenue and visibility. The David vs. Goliath analogy won't work since FireEye's CEO's first name is Dave! Cyphort's 2014 revenue was around $14 million. FireEye's was $426 million (this includes revenue from the Mandiant acquisition).

Cyphort claims that their solution delivers malware lateral movement detection. They define this as "the ability to combine advanced targeted attacks and Advanced Persistent Threats (APT) detection with lateral movement." They say that their product provides a  picture of the attack as it happens and the potential spread within an organization, in real-time.

The Cyphort solution is delivered as software that can be installed on general-purpose hardware, virtual machines and cloud environments. The solution consists of four core components:

Collector: Software-based probes deployed at strategic network locations (Internet egress points, data centers, etc.) to collect suspect objects and communication.

Core: This is the centralized detection component of Cyphort's solution; Cyphort Core analyzes the collected suspicious network objects and associated metadata from the Collectors.

Manager: This is a web-based administrative interface. It enables someone to manage the distributed deployment and provides access to reports.

Threat Network: This cloud service feeds global threat intelligence to the Cyphort Core for enhanced detection of current threats. It aggregates threat information across all Cyphort installations.

At RSA earlier this year,  Cyphort's co-founder and Chief Strategy Officer Fengmin Gong  said, "Today, solutions must look at every stage of the cyber kill chain."  

It's always good to have more competition. Based on press, one would think that the APT market is the exclusive domain of FireEye and the other seven companies that are part of the most recent NSS Breach Detection Systems (BDS) test!

Is FireEye Cyphort's Friend or Foe?

On the Cyphort site at http://www.cyphort.com/products/firewhy/ there are a pair of threads prospects can go down.

For those who already have FireEye, Cyphort claims that their Cyphort Advanced Threat Protection solution can be used to address gaps in the FireEye solution.  Their pitch is that they enhance protection.

Enterprise-wide Coverage: Unprotected sites and data centers can be covered with a single global license

Enterprise-wide Deployment: Deployment in days using the virtual machine approach

No appliance proliferation:  Cyphort claims that they cover & correlate email/web/file traffic across multiple operating systems, all in one solution

The second thread is for those considering FireEye. Cyphort claims that they are "the clear alternative". They have a nice (of course, it's selective) grid containing points of differentiation (FireEye's position in parentheses):

Detection: Sandbox evasion detection, Data exfiltration detection, Multi-part threat detection, Golden image sandbox for contextual detection.  (no for all four )

Coverage: Distributed/Decoupled Design for Global Deployment using collectors (Monolithic) , Hardware/Software/VM deployment  (hardware only), Integrated Web/Email threat detection for Windows and Mac OSX threats (multiple appliances needed)

Action: Risk-based Threat Prioritization , Containment Using Existing Firewall, Web Gateway and IPS Devices, Endpoint Infection Verification (no for all three)

Scale and Flexibility: Scalability, clustered design to support any load (limited by highest appliance capacity for FireEye );  IT ecosystem Integration, open API (limited); Licensing is enterprise wide by bandwidth (per appliance for FireEye)

The Radicati Group has an APT market share and 2015-2019 APT forecast report available for purchase ($3000): Radicati APT-Protection-Market-2015-2019-Brochure.pdf

For those wanting another company’s view of Cyphort’s and FireEye’s offerings, LastLine has performed  their own analyses:


Products in the Breach Detection Systems (BDS) Security Value Map™ 2015

In the August NSS Breach Detection Systems Test,  Cisco had the highest detection rate, Blue Coat the lowest TCO.  FireEye - lower left in the grid.  As mentioned earlier, Cyphort was not in this study.

Five of the eight received a recommended rating (those in the upper right corner of the value map). Some of the companies tested have the individual reports available on their web site. To purchase reports, see below. For the BDS Security Value Map Graphic:
Participants in the NSS Breach Detection Systems Study:
Studies are available on the NSS site. Some are available for free on the participant's site.

Friday, September 18, 2015

Carly Fiorina and Her Record at HP

Presidential candidate Carly Fiorina has been taking a lot of heat and defending her record while at Hewlett-Packard ten years ago. Below are a couple of charts summarizing HP’s stock performance during those years. You can draw your own conclusions. Suffice it to say that many employees were glad that Carly Fiorina  was removed from Hewlett-Packard. Unfortunately, by the time she was gone, the “HP Way” had all but disappeared.



And in another chart:




The sources and crisper images are below. The analyses point out that the economy was not great during those years. Neither article gives Fiorina an "A" for her performance, though.



Wednesday, September 16, 2015

AV-Comparatives Mobile Security Review – August 2015

Austria-based AV-Comparatives has released their Mobile Security Review – August 2015. This is quite an extensive document, providing a comprehensive review of sixteen security packages running on Android. The document runs seventy pages. Ten of the sixteen products are free. Almost 2400 malicious applications were used in the test.

Mobile security is crucial for both home users (who are constantly checking their mobile) and businesses. The BYOD camel has its nose in the intranet tent and it's not going to be removed. Mobile devices are a major weak spot for network access, as well as a place where data can be accessed. Data stored on the phone can be stolen, as well. The global BYOD market is expected to grow at a CAGR of 25.32% from 2014 to 2019, according to a new market research report published on September 15 (whattech.com market research report). These devices need to be protected.

AV-Comparatives, while giving each of the products an approved rating, also found that there was a "significant overall improvement" in the standard of the products.

Four of the products provided 100% protection: Trend Micro (with no false alarms), BitDefender and G Data (both with three false alarms), and Antiy (with five) rounded out the top four.

AVG Technologies' offering trailed all products tested with 98.4% protection and 4 false alarms. Just above AVG Technologies was Sophos with 99.2% protection and 0 false alarms.

For those who are interested in a tabular deep dive comparison, the first table compares which of 75 permissions are in each of the products. No product had all of them.

The Feature List table compares the products on over forty attributes, broken down into categories including Anti-Malware, Anti-Theft, Anti-Spam, Parental Control, Authentication, Additional Features, and Support. McAfee Mobile Security lacked the fewest, missing only three.  This product drained the mobile battery a bit more than the others did.

A great deal of work went into this document. The Mobile Security Review can be found free (!) at
http://www.av-comparatives.org/mobile-security/ . Complete copyright and disclaimer information is contained in the document and more information about test procedures is on the website.

AVC UnDroid Analyser

AV-Comparatives (www.av-comparatives.com) has also introduced a slick malware analysis tool, the UnDroid Analyser, that is free to users. It's a static analysis system for detecting suspected Android malware and adware and generating some statistics about it. Check it out at http://www.av-comparatives.org/avc-analyzer .

Addendum

View AV-Comparatives' September Malware Removal Test at

Malware Removal Test - September 2015

Sunday, September 13, 2015

Black Eye for FireEye - Hitting Researchers with Injunctions

Sometimes security companies can be a little too heavy handed. Or their lawyers have too much time on their hands. FireEye cleared this hurdle, recently.

Felix Wilhelm, a security researcher working for Germany-based ERNW, was going to present his findings on some vulnerabilities he had found in FireEye's software. He was going to present at the 44CON Cyber Security Conference (www.44con.com) during the week of September 9. The flaws had been fixed, by the way.

The two parties had a series of discussions regarding what could go into the report (FireEye was concerned about not exposing information on their product’s IP).  To be brief, the parties supposedly agreed on a final report around August 5.  FireEye then sent Wilhelm a cease and desist letter on August 6, obtained a court injunction on August 13 and delivered it to Wilhelm on September 2, a week before the 44Con conference.  Ultimately, Wilhelm did present his findings with some material redacted.

FireEye has a procedure for researchers to “disclose and inform us of potential security issues”. In this case, FireEye was extremely heavy handed. Their action does little to encourage researchers to share (stifle?) at security conferences. This comes across as “attacking the messenger”. They also attacked the messenger with NSS Labs a couple of years ago when FireEye came in last in a multi-company Breach Detection Systems Test.

FireEye came in last again in an NSS Breach Detection Systems (BDS) Test earlier this year. Eight companies were in the test: Blue Coat, Check Point, Cisco, Fidelis, FireEye, Fortinet, Lastline, and Trend Micro. The test measured security effectiveness, performance, and total cost of ownership.

To obtain a copy of the Value Map:  NSS Security Value Map Graphic

To read the complete Forbes article “FireEye Scolded For Injunction Stopping Security Researcher Revealing Source Code”: Forbes - FireEye Scolded 

Saturday, November 15, 2014

AVG Technologies in Play, an Alternative Look at Q3 Financial Results

The San Francisco Giants win the World Series in even-numbered years. Rumors that AVG Technologies is an acquisition candidate circulate in odd-numbered years. Okay, even-numbered as well. Couple that with so-so financial results? You may want to sell, as well.

Even before AVG went public, there were “always” rumors about them being for sale at the right price. Companies being mentioned usually included Hewlett Packard and Cisco. Earlier this year, AVAST Software, an AVG competitor, signed a binding agreement with CVC Capital Partners for a major investment in the company. The investment valued Avast at about $1 billion US.

Other than throwing off cash for the investors, AVG has been something of a disappointment. The plan was to go public in early 2012 at $16 to $19. Instead, they opened and closed around $13. AVG’s market cap, as of 11/15, is just under $1 B.

From a technology standpoint, AVG's growth has been through purchase rather than developing things in house. In September, 2014 they purchased Location Labs, a provider of security for mobile technology. http://now.avg.com/avg-solidifies-leadership-in-growing-mobile-security-market-with-acquisition-of-location-labs/

AVG entered the mobile security market by purchasing the Israeli firm DroidSecurity in late 2010 (DroidSecurity had both a free and a paid product). They increased their share by quietly giving the product away on certain Huawei mobile phones in India (that announcement appeared on the web and disappeared quickly; Huawei was being investigated in the 2012 time frame by the US Congress for potentially posing a security threat).

In product testing (ability to stop malware), AVG has failed to be one of the leaders. In the AV-Comparatives October Real World Protection tests, AVG came in 10th out of 22. In the September “File Detection Test of Malicious Software”, AVG received one star, finishing 20th out of 22 (www.av-comparatives.org). In the Virus Bulletin (www.virusbtn.com) RAP (Reactive and Proactive) test, they weren’t in the top 20 (https://www.virusbtn.com/vb100/rap-index.xml).

On to the financials. AVG Technologies has their headquarters in the Netherlands. They have an office in Ireland. Those interested can find multiple stories on the “Double Irish” or “Double Irish Dutch Sandwich”, a technique to significantly reduce US taxes. Just saying! Apple and a number of US companies are being creative in using this technique.

For those focused only on revenue (hello analysts), AVG’s subscription revenue and SMB revenue (less than 15% of their business) are up for the first 9 months of 2014 versus 2013. Trailing revenue, Consumer and Total Revenue, and US Revenue are all down.

For those focusing more on the bottom line, Net Income, Consumer Income, SMB Income, and Operating Income are all down for the first 9 months of 2014.

For those focusing on cash, Net Cash provided by operations is down 35% for the first nine months of this year. The data below is from their latest Form 6-K, available on AVG's web site. 




One would have thought that the positive vibes and karma emanating from the SF Giants home ball park (ATT Park) would have rubbed off on AVG Technologies, given the proximity of AVG’s US headquarters to the park. Not the case, however.



Sunday, August 03, 2014

AhnLab Faces Uphill Battle in US – An Addendum

This is an addendum to the February blog, “AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)”: http://kensek.blogspot.com/2014/02/ahnlab-faces-uphill-battle-in-us.html
If AhnLab is going to make a go of it with their Advanced Persistent Threat product, Malware Defense System (MDS), they must be doing it in incredible stealth mode. And they must be trying to do it from Korea, where AhnLab is headquartered.

  • Their top US technology person left for a start-up early this year.
  • There have been no press releases added to the US web site since November 2013.
  • The company did appear at the Gartner Risk Security & Management Summit in June, following up their appearance at RSA SF. At RSA, they re-announced AhnLab MDS.
  • AhnLab had posted that they were going to appear at Black Hat Las Vegas in August. This was removed from their web site.
  • Both AhnLab and FireEye complained about an update NSS Labs issued to their 2013 Breach Detection study. In the original, AhnLab and FireEye finished second and third respectively (http://kensek.blogspot.com/2014/04/ahnlab-raises-issues-with-recent-nss.html). In the original update, they finished fifth and sixth respectively. In the post-complaints update, AhnLab MDS ranked sixth and FireEye fifth. Both were far below the other four companies, SourceFire, Trend Micro, Fortinet, and Fidelis. The updated value map is available at http://www.fortinet.com/sites/default/files/whitepapers/NSS-Labs-2014-BDS-SVM_0.pdf
  • If you try to reach AhnLab at their 800 number, 800.511.Ahnlab (2465), you will receive a “you’ve reached a number that has been disconnected or is no longer in service” message.


Perhaps AhnLab is still trying to break into the US by licensing Malware Defense System. If so, they are being incredibly quiet about it.


Thursday, February 20, 2014

Gartner Magic Quadrant for Endpoint Protection Platforms- 2013

Gartner has released their 2013 Magic Quadrant for Endpoint Protection Platforms, ID: G00247705. Five performers are in the Leaders Quadrant. Their approximate order in the report: McAfee, Symantec, Kaspersky, Trend Micro, and Sophos. This is a little bit of a switch from 2012, when the order was Symantec, McAfee, Sophos, Kaspersky, and Trend Micro. Microsoft, as in the 2012 report, was the only company in the Challengers portion of the grid. Analysts for the report: Peter Firstbrook, John Girard, and Neil MacDonald. Congrats to all in this portion of the quadrant.

Probably not so pleased with the report are ThreatTrack Security, BeyondTrust, and Check Point Software Technologies. These were the bottom three in the Niche Players portion of the quadrant. BeyondTrust was the overall lowest in the quadrant with respect to ability to execute. Check Point Software slipped from the Visionaries portion of the grid to this quadrant. Not good.

McAfee continues its assimilation into Intel, which purchased them a couple of years ago. The McAfee name will disappear and become Intel Security. Kaspersky continues their assault on Trend Micro. Sophos is aggressively expanding their business offerings and has revamped their channel program (http://channelnomics.com/2014/02/18/sophos-revamps-simplifies-partner-program/), while remaining (and probably will remain) a business-focused security vendor.

The Gartner Magic Quadrant for Endpoint Protection Platforms report is available for purchase on their website. Some vendors, such as Symantec, have it available on their website for those who register.

Regarding the Leaders quadrant from the Gartner Magic Quadrant Endpoint report - “However, a leading vendor isn't a default choice for every buyer, and clients should not assume that they must buy only from vendors in the Leaders quadrant.  Some clients believe that Leaders are spreading their efforts too thinly and aren't pursuing clients' special needs.”

For more details on the Magic Quadrant and how it is created, read “Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors within a Market” (www.gartner.com). Sometimes a leader is not the best solution for a particular customer. Despite that, you will see many presentations where the vendor uses being in the Leaders quadrant as a reason to buy from that particular vendor.

To see a blog on last year’s results - http://kensek.blogspot.com/2013/01/gartner-magic-quadrant-for-endpoint.html

ckensek on Twitter.

Saturday, February 15, 2014

AhnLab Faces Uphill Battle in US against FireEye with AhnLab Malware Defense System (MDS)

Silver sponsorship at RSA Conference USA 2014 in San Francisco notwithstanding, South Korea-based AhnLab may face an uphill battle achieving success in the US with AhnLab Malware Defense System (MDS). MDS is designed to combat Advanced Persistent Threats (APTs) and Advanced Malware. No press release has been issued, but AhnLab will also be showing AhnLab Malware Defense System Enterprise (MDSE). This version of Malware Defense System isn’t described on AhnLab's website yet. The below isn't a technical evaluation of Malware Defense System, MDS or MDSE. It's more of a business analysis.

Why It May Be Difficult for AhnLab and AhnLab Malware Defense System (MDS) in the US

FireEye (www.fireeye.com) is the 800-pound gorilla in the industry. They offer more form factors for their APT solutions than AhnLab Malware Defense System does. For example, their NX series to combat web-based attacks comes in six flavors, supporting 50 to 40k users. Their FX series for file protection comes in two sizes: up to 80k and up to 160k files per day, respectively. The acquisition of Mandiant gives them an endpoint solution. On Valentine’s Day, FireEye announced an Intrusion Prevention product, FireEye® MVX-IPS. Well, they pre-announced the product. They are shooting for availability during the first half of 2014. They promote that they have customers in over 40 countries.

Crowded marketplace - AhnLab is among the double handful of competitors Gartner mentions in their August paper “Five Styles of Advanced Threat Defense”. Competitors besides FireEye include dedicated APT vendors Lastline, Bromium, and Damballa. Other competitors (Googling Advanced Persistent Threats) include Palo Alto Networks, Cisco, McAfee, Fidelis Security Systems, Trend Micro, Bit9, and Tenable. Everyone has their eye on FireEye.

Limited US Presence - AhnLab decreased their staffing in the US at the start of the year to a handful, despite having just opened their US/EMEA headquarters in Santa Clara, CA less than two years ago.

It takes a channel and partners - Two ways to try to grow sales quickly are to OEM your product and to aggressively develop a channel. AhnLab devotes one page to recruiting partners. No Partner Portal. No Education Portal. FireEye has a well-developed partner program, including VARs, Value Added Distributors, System Integrators, MSSPs, and Technology Alliance Partners (over a dozen listed on their site). FireEye’s reseller program seems “standard”, with three tiers.

It takes customer support - FireEye has multiple levels of support for their customers. For Malware Defense System, AhnLab will have to build off the single email address they currently have for US/EMEA customers. This suggests that support will be coming from South Korea. Nothing about multiple levels of support. Barracuda Networks has an amusing radio commercial asking if you want phone trees and long distance support for your products.

It takes customers who will talk about your Advanced Persistent Threat product - It is difficult to get customers to publicly talk about what security products they have on their network. FireEye has Sallie Mae, Equifax, and the Department of Defense listed, as well as a dozen anonymous case studies across a number of industries. FireEye claims that over 100 of the Fortune 500 are among their customers.

It takes marketing and noise - FireEye is “everywhere”. They appear on multiple security web sites and at multiple CIO and CISO events. Going public created a lot of visibility. Their reports, and those of Mandiant, which FireEye acquired shortly after the first of the year, get a lot of visibility. FireEye is aggressive in issuing press releases about threats they have discovered and investigated. They’re promoting fourteen security events (four in the US) they’ll be at during the first half of the year. AhnLab will be at two. Most PR firms would consider just putting up a product description on your web site a sub-optimal way to announce a product. That’s not the usual marketing strategy in the North American marketplace.

What AhnLab Malware Defense System May Have Going For it

NSS Breach Detection Study - AhnLab, Fidelis Security Systems, and FireEye were the only three companies to complete a breach detection study by NSS Labs (www.nsslabs.com) last summer. Fidelis put out a press release about their results, made their report available at no charge, and wrote a blog challenging FireEye to make their summary report available. AhnLab put out a press release but hasn’t made the report available on their website. FireEye wrote nothing.

Three types of protection in a single appliance - AhnLab promotes that they provide Web, email, and Content Security in a single appliance.  With FireEye, you would have to purchase three products.

Profits - AhnLab is one of the largest security companies in South Korea.  And profitable.  FireEye has yet to show a profit.  For 2013, Sales and Marketing expenses, by themselves, exceeded Revenue.  Profits and positive cash flow are good things for the long term.

Ultimately, prospects will have to bring the products in house and test them. Gartner has looked at a number of companies offering a solution. NSS Labs issued their breach study last summer and undoubtedly has another APT study going on (www.nsslabs.com).

For people visiting RSA 2014 in San Francisco (http://www.rsaconference.com/events/us14), a number of the vendors offering solutions will be present. Coffee and cookies in the AhnLab booth at 11:30 each morning during the exhibition! “Learn about the ultimate threat defense. AhnLab’s announcing APTs Dead!” (sic) will be the topic of a talk by AhnLab executive Leo Versola on Wed. February 26 at 1:00PM in the North Expo Hall Briefing Center. Too late for a free RSA pass.

The window is closing for AhnLab and other Advanced Persistent Threat vendors. Obviously, FireEye has made it through. AhnLab and other vendors are going to have a battle to be one of the other survivors and get share. The press over some major attacks by cyber criminals during 2013 (Target Stores and over 110 million, among others) ensures that companies will be looking for a solution. craig kensek



twitter - ckensek

Friday, January 17, 2014

Target Data Breach – Target CEO Belatedly Starts to “Man Up”


Target and CEO Gregg Steinhafel have finally downloaded a book on crisis management and are following the script for when a company crisis occurs. They could have begun a lot earlier after this November/December data breach occurred, right after the breach was discovered. They have managed to never say the phrase “Advanced Persistent Threat (APT)” in their communications. I would imagine that any company offering an APT solution has contacted them.

On January 14th, Target ran a full page ad in a number of major US newspapers. Below are snippets of the four bullet points and my comments. These adverts do cost $$.  Earlier blogs on this topic are on www.us.ahnlab.com


  1. Closed the access points that were used and removed the malware. I should hope so! Preferably, this was done a month ago.
  2. Hired a team of data security experts to investigate how this happened. Good. Hopefully this happened a month ago. The internal IT department kind of messed up here. However, most current security technology is unable to stop these kinds of attacks. Hence, the number of APT solutions being offered.
  3. Communicated that guests will have zero liability for any fraudulent charges. First, they’re customers, not guests. A bit of a $$ olive branch. Usually, customers have a small window to dispute charges on debit cards and credit cards. The rules vary. They don't have unlimited liability. But a person’s checking account could, in theory, be emptied. This communication hopefully happened right after the breach was discovered and closed.
  4. Offered one year of free credit card monitoring and identity theft protection. This should have happened weeks ago. Target – do not auto renew this on Target debit cards. That would be tacky.
Target is now doing much of the right thing. Steinhafel even said, “Sorry”. All the above was late. The crisis management book would have had Steinhafel front and center right after the breach was discovered, rather than having an update section on the Target web site (www.target.com/databreach).

Demerits for Target for not being transparent early to customers. Demerits for not keeping Target employees in the trenches in the loop immediately and ongoing about this. Target should even consider having something conspicuously posted (with copies available) at checkout lines at their stores. The 10% additional weekend discount offered was barely an olive branch.

It now appears that even non-Target customers are getting emails from Target. These read, in part, from one article on the topic:
"The good news first: A Target spokeswoman has confirmed to Consumerist that the email is “an official communication,” despite it seeming like the perfect chance for hackers to strike yet again. So, whew. But when we asked where Target obtained email addresses for people who are not now and have never been customers of the retailer, the spokeswoman simply said, 'The information was obtained by Target through the normal course of our business.'" 


Target IT employees. Start evaluating APT solutions.

Why haven’t Target and/or the relevant financial institutions gone out and immediately sent out replacement cards? First, a less costly solution would be if all customers would go and change their passwords. This isn’t going to happen. The information (fortunately a lot of it encrypted) has already been stolen. Second, behind the scenes, the financial institutions and Target are probably pointing fingers at each other regarding inadequate protection. Third, the cost of sending out replacement cards is around $10. This could be a hit of up to $440 million in revenue to Target and/or the affected financial institutions. So, this isn’t going to happen.