Defending Against Known & Unknown Threats Jack Walsh, New Initiatives & Mobility Programs Manager Copyright © 2016 ICSA Labs


Introducing ICSA Labs

About ICSA Labs

We're known for:
• Providing independent 3rd-party assurance
• Security-focused certification testing
• Stakeholder consortia

Founded in 1989: 25 years of testing
• Anti-malware products, network firewalls, etc.

ISO accredited
• ISO 9001:2008
• ISO/IEC 17025:2005
• ISO/IEC 17065:2012

Recent initiatives

Security product testing
• Advanced threat defense (ATD)
• Internet of Things devices & sensors

Mobile testing
• Mobile device platform security

Healthcare testing
• ONC EHR, HIMSS ConCert, IHE USA

Our seal of approval

Some of our customers

The value of certification testing Buyers need an objective way to confirm that security products introduced into their organization will function as advertised, interoperate and conform to privacy & security requirements.

Vendors need a cost effective way to credibly demonstrate that their products will satisfy buyers’ needs.

Ongoing certification testing by a credible, independent third party like ICSA Labs helps satisfy the needs of both.

Defending Against Known & Unknown Threats

Enterprises are being attacked

2005 – 2010

source: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Organizations protected and secured themselves with all the traditional, standard defenses:

• anti-malware, network firewalls, intrusion prevention systems, web application firewalls, etc.

To defend against threats…

Enterprises still being breached!

2010 – 2016

Things did not improve

source: www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Growth in security spend
• Up 294% since 2006 to $21B in 2014 (source: Gartner)

What resulted?
• Data breach explosion!
• 614 breaches reported in North America in 2013
• Over 91M records disclosed

Breaches put another way

• AOL
• TK / TJ Maxx
• Sony PSN
• Heartland
• eBay
• Target
• LexisNexis
• Michael's
• Home Depot
• NASDAQ
• American Express
• Citigroup
• Neiman Marcus
• Snapchat
• Washington Post
• AT&T
• TD Ameritrade
• RBS Worldpay

source: https://blogs.bromium.com/2014/08/14/the-rise-and-fall-of-enterprise-security/

Why haven't security products adequately protected enterprises?

Known and unknown threats

• Known threats: 25 years of testing
• Unknown threats: 1 year of testing

Known malicious threat testing (25 years)

• ICSA Labs "AV" Testing Program
• Key characteristics:
  • Wild List based testing
  • Threats known "in the wild"
  • On access
  • On demand

ICSA Labs anti-malware testing: Enhanced & Reloaded for 2017

More comprehensive testing
• From: Static Signatures
• To: Static Signatures, URL Blocking, Anomaly Detection, Behavior-Based

More malicious sample sources
• From: Wild List, The "Collection"
• To: Enterprise Samples, Wild List (Delta), Real Time Threat List, Microsoft Prevalence, ATD Program, Wild List, The "Collection"

Testing unknown malicious threats

• ICSA Labs began ATD certification testing in fall 2015
• ICSA Labs added ATD-Email testing in Q4 2016

Advanced threat defense (ATD)

What does ATD mean anyhow?
a. Protect from ADVANCED Threats?
b. Protect from PERSISTENT Threats?
c. Protect from UNKNOWN Threats?

Where does ATD occur?
a. The Endpoint
b. Network perimeter
c. Local Sandbox
d. Sandbox in Cloud
e. Cloud Analysis Cluster

A: Any or All of These!

Basis for ATD & ATD-Email testing

• Threat vectors leading to breaches
• Source: Verizon Data Breach Investigations Report (DBIR)

Threat vector (number of breaches, per the DBIR chart on the slide):
• Direct Install: 3706
• Email Attachment: 869
• Web Download: 588
• Web Drive-By: 551
• Email Link: 453
• Download by Malware: 230
• Network Propagation: 138
• Remote Injection: 72
• Removable Media: 16
• Other: 13

ATD & ATD-Email testing programs

What is measured
• Does it detect 100s of new threats?
• Does it have minimal FPs?

How testing runs
• Quarterly test cycles
• Continuous testing for 3 to 5 weeks
• Test cycles begin mid-month
• FREE reports available at quarter end

Testing focus
• Test cycles last 3-5 weeks
• Detecting threats: unknown and little-known
• While having minimal false positives

Recurring testing with latest threats
• Keep informed with quarterly testing results.
• Know how ATD solutions perform against the latest threats.
• Observe over time how products fare against the norm.

No cost to enterprises
• Only participating vendors register and pay
• Includes free reports on our website: https://www.icsalabs.com/products?tid[]=5352
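The cycle described above, measured the way the slides frame it (detection of unknown and little-known threats, weighed against false positives, over a multi-week cycle), as an added Python example that is not from the ICSA Labs deck or its test programs. The test-run records, sample ids and the pass thresholds are constructed assumptions; the deck states no pass criteria, so the threshold values here are illustrative only.

```python
from dataclasses import dataclass
from datetime import date


# Constructed test-run records for one hypothetical ATD test cycle.
# Sample ids are placeholders, not real file hashes.
@dataclass(frozen=True)
class TestRun:
    day: date          # day the run happened within the cycle
    sample_id: str     # placeholder id of the sample submitted to the product
    truth: str         # ground truth: "malicious" or "benign"
    category: str      # "unknown", "little-known" (malicious) or "benign"
    verdict: str       # product verdict: "blocked" or "allowed"


CONSTRUCTED_RUNS = [
    TestRun(date(2016, 10, 17), "m001", "malicious", "unknown",      "blocked"),
    TestRun(date(2016, 10, 17), "m002", "malicious", "unknown",      "allowed"),  # miss
    TestRun(date(2016, 10, 17), "b001", "benign",    "benign",       "allowed"),
    TestRun(date(2016, 10, 24), "m003", "malicious", "little-known", "blocked"),
    TestRun(date(2016, 10, 24), "m004", "malicious", "little-known", "blocked"),
    TestRun(date(2016, 10, 24), "b002", "benign",    "benign",       "blocked"),  # false positive
    TestRun(date(2016, 10, 31), "m005", "malicious", "unknown",      "blocked"),
    TestRun(date(2016, 10, 31), "b003", "benign",    "benign",       "allowed"),
    TestRun(date(2016, 11, 7),  "m006", "malicious", "unknown",      "blocked"),
    TestRun(date(2016, 11, 7),  "m007", "malicious", "little-known", "blocked"),
    TestRun(date(2016, 11, 7),  "b004", "benign",    "benign",       "allowed"),
]


def detection_effectiveness(runs, category=None):
    """Fraction of malicious runs the product blocked; None if there were none.

    category restricts the calculation to "unknown" or "little-known" samples,
    matching the two classes the testing focus slide names.
    """
    malicious = [r for r in runs
                 if r.truth == "malicious" and (category is None or r.category == category)]
    if not malicious:
        return None
    return sum(r.verdict == "blocked" for r in malicious) / len(malicious)


def false_positive_rate(runs):
    """Fraction of benign runs the product wrongly blocked; None if no benign runs."""
    benign = [r for r in runs if r.truth == "benign"]
    if not benign:
        return None
    return sum(r.verdict == "blocked" for r in benign) / len(benign)


def cycle_length_days(runs):
    """Inclusive span in days from the first to the last test run of the cycle."""
    days = sorted({r.day for r in runs})
    return (days[-1] - days[0]).days + 1


def evaluate_cycle(runs, min_effectiveness, max_fp_rate):
    """Summarise one cycle and apply hypothetical pass criteria.

    The thresholds are illustrative assumptions, not ICSA Labs' criteria.
    A product passes only if it both detects enough and stays under the
    false-positive ceiling, so a blocker that flags everything fails.
    """
    effectiveness = detection_effectiveness(runs)
    fp_rate = false_positive_rate(runs)
    passed = (effectiveness is not None and fp_rate is not None
              and effectiveness >= min_effectiveness and fp_rate <= max_fp_rate)
    return {
        "runs": len(runs),
        "length_days": cycle_length_days(runs),
        "effectiveness": effectiveness,
        "effectiveness_unknown": detection_effectiveness(runs, "unknown"),
        "effectiveness_little_known": detection_effectiveness(runs, "little-known"),
        "fp_rate": fp_rate,
        "passed": passed,
    }


if __name__ == "__main__":
    summary = evaluate_cycle(CONSTRUCTED_RUNS, min_effectiveness=0.9, max_fp_rate=0.05)
    for key, value in summary.items():
        print(f"{key:>28}: {value}")
```

Running the block prints the cycle summary for the constructed data: overall effectiveness of 6/7, with the one miss falling in the "unknown" class and the one false positive pushing the FP rate to 0.25, so the product fails the assumed 0.9 / 0.05 criteria. Reporting effectiveness per class is the point: a product can look strong on little-known samples while missing the genuinely unknown ones that the ATD program targets.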

How you benefit: the value of certification testing

ICSA Labs Certified ATD Solutions

Without YOU, certification testing disappears. Want more choices? [email protected]

Statistics from 3 ATD test cycles

• Vendors currently registered for ATD testing: 11
• Vendors with an ICSA Labs Certified ATD Solution: 5
• Average test cycle length: 30.75 days
• Average number of test runs per test cycle: 610
• Average detection effectiveness: certified ATD solutions vs. failing ATD solutions
• Approximate number of ATD developers: ~30

Data from previous 4 ATD test cycles

Ransomware is huge lately

Poor Fred

Will ATD solve all your problems?

About Jack Walsh Jack has worked eighteen years at ICSA Labs. Currently driving development of programs that test the security of IoT devices, advanced threat defense solutions and all things mobile, his prior roles included network intrusion prevention systems program manager, anti-spam program manager and firewall lab technical lead. Prior to joining ICSA Labs, Jack tested commercial products at the National Security Agency. While there he co-authored the first firewall protection profile. Jack earned his B.S. in Electrical Engineering from Penn State and later earned an M.S. in Computer Science from Johns Hopkins.

Jack Walsh New Initiatives & Mobility Programs Manager [email protected] 717.790.8126

Find out more at www.icsalabs.com/