I read with interest the latest batch of MITRE evaluation data on various endpoint solutions, this time focusing on how well those anti-malware products detect, respond to and contain the techniques used by the FIN7 and CARBANAK threat groups. While academically interesting, it illustrates how hard it is to review cybersecurity products in the endpoint protection category and to attach a “better” label to a specific product in a specific category (endpoint or otherwise).
First, the report itself. The samples used came from two threat groups, Carbanak and FIN7.
Carbanak is a strange choice, as the group’s leader was arrested in Spain in 2018 by Europol and the group is no longer active, not to mention that all of its malware samples are now publicly available, so even if I fed those samples to a legacy signature-based antivirus, it would detect and stop them just fine.
FIN7 is a group that also effectively disappeared after U.S. law enforcement identified the company it was operating out of in 2018. The group was responsible for targeting the North American retail, restaurant and hospitality sectors since mid-2015, and often used point-of-sale malware. So how is any of this relevant to today’s companies?
Well, it just isn’t. If you were an e-commerce company selling widgets online in Europe, none of these results would be relevant to you. Not at all. Even setting aside the fact that these campaigns were carried out years ago and that the threat actors have since been dismantled, the exercise highlights the growing disconnect between the labels attributed to a product and the requirements companies actually have for an endpoint solution. If you took these reports at face value, it would be easy to pick the best-performing product and add it to your cybersecurity arsenal, but you would simply be falling into the requirements trap that catches many companies when acquiring technology: you would be basing the purchase not on your own requirements, but on someone else’s.
If we took a different product, say the humble web application firewall (WAF), your list of requirements would be quite long, split roughly into two sections (functional and non-functional requirements), and would include a long list of things the product should be able to do, and at the specific level your company requires. Can it process a certain volume of traffic? What kinds of attacks can it actually see? Can it see them in both GET and POST requests? (You would be surprised how many WAFs cannot see things like XXE in POST requests.)
These are lists you have to draw up yourself, based on your needs and not on the vendor’s feature set. Once you have them, you can begin the long and laborious process of product testing, proof of value, and finding something you can afford, which brings me to one of the important caveats missing from all product reviews: budget.
All tools have a monetary cost. Even when you use open source technology, you have a greater investment in staff and support (even though the product itself is effectively free). Price and cost are absent from every product review.
While it is understandable that vendors are reluctant to disclose product prices, the figures that do get quoted tend to be the “list price,” which is usually well above what any company will actually pay for the product.
The budget is a fundamental requirement for any acquisition, whether it is an endpoint solution or something else.
Suppose you were a U.S.-based retailer (one of FIN7’s favourite targets) and you used the MITRE list to choose an endpoint solution.
You would choose the best-performing endpoint solution, only to quickly discover that you cannot afford it. Tools labelled XDR or EDR will, of course, be more expensive than “legacy” alternatives, which can cost up to $5 per user.
The list also ignores the fact that endpoint products have to cover things like USB control, DLP, application control, encryption and the other features companies expect from an endpoint solution these days. Endpoint is no longer just about protecting your devices from malware.
When evaluating reviews, your last resort is usually to ask your contacts in the infosec industry for advice, but again: beware of loose comparisons. A “good” WAF recommended by your counterpart at Company A may not match your requirements, since your company will have at least one of the following: a different infosec budget, a different technology stack, a different company culture, a different skill set, a different business model, and it will operate in a different vertical. If by some miracle all of these line up, you can give the recommendation some weight; otherwise you have to go back to basics.
Relying on online reviews is a losing bet when it comes to cybersecurity tools. As with everything else, caveat emptor applies: work out your requirements first, do your own research, do your own testing, and you will end up with something you really need rather than something a salesperson wants you to have.