SANS NGES Test: Cylance “Most Effective at Preventing Infection”

The SANS Next Generation Endpoint Security (NGES) test for the Center for Internet Security Critical Security Controls version 6.1, Control 8: Malware Defenses (or just SANS NGES Test) is a test conducted by Dean Sapp to evaluate how well a selection of endpoint security products fulfill certain anti-malware objectives set out in Control 8 of CIS CSC 6.1 – a cybersecurity standard focused on endpoint security for mitigating breach risk.

Specifically, it checks each product's compliance with three of the six sub-controls: automatic system monitoring and defense, product updating, and anti-exploit features.

Testing Methodology

The test report states that the test was designed to focus on “prevention and blocking”, and not on detection. The test does this by utilizing a mixture of malicious and non-malicious executables run against victim virtual machines (VMs) secured by the products under test.

For each test run, a malicious executable file is transmitted to the victim system as though an insider-class attacker had uploaded it to the endpoint via USB. Then, the simulated attacker launches the executable.

The victim’s reaction to the file, malware or not, is then recorded and analyzed.

Non-malicious samples are then run in the same way to test a given product's ability to distinguish actual malware from benign software. A balance must be struck between the rate at which truly malicious programs are correctly blocked and the rate at which benign ones are mistakenly stopped – each such mistake being known as a false positive.
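The two rates described above can be scored from the per-run outcomes of such a test. The following is an added example, not code from the SANS report or from Cylance; the product names and sample identifiers are constructed placeholders, and the report's own results are not reproduced here.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class Outcome:
    """One test run: an executable delivered to the victim VM and launched."""
    sample: str       # sample identifier (constructed label, not a real hash)
    malicious: bool   # ground truth: True for malware, False for benign software
    blocked: bool     # True if the product stopped the executable from running

@dataclass(frozen=True)
class Score:
    prevention_rate: float            # malware blocked / malware launched
    false_positive_rate: float        # benign blocked / benign launched
    missed: Tuple[str, ...]           # malware that ran (infection not prevented)
    false_positives: Tuple[str, ...]  # benign software wrongly stopped

def score_product(outcomes: Iterable[Outcome]) -> Score:
    runs = list(outcomes)
    malware = [o for o in runs if o.malicious]
    benign = [o for o in runs if not o.malicious]
    if not malware or not benign:
        raise ValueError("need both malicious and benign samples to score")
    missed = tuple(o.sample for o in malware if not o.blocked)
    fps = tuple(o.sample for o in benign if o.blocked)
    return Score(
        prevention_rate=(len(malware) - len(missed)) / len(malware),
        false_positive_rate=len(fps) / len(benign),
        missed=missed,
        false_positives=fps,
    )

def rank_products(results: Dict[str, Iterable[Outcome]]) -> List[str]:
    """Order products by prevention rate (highest first); ties go to fewer false positives."""
    scored = {name: score_product(o) for name, o in results.items()}
    return sorted(scored, key=lambda n: (-scored[n].prevention_rate, scored[n].false_positive_rate))

# Constructed outcomes for two hypothetical products (not the report's data).
MALWARE = [f"mal-{i:02d}" for i in range(1, 6)]
BENIGN = [f"benign-{i:02d}" for i in range(1, 6)]

def _runs(blocked_malware: set, blocked_benign: set) -> List[Outcome]:
    return ([Outcome(s, True, s in blocked_malware) for s in MALWARE]
            + [Outcome(s, False, s in blocked_benign) for s in BENIGN])

SAMPLE_RESULTS = {
    "product-a": _runs({"mal-01", "mal-02", "mal-03", "mal-04"}, set()),  # 80% prevention, 0% FP
    "product-b": _runs(set(MALWARE), {"benign-03"}),                      # 100% prevention, 20% FP
}
```

Note that the ranking key favours prevention over false positives, which mirrors a test focused on blocking; a deployment that cannot tolerate disruption to legitimate software would weight the second rate more heavily.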

Samples Used in Test

The malware used in the test was a subset – fifty total samples – of a much larger sample pool amassed from VirusTotal™, as well as from members of the cybersecurity community – not from antivirus (AV) vendors.

The non-malicious samples, used to test false-positive alert rates, were fifty programs selected from Microsoft’s (Read more...)

This is a Security Bloggers Network syndicated blog post authored by Scott Marcks. Read the original post at: Cylance Blog