We've seen the rise of next-generation security products. Now it's time for next-generation testing. A large range of products exist to help detect and investigate breaches. While some of these overlap with anti-malware protection products, testing them requires more than simply scanning (or even executing) malware. We propose that, in order to gain a good understanding of the efficacy of such products, realistic attacks are required that progress from the initial breach through to a logical conclusion.
This paper outlines a full methodology for testing a wide range of security products, including those deployed as endpoint agents, perimeter gateways and cloud-based services. Different types of product can now be tested either individually or in collaboration with other solutions. For example, it is possible to test anti-malware and 'detection and response' endpoint agents; intrusion detection appliances; email gateways; cloud-based web filters; and both on-premises and cloud-based sandboxes.
In the presentation we will demonstrate what a full breach looks like (and why we are confident that this is what the real bad guys are doing) and deliver some results that show how different types of products work and interact with each other to provide levels of protection, remediation and actionable insight into a breach's history.