NSS Labs’ Andrew Braunberg, Jason Pappalexis, and Thomas Skybakmoen outline the BDS definition, market, NSS Labs Testing, Product Maturity, and is BDS worth the investment.

1. BREACH DETECTION SYSTEMS:
WHAT ARE THEY AND
DO YOU NEED ONE?
NSS Labs Research
October 7, 2015
Jason Pappalexis,
Research Director
Andrew Braunberg,
Research VP
Thomas Skybakmoen,
Research VP

2. Slide 2
Agenda
• BDS DefiniJon
• Market
• Architectural Overview
• TesJng
• Methodology
• Results
• Product Maturity
• BDS: Worth the Investment?
• Q&A

3. Slide 3
BDS Defined
Three Key Characteris.cs
1. A product or service deployed out of band
2. Variety of dynamic detecJon techniques
• Looking for previously unknown and/or highly targeted malicious content
3. IdenJty indicators of compromises that alert to an exisJng breach
Malware
idenJficaJon
(signatures,
heurisJcs, or
both)
Network traffic
analysis (flow
monitoring,
content analysis,
or both)
Sandboxing that
models internal
systems
(workstaJons
and servers)
Browser
emulaJon
ReputaJon
Dynamic Detec.on Techniques

4. Slide 4
State of the Market (CY2014)
• Market Size
• $714M in 2014
• $1.1B in 2015 (NSS est.)
• Current buyers
• Large Enterprise made
up 85% of sales in 2014
• Evolving market
requirements
FireEye
49%
Others
24%
Fidelis
15%
Palo Alto
Networks
7%
Blue Coat
5%

5. Slide 5
Three Key Market Drivers
1. Security effec.veness
• Best chance of detecJng a zero day
2. Time to Detec.on
• “Malware research team in a box” working 24/7/365
3. Improved Forensics
• “Smoking Gun” enables prompt and accurate incident response

6. Slide 6
• Deployment op.ons
• Complexity
• Protocol support
• Endpoint versus Network
• Dynamic analysis
• Sandboxes, emulaJon, virtualizaJon
• OS support (sandboxes)
Architecture & Deployment

7. Slide 7
World’s Leading Security Testing Facility
Largest live tesJng
harness in the world
3 Tbps
real world traffic
tesJng capacity
Richest mulJ-vendor test
infrastructure
$30 Million
data center
investment
Network, endpoint and
cloud test experJse
2 Million Hrs
accumulated test
experience

8. Slide 8
Security Effectiveness Testing
Exploits Evasions Malware Stability & Reliability
• Social
• Drive-By
• HTTP
• Email (IMAP/
SMTP)
• SMB
• Packers
• Compressors
• Virtual Machine
• Sandbox
• HTML
ObfuscaJon
• Layered Evasions
• DetecJon under
Extended Aiack
• Protocol Fuzzing
And MutaJon
• Persistence of Data
Data from BDS 2.0 Group Test

9. Slide 9
Performance Testing
UDP HTTP Capacity Max Capacity Real World Traffic Mixes
• 64 to
1514
Byte
Packets
• Max concurrent
TCP connecJons
• Max TCP
connecJons per
second
• Max HTTP
connecJons per
second
• No
TransacJon
Delays
• With
TransacJon
Delays
• Enterprise Perimeter
• EducaJon
Data from BDS 2.0 Group Test

10. Slide 10
Group Test Results
• Security
• Security EffecJveness 51.8% to 99.2%
• Average Security EffecJveness RaJng 86.8%
• Evasion effecJveness 87.1% to 100%
Data from BDS 2.0 Group Test
• Performance
• Throughput 750 Mbps to 4.583 Gbps
• Total Cost of Ownership
• 3 Year TCO ranged from $68,922 to $448,793
• Average 3 year TCO was $277,349

11. Slide 11
BDS: Worth the Investment to You?
• Architecturally complex
• Onen require mulJple devices to scan diverse traffic types
• Performance issues will eventually drive many BDS’s to the cloud
• Not designed to perform at line rate
• Sandbox lifecycle management
• Sandbox evasions
• Total cost of ownership
• Agents
• Require adult supervision
No security product is without limita3ons

12. Slide 12
In-Depth Research
• Market Analysis
• Buyers Guide
• Company Reports
Technical Briefs
Test Reports
ComparaJves Reports
• Security Value Map
• TCO
• Security
• Performance
Product Test Reports

13. Slide 13
Ques.ons?