2016-05-09T08:21:00Z
PeerSpot user
Technical Account Manager at a security firm with 51-200 employees

Holding Security Vendors Accountable

Off the back of Palo Alto's recent marketing video, one of the staff at Check Point put together a response for each of his claims which can be found here.

Original promo - 

https://vimeo.com/161622275

https://www.youtube.com/watch?v=tmaM3YHo79U&feature=youtu.be

Making bold claims about inventing technology, vendor specific capabilities, the size of your coverage, and so forth? I get that everyone has a tagline along the lines of "We are the best there is..." and nobody is aiming for "Second best" but when it comes to security the bad guys only need to win once, the good guys have to win 100% of the time. 

How is it acceptable for a company to say we are 100% safe when that is a) impossible to promise, and b) untrue with a basic level of research and understanding of their equipment? This is shocking behavior. If I sold you a '100% safe' bulletproof vest but when you put it on it had big holes in it you would want a refund.

I said in a recent article that independent reviews should be the only way forward. I stand by that, but have learned that some such as Gartner are less reliable than say NSS Labs. We all need to be more vigilant in what we do to research a product. I talk with so many individuals who have had a rep in from Vendor X and they're completely sold on the idea before you have a chance to warn them of the inaccuracies faced.

Is there a better way for us to hold these vendors accountable to their bold claims? 

Does it affect your view of either side if one makes bold claims and the other side calls them on it?

I wish it wasn't necessary, but personally I like that a rebuttal has been made.

9 Answers
PeerSpot user
Technical Account Manager at a security firm with 51-200 employees
Vendor
2016-07-28T15:59:15Z
28 July 16

Some good responses here and I like that we're agreed on the whole 100% thing being a huge flaw. I am surprised that folk think PA are ahead of Check Point and Fortinet, possibly even Cisco currently in terms of security, as they have generally been on the wrong end of some huge vulnerability announcements and design flaws. Like all technology firms I have no doubt that PA have plans in place to revolutionize the field in their image, but all vendors do, and currently the strong support given for PA when there are bits like the above happening, is concerning.

PeerSpot user
General Manager at a tech services company
Consultant
2016-05-17T03:12:56Z
17 May 16

In my opinion he is the CEO of the company and it's his job to position the marketing in such a manner. However, do take note that the concept presented is acceptable as a "platform" to a better secured environment.

As everybody has been saying, I too agree that there is no such thing as a 100% foolproof product out there. Reduced Risk and Deterrent might be a better option.

Today organizations tend to listen and jump on the bandwagon based on vendors' views and experience. As usual the vendor will skew the situation to match their offering and this is where customers fall into the trap of not knowing what it is that they are actually looking for in the first place. They get all confused.

Some key steps that a customer needs to understand before making any decision are to:

1. Understand the weakness of your own environment
2. Assess the risk potentials versus the business revenues
3. Identify root causes of the problem
4. Devise what will be needed to prevent the problem based on your own findings
5. Get help from vendors.... their opinions
6. Perform POCs on isolated sections of organizations..... and review the results
7. Work the budget to see if this is acceptable for your organization.... if not phase it out by prioritizing the issues
8. Then look for the solution

Technology is aplenty out there, but how you apply the right or almost the right one must still be a decision of the owners of the network.

Cheers

PeerSpot user
Information Security Manager at a tech services company
Consultant
2016-05-17T01:58:48Z
17 May 16

We can't hold security vendors responsible since it is up to the company's authorized representatives to observe due diligence in selecting an appropriate solution and vendor. It is a good idea to have a process such as Request for Information (RFI), Request for Proposal (RFP) and Proof-of-Concept (POC). 3rd party independent evaluators such as Gartner and NSS Labs are just sources of information that companies can make use of as a starting point. However, the POC will tell us a lot more based on the actual experience during the testing. In addition, there is no 100% bulletproof due to the existence of APTs that make our security landscape fast evolving. In effect we need to have visibility on our network, operating systems, applications and databases to establish pro-active incident management so that we can respond in a timely manner.

BJ
Director, Information Technology with 51-200 employees
User
2016-05-16T19:00:07Z
16 May 16

I prefer that companies make claims like this, because then I know not to buy their products! However, when I see a competitor take the time to create a response, I can go either way. I understand the battle for market share is intense and that you are mostly appealing to low-IT-information decision makers, but generally I would rather hear the responder’s claims indirectly, as part of their efforts to advertise their own products.

PeerSpot user
Sr. Security Architect with 1,001-5,000 employees
Vendor
2016-05-16T17:53:54Z
16 May 16

In the first topic, Moti Sagey compares PA’s threat intelligence integration (Wildfire) with CP’s threat extraction technology. Without a recent evaluation of how CP’s malware detection performs, it would be hard to reach a conclusion on what is the best method of malware prevention. Certainly threat intelligence is an exploding market, and PA was one of the first in that market. So, if the assertion is that with CP’s malware detection you don’t need threat intelligence, perhaps this is a reasonable position to take at the firewall layer. Yet, I am not ready to discount the entire threat intelligence market. In a recent evaluation of malware detection engines where I work, Cylance was the clear leader in malware prevention. We did not test firewalls for this functionality, and certainly PA did not address the ‘0’-day threats we were hunting. But nor did we expect to have them address it. We required endpoint protection for our devices above and beyond perimeter defenses. They are mobile. This functionality is an endpoint functionality.

In the second topic; Moti is comparing application protocol detection and prevention, and it’s a quick comparison of numbers showing Checkpoint to be the leader in application level control with that vendor addressing more applications, and showing some specific areas. While this may be a good metric, it may also be a lesson in what not to pitch. i.e. that this vendor has more fine-grain controls in application areas – releasing 6 controls for one specific application where other vendors release just the single control, while not performing any better protection against malicious apps than anyone else. There are two points to make here; without a real comparison of what is a threat, and how it is prevented, this comparison is probably not valid. Numbers without a deep review of what they mean is basically propaganda. And this section is almost a red flag for something to question, rather than accept. Furthermore, if the vendor has that many dials and knobs, it may require a subject matter expert to tune it that companies cannot afford today. Never just state: “more is better”, not today.

On the third matter; who invented the stateful firewall; and here Moti is comparing claims to what is submitted on a corporate patent, to who actually came up with the idea. Anyone who has written a patent before probably knows that you don’t always get your name on what you invented. The company that owns your work does, and they select the ownership of that patent. I don’t know who invented the stateful firewall, and I doubt that it was one person – after all, it is the logical progression of what you do with a firewall after you evolve off of a proxy-based firewall. However, this issue is pointless to mention. It would be nice to know what happened in the development skunkworks back then, but is irrelevant to firewall effectiveness.

On the next matter; an assertion that PA is representing themselves as unique in market functionality. PA is relatively unique in its next generation firewall approach and was certainly the first firewall vendor to logically combine technologies (IPS, FW, Web inspection, threat intelligence, DLP, etc.) acting on the periphery into one box. That is a huge bonus. For a long time, that was indeed unique. It is argumentative to take the marketing position for that position, combine it with their description of functionality in a specific area later on in the presentation, and come up with the assertion that PA is claiming to be something that they are not. Similarly, it is argumentative to argue what features should be offered on different product line models. However, on the final point; TRAPS, PA’s purchase of the Cyvera endpoint protection product, as being 100% effective in endpoint protection is indeed a poor representation. It does not strongly qualify – is this FW prevention of exploits? No, but the idea of that functionality in your NGFW is still a good one. To make a good point here, Checkpoint needs to be compared to PA, and that was not done.

NSS Labs comparison: anyone that has researched the benchmarks for NSS labs has an idea of the areas this touches on – and it focuses well on specific firewall capabilities, in a lot of areas. …and specific functionality that is boutique in FW jargon for these areas. Applying the research in that report to a company’s specific FW requirements is a research paper in itself. Some of the points made here could be very useful – specifically the man-hour support requirements for different products. If anything, this is an area that should have been deconstructed for valid input.

My response to this question is: marketing is just that, positioning your product to highlight the strengths of its features. Comparative marketing is useful also, but only as an introduction as to why a product should be considered. After some time with the Checkpoint folks, it would be interesting to test drive their product, and some of the innovations that Checkpoint may have made.

…but not based on this set of videos. PA leapfrogged Checkpoint 5 or so years ago. If, in that time, Checkpoint has subsequently managed to leapfrog PA, it would be great to hear about how.

PeerSpot user
Solutions Architect Security at a tech services company with 501-1,000 employees
Consultant
2016-05-16T16:33:17Z
16 May 16

There is no solution available in this market to protect you from zero-day or advanced threats.

The only solution available is having visibility on the movement of these kinds of threats, like continuous protection, which you get with a retrospective security feature.

Cisco Advanced Malware Protection provides retrospective security.

Security professionals often lack visibility into the scope of advanced malware in their network, struggle to contain and remediate it after an outbreak, and cannot address fundamental questions, including:

● What was the method and point of entry?
● What systems were affected?
● What did the threat do?
● Can we stop the threat and eliminate the root cause?
● How do we recover from the attack?
● How do we prevent it from happening again?

Cisco AMP for network & AMP for endpoint solves all these unanswered questions.

PeerSpot user
Marketing Consultant at a tech services company
Consultant
2016-05-16T15:19:34Z
16 May 16

No firm can claim/guarantee that they provide 100% protection. A company should look at Gartner and NSS Labs, and then, if possible bring in both products to do some comparisons on features and functionality. With respect to scalability, you'll have to discern whether it scales for your environment and anticipated growth.

HF
Professional Services Engineer at A10 Networks
Real User
2016-05-16T13:32:33Z
16 May 16

There is no so-called 100% security. All cybersecurity vendors stated clearly that every single one of them is a leader in this field, but the question from the customer's point of view is: How can I trust your claim(s)?

I do like to review the Magic Quadrant Report, but do I fully trust the report? Of course NO, because the report lacks much detailed information about the research process and analysis behind it, which is not the case when talking about NSS Labs and ICSA Labs.

John Maddison, Sr. Vice President, Products and Solutions at Fortinet stated "validation from organizations like NSS Labs plays a critical role to help cut through the noise customers face today. Third-party testing holds vendors to the product specifications and their performance claims so customers can make truly informed decisions instead of discovering real-world performance after they deploy a solution in their network."

We need to educate IT people from all businesses about how important it is to review NSS Labs or any other 3rd party validation company when choosing among different cybersecurity vendors. NSS Labs testing of the top cybersecurity vendors, real-world scenarios that test security effectiveness against hundreds of attacks on a daily basis and network performance.

-Palo Alto fixes issues identified by NSS Labs
http://www.channelweb.co.uk/crn-uk/news/2374942/palo-alto-fixes-issues-identified-by-nss-labs

-Independent lab tests find firewalls fall down on the job
http://www.csoonline.com/article/2127998/data-protection/independent-lab-tests-find-firewalls-fall-down-on-the-job.html

-Lesson from SecurID breach: Don't trust your security vendor
http://www.networkworld.com/article/2177834/compliance/lesson-from-securid-breach--don-t-trust-your-security-vendor.html

PeerSpot user
Director of Product Marketing, Security and Compliance at CA Technologies
Real User
2016-05-16T12:23:04Z
16 May 16

You ask “how is it acceptable to say we are 100% safe?”. The answer is that it’s not! As you say, NO vendor can claim total safety from threats, breaches, or any other security-related metric.

I work for CA Technologies, a leading identity management vendor. We are scrupulous in our claims, in order to make sure that we don’t commit to the impossible. More specifically, we always state that our products “HELP improve security”, a far cry from promising complete safety. A vast majority of our customers have found that the products SIGNIFICANTLY help improve security, but we can’t, and don’t, claim a particular level of security that will result from their use.

For those capabilities that are somewhat measurable, we rely on external validation to substantiate our claims. For example, all vendors promise scalability, but we have validated our identity management product (by an external analysis firm) to support 100 million users.

I agree with the premise that a vendor’s claims should be analyzed critically in order to gauge their credibility. Red flags such as “100%” should be viewed skeptically, no matter what they are promising 100% of. And, if it’s 100% security, discerning buyers should beat a hasty retreat and search out vendors who have a more realistic view of the capabilities of their product.
