The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike

When a company is researching options for network security tools, it needs to be able to weigh a number of factors, including cost, effectiveness, compatibility, integration with current or third-party tools and platforms, and — perhaps most important — impact on network performance. To evaluate all options, however, there has to be some way to compare different solutions accurately. The recent legal conflict between CrowdStrike and NSS Labs illustrates why it is such a challenge for organizations to evaluate different vendors and products.

NSS Labs and CrowdStrike announced in late May that after two years, they had reached a confidential settlement to end their legal battle. CrowdStrike initially sued NSS Labs in February 2017 over negative test results that were published in an NSS Labs endpoint protection report. NSS Labs gave the CrowdStrike Falcon platform a "Caution" rating. CrowdStrike, however, maintained that the test was faulty. In late 2018, NSS Labs fought back with a lawsuit of its own against CrowdStrike, Symantec, ESET, and the Anti-Malware Testing Standards Organization (AMTSO), claiming that the vendors and AMTSO conspired to prevent NSS Labs from testing their products.

Following the settlement, NSS Labs retracted its 2017 assessment of CrowdStrike's Falcon platform and issued a corrective statement, saying that "NSS's testing of the CrowdStrike Falcon platform was incomplete and the product was not properly configured with prevention capabilities enabled. In addition to the results having already been acknowledged as partially incomplete, we now acknowledge they are not accurate and confirm that they do not meet our standards for publication."

The CrowdStrike-NSS altercation is only one legal battle between a testing lab and a vendor. The NSS Labs lawsuit against Symantec, ESET, and AMTSO is still ongoing, even in the wake of the settlement with CrowdStrike, and it is likely that similar lawsuits are in the pipeline.

What's Wrong with Network Security Testing
The situation involving NSS Labs and CrowdStrike is a perfect example of what's wrong with network security testing. In a Dark Reading column earlier this year, I described network security testing as the Wild West, noting that proprietary testing methods conducted under uniquely optimized conditions create a chaotic scenario in which everyone plays by their own rules and customers are left struggling to sort it all out.

The fact that NSS Labs retracted its rating of CrowdStrike's Falcon platform highlights one of the primary issues with closed or proprietary network security testing standards. Without visibility into the testing protocols and standards used, there is no way for organizations to objectively determine whether an NSS Labs assessment is right or wrong.

The flip side of the coin is that closed and proprietary testing standards also create the potential for vendors to game the system or gain an advantage over rival companies. Vendors frequently impose conditions on how their products can be tested and demand that testing labs design environments and tests that focus on areas in which the product excels, minimizing scenarios in which the product does not perform well.

In the end, however, whether the testing lab makes a mistake or misconfigures the product, or whether the vendor influences the testing unfairly to make its product look better, the result is that the testing can't be trusted. And untrustworthy testing is useless when organizations are trying to compare various products to make a purchasing decision.

The Importance of Open Security Testing Standards
Testing labs don't want to be in the position of trying to negotiate with vendors for the privilege of testing their products, nor do they want to cave to demands that make those products look better. Vendors don't want to have their products tested in scenarios that don't pit them against rivals on an even playing field. Customers don't want test results that can't be trusted, or assessments with questionable accuracy that can't be verified because the testing methodology is proprietary. The answer is to adopt open network security testing standards.

NetSecOPEN (like AMTSO, a vendor-led organization) was formed in 2017 to address issues and challenges related to the current proprietary testing environment. We believe that the network and security industries must go beyond simply validating test results and, instead, establish new tests that are open, transparent, and created through a cooperative, collaborative effort. Ultimately, apples-to-apples performance tests that accurately portray the effectiveness and impact of network security products on network performance are essential, and the result of such testing is a win-win-win for testing labs, vendors, and — most of all — customers.

Related Content:

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.