10 Questions to Ask an APT Protection Provider Before Choosing Them

Posted by George Yunaev on 2015-02-06 15:55:36

Are you looking for the right Advanced Persistent Threat (APT) protection provider? If you already have a security solution in place, talk to your current vendor first and get their view on APTs. Ask whether they detect advanced malware threats, and whether the solution you license from them is just a “traditional, signature-based antivirus” or whether it also has features such as generic detection, proactive protection and heuristics.

APT security - 10 questions

If an APT vendor is trying to convince you that you indeed need a separate APT solution, our prior APT protection analysis suggests it is important to ask them these 10 questions:

  1. How do you define the APT?

    You need to know what the vendor would protect you against. If they define it as “botnets, phishing and spam” you may want to stop right there.
  2. Could your solution detect more than <name your existing security vendor>?

    You are not interested in whether their solution is better than some unnamed “traditional signature-based antivirus”. You are interested in whether it is better than, or at least adds significant value to, your existing solution, or whether it could even replace it.

  3. What are the APTs your solution detects and my existing vendor does not?

    If they claim they can detect some threats better than your current vendor, they should have examples, preferably more than one. Check those with your current vendor to get a second opinion.

  4. Do you participate in the industry standard malware protection tests such as those performed by AV-Test or AV-Comparatives? If not, why?

    Be prepared to hear one or more of the responses discussed in our prior analysis. You can either press them on that or move on.

  5. If you do not participate in industry tests, how do you know your solution is better?

    This is an important question. It is entirely possible that their solution detects fewer threats than your existing solution. Do not accept internal test results: passing internal tests is part of any QA process and is mandatory for any product release, so it proves nothing by itself. If the vendor starts explaining how good their technology is, ask instead whether they would sign an agreement with financial penalties for every missed threat, or whether their solution comes with the typical “no warranty” license clause.

  6. What detection rate would you expect if I run your solution behind the existing security solutions?

    Run behind your existing solution, a product that detects more than it would still detect something, while a product that is inferior to it would detect nothing. For that reason the vendor will likely ask you to trial their solution in front of your existing one. That is not what you are interested in: a test in front only shows whether their solution detects some malware at all. What you care about is whether it detects something your existing solution does not, so during the test it should obviously be placed behind.

  7. What is your false positive rate and how do you measure it?

    A solution that falsely screams “Breach!” every two weeks is worse than useless: after two time-wasting investigations, people will ignore the real alarm. As with detection, a lack of independent confirmation is suspicious.

  8. What kind of remediation do you offer?

    Assuming a breach happened and the malware got through, does the vendor offer any remediation, such as ways to trace the infected machines, quarantine them and remove the malware? Or do they just sound the alarm and leave you to handle it?

  9. How detailed is the detection information?

    Do they provide detailed enough information to help you find out what machine is infected and with what type of malware – for example: “machine with IP is communicating with a known botnet network ZZZ; may be infected with Botnet.ZZZ malware”? Or is their notification more like “something seems to be wrong with your network”?

  10. What kind of protection do you offer against other attack vectors?

    The network perimeter is a small part of the attack surface. Attackers have penetrated their targets by breaking into the Wi-Fi routers serving the internal network, or by dropping infected USB sticks in the company parking lot. A real targeted attack is unlikely to rely on a single attack vector, so a vendor that claims protection against APT attacks but in fact covers only a small part of the attack surface does not offer a valuable solution.
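To make the "behind, not in front" test of question 6 and the false-positive measurement of question 7 concrete, here is an added example of how to score a candidate product against the incumbent on a labelled sample set. This is illustrative code written for this page, not a tool from any vendor, and the corpus and verdicts in it are constructed: each engine is represented simply by the set of sample IDs it flags. The candidate looks weaker than the incumbent when run alone (in front), yet still catches one of the two samples the incumbent misses when run behind it, which is the number you actually want, alongside its false-positive rate.

```python
"""Score a candidate APT product as an add-on *behind* an incumbent.

Added example for this page (constructed data, not vendor test results).
"""
from dataclasses import dataclass

# Constructed labelled corpus: sample id -> True if malicious, False if clean.
CORPUS = {
    "s01": True, "s02": True, "s03": True, "s04": True, "s05": True, "s06": True,
    "c01": False, "c02": False, "c03": False, "c04": False, "c05": False, "c06": False,
}

# Constructed verdicts: the set of sample ids each engine flags as malicious.
INCUMBENT_HITS = {"s01", "s02", "s03", "s04", "c01"}
CANDIDATE_HITS = {"s01", "s02", "s05", "c02", "c03"}


@dataclass
class Scorecard:
    detection_rate: float        # share of malicious samples the engine flags (stand-alone)
    false_positive_rate: float   # share of clean samples the engine flags
    incremental_detections: set  # malicious samples the incumbent missed and this engine caught
    incremental_rate: float      # incremental detections / malicious samples missed by incumbent


def score_behind(corpus, incumbent_hits, candidate_hits):
    """Score `candidate_hits` both stand-alone and behind `incumbent_hits`."""
    malicious = {sid for sid, bad in corpus.items() if bad}
    clean = set(corpus) - malicious

    detection_rate = len(candidate_hits & malicious) / len(malicious)
    false_positive_rate = len(candidate_hits & clean) / len(clean)

    # "Behind" view: only samples the incumbent already missed count.
    missed_by_incumbent = malicious - incumbent_hits
    incremental = candidate_hits & missed_by_incumbent
    incremental_rate = (
        len(incremental) / len(missed_by_incumbent) if missed_by_incumbent else 0.0
    )
    return Scorecard(detection_rate, false_positive_rate, incremental, incremental_rate)


def score_standalone(corpus, engine_hits):
    """Stand-alone score (equivalent to running the engine in front, with nothing before it)."""
    return score_behind(corpus, set(), engine_hits)


def adds_value(scorecard, max_false_positive_rate=0.05):
    """Question 6 and 7 in one check: catches something the incumbent missed,
    without exceeding an agreed false-positive budget (threshold is an assumption)."""
    return bool(scorecard.incremental_detections) and (
        scorecard.false_positive_rate <= max_false_positive_rate
    )


if __name__ == "__main__":
    incumbent = score_standalone(CORPUS, INCUMBENT_HITS)
    candidate = score_behind(CORPUS, INCUMBENT_HITS, CANDIDATE_HITS)
    print(f"incumbent stand-alone detection: {incumbent.detection_rate:.0%}, "
          f"FP rate: {incumbent.false_positive_rate:.0%}")
    print(f"candidate stand-alone detection: {candidate.detection_rate:.0%}, "
          f"FP rate: {candidate.false_positive_rate:.0%}")
    print(f"candidate behind incumbent: caught {sorted(candidate.incremental_detections)} "
          f"({candidate.incremental_rate:.0%} of what the incumbent missed)")
    print("adds value within FP budget:", adds_value(candidate))
```

On the constructed data the candidate detects 50% stand-alone versus the incumbent's 67%, which is the comparison a vendor trialling "in front" would show you; behind the incumbent it recovers one of the two misses (s05), but at a 33% false-positive rate, so `adds_value` rejects it under a 5% budget. Replace the sets with real verdict logs and the labelled corpus with your own samples, and the same two numbers (incremental detections and false-positive rate) are what you put in front of the vendor.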


Seeking protection against APTs? Learn everything you need to know about APT security, myths and realities to choose wisely! Download our whitepaper now:

Advanced Persistent Threats

George Yunaev

George Yunaev is a Senior Software Engineer at Bitdefender. He joined the company's OEM Technology Licensing Unit in 2008, after working at Kaspersky Lab for seven years. Aside from developing SDKs for various OEM solutions, George is also providing partners and prospects with useful insights into emerging threats and potential pitfalls of technology licensing. His extensive software engineering experience of 19 years also covers reverse-engineering and malware analysis. He is based in Silicon Valley, California, and enjoys traveling and active sports such as skydiving and wakeboarding.

Topics: Threats, OEM Business