CyberRatings.org Announces Test Results for Zscaler Zero Trust Exchange

Austin, TX – June 2, 2025 – CyberRatings.org (CyberRatings), the non-profit organization dedicated to providing insight into the capabilities of cybersecurity products and services through independent testing, has released additional results from its Security Service Edge (SSE) and Zero Trust Network Access (ZTNA) testing. This latest test focused on another leading product: Zscaler Zero Trust Exchange (ZTE).

Zscaler achieved a Security Effectiveness score of 100%, successfully blocking 100% of exploits, malware and evasions in the SSE test. The test report provides details on product performance across multiple threat categories, with scoring weighted by attack severity. The SSE evaluation covered:

  • TLS/SSL: Top 5 Ciphers used (accounts for ~97% of HTTPS traffic).
  • Malware: 6,184 attack samples sourced from current malware campaigns.
  • Exploits: 205 attack samples from widely exploited vulnerabilities in enterprise environments.
  • Evasions: 1,154 attacks spanning 37 evasion techniques.
  • False Positives: 1,514 samples from various business-critical files and applications, ensuring security measures did not disrupt legitimate traffic.

The ZTNA results confirmed that Zscaler demonstrated strong capabilities by effectively enforcing policies and managing access according to predefined rules, policies, and user roles, achieving 100% in all categories tested. The ZTNA test covered:

  • Authentication & Identity
  • Routing & Access Control
  • Resource Access (Zero Trust Network Access capabilities)
  • TLS/SSL Support

Of the SSE test criteria, meeting the threshold of blocking evasions had the most impact on scores.  Evasion techniques are used by attackers to disguise or obfuscate attacks so that they bypass detection. SSE products must not be tricked by evasions—failure exposes organizations to entire classes of undetected threats. Zscaler scored 100% in blocking all 1,154 evasion attempts.

Security Service Edge is a complex multi-layered security technology built on top of complex, ever-changing cloud technologies. Customers have minimal visibility into their operation and architecture, and testing is challenging. This double-layered opacity limits an organization’s ability to diagnose performance issues, fine-tune policy enforcement, or validate security outcomes.

“The only way to know if an SSE offering works properly is to test it,” said Vikram Phatak, CEO of CyberRatings.org. “Our test determined that Zscaler provides exceptional security effectiveness and strong coverage across a wide variety of threat categories.”

CyberRatings is on track to test several other SSE vendors for Threat Protection along with a Comparative Report to be published this summer.

In addition to in-house testing technologies, CyberRatings used Keysight’s CyPerf tool to test performance and TLS/SSL functionality as well as TeraPackets’ Threat Replayer tool for exploit packet capture replay.

CyberRatings.org Announces Test Results for Fortinet Unified Secure Access Service Edge (FortiSASE)

Austin, TX – December 4, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of Fortinet Unified Secure Access Service Edge (FortiSASE).

The FortiSASE was tested for Security Service Edge (SSE) Threat Protection, and measured on how it defended against 205 exploits, 7,140 wild malware samples and whether any of 1,124 evasions could bypass its protection. The product was also tested on how it handled TLS/SSL 1.2 and 1.3 cipher suites.

Threat actors apply evasion techniques to disguise and modify attacks to avoid detection by security products. Therefore, it is imperative that an SSE correctly handles evasions. An attacker can bypass protection if an SSE fails to detect a single form of evasion. Fortinet resisted 1,124 out of 1,124 evasions.

FortiSASE received a “AAA” rating after achieving a 98.53% Protection Rate for blocking 99.02% of Exploits, 99.50% of Malware and 100% of Evasions. TLS/SSL Functionality scored at 100%.

The combined measurements to determine the overall Protection Rate also included false positives, which is a key to correctly identifying and allowing legitimate traffic while protecting against malware, exploits, and phishing attacks. False positive tests assessed Fortinet’s ability to block attacks while permitting legitimate traffic, achieving 100% for browsing and 99.83% for file downloads.

FortiSASE also received a “AAA” rating for Zero Trust Network Access (ZTNA). Authentication & Identity were 100%, Resource Access achieved 100%, Routing & Policy Enforcement tested at 95% and TLS/SSL Functionality scored at 100%.

“Fortinet handled our variety of use cases with ease and demonstrated that they could block attacks under a wide range of conditions. Their offering should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

CyberRatings is on track to test several other SSE vendors for Threat Protection along with Software-Defined Wide Area Network (SD-WAN) and Zero Trust Network Access (ZTNA), bringing together the Secure Access Service Edge (SASE) package of test results to be published in the coming months.

Keysight provided its CyPerf tool to test performance and TLS/SSL functionality. TeraPackets provided its Threat Replayer tool for exploit packet capture replay.

Versa Security Service Edge (SSE) and Versa Zero Trust Network Access (ZTNA) Earn “AAA” ratings in CyberRatings.org SSE and ZTNA Tests

Austin, TX – October 24, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of Versa Security Service Edge (SSE) and Versa Zero Trust Network Access (ZTNA). Both products earned “AAA” ratings.

An SSE is a purpose-built cloud platform of integrated network security services designed to facilitate secure business use of the Internet. Versa’s SSE achieved an overall 99.96% Protection Rate for blocking 100% of Exploits, 99.96% of Malware and 100% of Evasions. The product was thoroughly tested to determine how it handled TLS/SSL 1.2 and 1.3 cipher suites.

Threat actors apply evasion techniques to disguise and modify attacks to avoid detection by security products. Therefore, it is imperative that an SSE correctly handles evasions. An attacker can bypass protection if an SSE fails to detect a single form of evasion. Versa resisted 1,124 out of 1,124 evasions.

The combined measurements to determine the overall Protection Rate also included false positives, which is a key to correctly identifying and allowing legitimate traffic while protecting against malware, exploits, and phishing attacks. False positive tests assessed Versa’s ability to block attacks while permitting legitimate traffic, achieving 99.72% for browsing and 99.2.0% for file downloads without any false positive events being encountered.

Versa’s ZTNA was tested to determine how it handled authentication and identity, managed resource access, processed routing and policy enforcement, and if it supported TLS/SSL 1.2 and 1.3 cipher suites. In all four cases, the ZTNA achieved 100%.

“Versa handled our variety of use cases with ease and demonstrated that they could block attacks under a wide range of conditions. Their offering should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

CyberRatings is testing several other SSE and ZTNA vendors this year along with Software-Defined Wide Area Network (SD-WAN), bringing together the Secure Access Service Edge (SASE) package of test results to be published in the coming months.

Keysight provided its CyPerf tool to test performance, TLS/SSL functionality, stability and impairment. TeraPackets provided their Threat Replayer tool for packet capture replay.

The in-depth test reports are available at CyberRatings.org.

CyberRatings.org Publishes Security Service Edge (SSE) “Mini-Test” Results Designed to Answer One Question: Are They Secure by Default?

Austin, TX – October 3, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has published its first “Mini-Test.” This Mini-Test for Security Service Edge (SSE) products was focused on answering the question, “How secure are users if they rely on the vendors’ default configurations?” Tests showed four SSE products blocked between 89.90% and 96.74% of malware downloads, but three failed to block any malware at all (i.e. 0%).

“For products whose default configurations offered 0% protection, we made minor configuration changes to determine how much the protection could improve,” said Vikram Phatak, CEO of CyberRatings.org. “With those changes, we were able to achieve over 90% block rate on average. For products that offered effective defaults, no further adjustments were made.”

Research indicates that most customers expect cybersecurity vendors to ship with a high level of protection enabled by default. CISA states: “‘Secure-by-Default’ means products are resilient against prevalent exploitation techniques out of the box without additional charge. These products protect against the most prevalent threats and vulnerabilities without end-users having to take additional steps to secure them. Secure-by-Default products are designed to make customers acutely aware that when they deviate from safe defaults, they are increasing the likelihood of compromise unless they implement additional compensating controls.”

SSE solutions are a subset of Secure Access Service Edge (SASE) that focus primarily on security services delivered through the cloud. SSE encompasses critical security functions such as Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), and Zero Trust Network Access (ZTNA), which work together to protect users, devices, and applications across distributed networks. SSE solutions improve flexibility and scalability, enabling enterprises to enforce security policies regardless of user location or device. SSE is particularly beneficial for organizations with a remote or hybrid workforce, as it provides consistent protection against threats, controls access to cloud services and ensures data security without relying on traditional network boundaries.

While some SSEs offer moderate malware protection by default, others do not. End-users should verify the security level their organizations require and assess whether the vendor’s default configuration meets their needs. If it does not, it is advisable to implement the vendor’s recommended configurations for an optimized solution. It should not be assumed that any vendor solution will be secure by default. 

Key Findings:

  • The level of security offered by default varies greatly across SSE vendors. Three out of seven SSE vendors tested offered no security by default.
  • In some cases, minor changes from a vendor’s supplied default configuration dramatically improved the security posture of an SSE solution. We observed improvements in malware blocking from 0% to >90% on average.
  • SSE customers should not assume any level of security by default without verification.
  • SSE customers should understand where the SSE they use stands by default, and whether that default offers the required level of security for their environment.
  • SSE customers should be aware of the potential default options and their implications during any guided setup offered, which may not provide the required level of security. This can be a risk when leveraging non-technical staff for initial setup and configuration.

Further details can be found in the report at CyberRatings.org.

Keysight provides technology and support for CyberRatings testing programs.

Zscaler Zero Trust Exchange Earns “AAA” Rating in CyberRatings.org Security Service Edge Threat Protection Test.

Austin, TX – June 11, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has completed an independent test of Zscaler’s Zero Trust Exchange Security Service Edge (SSE). An SSE is a purpose-built cloud platform of integrated network security services designed to facilitate secure business use of the Internet. Zscaler received a “AAA” rating for Security Service Edge after achieving a 98.0% Protection Rate for blocking 98.05% of Exploits, 99.93% of Malware and 100% of Evasions.

The product was subjected to thorough testing using both clear text and encrypted traffic to provide a more realistic rating based on modern network traffic. Zscaler’s Zero Trust Exchange was measured against how it defended against 205 exploits, 7,140 malware samples and whether any of 1,124 evasions could bypass its protection using clear text and TLS/SSL 1.2 and 1.3 cipher suites.

Threat actors apply evasion techniques to disguise and modify attacks to avoid detection by security products. Therefore, it is imperative that an SSE correctly handles evasions. An attacker can bypass protection if an SSE fails to detect a single form of evasion. Zscaler resisted 1,124 out of 1,124 evasions.

The combined measurements to determine the overall Protection Rate also included false positives, which is a key to correctly identifying and allowing legitimate traffic while protecting against malware, exploits, and phishing attacks. False positive tests assessed Zscaler’s ability to block attacks while permitting legitimate traffic, achieving 99.86% for browsing and 96.85% for file downloads.

“Zscaler handled all use cases with ease and demonstrated that they could block attacks under a wide variety of conditions. Their offering should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

CyberRatings is on track to test several other SSE vendors this year for Threat Protection along with Software-Defined Wide Area Network (SD-WAN) and Zero Trust Network Access (ZTNA), bringing together the Secure Access Service Edge (SASE) package of test results later in the year.

SSE Success and Missteps: Implementing Security Service Edge

Today, we dive into the real-world implications of Security Service Edge (SSE) implementations – the victories and the challenges. SSE, a paradigm shift from traditional security models to cloud-based solutions, carries its unique set of complexities. Through these anonymized case studies, we highlight the critical role of verification in SSE deployments.

Company 1: The Success Story

Background: A large retail corporation, with a sprawling network of online and physical stores, transitioned to SSE to streamline their security operations and data protection.

Implementation: The company meticulously planned their SSE deployment, emphasizing extensive third-party verification at each stage. They prioritized the integration of Access Control, Data Loss Prevention (DLP), and Malware Protection, considering their vast customer data.

Outcome: The SSE implementation was a resounding success. The retail giant witnessed a significant decrease in security incidents. Their advanced DLP measures successfully thwarted potential data breaches, and Access Control efficiently managed employee and customer access, aligning with their Zero Trust Network Access (ZTNA) policy. The robust verification process was key in ensuring the SSE solution’s effectiveness.

Company 2: The Learning Curve

Background: An emerging FinTech startup adopted SSE to bolster their security posture. Eager to leverage the cloud’s operational benefits, they rapidly deployed an SSE solution.

Challenges: The startup overlooked critical aspects of SSE implementation, particularly in configuring Encryption (TLS/SSL) standards and Resistance to Evasions. Their haste led to gaps in their security model, making them vulnerable to advanced cyber threats.

Turning Point: After experiencing a security incident involving evasion techniques, the startup sought third-party verification. The review identified weaknesses in their configuration and provided actionable recommendations.

Outcome: Post-verification, the startup enhanced its SSE implementation, focusing on robust encryption standards and evasion detection. This pivot not only fortified their defenses but also served as a valuable lesson in the importance of thorough verification before and after SSE deployment.

Key Takeaways

  1. Verification is Vital: Both case studies underscore the necessity of third-party verification in SSE deployments. While the retail corporation’s proactive approach in verification led to a secure and efficient SSE system, the FinTech startup’s initial oversight highlighted the risks of inadequate verification.
  2. Tailored Configuration: SSE solutions must be tailored to the specific needs of an organization. The retail corporation’s success was partly due to their customized approach, aligning SSE functionalities with their business model and risk profile.
  3. Continuous Monitoring and Improvement: The FinTech startup’s experience reminds us that cybersecurity is a continuous journey. Regular assessments and updates are crucial in maintaining a robust defense, especially in the ever-evolving landscape of cloud security.
  4. Educate and Engage: Both organizations learned the importance of educating their teams about the nuances of SSE. Comprehensive training and engagement at all levels ensure better implementation and response to security incidents.

Conclusion

These case studies offer valuable lessons in the implementation of SSE. The success of an SSE deployment is not just in its technological capabilities but also in the strategy behind its adoption, including comprehensive planning, verification, and continuous improvement. As we navigate the complexities of cloud-based security, let’s remember the significance of a well-thought-out approach to SSE implementation.

Stay secure and informed.

CyberRatings.org Announces “Spot Check” for Security Service Edge (SSE).

Austin, TX – January 31, 2024 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has launched “Spot Check,” a verification of Security Service Edge (SSE) Threat Protection to help enterprises answer the question, “How do you know?”

Cloud-delivered security such as SSE provides users with seamless secure access to applications and data regardless of location. Because it is a cloud technology, organizations are no longer burdened with day-to-day operational management. However, since a third party is now delivering security, oversight is key. This involves:

  • Ensuring the SSE provider maintains the system effectively.
  • Assessing the impact of policy changes on security.
  • Measuring the effectiveness of the SSE solution within the organization’s security framework.

“Oftentimes cybersecurity is a black box; and SSE is a black box in a black box,” said Vikram Phatak, CEO of CyberRatings.org. “How do they know that their SSE is defending against the latest threats, or their policy modifications aren’t adversely impacting their security?” adds Phatak.

SSE solutions leverage the cloud’s scalability, flexibility, and operational benefits to deliver security – Access Control, Authentication and Identity, Data Loss Prevention (DLP), DNS Protection, Encryption (TLS/SSL), Exploit Detection and Prevention, Malware and Phishing Protection (including via Browser Isolation), Cloud Access / Application Control (CASB), and the ability to implement Zero Trust Network Access (ZTNA). It’s a lot harder to test SSE than traditional network security products, and many enterprises don’t have the time or expertise to build a test environment.

What will be tested:

  • Cipher Suite Support: Which cipher suites are supported?
  • False Positive Rate: What is the rate at which the SSE blocks legitimate traffic?
  • Exploits & Malware Delivered Over HTTP: What is the rate at which exploits & malware delivered over HTTP are blocked?
  • Exploits & Malware Delivered Over HTTPS: What is the rate at which exploits & malware delivered over HTTPS are blocked?
  • Evasions: Threat actors use evasion techniques to disguise and modify attacks at the point of delivery to avoid detection by security products. Which ones can be used to bypass protection?

“Spot Check” operates as a virtual employee that is added to the SSE policy being used by an organization. Using the customer’s SSE configuration and CyberRatings’ live network and targets of exploits, malware downloads and evasions, the testing service provides an independent evaluation of SSE solutions, verifying that they are delivering on their promise of protection.

CyberRatings Members with a Premium Membership will receive one free “Spot Check” annually.

CyberRatings has an active test program in 2024 with group test results on Cloud Network Firewall to be announced in early February. Test programs are also currently underway for SD-WAN, SSE Threat Protection, ZTNA, and Enterprise Firewall.

What is Security Service Edge (SSE)?

In the ever-evolving cybersecurity landscape, Security Service Edge (SSE) has emerged as a pivotal component, especially in the context of Zero Trust architectures. Let’s dive into what SSE is, understand why it’s increasingly relevant in today’s cloud-centric world, and its integral role in supporting Zero Trust Network Access (ZTNA).

SSE in the Cloud Era

The shift from traditional, on-premises security models to cloud-based solutions has been a significant evolutionary step in cybersecurity. Driven by the increasing reliance on cloud services, remote workforces, and the strategic shift to cost-effective operations, this transition necessitates a more flexible and comprehensive approach to security.

Technical Overview of SSE

SSE, as part of the Secure Access Service Edge (SASE) framework, offers an array of security functions vital for cloud environments:

  1. Access Control: Manages who can access network resources, ensuring that only authorized users and devices gain entry.
  2. Authentication: Verifies user and device identities, serving as a gatekeeper for accessing network resources.
  3. Identity Management: Integrates with third-party services like Okta, Ping, and Microsoft AD, managing user identities and permissions.
  4. Data Loss Prevention (DLP): Protects sensitive data from unauthorized access and breaches.
  5. DNS Protection: Secures against threats exploiting Domain Name System vulnerabilities.
  6. Encryption (TLS/SSL): Encrypts data in transit, ensuring secure communication over the internet.
  7. Threat Protection: Defends against exploits and malware, two critical and pervasive cyber threats.

SSE and Zero Trust Network Access

The Zero Trust model, predicated on the principle of “never trust, always verify,” aligns perfectly with SSE’s capabilities. Zero Trust Network Access (ZTNA) is a security solution that provides secure remote access to applications and services based on defined access control policies. SSE’s integration of Access Control, Authentication, Identity Management, along with its advanced threat protection and DLP capabilities, forms a strong foundation for implementing ZTNA.

By incorporating these elements, SSE facilitates a Zero Trust approach where access is strictly controlled and monitored based on user identity and context. This ensures that users have the necessary permissions and that their activities are continuously authenticated, authorized, and encrypted.

Conclusion

In conclusion, SSE is more than just a set of security tools; it represents a comprehensive approach that is crucial for adapting to the cloud-based, digitally transformed era. Its role in supporting Zero Trust Network Access further underscores its significance in today’s cybersecurity landscape. Understanding and effectively implementing SSE is key to maintaining robust and flexible security postures, especially as organizations navigate the complexities of modern digital environments and the challenges they pose. With its integration of essential security functionalities and support for Zero Trust principles, SSE is at the forefront of evolving cybersecurity strategies, ensuring organizations can confidently and securely operate in the cloud era.

CyberRatings.org Announces SD-WAN Test Results for Fortinet

Austin, TX – October 3, 2023 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has issued a Recommended Rating for Fortinet’s Software-Defined Wide Area Network (SD-WAN) Fortigate 100F model as a high availability pair at the head-end, along with Fortigate 70F models at corporate headquarters, a regional office, and a retail outlet. A product with the “Recommended” rating has the highest rating assigned by CyberRatings.

SD-WAN technology helps organizations achieve operational savings by enabling remote configuration of new locations rather than requiring engineers to be on site. Many vendors, such as Fortinet, offer zero-touch provisioning, where on-site engineering expertise is optional other than the ability to power up the device and connect to the appropriate internal and external links. Once online, the device will call “home” through a cloud configuration service to gather the configuration details.

An SD-WAN offers traditional routing and policy control features including basic application identification, policy controls, stateful network controls and a virtual private network (VPN). It prioritizes applications, has remote configuration capabilities and should have a predictable performance experience for users. SD-WANs have highly resilient remote office connectivity.

To assess the SD-WAN, the traffic content, throughput, transport, and impairments were tailored for each use case to provide insight into how the SD-WAN would perform under various conditions. Management, routing and stateful access control, encryption, application identification and prioritization, WAN maximum capacity, stability and reliability, and rated throughput were all rigorously tested.

“The Fortinet SD-WAN handled all use cases with ease and proved to be highly reliable and capable. It should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

SD-WAN is a component of the Secure Access Service Edge (SASE) security model, which integrates multiple security services in a cloud-native platform. The SD-WAN report published today by CyberRatings is part of the independent, third-party testing program that CyberRatings provides to the industry at large.

In addition, CyberRatings and MEF, a global industry association of network, cloud, security and technology providers, signed an agreement in August to launch a new SASE Certification Program for MEF technology and service provider members worldwide. The SASE certification program, based upon CyberRatings’ methodologies and test programs, will issue a rating on product and service effectiveness of SD-WAN, Security Service Edge (SSE Threat Protection), Zero Trust Network Access (ZTNA) and SASE. Participants in the beta program were announced today.

CyberRatings members can read Fortinet’s SD-WAN report here.

CyberRatings.org Announces Zero Trust Network Access (ZTNA) Test Results for Versa Networks

Austin, TX – August 09, 2023 – CyberRatings.org (CyberRatings), the non-profit entity dedicated to providing confidence in cybersecurity products and services through its research and testing programs, has issued a Recommended Rating for Versa Networks Zero Trust Network Access (ZTNA) solution.

CyberRatings tested Versa’s ZTNA across multiple use cases to determine how it handled authentication and identity, resource access, routing, policy enforcement, and TLS/SSL 1.2 and 1.3 cipher suites. Both clear text and encrypted traffic were measured for performance. For this test, CyberRatings tested up to 1 Gbps.

Zero Trust is a security model that replaces legacy models that assume anything inside a network is safe. Trust should never be assumed, and access is granted on a least-privileged basis.

ZTNA offerings help IT teams implement Zero Trust principles. They are based on a user-to-application model and provide secure granular access to internal applications and resources for remote users and devices based on identity, context, and policy. As a result, ZTNA is gaining popularity as a solution that can protect networks from today’s threats, especially as multi-cloud use and remote work continue to decentralize IT infrastructure and dissolve the traditional network perimeter.

ZTNA is a component of the Secure Access Service Edge (SASE) security model, which integrates multiple security services in a cloud-native platform.

“Versa’s ZTNA handled all use cases with ease and proved to be highly consistent and reliable. Their offering should be on everyone’s short list,” said Vikram Phatak, CEO of CyberRatings.org.

CyberRatings is kicking off a series of ZTNA tests and certifications. A recent announcement from CyberRatings and MEF, a global industry association of network, cloud, security and technology providers accelerating enterprise digital transformation, outlined a new Secure Access Service Edge (SASE) Certification Program for MEF technology and service provider members worldwide.  The Beta program will begin in August with testing and certification of SD-WAN, followed by SSE Threat Protection and ZTNA.  Once the Beta program is completed later this year, certification will be available to the MEF membership at large in Q1 2024.

CyberRatings members can read the report here.

Executives from CyberRatings are attending the Black Hat conference in Las Vegas. To connect, please write to info@cyberratings.org.