1. Can they thwart bad guys at all phases in the threat lifecycle?
Don’t forget that malware and APTs are not the same thing: malware is one tool, while an APT is an adversary running a campaign, and blocking a file does not end the campaign. Your adversaries begin with reconnaissance. Then they infiltrate your network using malware, stolen credentials, targeted phishing, exploitable vulnerabilities in exposed services or other methods. Once inside, they move laterally and open command and control (C2) channels. Then, almost always, they exfiltrate sensitive information. If a prospective vendor can only help you with one of these phases, work out what other measures you’ll need to cover the rest.
2. Are they an easy company to work with?
“Trusted advisor” is the relationship every vendor should be striving for, and some are better than others at achieving it. Be sure you’re working with someone who will be there for you before, during and well after your purchase decision … and not just at the end of the quarter when the next purchase order is due.
3. Are they innovating while embracing open standards?
Tomorrow it’ll be some other new thing. But today, one innovative tool security vendors should embrace is YARA, an open-source pattern-matching tool aimed at (but not limited to) helping malware researchers identify and classify malware samples. A YARA rule combines text strings, hex byte patterns with wildcards and variable-length jumps, and regular expressions under a boolean condition (offsets, file size, match counts, “any of”), so it can describe a malware family in ways a single regex or a Snort content match cannot. Fidelis Security has built YARA into its prevention-enabled real-time inspection technology, applying YARA rules to both unknown protocols and files in transit. This is particularly useful for customers who already run YARA against static files or RAM images: they can reuse the same rules in this new context.
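As an added illustration (not Fidelis code and not a rule from the original article), here is a hypothetical YARA rule of the kind that can be shared between a file scanner, a memory-image scanner and a network inspection engine. The byte pattern, URL shape and import names are constructed for illustration and do not describe any real malware family.

```yara
// Added example: a hypothetical dropper rule. The byte patterns and strings
// below are constructed for illustration and do not describe real malware.
rule Example_Dropper_With_Download_URL
{
    meta:
        description = "PE that embeds a download URL and a recognisable code stub"
        reference   = "added example for this article, not a vendor-supplied rule"

    strings:
        // Function prologue with a wildcarded stack-frame size and a jump of
        // 2 to 6 arbitrary bytes before a near call. A plain regex or a Snort
        // content match cannot express the wildcard and the bounded jump directly.
        $stub = { 55 8B EC 83 EC ?? 53 56 57 [2-6] E8 ?? ?? ?? ?? }

        // URL pointing at an executable, matched case-insensitively in both
        // ASCII and UTF-16 so one string covers Unicode string tables too.
        $url  = /https?:\/\/[a-z0-9.-]+\/[a-z0-9_\/.-]+\.(exe|dll)/ nocase ascii wide

        // Imports typically used to fetch and launch a second stage.
        $api1 = "URLDownloadToFileA" ascii
        $api2 = "WinExec" ascii
        $api3 = "CreateProcessA" ascii

    condition:
        uint16(0) == 0x5A4D      // "MZ" header: only evaluate PE files
        and filesize < 2MB       // skip large objects cheaply before string scanning
        and $stub
        and $url
        and 2 of ($api*)         // any two of the three imports is enough
}
```

The same file can be run with `yara -r rule.yar /path/to/samples` against a directory of files or with `yara rule.yar <pid>` against a running process. One caveat when reusing rules across contexts: `uint16(0)` and `filesize` assume the scanned object is a complete file starting at its first byte. If an engine hands the rule an arbitrary memory region or a partially reassembled network object, those anchored conditions will quietly never match, so confirm what the engine presents to the rule before trusting a rule written for static files elsewhere.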
4. Do they integrate with and complement other components in your information security stack?
We don’t live in a vacuum. Vendors all have to play nice, and you’ll be more successful when all of your security technologies work together as one solution. Make sure you invest in technologies with well-documented APIs that have been proven usable in practice, well-defined use cases for integration, and available integration services to help you make the most of those opportunities.
5. Do they feature a stellar research organization?
The threat landscape continues to move quickly, and unless you have a team of, say, a dozen passionate and knowledgeable security ninjas, you can’t keep up with these developments on your own. You’ll need a partner looking out for you, a partner with the research chops that are needed to be sure your defensive assets are equipped with the latest and most applicable knowledge about hacker behaviors and how to defeat them.
6. Do they offer a proven technology?
The advanced threat defense category is a relative newcomer to the security community, but third-party test results are already beginning to emerge. Has your vendor participated in these tests?
7. Do they offer tightly integrated technology and service offerings?
If a prospective vendor doesn’t have their own credible breach services organization, ask whom they partner with. All of the latest whiz-bang tech in the world won’t help you in a jam if you don’t have the smartest people in the business standing beside you.
8. Have they assembled a community of satisfied, fanatical customers?
No one is an island. It’s especially true lately that we need to improve the ways in which we collaborate. What is your vendor doing to facilitate the kind of communication and collaboration among its customers that will create the rising tide that lifts all boats?
9. Is their technology ‘just right,’ not overly mature and not too bleeding edge?
Despite the heading, this is not a Goldilocks question with a single right answer: one size does not fit all. You may be sophisticated enough (and sufficiently prominent as a target) to have an appetite for less mature technology. Others don’t have the resources for the leading edge and may see the latest technology as a risk in and of itself. How well do your vendors match up against your particular posture toward innovation?