CrowdStrike denied bid to block security report in legal challenge against "subversive" NSS Labs

Updated: CrowdStrike deemed NSS Labs' operations "unethical, illicit, and subversive," but the courts did not uphold this belief.
Written by Charlie Osborne, Contributing Writer

CrowdStrike has failed in a bid to prevent the NSS Labs endpoint security report from going public at RSA after a court in Delaware refused to side with the firm's arguments.

The CrowdStrike Falcon Host, which aims to combine "next-generation antivirus, endpoint detection and response and proactive features" to keep enterprise systems secure, is the product NSS Labs included in both public and private testing.

However, it is allegations of underhanded tactics and poor testing methods that are at the heart of the matter -- rather than the results themselves.

On February 10, CrowdStrike appealed to the Delaware courts to lay down a temporary restraining order and preliminary injunction which would block the release of the NSS Labs Advanced Endpoint Protection (AEP) group report, due to be showcased at the RSA 2017 conference in San Francisco this week.

According to court documents, the Delaware court disagreed with CrowdStrike's arguments for the restraining order. CrowdStrike said, among other things, that while a public and private test was performed by NSS Labs in a poor fashion, a "negative report shouted from the stage at the RSA Conference would damage" the firm's reputation, which would result in "irreparable harm."

In addition, CrowdStrike alleged that NSS Labs' report would expose trade secrets, which NSS Labs allegedly obtained during the private test and then used to conduct the public test.

However, the judge overseeing the claim said the court was "not convinced" this was the case, nor that NSS Labs failed to "maintain the confidentiality of CrowdStrike's data" in relation to their contract.

"The only colorable aspect of CrowdStrike's breach of contract claim is that NSS failed to return or destroy the Falcon software after termination of the Private Agreement," the documents state. "Even if CrowdStrike were likely to succeed on that aspect of their claim, however, such a breach would not warrant granting a temporary restraining order or preliminary injunction."

"It is a simple breach of contract claim that, if later proven, can be remedied with traditional monetary damages," the judge added.

On February 13, the Federal Court denied CrowdStrike's bid, allowing NSS Labs to go ahead and release the results of the endpoint tests.

In a blog post, NSS Labs said the company's mission is to "arm the public with the fact-based and objective information required to get secure and stay secure."

The endpoint security report, available to subscribers, analyzed the security of 13 vendors which offer endpoint protection solutions.

The vendors included in the report were Carbon Black, CrowdStrike, ESET, Fortinet, Invincea, Kaspersky, Malwarebytes, McAfee, SentinelOne, Sophos, Symantec, and Trend Micro.

Out of the 13, nine received a "Recommend" rating, one received "Security Recommended," one was "Neutral" and two were in "Caution."

The AEP report creates what NSS Labs calls a "Security Value Map" (SVM), which relates the value of a security investment, its effectiveness, and its cost of ownership to demonstrate the overall value of a security solution for clients.

While 11 products were granted an "above average" value, two were rated as having a "below average" value -- one of which was CrowdStrike's Falcon platform.

According to the subscription-only report, obtained by ZDNet, the Falcon Host received an overall security effectiveness rating of 73.2 percent and a score of 99 percent for evasion techniques tested. After what NSS Labs calls "initial tuning," the company's solution did not alert on false positives during testing.

As a result, the CrowdStrike Falcon Host received a "caution" rating, alongside Malwarebytes, which only gained an overall security effectiveness rating of 57.9 percent.

NSS Labs says that there are no fees for participating, and the test methodology, available to read online, "is in the public domain to provide transparency and help enterprises understand the factors behind the results."

"The 'no fee for participation' and 'public domain' are part of NSS Labs' commitment to provide empirical data and objective group test results that will enable security organizations [to] make educated decisions about purchasing and optimizing security infrastructure products and services," the cybersecurity firm says.

However, it appears that CrowdStrike is less than impressed, based on the firm's subsequent blog post.

CrowdStrike's lawsuit against NSS Labs in a US Federal District Court was pursued in order to "hold it accountable for unlawfully accessing our software, breaching our contract, pirating our software, and improper security testing."

The company says that regardless of the test results, CrowdStrike is "making a stand against what we believe to be unlawful conduct."

According to CrowdStrike, the earlier injunction was filed after the relationship between the firm and NSS Labs soured. Although the two companies originally worked together in April 2016 to include Falcon in the private tests, CrowdStrike became concerned with NSS Labs' methodologies.

CrowdStrike calls the testing procedures "deeply flawed," claiming NSS Labs made a number of "basic errors" such as "labeling legitimate software such as Firefox, Skype, and Java, digitally signed by vendors, as malicious."

This, in turn, left CrowdStrike less than confident, and after an additional round of testing failed to resolve the issue, the firm attempted to withdraw from the testing altogether.

"After explicitly telling NSS on multiple occasions that they were prohibited from using our software for public testing, they colluded with a reseller and engaged in a sham transaction to access our software to conduct the testing," the firm says. "In doing so, NSS breached their contract with CrowdStrike, violated our end user licensing agreement (EULA), misappropriated our intellectual property, and improperly used credentials."

The "sham transaction" took place, CrowdStrike claims, as an unauthorized user account associated with a reseller, David Thomason, was used for the tests -- however, once the company caught wind of this, it suspended access.

CrowdStrike believes this restriction will render any tests NSS performed "incomplete and materially flawed."

"We believe the actions of NSS are detrimental to the security industry and they need to be held accountable," CrowdStrike says. "We reject the unethical, illicit, and subversive way that NSS does business and the harm it brings to our industry, security research, and most of all, the users of security technologies."

"To be crystal clear, the results of the report are unknown to us at this time and irrelevant, we are suing NSS because of their illicit activity, breach of contract and misappropriation of our intellectual property," the company added.

In response, Vikram Phatak, CEO of NSS Labs, said in a statement that there is little the security firm can say, and "whether or not it is their intent, their suit has the effect of keeping us from debating the facts publicly."

"We obviously disagree and are disappointed with Crowdstrike's characterization of NSS as portrayed in their recent blog post," Phatak commented. "We would direct you to the AEP Group Test findings we published this morning. And as far as Crowdstrike's suit against NSS, we believe the judge's ruling and memorandum speak for themselves."

In a statement to ZDNet, Marcin Kleczynski, CEO and co-founder of Malwarebytes, commented:

"Malwarebytes does not endorse the test results by NSS Labs as we believe the testing methodology is severely flawed. We were contacted by NSS several months ago to participate in this test to the tune of tens of thousands of dollars. Our results were downgraded because the testbed of 'malware' contained Microsoft and Malwarebytes built programs. Put simply, NSS Labs wanted us to detect our own intellectual property as malicious."

Update 16.2.2017:

CrowdStrike has released an update in response to the NSS Labs report, emphasizing that the Falcon Host platform was the only one labeled "incomplete."

The company says that, based on a review of the test telemetry and audit logs, NSS Labs turned off Falcon's prevention settings "during the entire test period," and "as a result of the failure to turn on prevention, the report's conclusions about the total cost of ownership, the blocking of malware, exploit mitigation, and blended threat prevention are simply false."

"Taken in total, NSS's failure to conduct the most basic of fact checking during the private testing and the well-publicized history of problems with NSS testing ultimately gave us no confidence that NSS Labs could conduct accurate testing of our security products," CrowdStrike says. "Therefore, we declined to participate in the public test."
