Real-World Testing to Inform Your NGFW Buying Decision

We’re excited to share with you the latest NSS Labs NGFW test results. In the most rigorous independent NGFW testing to date, Cisco outperformed eight competitors in security effectiveness, blocking 100% of evasions and surpassing four vendors by over 50 points. You can download the reports to get the details. For the fourth year in a row, Cisco Firepower NGFW earned a “Recommended” rating from NSS Labs.

The NSS evaluation underscores three things you should consider when selecting an NGFW.

1. Blocking Evasions

The first is why blocking evasions matters. A 100% block rate for evasions means that you are protected against stealthy attacks that slip through other vendors’ NGFWs. NSS Labs described the implications of failing to detect an evasion best:

“…it allows an attacker to use an entire class of exploits for which the device is assumed to have protection. This renders the device virtually useless.”

All it takes is one successful evasion for attackers to infiltrate your network and gain a huge advantage. Cisco was one of only two vendors, out of the ten evaluated, to prevent adversaries from using evasion techniques to disguise attacks at the point of delivery.

Some vendors did poorly at blocking evasions—to the point that NSS Labs would not recommend their NGFWs. They could only block the evasions upon retesting, after fixing the weaknesses exposed by the first test.

Which vendors are best prepared? One that got it right the first time, or one that required retesting to fix its weaknesses? Which would you like working for you? As we all know, in the real world there are no second chances when blocking threats. One evasion can pose serious risk to your business.

It’s imperative to validate security buying decisions using real-world tests that demonstrate how a solution performs when it’s protecting your environment. Quadrant or wave positions are just data points – incomplete unless paired with actual product testing.

2. Consistency of Performance

The second consideration is consistency of performance. While it’s great to score well in any given test, strong performance year after year is what counts most, as shown in the graphic below of Cisco’s performance over the past seven years. Note that the dotted lines are test averages of all participating vendors.

Cisco delivers investment protection with consistently strong results in independent testing. Note: the majority of the products in the 2017 NGFW test failed to detect one or more evasions. The impact of missed evasions weighed heavily on the overall scoring for security effectiveness, which explains the considerable drop in the test average.

When you select an NGFW that not only performs well on Day 1, but on Day 100 and Day 1000, it means you can confidently:

  • Keep pace with evolving threats. As security needs and threats evolve over time, you can count on Cisco Firepower NGFW to provide consistent protection and performance.
  • Make informed buying decisions judged by historical performance, where you compare vendor track records over time.

3. Time to Detection

When threats slip through frontline defenses, time to detection of malware is a critical security metric. It is the window between the first observation of a file and detection of that file as a threat. We all know that adversaries can wreak more havoc the longer they remain undetected, so we must reduce their dwell time. The current, and candidly unacceptable, industry average for the time it takes to detect a breach is over 100 days.

In recent Breach Detection Systems testing, also performed by NSS Labs, Cisco products, including Firepower NGIPS and Advanced Malware Protection (AMP), detected 100 percent of the tested breaches within 24 hours. Plus, Cisco performed significantly better than its competitors, detecting the vast majority of breaches within minutes. This matters because it reduces adversaries’ dwell time – and the risk to your organization. We have been tracking our Time to Detection progress since late 2014. In less than two years, Cisco has dropped the median TTD from 50 hours to 15 hours, and now to about nine hours. We continue to make progress integrating Cisco’s security architecture – including AMP across our network, endpoint and cloud security products. We will update you again on our efforts to reduce Time to Detection through the Cisco 2017 Midyear Cybersecurity Report, to be published later this summer.

To sum up, today’s digital enterprises depend on effective security and Cisco delivers – AGAIN. The independent NSS Labs NGFW evaluation should give you great confidence that you have the best solution of its kind – whether you’re already a Cisco Firepower NGFW customer, or considering your next firewall. And beyond the firewall, only Cisco’s security architecture enables you to change the security equation in your favor, making your security posture more effective now and in the future.
Jason Lamar

Senior Director

Security Product Management Group