NSS Labs fires back at CrowdStrike over endpoint security test

NSS Labs CEO Vikram Phatak accuses CrowdStrike of putting customers' cybersecurity at risk

Security testing lab NSS Labs has accused CrowdStrike of jeopardising its customers' cybersecurity protection in the latest installment of their public spat over an endpoint security test.

Last month CrowdStrike tried and failed to obtain an injunction stopping NSS Labs publishing the results of its endpoint security test, claiming the testing house unlawfully acquired its software and has an "unethical" testing methodology.

NSS Labs remained tight-lipped on the matter, publishing its report on 15 February but offering no response to CrowdStrike's claims other than to say that a court battle is continuing.

NSS Labs CEO Vikram Phatak has now opened up on the matter in a blog post on the NSS website - addressing CrowdStrike's complaints individually and accusing it of not taking its poor test results seriously.

CrowdStrike scored lower than a number of its competitors in NSS Labs' test.

"We are disappointed that in the weeks since the AEP [advanced end-point] group test was published, CrowdStrike has not reached out to NSS to understand the attacks and evasions they missed," he said.

"Instead, they have made a concerted effort to obfuscate and divert attention away from their test results - vilifying NSS in an effort to justify their actions.

"The question the people should be asking is, 'Do CrowdStrike's actions serve the public interest? Do they help make their customers safer?'"

Phatak went on to address the individual accusations that CrowdStrike made, including claims that NSS Labs asked for payment from CrowdStrike to be in the test, and that it included test results based on incomplete tests.

Phatak vehemently denied that NSS Labs demanded money from CrowdStrike, saying "the entire test is done on our dime", and said CrowdStrike does not have the right to excuse itself from public testing.

"Participation in an NSS group test is not at the vendor's discretion," he said.

"If you are an identified market leader, or if our enterprise clients want to see your products tested, then we will test them.

"It is always worrying when a vendor is resistant to having its product tested. We have found it to be a reliable indicator the vendor knows something is not working as well as it should."

CrowdStrike had not responded to CRN's request for comment at the time of publication.

At the end of the blog Phatak seemingly held out an olive branch to CrowdStrike by offering to help it address "problems" in its solution.

"We sincerely hope CrowdStrike executives will begin to take the results of this test seriously and move quickly to protect their customers," he concluded.

"As ever, NSS is more than willing to work with any vendor to identify and fix problems and help make our networks and computers safer.

"Further, if/when CrowdStrike fixes its product, we will try to test it and publish the results. Until that happens, we are also happy to work with CrowdStrike customers to help minimise their risk as far as possible given the current limitations of the product."

Updated 8 March 2017

Since publication, CrowdStrike has sent over a statement in response to NSS Labs' blog:

"We are aware that NSS Labs - a pay-for-play, for-profit business - published a blog on 2 March relating to the legal action we initiated against them on 10 February and the blogs we published the week of 12 February. As they state at the end of the third paragraph of their recent post, 'unfortunately, nothing has changed'.