Perimeter security strategies need to be revised

Apr 16, 2015 12:13 GMT  ·  By
Post-infection detection should be part of a company's defense arsenal

Infected devices behind a company’s protected network can still communicate with the outside without being detected, despite properly configured perimeter defenses, according to the results of a recent study.

The research spanned 90 days and gathered information from a total of 61.9 billion communication streams originating from the networks of Fortune 2000 enterprises in North America, where 800,000 Seculert client devices were present.

Gateway and SIEM security defenses do not block all malicious contact

Conducted by Seculert, a security company specialized in automated breach detection, the experiment revealed that compromised devices inside the organizations generated about 3 million communications, of which only 87% were blocked by gateway solutions from different vendors, meaning that 13% of them were able to reach the intended destination.

The security researchers note that each enterprise whose outbound communication was monitored was protected by a secure gateway and/or an advanced firewall solution, as well as IPS (intrusion prevention system) and SIEM (security information and event management) products.

The security level was also increased by the availability of a fully functioning protection suite on endpoint systems.

Among the gateway solutions observed during the research were products from Blue Coat, Fortinet, McAfee, Palo Alto Networks, Websense, and Zscaler.

As for the SIEM software and services present, these came from HP (ArcSight), IBM (QRadar), Splunk, RSA, TIBCO (LogLogic), LogRhythm, and McAfee.

400,000 communication streams bypass security solutions

According to the report, the gateway that recorded the best results in preventing communication from the infected devices still permitted 15% of those devices to reach the malicious command and control (C&C) server.

Furthermore, three of the gateways allowed more than 90% of the devices to perform malicious communication.

The findings revealed that about 2% of the devices in the organizations were compromised by malware, and almost 400,000 of the interactions they generated went undetected, delivering different types of data to threat actors.

“These results point to one clear issue: current generation prevention systems, even when they are well run, cannot provide complete protection in the current threat landscape. CISOs need to ‘think different’ about their entire security strategy and begin augmenting their existing perimeter security strategy with a comprehensive post-infection detection solution,” said Dudi Matot, Seculert CEO.

From the first malicious communication, companies were able to contain the breach in 17 days on average.

Breakdown of malicious communication allowed by secure gateways
