Real Data Does Not Lie – Existing Security Controls Are Failing

On April 15th, we participated in a very successful webinar with Dark Reading entitled “Why Bad Security Breaches Keep Happening To Good Organizations”. During the back and forth between the two speakers, we took a poll of the attendees, asking them the following question:

Which applications do you think are currently running in your organization’s IT environment? Attendees were able to select all that applied and the results of a total of 181 votes showed the following:
* P2P 43.6% (79)
* Google apps 73.5% (133)
* Anonymizers/proxies 33.7% (61)
* Unauthorized IM 56.4% (102)
* Encrypted tunneling apps (e.g. TOR) 43.6% (79)

In this case, the poll is a valuable tool for keeping audience members engaged, but polls often do not show all the data or tell the entire story.

Here’s why I say this. Our recently published Application Usage and Risk Report analyzed application traffic on more than 60 customer networks and the findings show very different numbers.
* P2P 92%
* Google apps 81%
* Anonymizers/proxies 81%
* Unauthorized IM 97% (to be fair, we did not ask if the use of IM is approved or not)
* Encrypted tunneling apps (e.g. TOR) 11%

Real data always tells a more complete story. What this report tells us is that enterprises collectively spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products, yet the data shows that these products are unable to control the application traffic traversing the network. Here are some of the key findings that support that conclusion.

* Applications are designed for accessibility. More than half of the nearly 500 unique applications found are “firewall friendly” in that they can hop from port to port, or use port 80 or port 443, as a means of simplifying end-user access.
* Users are actively circumventing security controls. Employees are going to the extreme measure of using external proxies (typically not endorsed by corporate IT), remote desktop access and encrypted tunnel applications to do what they want on the network.
* File sharing usage is rampant. Despite the known risks, employee use of P2P is rampant and browser-based file sharing has effectively doubled in use over the last 12 months.

What else did we find? We found more than 111 collaborative applications – social networking, email, webmail, IM, blogging – you name it, we found it. Many of these applications are beneficial. David Smith from Gartner comments in this SC Magazine article that “some applications enable users to more easily do their job”. Absolutely true. No question about it. But when employees use them without IT oversight and the associated security controls, the company is exposed to unnecessary business and security risks. Bill Brenner from CSO Magazine summarizes some of the risks in his article about the 4 Reasons Botnets are Hard to Fight.

You get the picture. I encourage you to read the executive summary, download the report or listen to a 10 minute overview here.

Check it out. Post a comment. The data does not lie.

2 Reader Comments

  1. I’m really surprised by the #s and don’t think most IT managers have a clue as to what is really happening on their network. Fact of the matter is, most appliance-based control solutions are long on control features and lacking in true report visibility. For example, the one IT guy who said “Websense blocks all P2P activity” yet we showed him several instances where P2P activity was still active under the WS radar screen.

    Indeed, real data does not lie. Real data however, isn’t all data and to get that real data comes an expensive price tag and many promises. Moreover, real data isn’t so much the problem. It’s missing data that still confronts everyone who buys an “all-in-one solution” and expects their problems to be solved. Signature-based or content-based controls are attempting to do what anti-virus vendors cannot: stop dynamic content on the fly. Patents, features and promises aside, someone –a person– has to make a decision about everything on their network. Most IT managers, based on my experience, don’t have the time or resources at their disposal to know what’s really happening. If they did, why are these applications still there?

  2. mkeil

    Great question, Scott. I think that one reason they still exist on the network is exactly as you state. They had no idea. Our customers are using the product as a means to first learn what is on the network, then use that data to make more informed decisions. The era of blocking any strange application is gone. IT can’t do that without user and/or executive backlash. Deciding what to do with applications like P2P and external proxies is an easy one. However, deciding what to do with IM, or streaming media, is more of a balancing act. One is a productivity tool; the other may help improve morale.

    Case in point. We had one customer who put our box in, started blocking many of the applications found, and the influx of help desk calls was so great that they decided to increase their BW pipe AND then re-write their application usage policies around the use of these applications – making it more of a perk. They allow the applications and then scan them for threats. It is a win-win scenario.

    Thanks for reading.
