It was almost exactly ten years ago that U.S. Counter Terrorism Advisor Richard Clarke stood before the Congressional committee investigating the 9/11 attacks and uttered the famous phrase, “Your government failed you. Those entrusted with protecting you failed you. And, I failed you.” It was a seminal moment in America’s processing of the tragedy of 9/11 because an adult stood up and declared himself to be accountable.
I have to admit I sometimes wish the cyber-security industry would admit similar accountability. The fact of the matter is that this $71 billion industry IS failing to protect us from the cyber-threats we now face each day. To be clear, I’m not pointing the finger at any single vendor or its products, but merely observing that, in aggregate, our security strategies are not succeeding when they most need to. There are a number of issues with our strategies and today I want to illuminate just one of them.
We recently investigated a particular protection security strategy used by our customers and what we found is pretty startling. Most Seculert customers have a complete suite of prevention products and cyber security services in place including next generation firewalls, IPS systems, the relatively new breach detection products, modern endpoint security, and secure web gateways. Because of where the Seculert automated breach detection platform lives in the malware kill chain, we can “see” the infections that manage to defeat the commonly used prevention and remediation measures.
Recently, I asked Seculert’s Research Lab to examine just one measure of the efficacy of these prevention and malware search (SIEM) systems. The Research Lab examined nearly three million malicious communications we’ve observed in the Seculert installed base to see what malware was getting onto our customers’ networks and how it behaved once it was installed. I won’t go into the details of exactly how the team in our Research Lab did this research or the detailed results (though we will in a subsequent blog), but at a high level what we found is:
- The average enterprise network has about 2% of its devices infected on any given day.
- The secure web gateways in place on these networks allow, on average, about 1/3 of these infected devices to communicate out to the perpetrators’ command and control servers, either to retrieve operating instructions or to expropriate data.
- The very best performing web gateway studied allowed 15% of the infected devices to communicate out. About half allowed more than 90% to do so.
- These particular enterprises also run very sophisticated SOC operations with current generation SIEMs. Even with these technical and human resources in place, the average time to identify and mitigate a new infection was nearly three weeks.
I have to point out here that Seculert’s customers tend to be large, well-funded, and sophisticated enterprises. These security systems aren’t failing to protect them because they are misconfigured or badly operated. They’re failing because the “prevention only” approach is fundamentally flawed and has proven itself incapable of providing complete protection. Even in those cases where a current generation SIEM is in place, the manual, labor-intensive “search” for malware does not appear capable of finding these infections quickly enough to prevent them from doing real damage.
I also have to point out that these results are not just a function of gateway device performance; it’s just that the gateway is the best point on the network from which to observe the performance of the overall prevention infrastructure. By the time a piece of malware circumvents a SWG, it has already defeated the NGFW, IPS, sandbox, endpoint solution, and whatever else is being used.
So, my hope as we head into the annual RSA show next week is that, as an industry, we stand up and hold ourselves accountable. Make no mistake; prevention isn’t going away as an approach to cyber security. It is a necessary countermeasure in the current threat landscape. But it’s time that those of us “entrusted with protecting you” told the truth about the extent to which we really can.
To read the full report by Seculert’s Research Lab, click here: State of Perimeter Security Defenses Report