seculert blog

Perimeter Security Defenses: A Technical Review

As my colleague and co-founder, Dudi Matot, noted in his Perimeter Security Defense: Time to “Think Different”? post last week, we’ve just finished a very interesting piece of Big Data research focused on the behavior of the malware that has succeeded in infecting our customers’ networks. Just to set a little context, all of Seculert’s customers run very sophisticated, multi-layered malware prevention systems that include Next Generation Firewalls, modern Intrusion Prevention Systems, inline sandbox technologies, Secure Web Gateways, and current endpoint security. These are some of the most security-conscious enterprises on earth, and yet they still find malware infecting their networks on a daily basis.

The goal of our research was to determine how frequently malware was defeating our customers’ prevention layer (aka perimeter security) and how, exactly, the malware behaved once it took up residence on the target network. We used Seculert’s Big Data analytics infrastructure and proprietary machine learning engine to examine the outbound communications generated by malware that had infected our customers’ networks. We have found that observing this outbound traffic gives us the best visibility into malware penetration rates and subsequent malware behavior: whatever gets past the prevention layer still has to call home, and that call crosses the perimeter in the logs.

The work by our Research Lab involved 100+ enterprise domains, about 800,000 end user devices and roughly 70 million outbound communication records logged by those customers’ perimeter security devices over a little more than eight months. What we found through our crowdsourced threat intelligence was that the average enterprise domain had more than 200 infected devices on any given day. Over the course of our study these devices generated nearly half a million communication attempts to the perpetrators’ command and control servers. The vast majority of these attempts were, unfortunately, successful.

If you’re curious, the most popular web gateways in use by Seculert’s customers are BlueCoat, Fortigate, McAfee, Palo Alto Networks, Websense, and zScaler. What we found through our research is that, as good as these products are, even the best of them allowed more than 15% of the infected devices on the networks they were protecting to communicate with the command and control servers maintained by the perpetrators. That may already seem like a lot, but half of the proxies we studied allowed nearly all of the infected devices to “call home” or exfiltrate confidential data.

The other thing we found is that even enterprises with well-funded and fully staffed incident response (IR) teams take a rather long time to identify and mitigate new infections. Because of where Seculert lives in the cyber threat kill chain, we know when indicators of compromise appear in QRadar, ArcSight, Splunk, etc. What we found is that enterprises running these SIEMs take nearly three weeks, on average, to identify and mitigate an infected device. An “owned” device attached to an enterprise network can do a LOT of damage in three weeks.
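The three measurements described above (infected devices per day from outbound C2 traffic, the share of C2 attempts and of infected devices the gateway let through, and the delay between a device's first successful call-home and its containment) can all be computed from a proxy log plus a list of C2 hosts. The script below is an added example, not Seculert's code or methodology; it assumes a hypothetical access log reduced to four fields (timestamp, client IP, destination host, proxy action) and a hypothetical threat-intel feed given as a set of hostnames. The log lines and C2 hostnames are constructed for the example.

```python
"""
Added example (not Seculert's code): measure C2 call-home leakage and
containment delay from outbound proxy logs.

Assumed (hypothetical) log format, one connection per line:
    <ISO-8601 UTC timestamp> <client IP> <destination host> <OBSERVED|DENIED>
where OBSERVED means the proxy allowed the connection and DENIED means it
was blocked. The C2 host list stands in for a threat-intel feed.
"""
from collections import defaultdict
from datetime import datetime
from typing import NamedTuple

# Constructed threat-intel feed of C2 hostnames (not real indicators).
C2_HOSTS = {"update.bad-cdn.example", "api.stat-collect.example"}

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2014-01-06T08:01:12Z 10.1.4.22 www.example.com OBSERVED
2014-01-06T08:01:15Z 10.1.4.22 update.bad-cdn.example OBSERVED
2014-01-06T08:03:40Z 10.1.7.90 api.stat-collect.example DENIED
2014-01-06T09:15:02Z 10.1.4.22 update.bad-cdn.example OBSERVED
2014-01-07T08:02:10Z 10.1.7.90 api.stat-collect.example OBSERVED
2014-01-07T08:05:33Z 10.1.9.14 update.bad-cdn.example DENIED
2014-01-21T11:30:00Z 10.1.4.22 update.bad-cdn.example DENIED
"""


class Record(NamedTuple):
    ts: datetime
    client: str
    host: str
    allowed: bool


def parse_log(text):
    """Parse the simplified four-field log into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, action = line.split()
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              client, host.lower(), action == "OBSERVED"))
    return records


def c2_attempts(records, c2_hosts):
    """Keep only connections whose destination is a known C2 host."""
    return [r for r in records if r.host in c2_hosts]


def infected_devices_per_day(attempts):
    """Map each day to the set of clients that tried to reach C2 that day.
    A blocked attempt still proves the device is infected, so it counts."""
    by_day = defaultdict(set)
    for r in attempts:
        by_day[r.ts.date().isoformat()].add(r.client)
    return dict(by_day)


def leak_rates(attempts):
    """Return (share of C2 attempts allowed, share of infected devices that
    reached C2 at least once). The second is the per-device figure the
    post quotes for each gateway."""
    if not attempts:
        return 0.0, 0.0
    allowed = sum(1 for r in attempts if r.allowed)
    devices = {r.client for r in attempts}
    leaked = {r.client for r in attempts if r.allowed}
    return allowed / len(attempts), len(leaked) / len(devices)


def containment_delay(attempts):
    """Per device that ever reached C2: time from its first successful
    call-home to the first blocked attempt after it, or None if nothing
    was ever blocked (the device is still exposed). Devices whose
    attempts were all blocked never had an exposure window and are omitted."""
    first_allowed = {}
    for r in sorted(attempts, key=lambda r: r.ts):
        if r.allowed:
            first_allowed.setdefault(r.client, r.ts)
    delay = {}
    for client, start in first_allowed.items():
        later_blocks = [r.ts for r in attempts
                        if r.client == client and not r.allowed and r.ts > start]
        delay[client] = (min(later_blocks) - start) if later_blocks else None
    return delay


if __name__ == "__main__":
    attempts = c2_attempts(parse_log(SAMPLE_LOG), C2_HOSTS)
    for day, hosts in sorted(infected_devices_per_day(attempts).items()):
        print(f"{day}: {len(hosts)} infected device(s)")
    attempt_rate, device_rate = leak_rates(attempts)
    print(f"C2 attempts allowed: {attempt_rate:.0%}; devices that got through: {device_rate:.0%}")
    for client, d in containment_delay(attempts).items():
        print(f"{client}: contained after {d}" if d else f"{client}: still exposed")
```

The per-device rate, not the per-attempt rate, is the figure that matters for the gateway comparison: a proxy that blocks most of a bot's retries but lets one through has still leaked that device. Likewise, a DENIED entry that precedes any OBSERVED one (10.1.7.90 in the sample) is not containment, which is why the delay is measured from the first success forward.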

For sophisticated practitioners, none of this is really news. We all know that relying on prevention-focused perimeter security leaves enterprises vulnerable to targeted attacks. And we know that every enterprise is infected with malware at some level every day. The challenge is finding those infected devices and mitigating them as quickly and cost-effectively as possible.

To read the report by Seculert’s Research Lab, follow this link: State of Perimeter Security Report.
