01:30 PM

Web Gateways Need Backstops

New report emphasizes the importance of layered defense.

A new report out this week showed how permeable network gateway protections can be on their own. In a 10-month study of 200 billion communications across one million client devices, Seculert took a deep-dive look at the types of malicious activity that initially got past eight leading web gateway products. While some performed better than others, the conclusion was that plenty of threats were still getting through this layer of defense.

The study looked at whether the gateways were allowing infected, internal devices to communicate outside of the organization to their perpetrators. According to the researchers, almost all of the environments studied were running sophisticated perimeter defense systems that included a secure web gateway and/or next generation firewall, an IPS/IDS, plus fully functioning endpoint protection and SIEM correlation.

According to the report, more than half of the gateways studied allowed more than 40% of the attempted malicious outbound communications to successfully reach C&C servers. And overall, 40% of all attempted malicious communication managed to beat the web gateways in question.

"Today's enterprises are unknowingly allowing malicious outbound communication to be transmitted through their web gateways on a daily basis," said Richard Greene, Seculert CEO.

According to the recent IWK Strategic Security Survey, firewalls remain the security product most valued by security professionals -- 62% of respondents put them in their top three -- while gateway antivirus or anti-malware is similarly valued by only about 12% of security professionals.

Seculert didn't name and shame specific vendors for their performance, but did show through anonymized data that there was definitely a range of performance levels across the technologies. For example, one particular gateway let 50% of connected and infected devices communicate with C&C servers, and allowed an average of 350 communications per incident, whereas another allowed only about 5% of devices to communicate outbound and averaged only 50 communications in those rare incidents it let through. Across all products, the average number of successful outbound communications per incident was over 100.
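The figures above (share of devices that reached C&C, and communications per incident) are straightforward to reproduce from a gateway's own access logs, which is one form the "backstop" can take: SIEM-side correlation of what the gateway allowed out. The following is an added example, not code from the article or from Seculert's report. It assumes a constructed log format (`timestamp client_ip ALLOW|BLOCK destination_host status`) and a constructed watchlist of C&C hostnames; both are placeholders, not real indicators.

```python
"""
Added example (not from the Dark Reading article or Seculert's report): a
small backstop check that replays constructed web-gateway log lines and
computes the kind of figures the report describes -- which internal devices
reached a watchlisted command-and-control (C&C) host through the gateway,
how many communications each incident produced, and the share of devices
involved.
"""
from collections import defaultdict
import re

# Constructed sample of gateway access-log lines (not real data). The format
# assumed here is "<timestamp> <client_ip> <action> <destination_host> <status>".
SAMPLE_LOG = """\
2015-10-14T09:00:01 10.1.1.20 ALLOW update.example-vendor.test 200
2015-10-14T09:00:05 10.1.1.21 ALLOW beacon.bad-domain.test 200
2015-10-14T09:01:05 10.1.1.21 ALLOW beacon.bad-domain.test 200
2015-10-14T09:02:05 10.1.1.21 ALLOW beacon.bad-domain.test 200
2015-10-14T09:03:00 10.1.1.22 BLOCK beacon.bad-domain.test 403
2015-10-14T09:04:00 10.1.1.23 ALLOW cdn.example-vendor.test 200
2015-10-14T09:05:00 10.1.1.24 ALLOW panel.other-bad.test 200
2015-10-14T09:05:30 10.1.1.24 ALLOW panel.other-bad.test 200
"""

# Constructed watchlist of C&C hostnames (placeholders, not real indicators).
CNC_WATCHLIST = {"beacon.bad-domain.test", "panel.other-bad.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOW|BLOCK) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, client, action, host) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, action, host, _status = m.groups()
            yield ts, client, action, host


def summarize(text, watchlist):
    """
    Return (allowed, devices, blocked): allowed maps each client to the number
    of ALLOWED communications it made to watchlisted hosts, devices is the set
    of all clients seen in the log, blocked counts attempts the gateway stopped.
    """
    allowed = defaultdict(int)
    blocked = 0
    devices = set()
    for _ts, client, action, host in parse_log(text):
        devices.add(client)
        if host not in watchlist:
            continue
        if action == "ALLOW":
            allowed[client] += 1
        else:
            blocked += 1
    return dict(allowed), devices, blocked


def report_metrics(text, watchlist):
    """
    Compute report-style figures: share of devices that reached a watchlisted
    host through the gateway, mean allowed communications per incident (one
    incident = one device), and the number of blocked attempts.
    """
    allowed, devices, blocked = summarize(text, watchlist)
    incidents = len(allowed)
    total_comms = sum(allowed.values())
    pct = round(100.0 * incidents / len(devices), 1) if devices else 0.0
    return {
        "devices_seen": len(devices),
        "devices_reached_cnc": incidents,
        "pct_devices_reached_cnc": pct,
        "avg_comms_per_incident": total_comms / incidents if incidents else 0.0,
        "blocked_attempts": blocked,
    }


if __name__ == "__main__":
    for key, value in report_metrics(SAMPLE_LOG, CNC_WATCHLIST).items():
        print(f"{key}: {value}")
```

On the constructed sample, two of five devices reached a watchlisted host through ALLOW decisions (40%), averaging 2.5 communications per incident, while one attempt was blocked. The per-device counts in `summarize` are the useful output for response: a device with dozens of allowed communications to one watchlisted host is a beaconing candidate regardless of what the gateway's own verdict was.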

Interestingly, the report noted that almost all of the gateways showed uneven performance. For example, what might have been seen as good blocking for weeks or months changed after some attack technique enabled adversaries to beat the technology during a different period of time.

The lessons are likely two-fold. One, that the drumbeat for layered security should continue to be heeded. And two, that careful vetting is necessary for even the most commoditized of products and categories.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
