Detailed analysis of traffic on 60 enterprise networks finds broad usage of software that isn't sanctioned by IT

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 15, 2008

3 Min Read

End users are employing unauthorized, untested applications on their companies' networks at an alarming rate, and most IT departments don't know about it, according to a report published earlier today.

Palo Alto Networks issued its "Application Usage and Risk Report," a twice-yearly study of data collected from evaluations of live traffic at enterprises that use its next-generation firewall, which can monitor application traffic at a granular level. In the new study, Palo Alto reports on traffic in 60 enterprises, representing about 960,000 users.

The key finding, according to Palo Alto, is that most enterprises are supporting traffic from applications they don't know they have -- and in many cases, don't allow.

"In the 60 enterprises we evaluated, we found a total of 290 applications," says Steve Mullaney, vice president of marketing at Palo Alto. "We found as many as 230 applications in one enterprise. The low number was 50."

What that means, according to Palo Alto, is that many companies are running applications that IT doesn't sanction, or even know about. For example, more than 80 percent of the enterprises showed some traffic from Google applications, which most companies don't use for business, and virtually all of the enterprises exhibited at least some peer-to-peer traffic, which is generally viewed as a security vulnerability and disallowed by IT.

"This is nothing new," says Mullaney. "People have been bringing applications into the corporate network for years, and IT is always the last to know. But what surprises a lot of IT people is just how widespread it is. They feel like they've got a pretty good idea of what's on their network, but often, they don't."

Some of the "extra" applications traffic comes from malware, Palo Alto says. The study found iFrame attacks in 86 percent of the enterprises, and about 200 different variations of spyware. "We're also seeing a lot more media-based attacks," such as those hidden in audio or video content, Mullaney says.

Video and other streaming media, which usually aren't required for everyday business, represent a large chunk of the bandwidth used in the corporate network, Palo Alto says. "During one week of the Olympics, we saw one company where 80 percent of the Internet video usage was from sites related to the Olympics," Mullaney says. "That wasn't part of the company's business."

Aside from the threats to security or productivity, Palo Alto also spotted some trends that indicate significant shifts in application usage. For example, the study indicates that 64 percent of HTTP traffic is linked to specific applications, rather than a Web browser. "That means that HTTP is becoming the universal protocol for application delivery," Mullaney says. "You can no longer assume that most of your HTTP traffic is from people surfing the Web."

After looking at the Palo Alto data, some of the companies in the study tried blocking or filtering the unsanctioned applications, but they received heavy pushback from users. "In a lot of cases, what they decided was to go ahead and allow a lot of the applications, but talk to the users about how to use them securely," he said. "It's sometimes better to let the user keep it above board, so that you can track it and monitor it and build a policy for using it, than to outlaw it and drive the user underground."

But in the case of applications that have a big security downside and very little business value, it might make more sense to do blocking, Mullaney advises. "There are some applications, like Tor and P2P, which have no earthly business on the network except to get around IT," he notes. "In those cases, we see companies just trying to root it out."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Tim Wilson, Editor in Chief, Dark Reading


Tim Wilson is Editor in Chief and co-founder of Dark, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights