X
Tech

Palo Alto Networks, McAfee, Websense gateway systems allow malicious traffic to slip through the net

Researchers claim a number of high-profile gateway solutions do little to interrupt or prevent malicious communications.
Written by Charlie Osborne, Contributing Writer
credit-cnet.jpg
CNET

Gateway solutions provided by companies including Palo Alto Networks, McAfee and Websense leave corporate networks open to malicious communication, researchers claim.

Security professionals and IT departments face an ongoing battle to keep enterprise networks as safe as possible from intrusion. However, cybersecurity is a fluid industry which requires skill, time, investment and multiple solutions. As the volume of cyberattacks and sophistication of malware increases and evolves, staying ahead of the game is not always possible -- and no single security solution is foolproof.

The changing landscape has become a catalyst for a shift in thinking -- rather than focusing exclusively on preventing or blocking attacks, it may be the case that companies assume security breaches are a matter of when, not if -- and as a result, damage control and post-attack protocols are now becoming just as important.

Prevention-focused perimeter security solutions such as gateways, firewalls and IPS remain an attractive target -- and cannot protect organizations from every advanced, persistent threat they face.

Seculert has released research on existing gateway tools in the market and their effectiveness at detecting outbound malicious communications. In the report, titled the "State of Perimeter Security Defenses," the security firm says that due to the variety of cybersecurity threats online, no single solution can completely prevent intrusion -- and potentially hundreds of thousands of malicious communications go undetected every year. released research on existing gateway tools in the market and their effectiveness at detecting outbound malicious communications. In the report, titled the "State of Perimeter Security Defenses," the security firm says that due to the variety of cybersecurity threats online, no single solution can completely prevent intrusion -- and potentially hundreds of thousands of malicious communications go undetected every year.

The firm examined a subset of its installed base environments that included nearly 800,000 client devices -- generating nearly 62 billion total communications from Fortune 2000 companies in the United States -- over a period of 90 days in order to determine whether existing gateway systems were allowing internal devices to become infected and release outbound, malicious traffic. Each environment had a "perimeter defense system in place, including a secure web gateway and/or next generation firewall, an IPS, and a SIEM in addition to fully functioning endpoint protection," according to the firm.

However, this is not enough. Out of roughly 62 billion communication streams detected, nearly 3 million attempted malicious outbound communication from infected devices -- 13 percent of which were permitted by the gateway systems.

Seculert found that roughly two percent of all devices were infected, and every environment examined contained infected devices allowed to communicate outside of corporate networks. The best performing gateway still allowed 15 percent of infected devices to communicate outside to a threat actor's command and control (C&C) server, and three out of the six gateways observed allowed over 90 percent of infected devices to send communications along to cyberattacker servers.

In total, the security researchers say almost 400,000 communications escaped detection, allowing data to be transferred.

The gateway systems analyzed by Seculert included those from BlueCoat, Fortinet, McAfee, Palo Alto Networks, Websense, and ZScaler. In addition, the company analyzed security information and event management (SIEM) software such as HP ArcSight, IBM Security QRadar, Splunk, LogRythm and McAfee Enterprise Security Manager.

screen-shot-2015-04-16-at-09-04-13.png

The company also scrutinized how long it takes the average company using SIEM solutions to uncover a data breach, and on average, it took 17 days to find and contain a security problem.

While the reasons for gateways and security solutions to fail in this manner were not discussed in depth within the report, Seculert says that prevention systems have to work in real0time, and as they depend on manual correlation and discovery processes, containing a breach can be time and labor-intensive.

Dudi Matot, CEO & founder of Seculert commented:

"These results point to one clear issue, current generation prevention systems, even when they are well run, can not provide complete protection in the current threat landscape. CISOs need to "think different" about their entire security strategy and begin augmenting their existing perimeter security strategy with a comprehensive post infection detection solution."

According to Verizon's 2015 Data Breach Investigations Report, for every record lost in a data breach, the company will pay an average of 58 cents per record, far below previous estimates of about $201 per record. While less, when you consider how many records can be lifted by cyberattackers who remain undetected for long periods of time, the costs still add up -- as well as potential blow to stock and reputation.

ZDNet has reached out to companies mentioned in the research and will update if we hear back.

Read on: In the world of security

Read on: Fixes and Flaws

Editorial standards