Layered security may be security best practice, but many of the current technologies don’t appear to be detecting and blocking exploits, according to recent NSS Labs research.
In a test which layered typical defense technologies in various combinations, only 3 percent of unique combinations managed to detect all the exploits used, NSS Labs said in its new “Correlation of Detection Failures” report released Wednesday. The report tested the security effectiveness of next-generation firewalls, intrusion prevention systems, and endpoint protection.
The group tests included 37 security products from 24 different vendors and 1,711 exploits. There were 16 IPS, 8 next-generation firewall, and 13 endpoint protection products in the test. Networking products included the Barracuda F900 networking security appliance, Check Point 12600, and the Palo Alto PA5020.
None of the 37 tested products managed to detect all the exploits on their own. Of the 606 combinations possible with two of the security products in the test, only 3 percent of the possibilities detected all the exploits, NSS Labs said.
The results “present a serious challenge to the security industry as they allow an attacker to bypass several layers of defense using only a small set of exploits,” wrote Stefan Frei, research director at NSS Labs and principal author of the report.
The number of exploits that managed to bypass multiple security products, and the number of security products that were unable to block the exploits is “significantly higher than the common expectation,” Frei wrote. Security professionals run the risk of overestimating the security benefits of deploying multiple protection technologies.
It doesn’t appear to make a difference whether there were multiple products within a single security category, such as intrusion prevention systems, or multiple products across multiple categories, such as antivirus running on an endpoint behind both an IPS and a next-generation firewall. Either deployment method “does not always provide the ‘defense in depth’ that we are led to believe exists,” Frei said.
Since many of the vendors use the same sources of threat intelligence and the same vulnerability research feeds, it’s likely they share the same deficiencies in their exploit detection and blocking capabilities. Layered defenses are critical to securing the enterprise, but organizations need to think about which product combinations actually result in security gains.
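A way to reason about the report's combination figures and the shared-feed argument above, as an added example that is not from NSS Labs or the article: given per-product detection results over a set of exploits (the data here is constructed, not the test results), compute which exploits bypass every product in a layer set, the fraction of two-product pairs that catch everything, and how little a second product adds when it shares the first one's blind spots.

```python
from itertools import combinations

# Constructed sample data: 1 = product detected the exploit, 0 = missed.
# Product names and values are invented for this example.
PRODUCTS = {
    "ips_a":  [1, 1, 1, 0, 1, 0],
    "ips_b":  [1, 1, 1, 0, 1, 0],   # same research feed as ips_a: identical blind spots
    "ngfw_a": [1, 0, 1, 1, 1, 0],
    "epp_a":  [0, 1, 1, 1, 0, 1],
}

def missed(detections):
    """Indices of exploits a single product failed to detect."""
    return {i for i, hit in enumerate(detections) if not hit}

def layered_misses(names):
    """Exploits that bypass every product in the layer set.

    A layered deployment only fails on an exploit that all layers miss,
    so the combined blind spot is the intersection of the individual ones.
    """
    result = None
    for name in names:
        misses = missed(PRODUCTS[name])
        result = misses if result is None else result & misses
    return result or set()

def pair_coverage(products=PRODUCTS):
    """(pairs detecting all exploits, total pairs) over all two-product combinations."""
    pairs = list(combinations(products, 2))
    full = [p for p in pairs if not layered_misses(p)]
    return len(full), len(pairs)

def marginal_gain(base, added):
    """How many previously evading exploits a new layer actually removes.

    Zero here is the correlated-failure case the report describes: the
    added product detects nothing the existing layers did not already catch.
    """
    return len(layered_misses(base)) - len(layered_misses(list(base) + [added]))

def evade_all(products=PRODUCTS):
    """Exploits that bypass the entire stack, whatever the combination."""
    return layered_misses(list(products))

if __name__ == "__main__":
    print("pairs with full coverage:", pair_coverage())
    print("gain of ips_b behind ips_a:", marginal_gain(["ips_a"], "ips_b"))
    print("gain of epp_a behind ips_a:", marginal_gain(["ips_a"], "epp_a"))
```

With this data, stacking the two IPS products that share a feed adds no coverage at all, while pairing an IPS with the endpoint product closes every gap, which is the selection problem the report points to.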
NSS Labs did not specify the two products that successfully blocked the exploits.
“This analysis shows that, while it is helpful to adopt a layered approach to security, the real key to effective protection against threats lies in an organization’s choice of protection technologies to be combined,” Frei wrote.