Why Web Gateways Are Not Enough
Why can't web gateways fully protect you from attack and how can you maximize their performance?
By Richard Greene, Seculert
When Gartner analyst Neil MacDonald wrote that "Prevention is Futile" three years ago, it was likely considered heretical by many, if not most, IT security experts. Now, as we near the second half of 2016, MacDonald's thesis is considered merely conventional wisdom.
There are few CISOs left that want to discuss whether all cyberattacks can be prevented. They prefer instead to engage on the more relevant topic of how to respond when their networks are successfully attacked -- which they are fully aware will happen eventually.
In response to this realization, the gateway market is one of the subsets of the IT security space that has grown rapidly in recent years. Whether the products are branded as secure web gateways, next generation firewalls or merely proxies (collectively gateways), they are all supposed to serve similar functions.
How Web Gateways Work
These products are designed to block the malicious outbound traffic generated by a successful attack (or malware) that takes up residence inside an enterprise's network. As almost all modern attacks are designed to "call home" once they've installed themselves on a victim's device, it's a good way to identify which devices are infected and block the traffic generated by a successful attack -- at least in theory.
Recent research by Seculert Labs shows that, as a category, gateways are a necessary but insufficient solution for blocking malicious outbound traffic from exiting an enterprise's network. In our recent research we examined products from Barracuda, BlueCoat, Fortigate, Ironport, McAfee, Palo Alto Networks, Websense and Zscaler. Nearly all of these products allowed significant outbound communications to escape from the enterprises they were supposedly protecting.
Web Gateway Shortcomings
In 2015, Seculert researchers observed that web gateways allowed up to 40 percent of the malicious outbound traffic -- that they are ostensibly designed to block -- through the network perimeter to the attacker's command and control (C&C) infrastructure. In addition, the research revealed that when measured over time, gateway performance was very uneven. Some performed well for a period of weeks or months, and then allowed significant traffic to escape when faced with a new attack.
Finally, the research showed that when a gateway starts "leaking" data it doesn't allow just a little bit to escape. The average number of successful outbound communications per observed incident was found to be more than 100.
There are several reasons why gateways are unable to protect enterprises from the consequences of a successful attack. First, like most IT security technologies, gateways are fundamentally static lines of defense. As such, they are vulnerable to an aggressive and nimble adversary that has the time and resources to understand exactly how they work and develop attacks aimed at defeating the design and implementation weaknesses found in each one.
Second, gateway performance is dependent upon the quality of the threat data available to them and the skills of the team maintaining them to use that data to optimize the gateway's efficacy. The harsh reality is that few enterprises have access to all of the threat data required, let alone the talent to leverage and deploy it.
Finally, even in the best funded and operated cybersecurity organizations, many web gateways can only act on attempted communication based upon its destination. Even when a gateway's repository of malicious destinations is well maintained, the adversary changes "location" so frequently that gateways are often defeated.
More damaging, however, is the fact that, by their nature, gateways are unable to identify or act on all of the behavioral or contextual traffic patterns presented by new or very sophisticated attacks. Even the very best gateways, which have some limited behavioral identification features, are commonly defeated because the adversary knows exactly how these features work and can design their attacks around them.
Improving Web Gateway Performance
So if prevention is futile and gateways can't reliably stop the outbound malicious traffic generated by current attacks, what does a thoughtful security practitioner do to improve their enterprise's security posture?
Well first, recognize that abandoning the gateway approach is not an option. They may not be perfect, but they play a vital role. The path forward lies in complementing the gateway's functionality with a containment strategy that leverages what we know about the adversary's strategy and tactics and allows the deployed defenses to become as nimble as the attackers.
The one immutable weakness that the adversary has is that their attacks must communicate back to the C&C infrastructure to complete their mission. In practice, most malware actually communicates "back home" quite a bit before it's completed. It's just that modern attacks do so in very low volume over extended periods of time at irregular intervals to avoid detection. "Seeing" this communication is one of the current Big Data problems of cybersecurity.
Finding the needle in the stack of needles that reveal the presence of a new attack requires compute and storage resources well beyond what even the most powerful gateways can bring to bear. This is the kind of data analysis and machine learning problem that can only be solved with a cloud-based software-as-a-service approach that is capable of finding anomalous behavior in the terabytes or petabytes of data that exit a typical enterprise network each day. The analysis must be based on far more variables than destination, volume or time of day and must include all of the other contextual variables that reveal the presence of an active attack.
Once the analysis is complete and the new attack is identified and characterized, most gateways can then be updated to recognize any subsequent successful attacks and block them effectively -- at least until the next new one comes along.
As CEO of Seculert, Richard Greene brings over 25 years of experience in the IT security industry to the company. Previously, he served as president and CEO of AppCentral and was responsible for setting the stage for Good Technologies' successful acquisition of the company in 2012. He has held sales and management leadership roles in McAfee, PGP and Symantec and currently serves on Adallom's advisory board. Richard holds a B.Sc. in Mechanical Engineering from Nottingham University (United Kingdom).
May 06, 2016
What can handicapping and betting on horse racing teach infosec pros about security analytics?