Defense-in-Breadth WhitepaperEvolving IT Security Strategiesin a World of Growing Breadth.Because achieving 99% defense-in-depth foronly 50% of the attack surface isn’t enough.
The Expanding Attack SurfaceIT team’s goals have been focused on 100% protection, but the reality is alwaysless than 100%. Both depth of the enforcement technologies and breadth of theattack surface determine a security solution’s efficacy. THREATS, VECTORS, NETWORKS AND DEVICES MOBILE MOBILE ROAMING STATIONARY STATIONARY PHONES TABLETS LAPTOPS COMPUTERS SERVERSGrowing Threat and Vector Breadth.Inbound attacks may occur primarily over popular email- or Web-basedcommunication channels. But most outbound data leaks occur silently over oftenubiquitous, non-protected protocols and systems, such as tunneling via P2P(peer-to-peer) or DNS (domain name system) communications.The data leak recipient is often not a centralized hacker-controlled server that canbe easily blacklisted, but one of thousands of distributed infected devices thatunknowingly participate in the botnet (see our botnet whitepaper for more details).These botnet hosts change by the minute for the ultimate game of whack-a-mole.Hackers sell do-it-yourself malware kits or rent out control of established botnetsto less tech-savvy, but more fiscally- or politically-motivated criminals. The impactof today’s threats has escalated from IT remediation time to more costly legalaudit fees.Growing Device and Network Breadth.Organizations have increasingly nomadic workforces, and BYOD initiatives are notrestricted to only mobile devices (e.g. tablets, phones). Roaming laptops (e.g.PCs, Macs) are accessing the Internet from outside the enterprise networkperimeter ~50% of the time. Mobile devices are accessing the Internet via 3G/4Gwireless connections that bypass the network perimeter ~90% of the time. Re-Gain Visibility and Control. Everywhere. Page 2
In these situations, the Wi-Fi networks used to connect to the Internet haveunknown security and hence cannot be trusted. A user’s home router may stillhave the default login set with remote access enabled. A hotel’s payment proxyserver may not have the latest vulnerability patches installed.There are many bad hosts distributing malware on the Internet. If these roaminglaptops or mobile devices become infected, there’s often no defense to stop themfrom re-entering the enterprise network perimeter. Hence exposing internalnetwork systems to now botnet-controlled devices.Advancing ThreatsHackers and criminals attack, then security vendors and IT teams defend. Thisarms race is persistent and always advancing the current threatscape andenforcement technologies. ATTACK SURFACE APP CONTROL, AV, DLP (1-5%) ENFORCEMENT TECHNOLOGIESIn the past, IT teams sought to improve their “defense-in-depth” strategy bylayering defenses. First installing client-based software on endpoints. Theninstalling on-premises hardware on networks. First using routing rules via firewallsand filtering rules via Web or email gateways. Then content matching via Web oremail proxies. And more advanced Web or email proxy functions (e.g. appcontrols, AV, DLP). Despite vendors’ various marketing claims of achieving 100%prevention, such defenses are always reactionary. It’s the nature of an arms race.Many unbiased third parties in the security community cite that signature andheuristic matching techniques used by enforcement technologies such as anti-virus (AV) have dropped below 50% efficacy. This shifts importance back to first-line of defense enforcement technologies, such as routing and filtering. Re-Gain Visibility and Control. Everywhere. Page 3
Existing Products Lack Network and Device Breadth.The type and ownership of IT-approved devices is expanding rapidly. The IT teamnow wants to protect user-owned roaming computers running either Windows orMac operating systems, and user-owned mobile devices running fundamentallynew types of operating systems (e.g. iOS). Yet, IT still must protect any IT-owneddevices connected to the enterprise network. • How many different products must be provisioned, deployed, setup and maintained to create the solution? • How much extra effort is required to manage and report on all networks and devices?Also, various mobile device manufacturers or wireless carriers restrict how appsand network settings can be used. This makes provisioning and setup difficult onany device. • Will substituting the native Web browser app with a third-party app break other apps’ Web links?Existing Products Lack Threat and Vector Protection.On-Net, Internet-Wide SecurityThe most common solutions already in-use rely on Web-based proxies. They offera higher level of depth than breadth, because they are very dependent on the app,protocol or port used to communicate over the Internet. They may offer lots ofcontrols for Web data and apps, but no controls over P2P, DNS or other non-Webtraffic, which are commonly used by infected devices participating in a botnet. ASecure Cloud Gateway fills in the expanding gaps unaddressed by Web-proxies(see our enterprise buyer guide for more details). • Where are users and devices are connecting via non-Web apps, protocols or ports?Off-Net, Internet-Wide SecurityFor organizations embracing BYOD initiatives, the most common solution isMobile Device Management (MDM). These solutions do enforce some mobiledevice-centric security policies (e.g. password enforcement, data wipes, apprestrictions). But they do not provide Internet-wide protection, visibility andcontrol for how the device’s data, apps and users communicate over the Internet.Also, many MDM solutions do not cover roaming, off-net laptops. MDM is acomplement to Secure Cloud Gateways, but not an end-to-end solution (see ourmobility buyer guide for more details). • Do users choose the same login credentials for both personal (e.g. Gmail, Facebook) and corporate (e.g. SalesForce, Dropbox) accounts? • Are users protected from logging into a phishing site using these account credentials via their mobile device? Does it provide visibility and control over this? Re-Gain Visibility and Control. Everywhere. Page 4
DEFENSE-IN-BREADTH (~50%) MOBILE MOBILE ROAMING STATIONARY STATIONARY PHONES TABLETS LAPTOPS COMPUTERS SERVERS APP CONTROL, AV, DLP (1-5%) DEFENSE-IN-DEPTH (95-99%)Re-Gain Protection, Visibility and Control EverywhereLearn about how Umbrella’s Secure Cloud Gateway fits within your evolving ITsecurity strategy (see our everywhere solution overview). DEFENSE-IN-BREADTH (95-99%) MOBILE MOBILE ROAMING STATIONARY STATIONARY PHONES TABLETS LAPTOPS COMPUTERS SERVERS APP CONTROL, AV, DLP (1-5%) DEFENSE-IN-DEPTH (90-95%) Re-Gain Visibility and Control. Everywhere. Page 5