Defense-in-Breadth
Whitepaper
Evolving IT Security Strategies in a World of Growing Breadth.
Because achieving 99% defense-in-depth for only 50% of the attack surface isn't enough.
The Expanding Attack Surface
IT teams' goal has been 100% protection, but the reality is always less than 100%. Two
factors determine a security solution's efficacy: the depth of its enforcement
technologies and the breadth of the attack surface it actually covers.
[Figure: threats, vectors, networks and devices. Device columns: mobile phones, mobile tablets, roaming laptops, stationary computers, stationary servers.]
Growing Threat and Vector Breadth.
Inbound attacks still arrive mainly over the popular email and Web channels. But most
outbound data leaks happen silently over ubiquitous, unprotected protocols and systems,
such as tunneling through P2P (peer-to-peer) or DNS (domain name system) traffic.
The recipient of a leak is often not a centralized hacker-controlled server that can be
easily blacklisted, but one of thousands of distributed infected devices that unknowingly
participate in a botnet (see our botnet whitepaper for more details). These botnet hosts
change by the minute, which turns blacklisting into the ultimate game of whack-a-mole.
Hackers sell do-it-yourself malware kits or rent out control of established botnets to
less tech-savvy but more fiscally or politically motivated criminals. The impact of
today's threats has escalated from IT remediation time to far more costly legal and
audit fees.
Growing Device and Network Breadth.
Organizations have increasingly nomadic workforces, and BYOD initiatives are not
restricted to mobile devices (e.g. tablets, phones). Roaming laptops (e.g. PCs, Macs)
access the Internet from outside the enterprise network perimeter ~50% of the time.
Mobile devices access the Internet over 3G/4G wireless connections that bypass the
network perimeter entirely ~90% of the time.
Re-Gain Visibility and Control. Everywhere. Page 2
In these situations, the Wi-Fi networks used to reach the Internet have unknown security
and hence cannot be trusted. A user's home router may still have the default login set
with remote administration enabled. A hotel's payment proxy server may not have the
latest vulnerability patches installed.
There are many bad hosts distributing malware on the Internet. If these roaming laptops
or mobile devices become infected, there is often no defense to stop them from re-entering
the enterprise network perimeter, which exposes internal network systems to devices that
are now under botnet control.
Advancing Threats
Hackers and criminals attack; security vendors and IT teams defend. This arms race is
persistent, and it continuously advances both the current threat landscape and the
enforcement technologies built against it.
[Figure: attack surface versus enforcement technologies, with the most advanced proxy functions (app control, AV, DLP) contributing only the last 1-5%.]
In the past, IT teams sought to improve their "defense-in-depth" strategy by layering
defenses: first client-based software on endpoints, then on-premises hardware on the
network; first routing rules via firewalls and filtering rules via Web or email gateways,
then content matching via Web or email proxies, and finally more advanced Web or email
proxy functions (e.g. app controls, AV, DLP). Despite vendors' marketing claims of 100%
prevention, such defenses are always reactive. That is the nature of an arms race.
Many unbiased third parties in the security community report that the signature and
heuristic matching techniques used by enforcement technologies such as anti-virus (AV)
have dropped below 50% efficacy. This shifts importance back to the first line of
defense: enforcement technologies such as routing and filtering.
Existing Products Lack Network and Device Breadth.
The types and ownership of IT-approved devices are expanding rapidly. The IT team now
wants to protect user-owned roaming computers running Windows or Mac operating systems,
and user-owned mobile devices running fundamentally new types of operating systems
(e.g. iOS). Yet IT still must protect every IT-owned device connected to the enterprise
network.
• How many different products must be provisioned, deployed, set up and maintained to
create the solution?
• How much extra effort is required to manage and report on all networks and devices?
Also, various mobile device manufacturers and wireless carriers restrict how apps and
network settings can be used. This complicates provisioning and setup on any such device.
• Will substituting a third-party app for the native Web browser break other apps' Web
links?
Existing Products Lack Threat and Vector Protection.
On-Net, Internet-Wide Security
The most common solutions already in use rely on Web-based proxies. They offer more depth
than breadth, because they depend heavily on the app, protocol or port used to communicate
over the Internet. They may offer many controls for Web data and apps, but none over P2P,
DNS or other non-Web traffic, which infected devices participating in a botnet commonly
use. A Secure Cloud Gateway fills the expanding gaps that Web proxies leave unaddressed
(see our enterprise buyer guide for more details).
• Where are users and devices connecting via non-Web apps, protocols or ports?
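The two gaps described above (outbound leaks tunneled through DNS, and Web proxies that never see non-Web traffic) are why DNS query logs deserve their own detection logic. The Python below is an added example, not OpenDNS/Umbrella code and not part of this whitepaper. It profiles every parent domain in a constructed resolver log and flags the tunneling pattern: many distinct, long, high-entropy subdomains under one parent, typically asked for as TXT or NULL records. The log line format, the thresholds, the client addresses and the domain names are all assumptions made for the example.

```python
"""Heuristic DNS-tunneling detector over constructed resolver log lines.

Added example (not OpenDNS/Umbrella code). Assumed log line shape,
loosely modelled on a BIND-style query log:
    <time> client <ip>#<port>: query: <qname> IN <qtype>
"""
import math
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)

# Thresholds are assumptions chosen for this example, not tuned production values.
MIN_UNIQUE_NAMES = 5      # many distinct subdomains under one parent domain
MIN_AVG_LABEL_LEN = 20    # long leftmost labels carry encoded payload chunks
MIN_AVG_ENTROPY = 3.5     # bits per character; encoded data looks random
RARE_TYPES = {"TXT", "NULL"}   # record types tunnels favour for bulky answers


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return the fields of one log line, or None if it is not a query record."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_qname(qname):
    """Approximate the parent domain as the last two labels; return it and the
    leftmost label (empty when the query is for the apex itself)."""
    labels = qname.rstrip(".").lower().split(".")
    parent = ".".join(labels[-2:])
    leftmost = labels[0] if len(labels) > 2 else ""
    return parent, leftmost


def profile_domains(log_text):
    """Aggregate per-parent-domain statistics and a suspicious verdict."""
    stats = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "rare": 0, "total": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue   # lines in an unexpected format are skipped, not guessed at
        parent, leftmost = split_qname(rec["qname"])
        s = stats[parent]
        s["total"] += 1
        s["names"].add(rec["qname"].lower())
        s["lens"].append(len(leftmost))
        s["ents"].append(shannon_entropy(leftmost))
        if rec["qtype"].upper() in RARE_TYPES:
            s["rare"] += 1
    report = {}
    for parent, s in stats.items():
        n = s["total"]
        avg_len = sum(s["lens"]) / n
        avg_ent = sum(s["ents"]) / n
        suspicious = (len(s["names"]) >= MIN_UNIQUE_NAMES
                      and avg_len >= MIN_AVG_LABEL_LEN
                      and avg_ent >= MIN_AVG_ENTROPY)
        report[parent] = {
            "queries": n,
            "unique_names": len(s["names"]),
            "avg_label_len": round(avg_len, 2),
            "avg_entropy": round(avg_ent, 2),
            "rare_type_ratio": round(s["rare"] / n, 2),
            "suspicious": suspicious,
        }
    return report


def suspicious_domains(log_text):
    """Sorted list of parent domains that trip all three tunneling heuristics."""
    return sorted(d for d, r in profile_domains(log_text).items() if r["suspicious"])


# Constructed sample log. Host 10.0.0.5 browses normally; host 10.0.0.9 sends
# six TXT queries whose 32-character leftmost labels are rotations of a
# 32-symbol alphabet, standing in for base32-encoded chunks (each label has
# exactly log2(32) = 5.0 bits/char of entropy). One malformed line is included.
_ALPHABET = "0123456789abcdefghijklmnopqrstuv"
_TUNNEL_LINES = [
    f"10:00:{10 + i:02d} client 10.0.0.9#4000{i}: query: "
    f"{_ALPHABET[i:] + _ALPHABET[:i]}.exfil-demo.example IN TXT"
    for i in range(1, 7)
]
SAMPLE_LOG = "\n".join([
    "10:00:01 client 10.0.0.5#51000: query: www.example.com IN A",
    "10:00:02 client 10.0.0.5#51001: query: mail.example.com IN A",
    "10:00:03 client 10.0.0.5#51002: query: example.com IN MX",
    "10:00:04 client 10.0.0.5#51003: query: cdn.example.net IN AAAA",
    "this line is not a query record and is skipped",
] + _TUNNEL_LINES)


if __name__ == "__main__":
    for domain, r in profile_domains(SAMPLE_LOG).items():
        print(f"{domain:22} {r}")
    print("suspicious:", suspicious_domains(SAMPLE_LOG))
```

On the sample log only exfil-demo.example is flagged: six unique names, average label length 32, 5.0 bits/char and a 100% TXT ratio, while example.com stays far below every threshold. Any one signal alone produces false positives (CDNs use long hashed hostnames, reverse-DNS zones have many unique names), which is why the verdict requires all three; a real deployment would also key on the client address and a time window rather than the whole log.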
Off-Net, Internet-Wide Security
For organizations embracing BYOD initiatives, the most common solution is Mobile Device
Management (MDM). MDM solutions do enforce some device-centric security policies (e.g.
password enforcement, data wipes, app restrictions). But they do not provide Internet-wide
protection, visibility and control over how the device's data, apps and users communicate
over the Internet. Also, many MDM solutions do not cover roaming, off-net laptops. MDM is
a complement to a Secure Cloud Gateway, not an end-to-end solution (see our mobility
buyer guide for more details).
• Do users choose the same login credentials for both personal (e.g. Gmail, Facebook) and
corporate (e.g. SalesForce, Dropbox) accounts?
• Are users protected from entering those credentials into a phishing site from their
mobile device? Does your solution provide visibility and control over this?
[Figure: today's typical state. Defense-in-depth reaches 95-99% (app control, AV and DLP contributing the last 1-5%), but defense-in-breadth across mobile phones, mobile tablets, roaming laptops, stationary computers and stationary servers reaches only ~50%.]
Re-Gain Protection, Visibility and Control Everywhere
Learn how Umbrella's Secure Cloud Gateway fits within your evolving IT security strategy
(see our everywhere solution overview).
[Figure: target state with a Secure Cloud Gateway. Defense-in-breadth across the same five device classes reaches 95-99%, with defense-in-depth at 90-95% (app control, AV and DLP still the last 1-5%).]