Internal Threat Landscape
In today's world, more and more customer data is being found on servers, desktops and laptops which contain critical information that can promote a company's growth or destroy the company in an instant. Furthermore, the risk extends beyond the private sector to the public sector and anyone in their homes receiving services from one of these infrastructure entities.
A study performed by Promisec, Inc., a company that regularly conducts comprehensive security audits across a number of industries - including finance, healthcare, insurance, manufacturing, etc., found that:
Use of unauthorized removable storage continues to rise in organizations.
The number of endpoints that do not apply threat management agents or are not updated with the latest build or signatures continues to rise.
Instances of unauthorized instant messaging continue to increase in all organizations.
The study also discovered that -
12% of infected computers had a missing or disabled anti-virus program.
10.7% had unauthorized personal storage like USB sticks or external hard drives.
9.1% had unauthorized peer-to-peer (P2P) applications installed.
8.5% had a missing 3rd party desktop agent.
2.6% had unprotected shared folders.
2.2% had unauthorized remote control software.
2% had missing Microsoft service packs.
Without application awareness, both perimeter and defensive island systems were easily defeated. For example, SQL Slammer was able to enter organizations quickly because:
Firewalls and anti-virus solutions that rely on signatures didn't view the traffic as a threat.
Often, SQL Slammer bypassed perimeter defenses and entered at the network edge through laptops and mobile devices whose traffic never traversed the firewall.
Like firewalls, without a signature to identify it, anti-virus software and most HIDS did not recognize it as a threat.
SQL Slammer was memory resident. Most anti-virus software completely missed it because their scanning engines are often focused on detecting exploits written to disk drives.
Within minutes of an initial SQL Slammer infection, nearly all vulnerable computers on the inside of the network were compromised. Depending on the number of infected devices, this often resulted in massive denial of service on the internal LAN. Furthermore, newer types of attacks are designed not to make "noise" in order to stay undetected.
Product Substitute Availability
Firewalls are a necessary security control for policy enforcement at any network trust boundary, but changing business and threat conditions are putting pressure on growth in the firewall market. Enterprises are redesigning their demilitarized zones (DMZs) to react to the business realities of how staff and customers connect, which drives firewall demand up. However, the increasing requirement for network defense against more-complex threats has increased the deployment of network intrusion prevention, and driven vendors to provide products that support complex deployments and rule sets that mix traditional port/protocol firewall defense with deep-packet inspection intrusion prevention.
At one point in time, Cisco had the best firewall on the market. As the years passed, competitors of all sizes were vying for Cisco's market share. Vendors, such as Juniper, Checkpoint, McAfee and others, have challenged and even taken market share from Cisco. In the Gartner's 2008 magic quadrant, only two vendors are residing in the upper right hand "leaders" quadrant - Juniper and Checkpoint.
In the latest Gartner report, dated 12 October 2009, large enterprises will be replacing stateful firewalls with the Next Generation firewalls during the natural lifecycle replacement. And there are very few vendors that have upgraded their respective product lines to reflect the new attack vectors. Gartner believes that the changing threat conditions and changing business and IT processes will drive network security managers to look for NGFW capabilities at their next firewall/IPS refresh cycle. The key to successful market penetration by NGFW vendors will be to demonstrate first-generation firewall and IPS features that match current first-generation capabilities while including NGFW capabilities at the same or only slightly higher price points.