Even a layered approach may fail to block exploits

by CXOtoday News Desk    May 27, 2013


Until now, security experts believed a layered approach to cyber security to be the most effective way to prevent attacks. However, a new report by NSS Labs suggests that this approach to security has in most cases failed to block exploits.

In a test where typical defense technologies were layered in various combinations, only 3 per cent of unique combinations managed to detect all the exploits used, according to the report, which tested the security effectiveness of next-generation firewalls, intrusion prevention systems, and endpoint protection. The group tests included 37 security products from 24 different vendors and 1,711 exploits.

“The results present a serious challenge to the information security industry as they allow an attacker to bypass several layers of defense using only a small set of exploits,” said Stefan Frei, Research Director at NSS Labs and principal author of the report, in a statement.

Though the best practices in layered security cannot be completely ruled out, enterprises need to be careful about the security vendor and also ‘the choice of protection technologies to be combined.’
-Stefan Frei, Research Director at NSS Labs

Frei further observed that the number of exploits that managed to dodge multiple security products, and the number of security products that were unable to block the exploits, are significantly higher than generally expected. As a result, security professionals run the risk of overestimating the security benefits of deploying multiple protection technologies.

Whether the deployment uses multiple products within one security category, as with intrusion prevention systems, or multiple products across categories, such as antivirus running on an endpoint alongside a next-generation firewall, these methods of deployment may not always provide adequate security, according to Frei.

Frei concluded that though the best practices in layered security cannot be completely ruled out, enterprises need to be careful about their ‘choice of security vendor’ and also ‘the choice of protection technologies to be combined’ so that the combination results in security gains.