Layered defenses largely fail to block exploits, says NSS

Security experts have long touted a layered approach to cyber security as the most effective way to thwart network intruders, but the strategy can be less effective than the industry would like organizations to believe, according to a report released this week by NSS Labs.

A comparison of cyber defense technologies -- next-generation firewall, intrusion prevention systems and endpoint protection -- shows a "significant correlation of failures to detect exploits," noted the study, authored by NSS Labs Research Director Stefan Frei.

"Such detection failures present a serious challenge to the security industry as they allow an attacker to bypass several layers of defense using only a small set of exploits," NSS reported.


When security products are layered, the expectation is that their combined effect provides a more effective shield than either product alone. NSS's research shows that layering can improve detection, but the size of the improvement varies widely depending on which products are combined.

In its study, NSS looked at 37 security products from 24 vendors and layered them in pairs, creating 606 unique combinations. Only three percent of those combinations were able to detect all of the 1,711 known exploits used in the test.

"Layered defense is still good to do," Frei said in an interview. "However, what we found was the products that you combine is of paramount importance. ...You need to really know what products to combine."

One pitfall to avoid with layered security is using products from the same vendor. That's because all of a single vendor's products are based on the same technology and security intelligence.

"Failure correlation between products from the same vendor is extremely high," Frei said. "If you want to benefit from layered security, you have to mix different products from different vendors."

The problem with introducing multiple vendors into an environment is you're also introducing additional complexity. "Naturally, the more complex it is, the more you have to understand your environment," McAfee Executive Vice President and CTO Michael Fey said in an interview.

For example, you need to know the detection methods used by the products you're layering so you don't duplicate them across the layers. "You're wasting your money if you use the same detection type multiple times," Fey said.

"If you're using something like blacklisting multiple times," he continued, "you're not getting anything for that extra effort."

"You have to make sure your layered model actually does diversify your defenses," he added.

Careful attention must also be paid to an individual vendor's technology, because not all vendors are created equal. "You have to be very careful to choose vendors that put the best intelligence into their products," Joe Stewart, director of malware research at Dell SecureWorks, said in an interview.

Shared threat intelligence plays a role in the dismal performance of many of the product combinations tested by NSS, according to the report.

There is a significant correlation of failures to detect exploits between security products. "This is because most vendors use the same sources of threat intelligence and the same vulnerability research feeds as each other, and this means that they will, more often than not, have the same deficiencies in their coverage," NSS reported.
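The pairwise analysis the article describes (layering products two at a time and asking how much the second layer really adds, and how often both products miss the same exploit) can be reproduced on a small scale. The following is an added example, not code from NSS Labs or from the article: it takes a constructed catalogue of 20 exploit IDs and three constructed products, two of which are modelled as sharing the same intelligence feed, then scores every pair by combined coverage and by a failure-correlation measure (the Jaccard overlap of their miss sets). Product names, detection results and the correlation metric are all assumptions made for the illustration.

```python
"""Added example (not from the NSS report or the article): scoring pairs of
security products by combined exploit coverage and by how correlated their
detection failures are. All product names and detection results below are
constructed sample data, not measurements of any real product."""
from itertools import combinations

N_EXPLOITS = 20  # constructed catalogue: exploit IDs 1..20

# Constructed detection results: the set of exploit IDs each product caught.
# "vendorA_fw" and "vendorA_ips" are modelled as sharing one intelligence
# feed, so they miss almost the same exploits; "vendorB_epp" misses a
# largely different set.
PRODUCTS = {
    "vendorA_fw":  set(range(1, 15)),             # misses 15..20
    "vendorA_ips": set(range(1, 14)) | {15},      # misses 14, 16..20
    "vendorB_epp": set(range(6, 18)) | {19, 20},  # misses 1..5, 18
}


def misses(detected, n_exploits=N_EXPLOITS):
    """Exploit IDs a product failed to detect."""
    return set(range(1, n_exploits + 1)) - detected


def coverage(detected, n_exploits=N_EXPLOITS):
    """Fraction of the catalogue a single product detects."""
    return len(detected) / n_exploits


def layered_coverage(a, b, n_exploits=N_EXPLOITS):
    """Fraction detected by at least one of two layered products."""
    return len(a | b) / n_exploits


def failure_correlation(a, b, n_exploits=N_EXPLOITS):
    """Jaccard overlap of the two miss sets: 1.0 means the products miss
    exactly the same exploits (the second layer adds nothing), 0.0 means
    no exploit slips past both."""
    miss_a, miss_b = misses(a, n_exploits), misses(b, n_exploits)
    union = miss_a | miss_b
    if not union:
        return 0.0
    return len(miss_a & miss_b) / len(union)


def vendor_of(name):
    """Vendor prefix of a constructed product name, e.g. 'vendorA_fw' -> 'vendorA'."""
    return name.split("_", 1)[0]


def rank_pairs(products=PRODUCTS, n_exploits=N_EXPLOITS):
    """Score every pair; best combined coverage first, lowest failure
    correlation breaking ties."""
    rows = []
    for (name_a, det_a), (name_b, det_b) in combinations(products.items(), 2):
        rows.append({
            "pair": (name_a, name_b),
            "same_vendor": vendor_of(name_a) == vendor_of(name_b),
            "best_single": max(coverage(det_a, n_exploits),
                               coverage(det_b, n_exploits)),
            "layered": layered_coverage(det_a, det_b, n_exploits),
            "failure_corr": failure_correlation(det_a, det_b, n_exploits),
        })
    return sorted(rows, key=lambda r: (-r["layered"], r["failure_corr"]))


def fully_covering_share(products=PRODUCTS, n_exploits=N_EXPLOITS):
    """Fraction of pairs that detect every exploit in the catalogue
    (the figure the article reports as three percent for NSS's test)."""
    rows = rank_pairs(products, n_exploits)
    return sum(r["layered"] == 1.0 for r in rows) / len(rows)


if __name__ == "__main__":
    for r in rank_pairs():
        gain = r["layered"] - r["best_single"]
        print(f"{r['pair'][0]:>12} + {r['pair'][1]:<12} "
              f"same_vendor={str(r['same_vendor']):5} "
              f"layered={r['layered']:.2f} gain={gain:+.2f} "
              f"failure_corr={r['failure_corr']:.2f}")
    print(f"pairs detecting all exploits: {fully_covering_share():.0%}")
```

On this constructed data the same-vendor pair lifts coverage from 0.70 to only 0.75 with a failure correlation of about 0.71, while either cross-vendor pair reaches 0.95 with a correlation near 0.09; no pair reaches full coverage. The point for a real evaluation is the metric, not the numbers: before buying a second layer, measure the overlap of the two products' miss sets on your own exploit corpus rather than assuming the layers are independent.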
