Real Data Does Not Lie - Existing Security Controls Are Failing

On April 15th, we participated in a very successful webinar with Dark Reading entitled “Why Bad Security Breaches Keep Happening To Good Organizations”. During the back and forth between the two speakers, we took a poll of the attendees, asking them the following question:

Which applications do you think are currently running in your organization’s IT environment? Attendees were able to select all that applied and the results of a total of 181 votes showed the following:
P2P 43.6% (79)
Google apps 73.5% (133)
Anonymizers/proxies 33.7% (61)
Unauthorized IM 56.4% (102)
Encrypted tunneling apps (e.g. TOR)Â 43.6% (79)

In this case, the poll is a valuable tool to keep audience members engaged but often times they do not show all the data or tell the entire story.

Here’s why I say this. Our recently published Application Usage and Risk Report analyzed application traffic on more than 60 customer networks and the findings show very different numbers.
P2P 92%
Google apps 81%
Anonymizers/proxies 81%
Unauthorized IM 97% (to be fair, we did not ask if the use of IM is approved or not).
Encrypted tunneling apps (e.g. TOR) 11%

Real data always tells a more complete story. And what this report tells us is that enterprises collectively spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products – yet the data shows that these products are unable to control the application traffic traversing the network. Here’s some of the key findings to support that conclusion.

* Applications are designed for accessibility. More than half of the nearly 500 unique applications found are “firewall friendly” in that they can hop from port to port, use port 80 or port 443 as a means of simplifying end-user access.
* Users are actively circumventing security controls. Employees are going to the extreme measure of using external proxies (typically not endorsed by corporate IT), remote desktop access and encrypted tunnel applications to do what they want on the network.
* File sharing usage is rampant. Despite the known risks, employee use of P2P is rampant and browser-based file sharing has effectively doubled in use over the last 12 months.

What else did we find? We found more than 111 collaborative applications – social networking, email, webmail, IM, blogging – you name it we found it. Many of these applications are beneficial. David Smith, from Gartner comments in this SC Magazine article that “some applications enable users to more easily do their job”. Absolutely true. No question about it. But when employees use them without IT oversight and the associated security, then the company is exposed to unnecessary business and security risks. Bill Brenner from CSO Magazine summarizes some of the risks in his article about the 4 Reasons Botnets are Hard to Fight.

You get the picture. I encourage you to read the executive summary, download the report or listen to a 10 minute overview here.

Check it out. Post a comment. The data does not lie.