NSS Labs has published an interesting analysis of how detection failures are correlated across different IT security products, titled “Correlation of Detection Failures”. It is worth reading for anyone trying to improve the security effectiveness of their network.
Some key findings:
- There is only limited breach prevention available. Not one of the 37 tested security devices managed to detect all of the exploits, and only 3% of the 606 unique security product combinations were able to detect all of the exploits.
- The significant correlation of detection failures across a wide range of security devices particularly undermines the layered security approach, since enterprises tend to overestimate the protection gained by combining multiple technologies.
- The number of exploits that were able to bypass multiple security devices, as well as the number of security devices bypassed by those exploits, is significantly higher than risk models that ignore correlation predict.
- No combination of two security devices in the NGFW 2012 group test would detect all exploits.
NSS Labs therefore recommends:
- Enterprises should focus on the effectiveness of specific combinations of devices at blocking specific exploits rather than simply layering randomly in the hope that multiple devices equal higher protection.
- Organizations should assume they are already breached. Prevention should be paired with both breach detection and security information and event management (SIEM) to enable the prompt detection of successful security breaches.
- Security professionals should take into account the effects of correlation when modeling risk. Naïve risk models that ignore correlation of detection failures are severely underestimating the risk of successful compromise.
- Enterprises should prioritize patch management programs to minimize the effects of correlated failures across multiple security devices.
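To make the correlation point concrete (the third finding above and the third recommendation), here is an added worked example, not from the NSS Labs report and not using its data: a constructed detection matrix for three hypothetical devices (dev_A, dev_B, dev_C) and ten hypothetical exploits. It compares the joint miss rate a naive risk model predicts by multiplying the individual miss rates (independent failures) with the joint miss rate actually observed when the misses overlap, and ranks specific device combinations by observed effectiveness rather than by layer count.

```python
"""Why naive risk models under-count detection failures.

Added worked example, not part of the NSS Labs report: a constructed
detection matrix for hypothetical devices and exploits, used to compare
the joint miss rate predicted by a model that assumes independent
failures with the joint miss rate actually observed when failures are
correlated.
"""
from itertools import combinations
from math import prod
from typing import Dict, List, Sequence, Tuple

# Constructed data (hypothetical devices and exploits): one row per device,
# one bool per exploit (index 0..9). True = detected, False = missed.
# dev_A and dev_B miss exactly the same three exploits (fully correlated,
# e.g. a shared signature engine); dev_C's misses overlap theirs only on
# exploit 6, which no combination catches.
DETECTIONS: Dict[str, List[bool]] = {
    "dev_A": [True, True, True, True, True, False, False, False, True, True],
    "dev_B": [True, True, True, True, True, False, False, False, True, True],
    "dev_C": [True, False, True, True, True, True, False, True, True, False],
}
N_EXPLOITS = len(DETECTIONS["dev_A"])


def miss_rate(device: str) -> float:
    """Fraction of exploits this single device failed to detect."""
    return DETECTIONS[device].count(False) / N_EXPLOITS


def independent_joint_miss(devices: Sequence[str]) -> float:
    """Joint miss rate predicted by a naive model that treats device
    failures as independent: the product of the individual miss rates."""
    return prod(miss_rate(d) for d in devices)


def exploits_evading_all(devices: Sequence[str]) -> List[int]:
    """Indices of exploits that every device in the combination missed."""
    return [i for i in range(N_EXPLOITS)
            if not any(DETECTIONS[d][i] for d in devices)]


def observed_joint_miss(devices: Sequence[str]) -> float:
    """Joint miss rate actually observed: fraction of exploits that
    bypass every device in the combination."""
    return len(exploits_evading_all(devices)) / N_EXPLOITS


def correlation_penalty(devices: Sequence[str]) -> float:
    """Ratio of observed to predicted joint miss rate. 1.0 means the
    independence assumption held; larger values mean correlated failures
    made the layered defence weaker than the naive model claimed."""
    predicted = independent_joint_miss(devices)
    return observed_joint_miss(devices) / predicted if predicted else float("inf")


def best_combination(size: int) -> Tuple[Tuple[str, ...], float]:
    """Combination of `size` devices with the lowest observed joint miss
    rate (ties broken by name), i.e. evaluate specific combinations
    against specific exploits instead of assuming more layers are better."""
    ranked = sorted((observed_joint_miss(c), c)
                    for c in combinations(sorted(DETECTIONS), size))
    miss, combo = ranked[0]
    return combo, miss


if __name__ == "__main__":
    for combo in (("dev_A", "dev_B"), ("dev_A", "dev_C"),
                  ("dev_A", "dev_B", "dev_C")):
        print(f"{'+'.join(combo):20s} "
              f"predicted(independent)={independent_joint_miss(combo):.3f} "
              f"observed={observed_joint_miss(combo):.3f} "
              f"x{correlation_penalty(combo):.1f} "
              f"evading={exploits_evading_all(combo)}")
    print("best pair:", best_combination(2))
```

With this constructed data every device misses 30% of the exploits, so the naive model rates any pair at a 9% joint miss and the full stack at 2.7%. Stacking dev_A on dev_B observably misses 30% (the second device adds nothing), while dev_A plus dev_C misses 10%; the ranking picks the latter. Even the three-device stack still leaks exploit 6, which is the situation the fourth finding describes.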