NSS Labs research reveals that only 3% of security product combinations successfully blocked 1,711 known exploits in first empirical testing of layered security defenses

AUSTIN, Texas – May 23, 2013 − NSS Labs today released new research showing that the common security strategy of “defense in depth” – layering multiple security products within a single security category (such as intrusion prevention from two different vendors) or even across multiple categories (intrusion prevention systems plus next generation firewalls, for example) – doesn’t always provide the level of protection most enterprises expect. NSS’ findings raise fundamental questions about the performance and value layered security products deliver for CIOs and CISOs concerned with cost and complexity in addition to the risk of compromise and data breaches.

In the past 18 months, NSS Labs tested the security effectiveness of typical defense technologies such as next generation firewall (NGFW), intrusion prevention systems (IPS), and end point protection suites (EPP – also known as antivirus/malware detection) and found that there are significant correlations in their failure to block against known exploits. While layered security remains a best practice in principle, NSS research reveals that the real key to effective protection lies in an organization’s choice of protection technologies to combine and documents wide variances in the security effectiveness of different product combinations.

NSS research found the following key conclusions:

• There is only limited breach prevention available: NSS looked at 606 unique combinations of security product pairs (IPS + NGFW, IPS + IPS, etc.) and only 19 combinations (3 percent) were able to successfully detect ALL exploits used in testing. This correlation of detection failures shows that attackers can easily bypass several layers of security using only a small set of exploits. Most organizations should assume they are already breached and pair preventative technologies with both breach detection and security information and event management (SIEM) solutions.
• Security performance varies greatly between both individual products and specific product combination: While the joint failure rate for all combinations of security device pairs was lower than the failure rate of any single device, the choice of which products were combined made a significant difference. The best combination of two IPS devices, for example, detected all but 2 exploits, while the worst combination failed to detect 61 exploits. Only NSS can provide clients in-depth insight into how effective any specific combination of layered security devices will be.
• Enterprises often overestimate the security effectiveness of layered security deployments: Because vendors often use the same sources of threat intelligence and vulnerability research feeds, competing products will, more often than not, have the same deficiencies in coverage. However, until now the degree to which protection – and gaps – from leading products across categories overlapped had not been verifiably researched through empirical testing.
• Exploits defeating the most layered security product combinations target prevalent and relevant software, not niche products: The exploits that bypass the most systems target almost exclusively software from mainstream software vendors enterprises and individuals rely on. For example, none of the 33 network security devices (NGFW and IPS) tested successfully detected all exploits against Microsoft products and only 5 of the 33 successfully detected all exploits against Apple products. Enterprises should prioritize patch management programs to help minimize the effects of correlation of failure across multiple security devices.

Commentary:

“Security professionals have long believed that deploying ‘defense in depth’ in any product combination uniformly improves protection by default – but our latest research shatters this traditional assumption and we were surprised to find that a mere 3% of the 606 unique security product combinations tested were able to detect all exploits,” said Stefan Frei, Research Director at NSS Labs. “To derive real value from layered security – offsetting the assumed cost and complexity – it’s imperative for organizations to carefully compare their assets and an array of products’ performance in our tests, in order to tailor their security layers for optimal protection. Ignoring this correlation leads to an overestimation of the security effect of combining multiple protection technologies by orders of magnitude.”

The NSS Group Tests used for this analysis include:

• 2013 NSS Group Test for End Point Protection – Corporate
• 2012 NSS Group Test for Next Generation Firewall
• 2012 NSS Group Test for Intrusion Prevention Systems
• 2013 NSS Group Test for Next Generation Firewall