White Paper: Defense In Breadth

Evolving IT Security Strategies in a World of Growing Breadth. Because achieving 99% defense-in-depth for only 50% of the attack surface isn’t enough.

Defense-in-Breadth Whitepaper

Why protecting against 95% of Internet threats 50% of the time doesn’t cut it.

Re-Gain Visibility and Control. Everywhere.

The Expanding Attack Surface

IT teams’ goals have focused on 100% protection, but the reality is always less than 100%. Both the depth of the enforcement technologies and the breadth of the attack surface they cover determine a security solution’s efficacy.

Growing Threat and Vector Breadth.

Inbound attacks may occur primarily over popular email- or Web-based communication channels. But most outbound data leaks occur silently over ubiquitous, unprotected protocols and systems, such as tunneling via P2P (peer-to-peer) or DNS (domain name system) communications.

The data leak recipient is often not a centralized hacker-controlled server that can be easily blacklisted, but one of thousands of distributed infected devices that unknowingly participate in a botnet (see our botnet whitepaper for more details). These botnet hosts change by the minute, for the ultimate game of whack-a-mole.

Hackers sell do-it-yourself malware kits or rent out control of established botnets to less tech-savvy but more fiscally or politically motivated criminals. The impact of today’s threats has escalated from IT remediation time to more costly legal audit fees.

Growing Device and Network Breadth.

Organizations have increasingly nomadic workforces, and BYOD initiatives are not restricted to only mobile devices (e.g. tablets, phones). Roaming laptops (e.g. PCs, Macs) are accessing the Internet from outside the enterprise network perimeter ~50% of the time. Mobile devices are accessing the Internet via 3G/4G wireless connections that bypass the network perimeter ~90% of the time.

(Figure: threats, vectors, networks and devices, spanning roaming laptops, mobile tablets, mobile phones, stationary computers and stationary servers.)


In these situations, the Wi-Fi networks used to connect to the Internet have unknown security and hence cannot be trusted. A user’s home router may still have the default login set with remote access enabled. A hotel’s payment proxy server may not have the latest vulnerability patches installed.

There are many bad hosts distributing malware on the Internet. If these roaming laptops or mobile devices become infected, there is often no defense to stop them from re-entering the enterprise network perimeter, exposing internal network systems to what are now botnet-controlled devices.

Advancing Threats

Hackers and criminals attack, then security vendors and IT teams defend. This arms race is persistent and always advancing both the current threatscape and the enforcement technologies.

In the past, IT teams sought to improve their “defense-in-depth” strategy by layering defenses. First installing client-based software on endpoints. Then installing on-premises hardware on networks. First using routing rules via firewalls and filtering rules via Web or email gateways. Then content matching via Web or email proxies. And more advanced Web or email proxy functions (e.g. app controls, AV, DLP). Despite vendors’ various marketing claims of achieving 100% prevention, such defenses are always reactionary. It’s the nature of an arms race.

Many unbiased third parties in the security community cite that the signature and heuristic matching techniques used by enforcement technologies such as anti-virus (AV) have dropped below 50% efficacy. This shifts importance back to first-line-of-defense enforcement technologies, such as routing and filtering.

(Figure: enforcement technologies plotted against the attack surface, with app control, AV and DLP covering 1-5%.)


Existing Products Lack Network and Device Breadth.

The type and ownership of IT-approved devices is expanding rapidly. The IT team now wants to protect user-owned roaming computers running either Windows or Mac operating systems, and user-owned mobile devices running fundamentally new types of operating systems (e.g. iOS). Yet IT still must protect any IT-owned devices connected to the enterprise network.

• How many different products must be provisioned, deployed, set up and maintained to create the solution?

• How much extra effort is required to manage and report on all networks and devices?

Also, various mobile device manufacturers or wireless carriers restrict how apps and network settings can be used. This makes provisioning and setup difficult on any device.

• Will substituting the native Web browser app with a third-party app break other apps’ Web links?

Existing Products Lack Threat and Vector Protection.

On-Net, Internet-Wide Security

The most common solutions already in use rely on Web-based proxies. They offer a higher level of depth than breadth, because they are very dependent on the app, protocol or port used to communicate over the Internet. They may offer lots of controls for Web data and apps, but no controls over P2P, DNS or other non-Web traffic, which are commonly used by infected devices participating in a botnet. A Secure Cloud Gateway fills in the expanding gaps unaddressed by Web proxies (see our enterprise buyer guide for more details).

• Where are users and devices connecting via non-Web apps, protocols or ports?
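Added example, not code from the paper or from OpenDNS: a small Python detector that applies the reasoning of the two passages above (data leaks tunneled over DNS bypass Web proxies, and blacklisting individual botnet hosts cannot keep up), by scoring DNS query logs per client and registered domain for encoded-looking subdomains instead of matching known-bad names. The log lines, hosts, domain, two-label registered-domain rule and thresholds are constructed assumptions for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, one "timestamp client qname qtype" per line.
# Client 10.0.0.7 carries encoded data chunks as subdomains of one domain; the
# other clients make ordinary lookups. No host or name here is from the paper.
SAMPLE_LOG = """\
2012-06-01T10:00:01 10.0.0.5 www.example.com A
2012-06-01T10:00:02 10.0.0.5 mail.example.com A
2012-06-01T10:00:03 10.0.0.7 4a6f686e20446f65.t.exfil-demo.test TXT
2012-06-01T10:00:03 10.0.0.7 53616c6172792031.t.exfil-demo.test TXT
2012-06-01T10:00:04 10.0.0.7 32303132206d6f6e.t.exfil-demo.test TXT
2012-06-01T10:00:04 10.0.0.7 74682e204e6f7465.t.exfil-demo.test TXT
2012-06-01T10:00:05 10.0.0.7 7320616e64206d6f.t.exfil-demo.test TXT
2012-06-01T10:00:06 10.0.0.9 cdn.example.org A
"""

def shannon_entropy(s):
    """Bits per character; encoded payload chunks score higher than hostnames."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(qname):
    """Assumption: the last two labels are the registered domain (no PSL lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def find_tunneling(log_text, min_unique=4, min_label_len=12, min_entropy=2.5):
    """Group queries by (client, registered domain) and flag groups whose leftmost
    labels look like encoded data: many unique, long, high-entropy labels."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, _qtype = parts
        groups[(client, registered_domain(qname))].add(qname.split(".")[0])
    flagged = {}
    for key, labels in groups.items():
        mean_len = sum(len(l) for l in labels) / len(labels)
        mean_ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(labels) >= min_unique and mean_len >= min_label_len and mean_ent >= min_entropy:
            flagged[key] = {"unique": len(labels), "mean_len": round(mean_len, 1),
                            "mean_entropy": round(mean_ent, 2)}
    return flagged
```

Thresholds are deliberately conservative; on real resolver logs, tune them per domain volume and allow-list CDN and anti-spam services that legitimately use long, random-looking labels.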

Off-Net, Internet-Wide Security

For organizations embracing BYOD initiatives, the most common solution is Mobile Device Management (MDM). These solutions do enforce some mobile device-centric security policies (e.g. password enforcement, data wipes, app restrictions). But they do not provide Internet-wide protection, visibility and control for how the device’s data, apps and users communicate over the Internet. Also, many MDM solutions do not cover roaming, off-net laptops. MDM is a complement to Secure Cloud Gateways, but not an end-to-end solution (see our mobility buyer guide for more details).

• Do users choose the same login credentials for both personal (e.g. Gmail, Facebook) and corporate (e.g. SalesForce, Dropbox) accounts?

• Are users protected from logging into a phishing site using these account credentials via their mobile device? Does the MDM solution provide visibility and control over this?


Re-Gain Protection, Visibility and Control Everywhere

Learn about how Umbrella’s Secure Cloud Gateway fits within your evolving IT security strategy (see our everywhere solution overview).

(Figure, before: defense-in-breadth ~50% and app control, AV, DLP 1-5% across roaming laptops, mobile tablets, mobile phones, stationary computers and stationary servers; defense-in-depth 95-99%.)

(Figure, after: defense-in-breadth 95-99% across roaming laptops, mobile tablets, mobile phones, stationary computers and stationary servers; app control, AV, DLP 1-5%; defense-in-depth 90-95%.)


Umbrella is brought to you by OpenDNS. Trusted by millions around the world. The easiest way to prevent malware and phishing attacks, contain botnets, and make your Internet faster and more reliable.

OpenDNS, Inc. • www.umbrella.com • 1.877.811.2367

Copyright © 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information contained in this document is believed to be accurate and reliable; however, OpenDNS, Inc. assumes no responsibility for its use.

Umbrella-Defense-in-Depth-v0.1