Mining the alphabet soup for what matters part 2

On a theoretical level, it’s pretty easy to understand the value that WatchGuard’s layered UTM solutions provide, but analytical, scientific-minded people require quantifiable proof before they believe in any theory. Fortunately, NSS Labs, one of the world’s leading independent security product testing laboratories, has recently released a new threat warning service and testing methodology that proves the value of layered UTM security.

NSS Labs’ Cyber Advanced Warning System (CAWS)  enables vendors and end-users alike to view how effectively a variety of network security solutions are blocking real-time security threats. The system enables subscribers to view the efficacy of different solutions operating under different profiles: the base profile only enables specific so-called NGFW features as defined earlier in this blog, as well as the advanced profile, where a vendor can enable value-added UTM services such as I described in the example above, and which we provide at WatchGuard.

WatchGuard has actively participated in the CAWS service for the past few months, and it not only has helped us increase our security efficacy, but has also provided a very quantifiably measure of why UTM defenses works. Here’s a chart showing WatchGuard’s “block rate” results for about a month of new CAWS attacks:

Figure 1: Image courtesy of NSS Labs CAWS system

In the chart above, the lower, orange line represents a traditional NGFW, that primarily only uses IPS to catch threats. However, the upper, muddy-yellow line represents our product using the full UTM feature set, which includes antimalware services like GAV and APT Blocker, as well as all our URL filtering services.

What’s important to note is the drop in our IPS only block rate during January 31^st. While there could be a few reasons for this, it’s typically indicative of a new attack that our IPS didn’t catch. So why would I highlight this IPS miss? Well, looks at the yellow, UTM line… its block rate stays relatively high, despite the fact that IPS might have temporarily missed something new. Whether or not our daily IPS efficacy goes up or down, our full UTM defenses still catch well over 90% of the new threats each day, this further reinforces the importance of a layered approach to security as dips in IPS efficacy is not unique to WatchGuard.

Some have claimed, defense-in-depth, or layered security is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations get compromised despite some defenses. However, I believe layered security is still the most effective way to prevent the majority of attacks. Breaches will still happen because no defense is infallible, but WatchGuard’s NSS Labs’ CAWS testing proves that having the layered security of a UTM appliance increases your overall security efficacy, and can even successfully block an attack when one layer of security misses. — Corey Nachreiner, CISSP (@SecAdept)