Large organizations continue to invest significant amounts of money in IT security initiatives despite the lagging worldwide economy, but most continue to struggle in preventing today's sophisticated electronic attacks, researchers contend.
In a recent report on the pervasiveness of online threats, and the inability of most organizations to sufficiently protect themselves against such risks, analysts with Enterprise Research Group said that continued investment in perimeter defensive mechanisms is not paying off.
Attackers are well aware of the types of systems being aligned to stop their online assaults and are showing little trouble in circumventing the tools, said ESG analyst Jon Oltsik in the report.
"Today's security portfolio of e-mail filers, security gateways, and endpoint security are only marginally effective in detecting, blocking, or remediating web threats," the analyst said. "This isn't a coincidence since the multi-faceted approach used by modern cyber-attacks takes advantage of the large gaps between all of these independent security tools."
In particular, the ability of attackers to trick end users into falling for social engineering schemes, specifically those carried out via legitimate sites including popular social networking platforms including Facebook and Twitter, is making it even harder for organizations to effectively protect their IT environments.
The dynamic nature of the web that has provided so many organizations with so much opportunity to expand their reach is also leaving them woefully at risk as attackers find new and highly effective ways to leverage the online ecosystem to pursue their criminal intentions, Oltsik said.
At the same time, so-called cloud-based security systems that use centrally located online intelligence and filtering capabilities to identify potential threats before they reach users do offer the potential for some relief from Web-based attacks, the expert contends.
Ultimately most organizations will need to avail themselves of both internal defensive solutions and such cloud-based services, according to the ESG paper. Users will also have to do a better job of helping to warn each other about emerging online threats if real progress is to be made, the researcher said.
"What's needed is a new type of layered defense architecture combining onsite security systems and cloud-based intelligence. Furthermore, users should help each other by banding together in a cloud-based 'community watch' as they share intelligence in a community of other users and security vendors," Oltsik writes. "This community-based 'network effect' may be the only way to address unprecedented web threat volume."
In fact, ultimately the pressure to find new ways to handle online risks may force organizations to do a far better job in creating top-down security strategies that address the entire spectrum of potential attacks, the expert said.
"Since web threats demand new types of defenses, smart CIOs and CISOs may be able to address web threats with an integrated 'defense-in-depth' architecture that combines multiple packet filtering technologies for web threats, viruses and DLP," Oltsik concludes. "This may also provide a perfect occasion to align malicious code defenses that block 'bad' traffic, networking technologies that accelerate 'good' traffic, and a solution that includes central management and advanced tools for network visibility."
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.