A best practice for IT security has long been to deploy some form of gateway security, be it a firewall or an intrusion prevention system that is able to block potentially malicious traffic coming into or coming out of a network. But how does an organization know for sure if its security gateway is, in fact, stopping all the bad traffic?
Seculert’s Javelin technology is a new tool designed to help organizations find gaps in their gateway security.
“Instead of just providing visibility to customers who upload their logs to us, we thought it would be interesting if everyone could understand if their own gateway is allowing malicious communications to go out,” Aviv Raff, CTO and co-founder of Seculert, told eWEEK.
The idea to build a tool that can “understand” the status of gateway security was inspired by research that Seculert released in February showing a lack of visibility into outgoing malicious communications. The Seculert study looked at a subset of data from its 1.5 million users, examining the performance of devices from Palo Alto Networks, Blue Coat, Websense, Zscaler, FortiGate and Barracuda, among others. The study found that 40 percent of malicious communication attempts were successful and were not intercepted by organizations’ Web gateways.
The new Seculert Javelin technology simulates how attacker tools are able to get malicious communications out of an organization to some form of command-and-control node, Raff said. The goal of the Javelin tool is to demonstrate how an organization’s own Web gateway will respond to the simulated attack attempt to send data out to a potentially malicious host.
“It’s a pure Web-based experience. The simulation runs the malware behavior communication to the command-and-control node,” Raff explained.
The entire simulation can be conducted in under two minutes, giving an organization a rapid answer about its Web gateway’s security posture.
Blocking outbound traffic that attempts to connect to a malicious host is something many Web gateway technologies aim to do by default, using lists of known bad IP addresses. Javelin goes beyond known bad IPs and makes use of intelligence that Seculert has about attacks, Raff said.
“Our analytics platform is behavior based, so we might identify something that no one else in the industry has yet,” Raff said. “We cherry-pick those kinds of attacks, which is why this is more powerful than just relying on known lists of bad addresses.”
To test the performance of Web security gateways, the Javelin simulation attempts to connect to hosts that Seculert has identified as malicious. While Javelin attempts to connect to the malicious locations, the tool is not exposing the organization to real risk, Raff said.
“Javelin is communicating to bad places, but the idea is if you already have infected devices within your network, they’re already communicating with those places,” Raff said. “We’re doing the communication in a safe manner that does not try to send any data or download any data from the bad places.”
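The probe described above, as an added example that is not Seculert's code and not the Javelin implementation: it issues an HTTP HEAD request to each candidate host, which carries no request body and returns no response body, so nothing is uploaded to or downloaded from the destination, and it classifies each outcome as blocked at the network layer, blocked by the gateway, or allowed (a gap). The outcome labels, the `X-Gateway-Block` header used to recognise a block page, and the local stub servers standing in for a reachable command-and-control host and for a gateway's block response are all assumptions made so the example runs offline; a real gateway's block response will differ and the classifier should be adapted to it.

```python
"""
Added example (not Seculert's code): a minimal egress-filtering probe in the
spirit of the Javelin test. It attempts an HTTP HEAD to each candidate host and
classifies the outcome, without uploading or downloading any content.
"""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Outcome labels (assumed, not the product's terminology)
BLOCKED_NETWORK = "blocked_network"   # no TCP connection or no HTTP answer
BLOCKED_GATEWAY = "blocked_gateway"   # gateway answered with a block response
ALLOWED = "allowed"                   # the destination itself answered: a gap

# Header a hypothetical gateway adds to its block page (an assumption; real
# products differ, so adapt this to the gateway under test).
GATEWAY_BLOCK_HEADER = "X-Gateway-Block"


def probe_host(host, port=80, timeout=3.0):
    """HEAD / on host:port and classify the result. HEAD carries no request
    body and the response has no body, so nothing is exfiltrated or fetched."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        status = resp.status
        blocked_hdr = resp.getheader(GATEWAY_BLOCK_HEADER)
    except (OSError, http.client.HTTPException):
        # refused, reset, timed out or garbled: the connection never reached
        # an HTTP speaker, so something on the path dropped it
        return {"host": host, "port": port, "result": BLOCKED_NETWORK, "status": None}
    finally:
        conn.close()
    if status in (403, 451) or blocked_hdr is not None:
        result = BLOCKED_GATEWAY
    else:
        result = ALLOWED   # any other answer came from the destination itself
    return {"host": host, "port": port, "result": result, "status": status}


def run_egress_check(targets, timeout=3.0):
    """targets: iterable of (host, port). Returns per-target results plus the
    share that got through, comparable to the article's '40 percent' figure."""
    results = [probe_host(h, p, timeout) for h, p in targets]
    allowed = sum(1 for r in results if r["result"] == ALLOWED)
    return {"results": results, "gap_ratio": allowed / len(results) if results else 0.0}


def start_stub_server(status, extra_headers=None):
    """Constructed local stand-in for either an unfiltered destination
    (status 200) or a gateway block response (403 plus the block header).
    Returns (server, port); call server.shutdown() when done."""
    extra_headers = extra_headers or {}

    class Handler(BaseHTTPRequestHandler):
        def do_HEAD(self):
            self.send_response(status)
            for k, v in extra_headers.items():
                self.send_header(k, v)
            self.end_headers()

        def log_message(self, *args):  # keep the example quiet
            pass

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def closed_port():
    """A localhost port nothing listens on, emulating a dropped connection."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_srv, open_port = start_stub_server(200)
    block_srv, block_port = start_stub_server(403, {GATEWAY_BLOCK_HEADER: "policy"})
    report = run_egress_check([
        ("127.0.0.1", open_port),      # stands in for a reachable C2 host
        ("127.0.0.1", block_port),     # stands in for the gateway's block page
        ("127.0.0.1", closed_port()),  # stands in for a dropped connection
    ])
    for r in report["results"]:
        print(f"{r['host']}:{r['port']} -> {r['result']} (HTTP {r['status']})")
    print(f"gap ratio: {report['gap_ratio']:.0%}")
    open_srv.shutdown()
    block_srv.shutdown()
```

Against a real gateway the target list would be the threat-intelligence hosts rather than local stubs, and every `allowed` line is a host the gateway should have intercepted; the distinction between `blocked_network` and `blocked_gateway` tells you whether the block came from a connection drop or from a policy response, which matters when tuning the gateway rather than just scoring it.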
From a remediation perspective, once a Javelin test is complete, Raff explained, a customer can get a package from Seculert called proactive containment. “It’s a package that can help to proactively contain machines within an organization that might get infected and attempt to contact malicious command-and-control servers,” he said. “There will also be an API that will help to automatically update the Web gateway.”
Back in October 2015, Seculert launched its Executive Dashboard technology to provide high-level visibility into organizational security risks.
“Javelin is more of a way to help organizations to understand gaps in a Web gateway,” Raff said. “But if you want to find out if you have infected devices in your organization, we have log analysis technology that includes the Executive Dashboard.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.