Conclusion I reached after 3,200 individual malware removals.

Discussion in 'other anti-virus software' started by Mayahana, Nov 12, 2014.

  1. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Bit Defender's new "Box" coming out will likely swipe up a ton of things like the Kaspersky/ZyXEL one. Mostly because it's examining at the packet level, and dropping compromised packets based on known trojan signatures within the packets. This is pretty advanced stuff, needed in today's environment IMO.
     
  2. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I had the same thought as FleischmannTV. It reminded me of Is it time to Fire your network protection vendor?:
     
  3. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    This is total nonsense. I know of no vendor that would ever use such a stupid technique to try and scare people, and if you have evidence any have done this please provide it. Fortinet invests an amazing amount of man hours into keeping their IPS signatures up to date for emerging threats. I know, I worked with them for 48 hours straight with only a few hours of sleep on the BASH incident. Once the signatures were deployed the amount of BASH incidents defeated as they were coming in was pretty remarkable. I still see between 5-100 Heartbleed attacks on the average network every day.

    You don't need to trick companies to invest in UTMs, they aren't overly expensive anymore, and provide a very significant level of protection. The article points to 50 of 6000 threats logged being capable of executing on a machine, well that's 50 potential exploits removed from the picture, so why the complaint? My UTM blocks nearly 100,000 attacks/viruses/injections/exploits a week, even at 1% reduction in attack surface I view that as a success. 1% spread over a company with hundreds, even thousands of computers is significant.
     
  4. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
  5. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Focus had 528 injections/exploits/viruses blocked in the first day, even by modest standards, 1% 'potential' of execution/success would mean that around 5-6 of those had any potential to cause harm to his system. I don't find that insignificant at all for a fairly low investment with some guarantees at the front end of the network.
     
  6. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Gotcha. Also I agree keeping everything absolutely up to date is a first, and effective line of defense. It's not uncommon to find fully compromised systems running 2 year old Java Clients, no question about that. The more advanced, even state sponsored threats seem to be less reliant on unpatched systems or known vulnerabilities. One of Reign's vectors was supposedly Yahoo Messenger, an unpatched hole that went undiscovered for years. That's where I think a UTM also assists in mitigation, especially a stream-inspection (flow) one like Kaspersky UTM as it can find traces of attacks within normal packets.
     
  7. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    You mean Regin, right?
     
  8. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Typo.

    Here's a capture of the intrusion log this week from a fairly small company with about 30 clients. We installed a Fortigate 80D because they were getting hacked, and their desktops were being compromised. The logs affirm the fact that their network is at least getting some activity. There are some pretty significant threats logged.
     

  9. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Thanks :).

    Are there any zero-day attacks on those desktops?
     
  10. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    I've found a few over the last week. Fortigates running 5.2.1ROS will IP ban desktops it detects that are infected, so I've had to do a lot of remediation while deploying this device due to the banned IPs. Most of those on that list are remote attacks. Some of the IPs trace to the Ukraine, interestingly. I usually toss the zero-days on honeypots, then re-check a few days later. Fortigates aren't as good with zero-day as ZyXEL; Kaspersky has masterfully crafted malware detection through deep packet analysis in realtime. Fortigates rely on raw signatures, and with that - raw horsepower required to handle that work, and a lot of manpower to keep everything up to date. Part of the reason they have a free client is to assist in discovery and analysis of threats, not just integration into the appliance. Fortigate has pretty good URL/HTTP scanning in my opinion though, and great application/IP/URL types of controls for companies. Forticloud is almost exclusively for monitoring/reviewing. We pump everything here through our Fortianalyzer for granular observation, and the Fortimanager to push updates, and make surface adjustments.

    I tend to prefer Kaspersky's method, since it can pull threats out from within packets, and can deal with stream/quantum injections quite handily. But it does generate a lot of alerts because of this, and has a high degree of granularity.
     
  11. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    @Mayahana: sorry, I meant zero-day attacks using exploits.
     
  12. 142395

    142395 Guest

    Sooner or later IoT will be everything around us, so UTM or such protection mechanisms (e.g. scanner & IPS on router) will become more popular as Mayahana says, and it's always better to be ahead of the times.
    However, in the current situation, UTM is not necessary for most home users as long as he/she follows best practices.
    0-day exploits are quite rare in common mass-attacks; in fact some recent 0-day attacks for IE or for Flash originally only occurred in targeted attacks, but later other criminals started to copy the attack and made some victims. IOW, if a user were careful enough and paid attention to that news, he/she could avoid those because effective mitigations were announced before official patching.
    I can say it's difficult to get infected if you keep up-to-date, only download truly reputable software from a reputable source and check the signature, be extremely careful with freeware and always choose 'custom install' or so, always check the news, and so on... yes, even if your AV was MSE, still it's very difficult and I know many people who use MSE and never get infected (of course they sometimes take a 2nd opinion scan).
    I want to point out that if you put an IPS on the network perimeter, it's not uncommon that it gets a lot of 'attacks'. Those may even include common port scanning attempts or such. Most of them are actually not harmful, and thus can be regarded as noise. Yeah, even the TrendMicro CEO admitted that those noise alerts actually reduce security and the Target (company name) incident was due to that, so now they started to take human psychology into account, reduce alerts and only warn about the really important ones.
    Even in the actually harmful exploit case, most of them will be prevented by just patching.
    Also, I saw a post about a detection for SecureAPlus but it's a FP. POODLE detections also can be regarded as FPs (there's no actual POODLE attack reported so far). I suspect there're still other FPs.

    As to state-sponsored attacks, I highly doubt any UTM can detect that. I don't know any actual case of that. Most such attacks stay undetected for several years, and while deploying UTM is common in the business world, targeted attacks often bypass it.
    But anyway the possibility that a common user gets involved in such an attack is extremely low, unless you have a valid reason. Regin seems to be a somewhat large campaign, but still the number of infections Symantec could find is below a hundred, while they protect hundreds of thousands of machines.

    Don't misunderstand, I'm not saying UTM is not good. Actually I'm thinking of adding it as another layer of protection, but I have to say if a user keeps best practices, it's not necessary currently. IOW, such best practices should be the first.
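    To make the noise-versus-signal point concrete, here is a small Python triage pass over IPS alerts. It is an added example, not code from the thread or from any vendor: the key=value log layout, the signature names, the LAN range 192.0.2.0/24 and the "noise" rule are all constructed assumptions, chosen to separate recon chatter and low-severity drops from the few events a human should actually look at (blocked high-severity exploit attempts, and anything sourced from an internal host or merely detected rather than dropped).

```python
"""Triage perimeter IPS alerts: noise vs. blocked exploits vs. events to investigate.

Added example. Log format, signature names and thresholds are constructed,
not any vendor's real format or ruleset.
"""
import ipaddress
import re
from collections import Counter

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
LAN = ipaddress.ip_network("192.0.2.0/24")            # assumption: the office LAN
NOISE_WORDS = ("scan", "probe", "sweep", "fallback")  # assumption: recon / downgrade chatter

# Constructed sample resembling a week of a small office's IPS log.
SAMPLE_LOG = """\
severity=low action=dropped attack="TCP.Port.Scan" src=203.0.113.5 dst=192.0.2.10
severity=low action=dropped attack="TCP.Port.Scan" src=203.0.113.5 dst=192.0.2.11
severity=low action=dropped attack="TCP.Port.Scan" src=203.0.113.7 dst=192.0.2.10
severity=info action=detected attack="SSLv3.Fallback" src=192.0.2.22 dst=198.51.100.9
severity=critical action=dropped attack="Shellshock.RCE.Attempt" src=203.0.113.40 dst=192.0.2.10
severity=high action=dropped attack="Heartbleed.Memory.Leak" src=203.0.113.41 dst=192.0.2.10
severity=high action=detected attack="Java.Exploit.Kit.Download" src=192.0.2.15 dst=198.51.100.77
"""


def parse_line(line):
    """Turn one key=value log line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(ev):
    """Return 'noise', 'investigate' or 'blocked_exploit' for one parsed event.

    noise: info/low severity or a recon/downgrade signature (counts inflate, risk does not).
    investigate: sourced from an internal host (possibly infected desktop) or only detected.
    blocked_exploit: a high/critical inbound attempt the sensor already dropped.
    """
    attack = ev["attack"].lower()
    if ev["severity"] in ("info", "low") or any(w in attack for w in NOISE_WORDS):
        return "noise"
    if ipaddress.ip_address(ev["src"]) in LAN or ev["action"] != "dropped":
        return "investigate"
    return "blocked_exploit"


def triage(log_text):
    """Summarise a log: total, per-class counts, and the (src, attack) pairs worth a human's time."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    labelled = [(classify(e), e) for e in events]
    counts = Counter(label for label, _ in labelled)
    todo = [(e["src"], e["attack"]) for label, e in labelled if label == "investigate"]
    return {"total": len(events), "counts": dict(counts), "investigate": todo}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the constructed sample, seven "attacks" reduce to four noise events, two blocked exploit attempts and one internal host that merits a look.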
     
  13. focus

    focus Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    503
    Location:
    USA
    I agree, these statistics do reveal the need for this kind of protection, even for the home user. You would think that your ISP would filter out this kind of garbage but it doesn't appear to be happening. I have been sensing the need for a stronger form of protection for my home/home office for the past year or so. Reading about home router fails, SSL fails, heavy duty intrusions into large organizations, this kind of thing, is what really led me to purchase the ZyXel UTM product.

    This is really a personal choice. I do follow "best practices" and keep everything up to date as possible on my systems, AV, AE, active firewall monitoring, Sandboxie, most of the essential (IMO) stuff. Offline storage of my backups (truthfully I am not as good about this as I should be) in case the entire system gets locked up by ransomware. But just the thought of someone "cracking" into my system and getting a look at my locally stored password manager when it is open, for instance, is quite troubling. So I added this new layer of protection, the ZyXel, and I do feel more secure, more protected.

    The last thing I ever wish to do is spread FUD. Even though I personally feel that the threat environment, even for the home user, is expanding exponentially, and a device like the ZyXel can reduce the threat, it is still a personal decision, kind of like whether to use an AV or not.
     
  14. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    226

    Would our new Zyxel USGs catch some of the same? o_O I know they only use "high use" IDS definitions in their Zyxel feed. I don't have an infected machine behind my USG and Sophos UTM in bridge so I don't ever see these.
     
  15. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    Infected machines are one thing. But USGs would catch them, and have. I've got many snags on Poodle for example.
     
  16. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I agree, a UTM for the home seems like overkill to me. But it also depends on how many devices you need to protect.

    I also do not understand why these UTMs seem to block so many things? But I think Mayahana is employing UTMs in business environments, then it does make sense.
     
  17. Mayahana

    Mayahana Banned

    Joined:
    Sep 13, 2014
    Posts:
    2,220
    It's really a necessity in the business environment. But with blended threats, targeting a wide array of home appliances/products/devices, it's going to become very important for homes to deploy them. As time goes on, and more devices go live, with more varied OSes and architectures, ranging from smart TVs, DVRs, streaming boxes, phones, tablets, desktops, laptops, smart appliances, smart security systems, etc. To protect them all with individual software packages gets difficult, if not impossible in some cases, and expensive in others. So a UTM to cover the bases is probably going to be commonplace in the next few years in the home environment.
     
  18. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,795
    If you don't mind me chiming in, my personal take is that for click-happy and high-risk home users, they can't be helped. Well, at least not without me getting frustrated.

    The ones that I have encountered mostly ignore the warnings (they don't understand or they think it's an error) and disable their AV or take it out of the quarantine when they "need" to run that "useful program"...usually sketchy and dubious codec installer, mp3/video downloaders, etc etc. No amount of detection (regardless of whether it's through heuristics or reputation) can stop them from getting what they want.

    On the other hand, there are non-techies who practice safer computing habits and yet survive just fine regardless of whichever AV is installed. PUP is a pretty normal occurrence for this crowd but things could have been worse.
     
  19. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Don't give them a choice, password lock all security programs and use automatic actions.
     