Key findings from Palo Alto Networks Application Usage and Risk Report, December 2011 (Canada Only).
The slides provide insight into application activity, based on network application assessments that show what is really happening on corporate networks.
Palo Alto Networks Application Usage and Risk Report - Key Findings for Canada
1. Five Facts About Application Usage on
Canadian Enterprise Networks
Application Usage and Risk Report
December 2011
3. Average number of social networking
applications per organization?
A total of 58 different social networking applications were
found in 94% of the 49 participating organizations with an
average of 15 found in each network.
5. Which application is used more heavily?
Based on the percentage of social networking bandwidth
consumed in the 49 participating Canadian organizations,
Zynga games were used more heavily than LinkedIn.
6. Social networking is more active in Canada, with games, plugins and posting
used more heavily than they are globally. Organizations must balance
social networking application use with the associated risks – setting
appropriate enablement policies and, more importantly, educating users about what
those policies are.
8. Average number of browser-based
filesharing applications per organization?
A total of 36 different browser-based filesharing
applications were found in 86% of the 49 participating
organizations with an average of 10 in each.
9. Browser-based filesharing use cases: work or
entertainment. Both uses have a common set of business
and security risks that organizations must address.
11. The number of applications
using Port 80 (tcp/80) only?
The number of applications that ONLY use Port 80 is 187 or
27% of the 703 applications found in the participating
Canadian organizations.
13. Percentage of total bandwidth consumed
by applications not using tcp/80?
65% of the total bandwidth is being consumed by 282 (40%
of 703) applications that DO NOT USE port 80 at all. Ever.
14. Port 80 only security is shortsighted. The common
perception is that Port 80 (tcp/80) is where all the traffic and all
the problems are. A port 80 emphasis is an absolute
requirement; but too much focus is shortsighted.
16. Palo Alto Networks Application Usage
and Risk Report
www.paloaltonetworks.com/aur
Editor's Notes
The average number of social networking applications on each network observed is higher or lower than 12? Canada: The average number of social networking applications found in each organization is higher – an AVERAGE of 15 social networking applications per organization were found in 94% of the 49 Canadian organizations observed. In total, 58 DIFFERENT social networking applications were found in Canada. Globally: The average number of social networking applications found in each organization is higher – an AVERAGE of 16 social networking applications per organization were found. In total, 71 DIFFERENT social networking applications were found.
For comparison: Globally, Twitter usage (based on % of bandwidth consumed) is up 700% year over year. Reasons: Twitter is a news source; companies are using it as a communications vehicle; graphics and pictures are now supported by Twitter (added mid 2011). Social networking has become more active in a year over year comparison. Facebook applications, games, plugins and posting all show increases in volume of use as measured by percentage of social networking bandwidth. Organizations will need to balance the corporate use of social networking applications with the associated risks – setting appropriate enablement policies to allow “browsing” but limit posting to Marketing (for example). Scan all SN traffic for threats and EDUCATE users not to click so blindly and willingly.
The average number of browser-based applications on each network observed is higher or lower than 13? Canada: The average number of browser-based filesharing applications found in each organization is lower – an AVERAGE of 10 per organization were found across the 94% of the 49 Canadian organizations observed. In total, 36 DIFFERENT browser-based filesharing applications were found in Canada. Globally: An average of 13 BBFS applications were found in 92% of the 1,636 organizations. In total, 65 BBFS applications were found.
This slide shows the commonly used applications in terms of frequency of use and the percentage of browser-based filesharing bandwidth consumed.
Business Risks include potential copyright violations and data loss/sharing – purposeful or otherwise. The same application that is useful to the user for sending large PowerPoint files is also potentially just as valuable for moving illegal music, movies or even large amounts of sensitive enterprise data. Several of the media-focused browser-based filesharing applications discussed above have been found to be in violation of, or have been accused of, copyright violations. Some of the most highly publicized P2P-related data breaches were inadvertent, traced to either a misconfigured P2P client or other user error. Initially, browser-based filesharing applications dramatically reduced the risk of inadvertent sharing because the initial focus was a one-to-one or one-to-a-few distribution. As many of these offerings add clients and premium services, the risks increase. For example, the Dropbox client creates a folder on the Windows desktop that, by default, automatically synchronizes the desktop folder to the cloud-based folder. If a proprietary file is dropped into the folder accidentally, it is automatically shared with those who have folder permissions. The risks, while still lower than those associated with P2P, have increased in conjunction with the usage and should be addressed.
Security Risks include being a common source for malware and providing cybercriminals with an ideal infrastructure for their malware. File transfer applications have long been associated with malware. Peer-to-peer file transfer applications, for example, have been notorious in this respect for years (Mariposa most recently), and malware has been using FTP for communication for an even longer period of time.
Put another way, whatever mechanism is used to transfer files electronically is also commonly used to move malware, and browser-based file transfer applications are the latest front in this evolution. Browser-based filesharing applications have characteristics that make them uniquely suited for cybercriminals:
They are free and anonymous. Since these applications are typically free (or at least offer free versions), a cybercriminal can easily upload malware anonymously. Most services only require an email address in order to use the service, so the cybercriminal can remain virtually untraceable simply by using a disposable email address and a network anonymizer, a proxy or circumventor. Furthermore, the ease with which attackers can upload files means that they can easily and continually update and refresh their malware in order to stay ahead of traditional antivirus signatures.
They are simple to use and trusted. A key reason for the popularity of browser-based filesharing applications is the fact that they make file transfers very easy. They are easily built into the browser or even the application tray of the operating system. This means that file transfers are almost as simple as clicking on a link, which vastly increases the opportunities for a target user to be lured into a dangerous spear-phishing click. Several of the offerings enable folders and shared files to be embedded into web sites, while other offerings include a developer API.
They can automatically synchronize your folders. A common, though not universal, feature of browser-based filesharing applications is the ability to regularly sync files or entire directories. This sort of capability is already being marketed as a method for delivering and updating applications. This functionality could easily benefit malicious applications just as much as approved ones.
A key requirement for modern malware is to establish a method of command and control for the malware in which the attacker can direct the malware, update the program and extract data. An attacker could use this syncing ability to perform all of these functions under the cover of an approved application.
The number of applications that are traversing tcp/80 (HTTP/web browsing) is higher or lower than 200? Canada: The number is lower - 187 (27%) out of 793 applications use port 80 only. Globally: The actual number is higher - 297 (25%) out of 1,195 applications use port 80 only.
The percentage of total bandwidth consumed by applications that do NOT use port 80 at all is higher or lower than 50%? Canada: The actual number is higher - applications that DO NOT USE port 80 at all are consuming 65% of the total bandwidth. The number of applications in this category is 282 (40%) of the 703 applications found. Globally: The number is higher - applications that DO NOT USE port 80 at all are consuming 51% of the total bandwidth. The number of applications in this category is 413 (35%) of the 1,195 applications found
This set of applications includes a wide range of common applications such as 51 different remote access / remote management applications, as well as database applications. Remote access applications are commonly used by cybercriminals as a penetration vector. This is well documented by Verizon in their data breach report, and more recently, remote access tools were how Subway customers had $3M stolen. The common perception is that Port 80 (tcp/80) is where all the traffic and all the problems are. This is just not true. A focus on port 80 is a requirement, without a doubt, but too much focus would not be considered best practice. In fact, out of the 703 applications found in the Canadian organizations observed, 40% do not use port 80 at all, and those 282 applications are consuming 65% of the bandwidth. For comparison, globally, 1,195 applications were found, 35% of them do not use port 80 at all, and those 413 applications are chewing through 51% of the bandwidth.