By Cameron Camp, ESET Security Researcher
All your data is moving to the network, but can your security keep up? Whether your infrastructure is a mix of public and private cloud, on-premises servers, workstations or mobile devices, network performance reigns.
In years past, workstation security was all that mattered. Now, with network usage rising, it is more important than ever to keep security-related traffic under control so that it does not overload the security nodes spread throughout the network. A lightweight network footprint therefore directly affects how quickly those nodes can respond and keep you safe.
Additionally, many network sensors take considerable time to tune for performance. Left on default settings, many network-enabled devices generate large numbers of false positives or low-value notifications, needlessly adding to the network load. Anyone who has installed a default Snort sensor and enabled default notifications knows it is possible to get hundreds or even thousands of email notifications in a day, congesting both the network and your inbox in the process.
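The practical first step in taming that flood is to measure which rules are actually producing it, and then rate-limit the noisy ones rather than switching alerting off. The following is an added example (not code from ESET, AV-Comparatives or the Snort project) that parses Snort "alert_fast" output, ranks rules by alert volume and number of distinct source addresses, and emits Snort 2 `event_filter` lines in threshold.conf syntax for rules that exceed a chosen volume. The alert lines, rule messages and SIDs (all in the 1000000+ local range) are constructed for illustration, and the `max_alerts` cut-off and the "leave priority 1 rules alone" policy are assumptions you would tune for your own environment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Snort alert_fast lines (not real captures; SIDs are local-range placeholders).
SAMPLE_ALERTS = """\
01/10-09:12:33.123456  [**] [1:1000001:1] LOCAL TEST Noisy scanner rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:41000 -> 10.0.0.20:22
01/10-09:12:33.223456  [**] [1:1000001:1] LOCAL TEST Noisy scanner rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:41001 -> 10.0.0.20:23
01/10-09:12:33.323456  [**] [1:1000001:1] LOCAL TEST Noisy scanner rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:41002 -> 10.0.0.20:80
01/10-09:12:35.000000  [**] [1:1000001:1] LOCAL TEST Noisy scanner rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:55000 -> 10.0.0.20:22
01/10-09:12:36.000000  [**] [1:1000001:1] LOCAL TEST Noisy scanner rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:55001 -> 10.0.0.20:443
01/10-09:13:01.000000  [**] [1:1000002:1] LOCAL TEST Ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.21
01/10-09:13:02.000000  [**] [1:1000002:1] LOCAL TEST Ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.22
01/10-09:14:10.000000  [**] [1:1000003:2] LOCAL TEST Suspicious shell response [**] [Classification: Potentially Bad Traffic] [Priority: 1] {TCP} 10.0.0.5:4444 -> 192.0.2.10:51000
this line is not an alert and should be skipped
"""

# alert_fast layout: [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]
# Ports are optional so ICMP alerts parse too.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\[Priority:\s*(?P<priority>\d+)\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alert(line):
    """Return a dict for one alert_fast line, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    for k in ("gid", "sid", "rev", "priority"):
        a[k] = int(a[k])
    return a


def summarize(lines):
    """Rank rules by alert count; also record how many distinct sources fired each one."""
    counts = Counter()
    sources = defaultdict(set)
    meta = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["gid"], a["sid"])
        counts[key] += 1
        sources[key].add(a["src"])
        meta[key] = (a["msg"], a["priority"])
    rows = []
    for key, n in counts.most_common():
        msg, prio = meta[key]
        rows.append({"gid": key[0], "sid": key[1], "msg": msg, "priority": prio,
                     "count": n, "distinct_src": len(sources[key])})
    return rows


def suggest_filters(rows, max_alerts, window=60):
    """Emit Snort 2 threshold.conf event_filter lines for rules that fire more than max_alerts times.

    type limit / count 1 / seconds <window> keeps the first alert per source per window and
    drops the repeats, so the rule still fires but no longer floods the network and inbox.
    Priority 1 (highest severity) rules are deliberately left unfiltered (assumed policy).
    """
    out = []
    for r in rows:
        if r["count"] <= max_alerts or r["priority"] == 1:
            continue
        out.append(
            f"event_filter gen_id {r['gid']}, sig_id {r['sid']}, type limit, "
            f"track by_src, count 1, seconds {window}"
        )
    return out


if __name__ == "__main__":
    rows = summarize(SAMPLE_ALERTS.splitlines())
    for r in rows:
        print(f"{r['gid']}:{r['sid']}  count={r['count']:<4} sources={r['distinct_src']:<3} "
              f"prio={r['priority']}  {r['msg']}")
    print("\n# suggested additions to threshold.conf")
    for line in suggest_filters(rows, max_alerts=3):
        print(line)
```

Run it against a day of real alert_fast output instead of the constructed sample and the top of the table is your tuning list. Note that an `event_filter` only limits how often an alert is reported; if a rule is wrong for your environment, disabling it or fixing its variables in snort.conf is the better cure, and a handful of alerts from a high-priority rule should never be suppressed just because they are inconvenient.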
Determining network impact
To determine what the real network impact will be for a typical user in a typical environment, ESET commissioned a report by the folks at AV-Comparatives, an independent testing organization with deep roots in the market segment. They looked at what typical users will see, in terms of lag due to network-related congestion from less-than-optimized network security products.
The results are compelling. Stacked up against the household names in network security around the globe, ESET performs well, thanks to its light footprint: smaller updates that consume less network bandwidth, smaller packages needed to protect endpoints, and lower CPU and memory requirements across your network landscape.
We wanted to see how average hardware, not esoteric high-budget specialized devices, performed under these real-world loads. So commodity hardware was selected, running common software loads such as 64-bit Windows Server 2012 R2 with 4GB of RAM: the kind of gear you’d find in server racks around the world in daily use.
Networks never rest
It’s easy to see how a security event can create a spike in network activity, but a network “at rest” is not really resting. There is a constant background of signaling and information traffic to push updates, receive logs, contact reputation systems in the cloud and the like. We asked AV-Comparatives to look at this average day-to-day network usage as well, and here they found that small, lightweight signatures, updates and packages made a significant difference to the baseline load too.
Those network spikes also hit end users, especially if the endpoint security suite can’t cope with the traffic, or consumes so many resources that workflows slow significantly. Here again, AV-Comparatives ranked these household brands by resource utilization at the endpoint itself.
Pop-ups, marketing “warnings” and other processes on the endpoint add to the load and reduce its ability to cope with security events without impacting workflows, so aside from being an annoyance to end users, they produce needless system load.
Security should take a holistic approach, but network and endpoint system load are increasingly impactful on the enterprise, so you should be looking to optimize performance alongside security. After all, if users disable security defenses because they’re too difficult to use or slow them down, that inadvertently creates a giant security hole.
With all the complexity of securing the resources on your network, starting with lightweight endpoint security is a very good first step.