State of The Web - Quarter 3, 2011
© 2011 Zscaler. All Rights Reserved. Page 1
State of the Web Quarter 3, 2011 Report
Introduction
In this Q3 2011 edition of the State of the Web from Zscaler
ThreatLabZ, we take a closer look at Enterprise web traffic,
aggregated across over a hundred billion transactions and millions of
business users across the globe.
This quarter we continued to see the social elements of the web
dominate advanced threats and attacks in Enterprise networks.
Leveraging sophisticated social engineering techniques to launch their
attacks, malicious groups and hacktivists know that human interest,
curiosity and oversight represent the weakest link in any enterprise
security chain. For that reason, ThreatLabZ wasn’t surprised to see
popular social networking applications leveraged as a top attack
channel and target.
While these trusted social networks and applications continue to
dominate enterprise Internet use, employees often have a false sense
of security – trusting their favorite tools and apps to provide them
‘safe’ information. However, hackers this quarter continued to take
advantage of this trust to exploit corporate victims through web apps,
web searches and targeted email scams.
Three major trends noticeable in this report include:
• Facebook still dominates enterprise web application use
- Facebook still remains the dominant web application in
enterprise traffic – risking like-jacking, fake videos, and
spear-phishing
• Corporate mobile devices split between business and personal use
- While social networking remains the dominant source of mobile
device traffic, business-related traffic follows closely behind
• Blended threats continue to target browser plug-ins
- Browser plug-ins and extensions remain well out of date,
providing a large target base for attacks.
In This Issue:
• Decline in Facebook
• Mobile device usage in the workplace
• Browser plug-ins/extensions remain out of date in enterprise
Contents
A Look Beyond the Browser
The Hidden Risks of Plug-ins and Extensions
Android Reclaims its Title in the Enterprise
Mobility Meets Productivity
Facebook ‘Likes’ the Enterprise
When Malware Strikes
A Safe and Productive Network
Conclusion
Looking Beyond the Browser
Every quarter, Zscaler ThreatLabZ tracks enterprise HTTP and HTTPS
traffic—including the specific browsers in use. This allows us to
show trends in Web and browser use, as well as the vulnerabilities
associated with them.
With the dominance of Microsoft end-user operating systems in
the enterprise, Internet Explorer (IE) maintained its position as
the most popular browser observed this quarter. Although Web
browsers make up over 75% of HTTP and HTTPS traffic, the other,
non-browser traffic is worth looking at. This is made up of browser
plug-ins, add-ons and extensions – as well as HTTP and HTTPS traffic
from native applications.
In Q3, we continued to see a rise in non-browser web traffic – being
driven by mobile and desktop applications that leverage HTTP(S) for
outbound communication. This is not entirely surprising, as most
enterprises have ‘firewalled’ off most ports beyond the ones needed
for web and email traffic. As a result, ports 80 and 443 represent a
viable egress point for any application.
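To measure the browser versus non-browser split described above on your own egress, the following added example (not Zscaler's code or data) classifies proxy log lines by User-Agent and lists which non-browser clients leave over ports 80 and 443. The tab-separated log layout, the sample lines and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# First match wins. Opera is tested before MSIE because older Opera builds could
# identify as MSIE; Chrome before Safari because Chrome's UA also says "Safari".
BROWSER_RULES = [
    ("Opera", re.compile(r"\bOpera[/ ]")),
    ("Internet Explorer", re.compile(r"\bMSIE \d")),
    ("Chrome", re.compile(r"\bChrome/\d")),
    ("Firefox", re.compile(r"\bFirefox/\d")),
    ("Safari", re.compile(r"\bVersion/\d.*\bSafari/\d")),
]

# Constructed sample (not from the report): time, client, dest port, host, User-Agent.
SAMPLE_LOG = "\n".join("\t".join(row) for row in [
    ("2011-09-01T09:00:01", "10.0.0.11", "80", "intranet.example", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("2011-09-01T09:00:02", "10.0.0.12", "80", "news.example", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("2011-09-01T09:00:03", "10.0.0.13", "443", "mail.example", "Mozilla/5.0 (Windows NT 6.1; rv:6.0) Gecko/20100101 Firefox/6.0"),
    ("2011-09-01T09:00:04", "10.0.0.14", "80", "video.example", "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.186 Safari/535.1"),
    ("2011-09-01T09:00:05", "10.0.0.15", "80", "news.example", "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1 Safari/534.48.3"),
    ("2011-09-01T09:00:06", "10.0.0.11", "80", "updates.example", "Windows-Update-Agent"),
    ("2011-09-01T09:00:07", "10.0.0.16", "443", "app.example", "Java/1.6.0_26"),
    ("2011-09-01T09:00:08", "10.0.0.17", "443", "sync.example", "-"),
])

def classify(user_agent):
    """Map a User-Agent to a browser family, or "Non-Browser" if no rule matches."""
    for family, pattern in BROWSER_RULES:
        if pattern.search(user_agent):
            return family
    return "Non-Browser"

def parse(log_text):
    """Yield (dest_port, user_agent) for well-formed lines; skip malformed ones."""
    for line in log_text.splitlines():
        fields = line.split("\t", 4)
        if len(fields) == 5 and fields[2].isdigit():
            yield int(fields[2]), fields[4].strip()

def traffic_share(log_text):
    """Percentage of transactions per family, in the style of the report's Figure 1."""
    counts = Counter(classify(ua) for _, ua in parse(log_text))
    total = sum(counts.values())
    return {fam: round(100.0 * n / total, 2) for fam, n in counts.items()}

def non_browser_clients(log_text):
    """Count non-browser clients by (product token, destination port)."""
    seen = Counter()
    for port, ua in parse(log_text):
        if classify(ua) == "Non-Browser":
            product = "(no User-Agent)" if ua in ("", "-") else re.split(r"[/ ]", ua, maxsplit=1)[0]
            seen[(product, port)] += 1
    return seen

if __name__ == "__main__":
    for family, pct in sorted(traffic_share(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{family:18} {pct:6.2f}%")
    for (product, port), n in non_browser_clients(SAMPLE_LOG).items():
        print(f"non-browser: {product} -> port {port} ({n})")
```

User-Agent strings are supplied by the client, so the result is an inventory signal for egress review rather than proof of which software made the request.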
“Much of enterprise web traffic originates from native apps, and browser extensions - not just web browsing”
Q3 Enterprise Browser Traffic
Despite its dominance, the enterprise traffic share for Internet Explorer
has been dropping as Apple becomes a more accepted desktop and laptop
solution. This is fueling a growth in Safari, and enterprise employees
continue to adopt other alternatives such as Firefox. We have yet to
see significant adoption of Chrome in the enterprise, despite increasing
adoption in the consumer space. Below are the Q3 traffic shares by
browser type:
[Figure 1: Q3 HTTP(S) Browser Traffic by Type. Legend: Opera, Safari, Chrome, Non-Browser, Firefox, Internet Explorer. Values shown: 58.38%, 10.64%, 23.04%, 0.17%, 7.02%.]
“Internet Explorer 9 – despite its additional security features and HTML5 compatibility – has yet to see significant adoption at the enterprise level”
Internet Explorer Versions in Use
As outlined in the graph above, Internet Explorer commands just over
half of the total web traffic in the enterprise. Internet Explorer 9 – despite
having been released in March of this year with additional security features
and HTML5 compatibility – has yet to see significant adoption at the
enterprise level. Drilling deeper into the Internet Explorer usage data over
each month of the quarter, we see the following:
[Figure 2: Internet Explorer Traffic Share Q3 2011. Bar chart by month (June, July, August) for IE 6.x, IE 7.x, IE 8.x and IE 9.x; y-axis 0% to 30%. Values shown: 4.21%, 22.02%, 28.23%, 1.68%.]
The Hidden Risks of Plug-ins and Extensions
Today, plug-ins, add-ons or extensions accompany nearly every browser
running in the enterprise. As with most kinds of software, older
versions of plug-ins typically have more security vulnerabilities.
Zscaler offers a unique solution known as Secure Browsing. Secure
Browsing identifies the type and version of web browser that is in use.
Even more importantly, it also identifies the browser plug-ins
that have been employed. As we can see in the chart below, enterprise
browser plug-ins are dominated by Microsoft and Adobe, with Adobe Flash
remaining the most popular overall browser plug-in in the enterprise.
Unfortunately, Secure Browsing reveals a highly concerning statistic.
Beyond simply revealing which plug-ins are most popular, it also provides
insight into the plug-ins that are most commonly outdated. These statistics
do tend to fluctuate from quarter to quarter. This is due to typical quarterly
patch release cycles, which tend to cause a spike in outdated versions for
specific plug-ins as end-users fail to implement the updates.
This is an area where enterprises are currently struggling. As ThreatLabZ
continues to highlight, browser plug-ins are made up of a potentially
dangerous combination of characteristics – all of which adds up to a
tempting target for hackers.
Looking at the statistics below, it becomes clear that most companies have
little control over the type of plug-ins that their employees are using, or the
specific version of plug-ins in use.
Why it Matters to Your Enterprise:
Browser plug-ins offer a dangerous combination of characteristics
• Readers and players are ubiquitous, across browsers
• Most users aren’t aware of which plug-ins they have installed
• Most enterprises have no patch management deployed to keep plug-ins up to date
Figure 3: Most Common Web Browser Plugins Q3 2011
Adobe Flash: 94.41%
Windows Media Player: 87.01%
Adobe Reader: 84.76%
Outlook: 84.29%
.NET: 81.63%
SilverLight: 46.44%
Adobe Shockwave: 39.29%
Java: 8.62%
Microsoft Office: 6.96%
Quicktime: 6.88%
Android Reclaims its Title in the Enterprise
Both mobile device usage and mobile device web transactions logged
through Zscaler’s global security cloud infrastructure continue to grow. The
highest percentage of Q3 mobile transactions through Zscaler’s cloud was
from Android devices – followed by Blackberry, and Apple IOS devices.
As mobile transactions from our enterprise customers continue to
grow, we notice that the Android platform accounts for the largest and
most geographically dispersed user population. It also represents the mobile
platform with the highest number of transactions through our cloud.
The Apple IOS platform moved to third place this quarter, falling to 22.38%
from 42.37% in Q2 2011. This is likely due to a growing sample size of
mobile use outside the US.
Android and Blackberry devices were used more than any other mobile devices on corporate networks in Q3:
• Android: 40.36%
• Blackberry: 37.26%
• iOS: 22.38%
Figure 4: Most Outdated Web Browser Plugins Q3 2011
Adobe Shockwave: 94.22%
Java: 70.60%
Adobe Reader: 65.84%
QuickTime: 42.45%
Outlook: 19.81%
RealPlayer: 10.02%
Adobe Flash: 7.12%
SilverLight: 1.81%
Windows Media Player: 1.26%
Figure 6 provides a geographic breakdown on web client transactions that
used standard Android, BlackBerry or Apple IOS user-agents. The United
States made up about 80% of the mobile client transactions from Zscaler’s
enterprise customer base.
[Figure 5: Q3 Mobile Device Usage/Transactions. iOS 22.38%, Android 40.36%, Blackberry 37.26%.]
[Figure 6: Q3 Mobile Usage by Geography. Legend: Other, Singapore, Australia, Saudi Arabia, Spain, UK, Israel, France, US. Values shown: 79.44%, 3.97%, 3.61%, 2.57%, 2.11%, 1.39%, 1.09%, 1.07%, 4.75%.]
[Figure 7: Android Percent by Country. Legend: Other, Mexico, India, Netherlands, UK, Singapore, Israel, Spain, US. Values shown: 75.34%, 9.17%, 2.76%, 1.53%, 1.29%, 1.13%, .94%, 2.35%, 5.48%.]
Among our global enterprise customers, Android has the largest geographic
coverage, whereas among US-based customers, BlackBerry and iOS
devices represented more than 80% of the mobile usage. The following
charts break out device usage by country. (Note that IP addresses that did
not resolve to a particular country were excluded from the percentages.)
Why it Matters to Your Enterprise:
• Enterprise users continue to leverage a variety of smartphones and tablets for both personal and business use
• Supporting and securing an increasing variety of mobile devices remains a significant challenge for enterprises
[Figures 8 and 9: IOS Percent by Country and Blackberry Percent by Country.]
[IOS Percent by Country. Legend: UK, Israel, Saudi Arabia, US, Other. Values shown: 82.76%, 6.77%, 4.12%, 1.95%, 4.41%.]
[Blackberry Percent by Country. Legend: Other, Mexico, Australia, UK, France, US, Japan. Values shown: 80.78%, 7.78%, 3.48%, 2.10%, 1.25%, .80%, 3.80%, 5.48%.]
Mobility Meets Productivity
Zscaler ThreatLabZ tracks the most prominent website categories viewed
by enterprise mobile platforms. For Q3 2011, social networking topped
all others among website categories most viewed on enterprise mobile
devices. This differs, however, from overall enterprise web browsing—
where corporate marketing, professional services, web search and news/
media sites are more popularly visited than social networking.
[Figure 10: Q3 Web Category by Mobile Platform. One chart each for Android, iPhone, Blackberry, iPad and iPod. Categories: Social Networking, Professional Services, Corporate Marketing, Web Search, News & Media, Digital Media, Sports, Entertainment, Music/Streaming Audio, Other.]
When looking at various website categories browsed by specific mobile
device platforms, few differences are noticed. However, Android and iPod
have a much higher percentage of social networking browsing than other
mobile device platforms. As well, the iPhone is more popular for music,
streaming audio and professional services than other platforms. In some
usage areas, the Blackberry and iPad platforms seem closely related – with
both being popularly used for news and media.
Interesting to note is the mix of business and recreational traffic on all
devices – these are being used for some productive purposes, not just
personal apps and browsing.
Facebook ‘Likes’ the Enterprise
Maintaining the trend seen in Q2 2011, social networking was once again
the most dominant category of browsed web applications through the
Zscaler cloud in Q3. And, given its dominance in enterprise web application
use, Facebook once again led the pack. Yet, for the first time, ThreatLabZ
saw a slight month-to-month drop in enterprise client Facebook usage.
Meanwhile, other popular web applications like Gmail, YouTube, Twitter and
LinkedIn experienced a slight increase.
[Figure 11: Q3 Website Categories Accessed by Mobile Devices. Bar chart by month (July, August, September); y-axis 0% to 15%. Categories: Entertainment, Digital Media, Sports, Web Search, News & Media, Corporate Marketing, Professional Services, Social Networking.]
“Shopping is more popular on desktop systems than mobile platforms, while sports is more popularly viewed on mobile platforms than desktops”
Similar to last quarter, social networking and webmail made up the majority
of the total web application transactions for the quarter – with web search
representing a comparatively smaller percentage. The chart below provides
a detailed drill-down of overall web usage (by site) throughout the quarter:
Why it Matters to Your Enterprise:
• Facebook remains the predominant web 2.0 app in the enterprise—making up nearly 50% of overall usage for the quarter
• As Facebook, Twitter, LinkedIn and YouTube continue to dominate overall web application use, enterprises are often allowing unrestricted employee access to social networking apps
• Allowing, yet securing, social networking apps is a paradox for today’s IT teams
[Figure 12: Q3 Web Application Usage Drill-Down. Legend: Blogger, Pandora, Other, Google Search, Hotmail, Yahoo Mail, MSN IM, Twitter, YouTube, Gmail, Facebook. Values shown: 45.72%, 16.16%, 11.61%, 6.58%, 6.51%, 3.00%, 2.78%, 1.94%, 2.35%, 1.39%, 1.15%, 0.81%.]
[Figure 13: Top Q3 Web Application Usage by Month. Bar chart by month (July, August, September) for Facebook, Gmail, YouTube, Twitter, MSN IM, Yahoo Mail and LinkedIn; y-axis 0% to 50%.]
When Malware Strikes
Zscaler ThreatLabZ identifies and tracks malicious content in real time –
across both HTTP and HTTPS. This gives Zscaler ThreatLabZ the information
needed to identify the sources of malware, while tracking general trends in
malware threats.
The top trend in malware continues to be the inclusion of IFrames within
malicious content (often an exploit kit). In September 2011, greater than
67% of the anti-virus signatures that triggered were on web pages that had
malicious IFrame inclusions. We have continued to notice a steady increase
in security blocks—over time and throughout Q3—that resulted from
malicious web responses. Below are the top 10 malware types for Q3.
Q3 top 10 families of malware*
• Malicious HTML IFrame
• Malicious JS Redirector
• Malicious binary, heuristic detection
• Malicious SWF
• OnlineGames Malware
• Malicious JS IFrame
• Malicious JS in PDF
• Malware/Spyware Toolbar
• Malicious W32 Trojan
• JS Shellcode
* based on A/V detection only for the most recent month of the quarter (September)
Figure 14
Blackhat Sites and Phishing Spikes
Blackhat SEO continues to be a tactic used by cyber criminals to increase
web traffic to their sites. Compared to last quarter, the number of search
results leading to malware has decreased. However, the number of spam
sites (fake stores, fake search engines, etc.) using hijacked sites has
increased. University websites (.edu) are still the main source of hijacked
sites. The following chart breaks out the types of sites being served in
these campaigns.
[Figure 14: Blackhat SEO Site Types. Legend as extracted: Other, Singapore, Australia, Saudi Arabia, Spain, UK, Israel, Site Down, Fake Store. Values shown: 5.44%, 40.69%, 2.01%, 3.72%, 22.35%, 12.61%, 7.45%, 5.73%.]
A Safe and Productive Network
Throughout Q3, Zscaler noticed a monthly drop in web policy blocks
in social networking, webmail, and malware transactions. Conversely,
there was a monthly increase in botnet, instant messaging, and anti-virus
transactions.
Malicious web responses continue to be on the rise – with malicious IFrame
or JavaScript inclusions being the primary threat blocked. This malicious
content redirects browsers, often to an exploit site that attempts to exploit
known vulnerabilities within web browsers or browser plug-ins. The most
common plug-ins that our customers have installed and left unpatched/vulnerable
are Adobe Shockwave, Java, and Adobe Reader. Each of these
plug-ins has more than 50% of its installs left out-of-date. This is a sharp
increase from the previous quarter.
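For teams reviewing their own sites for injected IFrames of the kind described above, this added example (not Zscaler's detection logic) parses an HTML response and reports iframes that are invisible to the user and load from another host. The heuristics, host names and sample page are assumptions constructed for the illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics (not the report's detection logic): an iframe is reported when
# it is invisible to the user AND loads from a host other than the page's own.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 (optionally with 'px')."""
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class IFrameAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []  # list of (iframe host, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {name: (value or "") for name, value in attrs}
        # Relative URLs have no hostname and therefore count as same-site.
        try:
            host = (urlparse(a.get("src", "")).hostname or "").lower()
        except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
            host = ""
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("tiny")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if reasons and host and host != self.page_host:
            self.findings.append((host, reasons))

def audit(html, page_host):
    """Return hidden off-site iframes found in one HTML response body."""
    parser = IFrameAudit(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample response for a page served from news.example.
SAMPLE_PAGE = """<html><body>
<iframe src="http://video.example/embed/42" width="560" height="315"></iframe>
<iframe src="/ads/slot.html" width="0" height="0"></iframe>
<iframe src="http://redirector.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<IFRAME SRC="//stats.invalid/t" STYLE="display:none"></IFRAME>
</body></html>"""

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_PAGE, "news.example"):
        print(host, ",".join(reasons))
```

A static parse only sees iframes present in the markup; frames written into the page by script at run time need a rendered-DOM check instead.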
[Figure 15: Q3 Web Policy Blocks. Bar chart by month (July, August, September) for Malware, SocNet, Botnet, IM, Webmail and Anti-Virus; y-axis 0% to 30%.]
Conclusion
Every quarter Zscaler ThreatLabZ publishes our State of the Web report
to provide some high-level trends observed from the large number of
enterprise web transactions traversing the Zscaler security cloud. Given the
scale of transactions we see (over a hundred billion across millions of global
users), ThreatLabZ is able to provide interesting data-points on enterprise
browser usage, browser plug-ins, mobile devices, website categories and
various security trends we observe.
Of the trends and data-points noticed this quarter, a few stand out:
• A month-to-month percentage decline in enterprise Facebook usage.
• While Android mobile devices continue to be in the lead within our
global user-base, we noticed Apple IOS devices representing the
largest quarterly increase.
• Malicious web-site responses – particularly those containing malicious
IFrame or JavaScript inclusions – appear to be on the rise.
• At the same time, the number of clients with vulnerable versions of
browser plug-ins also seems to be on the rise.
About the Authors
This report was written by Michael Sutton, Julien Sobrier, Mike Geide,
Pradeep Kulkarni, and Umesh Wanve.
About Zscaler: The Cloud Security Company™
Zscaler enforces business policy, mitigates risk and provides twice the
functionality at a fraction of the cost of current solutions, utilizing a
multi-tenant, globally-deployed infrastructure. Zscaler’s integrated, cloud-
delivered security services include Web Security, Mobile Security, Email
Security and DLP. Zscaler services enable organizations to provide the
right access to the right users, from any place and on any device—all while
empowering the end-user with a rich Internet experience.
About Zscaler ThreatLabZ™
ThreatLabZ is the global security research team for Zscaler. Leveraging an
aggregate view of billions of daily web transactions, from millions of users
across the globe, ThreatLabZ identifies new and emerging threats as they
occur, and deploys protections across the Zscaler Security Cloud in real time
to protect customers from advanced threats.
For more information, visit www.zscaler.com.