NGFW – WTF is the Intelligence?
Definition: Intelligence can be generally described as the ability to perceive and/or retain knowledge or information and to apply it to itself or to other instances of knowledge.
Today’s state of cyber security is one of the most interesting and challenging it has ever been. If you take a step back and review the advancements in traditional security infrastructure, there has been little innovation in terms of protection layers that are as advanced as the tactics used by today’s threat actors.
Let’s take a look at the state of firewalls and their most recent ambassador, the Next Generation Firewall (NGFW), a term coined by the industry analyst community to set some level of differentiation from the early-era firewall products. However, I hesitate to agree that the so-called NGFW solutions have added much in the way of intelligence in response to the increased sophistication of the threat actors.
Let’s take a short walk through the firewall market’s evolution, starting with stateful inspection. This technology enforced policies written by the network/security team so that only acceptable applications could transit the firewall. The “intelligence” was held by the staff who created the policies; the firewall was there simply to enforce them. While this may oversimplify the details of the technology, the truth is that the firewall had no real intelligence of its own and relied on operators to define what was acceptable and unacceptable to the organization.
Now let’s look at the UTM evolution. Here firewall vendors claimed some level of intelligence to thwart more advanced threats, but in reality they only bolted on additional pre-defined filtering technologies. The new capabilities in this category typically included anti-virus, anti-spam, URL filtering and IPS features. By definition, each of these relies on pre-defined signatures written either by a research team or by the user. They are still just filters, not intelligence; the intelligence came from the back-end research.
Now, on to the so-called king of the firewall market: the NGFW. As defined by Gartner: “Next-generation firewalls (NGFWs) are deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall”. Let’s explore this in the context of the product capabilities. The NGFW allows customers to implement policies that include all of the baseline predecessor capabilities (protocol policies, antivirus, URL filtering etc.), with the addition of inspecting protocols for the presence of applications (e.g. Facebook or Twitter on web protocols). The “intelligence” provided is really a pre-defined set of signatures that identify these applications based on a pattern in the data, BUT it relies on pre-defined signatures provided by the vendor.
The question remains: where is the intelligence? In all of the firewall technologies, including NGFW, intelligence is created by the vendors (or users) and systematically fed to the product.
Given that current adversaries have developed simplistic techniques to circumvent all of these technologies, and given the definition of intelligence above, I stand by the statement that there is no “intelligence” built into the current standard security offerings.
Does this mean the firewall/UTM/NGFW solutions are ineffective? No. They have a purpose and achieve the purpose for which they are designed: block what is “known” to be bad or undesired. The key point is that they are only able to protect against the “known” attack.
Alternatively, advanced threat defense platforms (such as the Cyphort Advanced Threat Platform) are designed to rely on intelligence derived by the system itself, and to share that intelligence back to the firewall or other blocking infrastructure. When building a platform that provides intelligence, it is important to build a foundation that derives malicious intent from the behavioral characteristics of the threat itself (the delivery mechanism, the payload, or the follow-on network activity). This ability to self-diagnose when something is malicious, coupled with a machine-learning layer that leverages additional intelligence for an informed decision (instead of a signature), is far closer to a solution that has “intelligence” than the current security stacks deployed for basic security requirements.
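To make the distinction drawn in the last two paragraphs concrete, here is an added illustration (not code from the article, Cyphort, or any firewall vendor) that runs the same constructed sessions through a signature-style layer, of the kind stateful/UTM/NGFW policies rely on, and through a behavioural scoring layer that looks only at delivery, payload type and follow-on network activity. The byte markers, host names, thresholds and sample sessions are all constructed for the example; the point it shows is that a recompiled variant slips past the signature feed but scores the same as the known sample behaviourally, and that the flagged hosts can then be handed back to the firewall as a block list.

```python
import re
from dataclasses import dataclass


@dataclass
class Session:
    """Summary of one observed session plus the client's follow-on activity (constructed fields)."""
    host: str                   # HTTP Host header / TLS SNI of the server
    dst_port: int
    payload: bytes              # first bytes of the object delivered to the client
    followup_connections: int   # new outbound connections by the client in the next few minutes
    followup_domains: int       # distinct domains the client resolved afterwards
    followup_bytes_out: int     # bytes the client sent out afterwards


# Signature-style identification: what stateful/UTM/NGFW policies rely on.
APP_SIGNATURES = {
    "facebook": re.compile(r"(^|\.)facebook\.com$"),
    "twitter": re.compile(r"(^|\.)twitter\.com$"),
}
# Constructed byte patterns standing in for a vendor AV/IPS signature feed.
MALWARE_SIGNATURES = {
    "Dropper.Known.A": b"DROPPER-BUILD-1",
}


def identify_app(session):
    """Return the application label matched by a host-name signature, or None."""
    for name, pattern in APP_SIGNATURES.items():
        if pattern.search(session.host):
            return name
    return None


def signature_verdict(session):
    """Return the matching malware signature name, or None when the payload is 'unknown'."""
    for name, marker in MALWARE_SIGNATURES.items():
        if marker in session.payload:
            return name
    return None


# Behaviour-based scoring: derives intent from delivery, payload and follow-on activity.
def behaviour_score(session):
    """Score the session on behaviour alone; no byte signature is consulted."""
    score = 0
    if session.payload.startswith(b"MZ") and session.dst_port not in (80, 443):
        score += 2   # executable delivered over an unusual port
    elif session.payload.startswith(b"MZ"):
        score += 1   # executable delivered at all
    if session.followup_connections >= 20:
        score += 2   # burst of new connections afterwards: beaconing or scanning
    if session.followup_domains >= 10:
        score += 1   # resolves many fresh domains afterwards
    if session.followup_bytes_out >= 5_000_000:
        score += 2   # large outbound transfer following the download
    return score


def behaviour_verdict(session, threshold=4):
    """True when the behavioural score crosses the (constructed) decision threshold."""
    return behaviour_score(session) >= threshold


def evaluate(sessions, threshold=4):
    """Run both layers over a list of sessions and return one result dict per session."""
    return [
        {
            "host": s.host,
            "app": identify_app(s),
            "signature": signature_verdict(s),
            "behaviour_score": behaviour_score(s),
            "behaviour_flagged": behaviour_verdict(s, threshold),
        }
        for s in sessions
    ]


def indicators_to_share(results):
    """Hosts the behavioural layer flagged, to feed back to the firewall as a block list."""
    return sorted({r["host"] for r in results if r["behaviour_flagged"]})


# Constructed sample sessions (reserved .test domains, invented payload bytes).
SAMPLE_SESSIONS = [
    # Benign social-media browsing: identified as an app, nothing flagged.
    Session("www.facebook.com", 443, b"<!DOCTYPE html>", 3, 2, 20_000),
    # Known dropper: byte marker is in the signature feed, and behaviour also looks bad.
    Session("cdn.example-bad.test", 8080, b"MZ\x90\x00DROPPER-BUILD-1", 40, 25, 12_000_000),
    # Recompiled variant: marker changed, signature misses it, behaviour still flags it.
    Session("static.example-bad2.test", 8080, b"MZ\x90\x00DROPPER-BUILD-2", 35, 18, 9_000_000),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_SESSIONS)
    for r in results:
        print(r)
    print("share with firewall:", indicators_to_share(results))
```

The scoring rules and the threshold are deliberately simple stand-ins for the learned layer the text describes; in practice those weights would come from a model trained on the organisation's own traffic rather than from hand-picked constants.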
Executive, Ex-Uber/VP of Risks@Qualys, Security, Risk and Fraud
[9 years ago] Each enterprise or data center carries totally different transactions of data traffic with different characteristics. Security intel has to be computed based on each customer's specific use case. Machine-based learning (supervised or unsupervised) over patterns, behaviors and contexts, sigmoid functions layer over layer, is ONE great way to produce the right intelligence suitable for the defense of that particular customer at that time and context. This is not to say effective sec intel cannot be derived in other ways. As a matter of fact, network behavior analysis (most basic learning on ASIC/FPGA/SW) has been around for FW and DDoS, and machine learning for endpoint security has been used in Advanced Malware Protection (AMP). It takes real technology to develop an accurate, fast-converging solution with minimum false positives.
One of our machine learning engineers sent over a simple web site that does a good job of giving the highlights of utilizing machine learning to solve complex problems. Great visual lesson IMHO: https://www.r2d3.us/visual-intro-to-machine-learning-part-1/
CISO | DIGITAL TRANSFORMATION SECURITY VISIONARY | APP SECURITY ARCHITECTURE EXPERT
[9 years ago] Hi Anthony, is this all about the MRTI approach?
CEO DecryptedTech LLC | Editor-in-Chief DecryptedTech.com Fractional CISO at Kavaliro Cybersecurity Consultant God Emperor of Dune
[9 years ago] Allen, you hit the nail on the head. The traditional security mindset is keep them out. That approach keeps failing. There needs to be a change that focuses on the security of the data and also on preventing it from being removed. The same thing happened in physical security years ago with the concept of containment security.
Technologist focused on datacenter, AI Clusters, Intent Based Networking and automation!
[9 years ago] You should do more research. There are NGFWs that have intelligence when it comes to preventing the "unknown" threat. However, NGFW is not enough. You need a holistic approach to security (endpoint protection, etc.). The biggest challenge I see is still getting customers to take security seriously. Security is still underfunded and under-resourced.