The recent slew of high profile data breaches has prompted organizations to harden network perimeter defenses with the latest security technologies. In response, some cybercriminals are shifting their focus toward the human element, with phishing and social engineering scams that fool corporate users or contractors into giving up network access credentials. Others hackers are using more sophisticated methods to evade defenses such as advanced evasion techniques (AETs). Once inside, attackers often discover a lack of internal security controls. They can take their time to avoid detection while installing malware that exfiltrates data from internal file servers or devices such as point-of-sale terminals, ATM machines, critical infrastructure controllers, and healthcare endpoints. This exfiltration process can go on for weeks, months, and sometimes even years before discovery.
Data loss prevention (DLP) solutions do an excellent job of classifying, fingerprinting, and controlling access to “data at rest” on PCs, servers, and even removable storage devices. They also control how potentially sensitive “data in use” is handled at endpoints and discover and protect sensitive “data in motion” such as data sent through network traffic, email, and instant messaging. DLP is effective against both intentional and unintentional disclosure of confidential information. However, there are certain instances of data in motion where a next-generation firewall can also be effective in preventing data theft. As demonstrated in recent major retail breaches, attackers were able to bypass security controls by setting up their own communications back channels or encrypting exfiltrated data to bypass keyword filters. Because of their strategic locations at ingress and egress points throughout networks, NGFWs are able to work with endpoint management and DLP solutions to enhance existing protections and provide additional security in the battle against data breaches.
Getting More from Your Firewall
While cybercriminals keep changing their tactics, security best practices have not changed much over the years. Best practices still recommend deploying a standard set of processes and security tools, including firewalls, IPSs, and DLP solutions, with the same basic protection strategies. Firewalls are still positioned primarily for blocking intrusion attempts at the network perimeter or protecting data centers. However, when hackers circumvent perimeter defenses with phishing tactics and AETs, firewalls are rendered useless and other defenses must pick up the slack.
It's time to challenge conventional thinking and get more from your firewall. Next-generation firewalls should serve a dual purpose -- they should stop attackers from infiltrating the network and prevent attackers from exfiltrating sensitive data.
The most logical way to do this is to leverage the connection-blocking capabilities already built-in to most firewalls. Today’s next-generation firewalls have the logistical placement, performance capabilities, and application control features required to block unauthorized data streams from rogue applications before they leave the network. The challenge is that most firewalls are blind to these data exfiltration activities. Real-time, granular, actionable intelligence from endpoints is the critical information that firewalls need to enable application layer exfiltration protection. High level requirements for a more complete inbound and outbound protection solution are listed below:
- Endpoint intelligence. Endpoint intelligence must work with firewalls and other security services across the network for risk correlation, analysis, and forensics.As a team, they should validate the use of trusted applications, inventory application processes, monitor communications activities, and scrutinize all outgoing connections made by executables. Applications must be associated with legitimate users, especially where BYOD or shared devices are a concern.
- Minimal performance overhead and device footprint. Many endpoint devices have limited resources and storage capacities -- especially in the case of retail POS systems, ATM kiosks, and medical devices. The endpoint implementation must be very lightweight, both in terms of size and processing requirements.
- Whitelisting to allow only authorized activity. Firewalls and endpoints must both enforce the use of trusted applications, users, and associated connections with whitelisting technology, allowing legitimate, validated traffic to pass through to file servers, data storage, or trusted third parties such as merchant banks.
- Blacklisting integration for corrective action. For real-time protection, firewalls and endpoints must also be capable of sending notifications when rogue application are discovered, blocking illegitimate traffic, and taking immediate corrective action. Compromised hosts must be quarantined and the identified malware and communications blacklisted to prevent data exfiltration.
- Efficient management. A new approach must work within an existing centralized management schema to maximize management efficiency and minimize related expense.
- Low cost. Upfront cost is always an issue. Perhaps more important, the solution should readily integrate with your existing security systems, reducing the deployment and operational impact to your security budget and staff resources.
Keeping Insiders Out
These requirements can also address one of today’s biggest challenges: insider attacks. Disgruntled employees and contractors with legitimate access to internal systems can deploy malware on shared workstations, making it difficult to monitor and block potentially malicious network communications. By associating user information and security identifiers with endpoint application processes, application layer exfiltration protection can greatly minimize the risks posed by insider attacks.