Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
11:10 AM
Pat Calhoun
Pat Calhoun
Partner Perspectives

Application Layer Exfiltration Protection: A New Perspective on Firewalls

Organizations must adopt a new way of thinking about safeguarding sensitive data from theft and unauthorized exfiltration.

The recent slew of high profile data breaches has prompted organizations to harden network perimeter defenses with the latest security technologies. In response, some cybercriminals are shifting their focus toward the human element, with phishing and social engineering scams that fool corporate users or contractors into giving up network access credentials. Others hackers are using more sophisticated methods to evade defenses such as advanced evasion techniques (AETs). Once inside, attackers often discover a lack of internal security controls. They can take their time to avoid detection while installing malware that exfiltrates data from internal file servers or devices such as point-of-sale terminals, ATM machines, critical infrastructure controllers, and healthcare endpoints. This exfiltration process can go on for weeks, months, and sometimes even years before discovery.

Data loss prevention (DLP) solutions do an excellent job of classifying, fingerprinting, and controlling access to “data at rest” on PCs, servers, and even removable storage devices. They also control how potentially sensitive “data in use” is handled at endpoints and discover and protect sensitive “data in motion” such as data sent through network traffic, email, and instant messaging. DLP is effective against both intentional and unintentional disclosure of confidential information. However, there are certain instances of data in motion where a next-generation firewall can also be effective in preventing data theft. As demonstrated in recent major retail breaches, attackers were able to bypass security controls by setting up their own communications back channels or encrypting exfiltrated data to bypass keyword filters. Because of their strategic locations at ingress and egress points throughout networks, NGFWs are able to work with endpoint management and DLP solutions to enhance existing protections and provide additional security in the battle against data breaches.

Getting More from Your Firewall

While cybercriminals keep changing their tactics, security best practices have not changed much over the years. Best practices still recommend deploying a standard set of processes and security tools, including firewalls, IPSs, and DLP solutions, with the same basic protection strategies. Firewalls are still positioned primarily for blocking intrusion attempts at the network perimeter or protecting data centers. However, when hackers circumvent perimeter defenses with phishing tactics and AETs, firewalls are rendered useless and other defenses must pick up the slack.

It's time to challenge conventional thinking and get more from your firewall. Next-generation firewalls should serve a dual purpose -- they should stop attackers from infiltrating the network and prevent attackers from exfiltrating sensitive data.

The most logical way to do this is to leverage the connection-blocking capabilities already built-in to most firewalls. Today’s next-generation firewalls have the logistical placement, performance capabilities, and application control features required to block unauthorized data streams from rogue applications before they leave the network. The challenge is that most firewalls are blind to these data exfiltration activities. Real-time, granular, actionable intelligence from endpoints is the critical information that firewalls need to enable application layer exfiltration protection. High level requirements for a more complete inbound and outbound protection solution are listed below:

  • Endpoint intelligence. Endpoint intelligence must work with firewalls and other security services across the network for risk correlation, analysis, and forensics.As a team, they should validate the use of trusted applications, inventory application processes, monitor communications activities, and scrutinize all outgoing connections made by executables. Applications must be associated with legitimate users, especially where BYOD or shared devices are a concern.
  • Minimal performance overhead and device footprint. Many endpoint devices have limited resources and storage capacities -- especially in the case of retail POS systems, ATM kiosks, and medical devices. The endpoint implementation must be very lightweight, both in terms of size and processing requirements.
  • Whitelisting to allow only authorized activity. Firewalls and endpoints must both enforce the use of trusted applications, users, and associated connections with whitelisting technology, allowing legitimate, validated traffic to pass through to file servers, data storage, or trusted third parties such as merchant banks.
  • Blacklisting integration for corrective action. For real-time protection, firewalls and endpoints must also be capable of sending notifications when rogue application are discovered, blocking illegitimate traffic, and taking immediate corrective action. Compromised hosts must be quarantined and the identified malware and communications blacklisted to prevent data exfiltration.
  • Efficient management. A new approach must work within an existing centralized management schema to maximize management efficiency and minimize related expense.
  • Low cost. Upfront cost is always an issue. Perhaps more important, the solution should readily integrate with your existing security systems, reducing the deployment and operational impact to your security budget and staff resources.

Keeping Insiders Out

These requirements can also address one of today’s biggest challenges: insider attacks. Disgruntled employees and contractors with legitimate access to internal systems can deploy malware on shared workstations, making it difficult to monitor and block potentially malicious network communications. By associating user information and security identifiers with endpoint application processes, application layer exfiltration protection can greatly minimize the risks posed by insider attacks. 

Pat Calhoun is Senior Vice President & General Manager, Network Security at Intel Security and responsible for defining and executing the strategic direction for McAfee's Network Security business. Calhoun leads the engineering, marketing, and sales functions that drive ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
4/28/2015 | 4:08:09 PM
Security Configuration Management
I think this is my favorite article today.  I'm a software configuration manager -SCM- (code/build/release) by trade.  I see so many parallels here between the core intent behind good SCM, source revision control and application library version management.  The whole idea of change managing an Enterprise to ensure security and data integrity is a natural fit, yet somehow - unlike in the software development world - it has taken a long time for the tools to do that to come together.  

In SCM, of course, there are plenty of issues with getting coders to follow the rules or to even adopt SCM in the first place.  I imagine there are going to be lots of similar conversations with Enterprise staff in rolling out solutions like this due to the overhead that will be introduced.  As with all automated solutions, they are only truly "semi-"automated and there still needs to be human eyes and hands on the toolset.

Yet this is what we need, sadly, to keep both external and internal threats under wraps.  Don't think of this as "Big Brother" though - it's just another type of change management.  It's not you being watched, just the data and the environment.
User Rank: Ninja
4/28/2015 | 2:47:11 PM
Keeping Insiders Out
This is why having an efficient off-boarding process is crucial. Without one, employees disgruntled or not can have access for no reason far after they have "left". This represents a rather large security hole as many organizations off-boarding procedures are less than efficient.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...