Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
11:10 AM
Pat Calhoun
Pat Calhoun
Partner Perspectives

Application Layer Exfiltration Protection: A New Perspective on Firewalls

Organizations must adopt a new way of thinking about safeguarding sensitive data from theft and unauthorized exfiltration.

The recent slew of high profile data breaches has prompted organizations to harden network perimeter defenses with the latest security technologies. In response, some cybercriminals are shifting their focus toward the human element, with phishing and social engineering scams that fool corporate users or contractors into giving up network access credentials. Others hackers are using more sophisticated methods to evade defenses such as advanced evasion techniques (AETs). Once inside, attackers often discover a lack of internal security controls. They can take their time to avoid detection while installing malware that exfiltrates data from internal file servers or devices such as point-of-sale terminals, ATM machines, critical infrastructure controllers, and healthcare endpoints. This exfiltration process can go on for weeks, months, and sometimes even years before discovery.

Data loss prevention (DLP) solutions do an excellent job of classifying, fingerprinting, and controlling access to “data at rest” on PCs, servers, and even removable storage devices. They also control how potentially sensitive “data in use” is handled at endpoints and discover and protect sensitive “data in motion” such as data sent through network traffic, email, and instant messaging. DLP is effective against both intentional and unintentional disclosure of confidential information. However, there are certain instances of data in motion where a next-generation firewall can also be effective in preventing data theft. As demonstrated in recent major retail breaches, attackers were able to bypass security controls by setting up their own communications back channels or encrypting exfiltrated data to bypass keyword filters. Because of their strategic locations at ingress and egress points throughout networks, NGFWs are able to work with endpoint management and DLP solutions to enhance existing protections and provide additional security in the battle against data breaches.

Getting More from Your Firewall

While cybercriminals keep changing their tactics, security best practices have not changed much over the years. Best practices still recommend deploying a standard set of processes and security tools, including firewalls, IPSs, and DLP solutions, with the same basic protection strategies. Firewalls are still positioned primarily for blocking intrusion attempts at the network perimeter or protecting data centers. However, when hackers circumvent perimeter defenses with phishing tactics and AETs, firewalls are rendered useless and other defenses must pick up the slack.

It's time to challenge conventional thinking and get more from your firewall. Next-generation firewalls should serve a dual purpose -- they should stop attackers from infiltrating the network and prevent attackers from exfiltrating sensitive data.

The most logical way to do this is to leverage the connection-blocking capabilities already built-in to most firewalls. Today’s next-generation firewalls have the logistical placement, performance capabilities, and application control features required to block unauthorized data streams from rogue applications before they leave the network. The challenge is that most firewalls are blind to these data exfiltration activities. Real-time, granular, actionable intelligence from endpoints is the critical information that firewalls need to enable application layer exfiltration protection. High level requirements for a more complete inbound and outbound protection solution are listed below:

  • Endpoint intelligence. Endpoint intelligence must work with firewalls and other security services across the network for risk correlation, analysis, and forensics.As a team, they should validate the use of trusted applications, inventory application processes, monitor communications activities, and scrutinize all outgoing connections made by executables. Applications must be associated with legitimate users, especially where BYOD or shared devices are a concern.
  • Minimal performance overhead and device footprint. Many endpoint devices have limited resources and storage capacities -- especially in the case of retail POS systems, ATM kiosks, and medical devices. The endpoint implementation must be very lightweight, both in terms of size and processing requirements.
  • Whitelisting to allow only authorized activity. Firewalls and endpoints must both enforce the use of trusted applications, users, and associated connections with whitelisting technology, allowing legitimate, validated traffic to pass through to file servers, data storage, or trusted third parties such as merchant banks.
  • Blacklisting integration for corrective action. For real-time protection, firewalls and endpoints must also be capable of sending notifications when rogue application are discovered, blocking illegitimate traffic, and taking immediate corrective action. Compromised hosts must be quarantined and the identified malware and communications blacklisted to prevent data exfiltration.
  • Efficient management. A new approach must work within an existing centralized management schema to maximize management efficiency and minimize related expense.
  • Low cost. Upfront cost is always an issue. Perhaps more important, the solution should readily integrate with your existing security systems, reducing the deployment and operational impact to your security budget and staff resources.

Keeping Insiders Out

These requirements can also address one of today’s biggest challenges: insider attacks. Disgruntled employees and contractors with legitimate access to internal systems can deploy malware on shared workstations, making it difficult to monitor and block potentially malicious network communications. By associating user information and security identifiers with endpoint application processes, application layer exfiltration protection can greatly minimize the risks posed by insider attacks. 

Pat Calhoun is Senior Vice President & General Manager, Network Security at Intel Security and responsible for defining and executing the strategic direction for McAfee's Network Security business. Calhoun leads the engineering, marketing, and sales functions that drive ... View Full Bio
Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Ninja
4/28/2015 | 2:47:11 PM
Keeping Insiders Out
This is why having an efficient off-boarding process is crucial. Without one, employees disgruntled or not can have access for no reason far after they have "left". This represents a rather large security hole as many organizations off-boarding procedures are less than efficient.
User Rank: Ninja
4/28/2015 | 4:08:09 PM
Security Configuration Management
I think this is my favorite article today.  I'm a software configuration manager -SCM- (code/build/release) by trade.  I see so many parallels here between the core intent behind good SCM, source revision control and application library version management.  The whole idea of change managing an Enterprise to ensure security and data integrity is a natural fit, yet somehow - unlike in the software development world - it has taken a long time for the tools to do that to come together.  

In SCM, of course, there are plenty of issues with getting coders to follow the rules or to even adopt SCM in the first place.  I imagine there are going to be lots of similar conversations with Enterprise staff in rolling out solutions like this due to the overhead that will be introduced.  As with all automated solutions, they are only truly "semi-"automated and there still needs to be human eyes and hands on the toolset.

Yet this is what we need, sadly, to keep both external and internal threats under wraps.  Don't think of this as "Big Brother" though - it's just another type of change management.  It's not you being watched, just the data and the environment.
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-07-31
A Session ID leak in the DEBUG log file in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
PUBLISHED: 2021-07-31
A Session ID leak in the audit log in Graylog before 4.1.2 allows attackers to escalate privileges (to the access level of the leaked session ID).
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.15 allows XXE attacks via three steps: modify a .css file to have <!ENTITY content, create a .xml file for a generic survey template (containing a link to this .css file), and import this .xml file at the survey/admin/folderSurvey.do?action=viewImportSurvey['importFil...
PUBLISHED: 2021-07-31
ObjectPlanet Opinio before 7.14 allows Expression Language Injection via the admin/permissionList.do from parameter. This can be used to retrieve possibly sensitive serverInfo data.
PUBLISHED: 2021-07-31
admin/file.do in ObjectPlanet Opinio before 7.15 allows Unrestricted File Upload of executable JSP files, resulting in remote code execution, because filePath can have directory traversal and fileContent can be valid JSP code.