The recent slew of high-profile data breaches has prompted organizations to harden network perimeter defenses with the latest security technologies. In response, some cybercriminals are shifting their focus toward the human element, with phishing and social engineering scams that fool corporate users or contractors into giving up network access credentials. Other hackers are using more sophisticated methods to evade defenses, such as advanced evasion techniques (AETs). Once inside, attackers often discover a lack of internal security controls. They can take their time to avoid detection while installing malware that exfiltrates data from internal file servers or devices such as point-of-sale terminals, ATMs, critical infrastructure controllers, and healthcare endpoints. This exfiltration process can go on for weeks, months, and sometimes even years before discovery.
Data loss prevention (DLP) solutions do an excellent job of classifying, fingerprinting, and controlling access to “data at rest” on PCs, servers, and even removable storage devices. They also control how potentially sensitive “data in use” is handled at endpoints and discover and protect sensitive “data in motion” such as data sent through network traffic, email, and instant messaging. DLP is effective against both intentional and unintentional disclosure of confidential information. However, there are certain instances of data in motion where a next-generation firewall can also be effective in preventing data theft. As demonstrated in recent major retail breaches, attackers were able to bypass security controls by setting up their own communications back channels or encrypting exfiltrated data to bypass keyword filters. Because of their strategic locations at ingress and egress points throughout networks, NGFWs are able to work with endpoint management and DLP solutions to enhance existing protections and provide additional security in the battle against data breaches.
Getting More from Your Firewall
While cybercriminals keep changing their tactics, security best practices have not changed much over the years. Best practices still recommend deploying a standard set of processes and security tools, including firewalls, IPSs, and DLP solutions, with the same basic protection strategies. Firewalls are still positioned primarily for blocking intrusion attempts at the network perimeter or protecting data centers. However, when hackers circumvent perimeter defenses with phishing tactics and AETs, firewalls are rendered useless and other defenses must pick up the slack.
It's time to challenge conventional thinking and get more from your firewall. Next-generation firewalls should serve a dual purpose -- they should stop attackers from infiltrating the network and prevent attackers from exfiltrating sensitive data.
The most logical way to do this is to leverage the connection-blocking capabilities already built into most firewalls. Today's next-generation firewalls have the logistical placement, performance capabilities, and application control features required to block unauthorized data streams from rogue applications before they leave the network. The challenge is that most firewalls are blind to these data exfiltration activities: they see a source address and port, not the process or user behind the connection. Real-time, granular, actionable intelligence from endpoints is the critical information that firewalls need to enable application layer exfiltration protection. High level requirements for a more complete inbound and outbound protection solution are listed below:
Keeping Insiders Out
These requirements can also address one of today's biggest challenges: insider attacks. Disgruntled employees and contractors with legitimate access to internal systems can deploy malware on shared workstations, making it difficult to monitor and block potentially malicious network communications. By associating user information and security identifiers with endpoint application processes, application layer exfiltration protection can greatly minimize the risks posed by insider attacks.

Pat Calhoun is Senior Vice President & General Manager, Network Security at Intel Security and responsible for defining and executing the strategic direction for McAfee's Network Security business. Calhoun leads the engineering, marketing, and sales functions that drive ...
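The two ideas above, a firewall that is blind to which process opened an outbound flow, and endpoint telemetry that ties each flow to a process, user and security identifier, can be illustrated with a small correlation routine. The following is an added example written for this page; it is not code from the article, from Intel Security or from any McAfee product. Everything in it is constructed: the endpoint flow records, the firewall egress events, the allowlist of executables, the list of non-interactive service accounts, and the bulk-transfer threshold are all hypothetical values chosen to make the policy decisions visible. The key point it demonstrates is the lookup on the 4-tuple (source IP, source port, destination IP, destination port), which is the only handle the firewall and the endpoint agent share, and the deliberate handling of the case where no endpoint context exists at all.

```python
"""Correlate firewall egress events with endpoint process telemetry and
decide, per flow, whether the firewall should allow, block, or alert.
Added example for illustration; all data and policy values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EndpointFlow:
    """One outbound connection as reported by a hypothetical endpoint agent."""
    host_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    user: str       # account that owns the process
    sid: str        # security identifier of that account (constructed)
    process: str    # executable path of the process owning the socket
    signed: bool    # code-signature verification result from the agent


@dataclass(frozen=True)
class FirewallEvent:
    """One egress connection as seen by the firewall: addresses and ports only."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_out: int


# Hypothetical policy: executables permitted to originate outbound sessions.
ALLOWED_EGRESS_PROCESSES = {
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Program Files\Microsoft Office\outlook.exe",
}
# Hypothetical: service accounts that never legitimately browse or upload.
NON_INTERACTIVE_USERS = {"svc_pos", "svc_backup"}
# Hypothetical: outbound volume above which even an allowed app is flagged.
BULK_BYTES = 50 * 1024 * 1024


def index_endpoint_flows(flows):
    """Key endpoint records by the 4-tuple the firewall can also observe."""
    return {(f.host_ip, f.local_port, f.remote_ip, f.remote_port): f for f in flows}


def decide(event, index):
    """Return (action, reason) for one firewall event given endpoint context."""
    key = (event.src_ip, event.src_port, event.dst_ip, event.dst_port)
    ctx = index.get(key)
    if ctx is None:
        # The firewall's blind spot: no process or user behind this flow.
        return ("alert", "no endpoint context for flow; firewall is blind here")
    if not ctx.signed:
        return ("block", f"unsigned process {ctx.process} run by {ctx.user} ({ctx.sid})")
    if ctx.process not in ALLOWED_EGRESS_PROCESSES:
        return ("block", f"process {ctx.process} is not approved for egress")
    if ctx.user in NON_INTERACTIVE_USERS:
        return ("block", f"service account {ctx.user} ({ctx.sid}) originated egress")
    if event.bytes_out > BULK_BYTES:
        return ("alert", f"bulk transfer of {event.bytes_out} bytes by {ctx.process}")
    return ("allow", f"{ctx.process} by {ctx.user} within policy")


def evaluate(events, flows):
    """Apply decide() to every firewall event and return the decisions in order."""
    index = index_endpoint_flows(flows)
    return [{"event": e, "action": a, "reason": r}
            for e in events for a, r in [decide(e, index)]]


# Constructed endpoint telemetry (values are not from any real host).
SAMPLE_FLOWS = [
    EndpointFlow("10.1.2.10", 51001, "203.0.113.5", 443, "alice", "S-1-5-21-1-1-1-1001",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe", True),
    EndpointFlow("10.1.2.10", 51002, "203.0.113.9", 443, "alice", "S-1-5-21-1-1-1-1001",
                 r"C:\Users\Public\update.exe", False),
    EndpointFlow("10.1.2.20", 51003, "203.0.113.5", 443, "svc_pos", "S-1-5-21-1-1-1-2001",
                 r"C:\Program Files\Mozilla Firefox\firefox.exe", True),
    EndpointFlow("10.1.2.10", 51004, "203.0.113.7", 443, "alice", "S-1-5-21-1-1-1-1001",
                 r"C:\Program Files\Microsoft Office\outlook.exe", True),
]

# Constructed firewall egress log; the last event has no matching endpoint record.
SAMPLE_EVENTS = [
    FirewallEvent("10.1.2.10", 51001, "203.0.113.5", 443, 12_000),
    FirewallEvent("10.1.2.10", 51002, "203.0.113.9", 443, 4_000_000),
    FirewallEvent("10.1.2.20", 51003, "203.0.113.5", 443, 9_000),
    FirewallEvent("10.1.2.10", 51004, "203.0.113.7", 443, 80 * 1024 * 1024),
    FirewallEvent("10.1.2.30", 51005, "203.0.113.11", 443, 2_000_000),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_EVENTS, SAMPLE_FLOWS):
        e = d["event"]
        print(f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}  {d['action']:5}  {d['reason']}")
```

Run as a script, the five constructed events resolve to allow, block, block, alert, alert. The third case is the insider scenario from the text: a legitimately signed browser is blocked anyway because the security identifier belongs to a service account that should never originate outbound sessions. The fifth case is the important failure mode: with no endpoint record the firewall cannot name a process, so the routine raises an alert rather than silently allowing the flow, which is exactly the blindness the article says endpoint intelligence is meant to remove.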