Wednesday, December 9, 2015

Part 3 - Challenges of the Typical NGFW


What good is a malicious verdict on something that had already penetrated the system?

There is no system in the world that can stop 100% of attacks/attackers 100% of the time, so infection is an inevitability that must be anticipated.  Something WILL get through and when it does, the quality of your threat system and incident response plan will surely be tested.  The Cisco Firepower Threat-focused NGFW is designed to understand what has happened through the entire life cycle and to be able to make immediate and automatic adjustments to contain the threat and provide the Practitioner with the forensic details necessary to manage and respond to the incident.

Typical NGFW solutions bolt on extra defense systems (malware sandboxes, URL gateways, etc.) in an attempt to avoid this altogether, with the focus on point-in-time prevention. Whether typical or Threat-focused, all NGFWs use technologies like Threat Intelligence cloud lookups of known malware signatures, or sandboxing, which lets an 'unknown' run to completion in a contained environment so it can be given an accurate clean or malicious disposition at the initial point in time. How they are used is the critical point. A threat-focused firewall integrates these functions into its core; the Typical NGFW leverages less-integrated add-on components in order to go back to step 1 and try to deny what shouldn't get through at first sight, attempting to prevent everything with that one binary decision. Great idea, except for a few critical deficiencies. First, most modern malware is sandbox-aware and used only once, so if it runs in a sandbox it may not execute the way it would in the wild. A signature is only useful the second time a piece of malware is seen, so a cloud lookup, with or without sandboxing, is not enough to confirm an unknown that only ever has one instantiation.

The second deficiency is in the NGFW itself: a threat must pass through the box for anything to happen, and a typical NGFW must know everything it may need to know at that single point in time in order to deny the threat. Having to wait for a sandbox detonation, or to locate (or build) a signature, means the system either blocks all unknowns, potentially dropping legitimately clean data, or waits while those systems do their analysis, which slows the box and/or the network down. Once again, speed kills: some NGFWs simply let unknowns pass to keep performance up while background systems such as sandboxes do their work. Some sandbox systems will let the initial data through at the same time it is being analyzed; if it turns out to be malicious, the data can be denied the next time it is seen somewhere, IF it is seen again. This is the 'Sacrificial Lamb' approach, and you can imagine how much cleanup follows, especially since many threats are able to replicate and morph.


Integrated Threat Defense


The Threat-focused NG-Firewall has identified the threat, even retrospectively for complex and evasive malware; has dynamically adjusted the system to prevent further damage (known as 'Adaptive Security'); and has correlated a ton of information into a very detailed view of the threat's progression and everywhere it ended up on your network. A great start, and certainly more than any typical NGFW was designed to do.

How then are the evasive threats contained?

This is where intelligence from the endpoint comes into play. Firepower, Cisco's threat-focused NG-Firewall, can do its job without an endpoint agent on each client by using AMP for Networks, which is built into the system at its core. Adding an agent (AMP for Endpoints) sweetens containment and remediation, as in the Part 2 example. Either way, the Firepower approach passively discovers and collects detailed information from EVERY endpoint on the network, including network infrastructure devices, printers, mobile and PC-based systems, virtual systems, IP Phones, and so on. The information collected includes every application that runs locally on each system; the local services, OS version and all related vulnerabilities*; a complete history of every user who used the system; and behavioral analysis of activity such as all inbound and outbound connections and intrusion and file events, including file copy operations, which can provide reliable Indications of Compromise (IoC) to the overall security system.


*While vulnerabilities are automatically detected through integration with public vulnerability information (feeds), Firepower Management Center can also integrate bi-directionally via Open APIs with commercial vulnerability management systems such as Qualys, Nessus and others.


Figure 3. Host Profile Drill-in with Firepower Management Center

Once this much is known about every client on the network, you can imagine how much more accurate and effective detection and response become. Knowing, with high confidence, that 61 of my 2,340 systems run a vulnerable version of Firefox when an exploit for that vulnerability is seen on the wire makes detection both accurate and actionable. This is where the impact assessment flag comes from: an event of the highest criticality, tied to a confirmed IoC on a host known to be vulnerable. It is another piece the typical NGFW simply cannot produce; it does not have enough information, nor was it designed to collect it. I have seen a couple of NGFW vendors try, but it ends up being clever naming for an informational element that, once again, makes the naive feel safe and informed. How do you know a host is compromised, for instance, if you know almost nothing about that host? That, folks, is called the game of marketing.

Threat actors absolutely Love Marketing – makes their job easier.

For any security system to be effective, dynamic introspection into every system on the network (not just PC-based) is the critical first piece of impact assessment: what the systems do, the apps they run, typical and unusual behaviors, the connections they make to other systems (including those that never traverse the NGFW), you get the idea. Doing this without running agent software on each client is an absolute requirement; we will likely never have the same level of tooling across all of our mobile and PC platforms, and with IoT becoming the next generation this is even more obvious. From all of that collected data the Practitioner gains a very rich body of information to work with, but remember that 'Noise is the enemy of protection' without the capability to intelligently assess risk and impact. This is where Impact Assessment becomes an absolute requirement for a Practitioner and for a modern security system, especially a threat-focused one.

Impact Assessment is a crucial piece for the Practitioner to know what to focus on, turning data into actionable information. Of the thousands or millions of tracked events that will occur on enterprise networks, knowing which are high criticality is imperative. The ability to use continuous analysis to track a file (and related host behaviors) AFTER it reaches the end systems is then a critical function of the threat-focused platform, so that as a Practitioner I immediately know when a malicious file has somehow morphed into something that can attack others through lateral movement, other applications or processes, and so on. Threat trajectory adds to this by combining advanced visibility with continuous analysis, which lets the threat-focused platform provide REAL risk assessment and prioritization for the Practitioner, while logging all of the forensic detail needed for a more complete view during the post-mortem.
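As an added illustration (not Firepower code, and not FMC's actual algorithm), the following Python shows the correlation step that turns an intrusion event into an impact flag by looking it up against a passively built host profile, and answers the scope question from the Firefox example above (which hosts carry the weakness at all). The hosts, events and vulnerability tags are constructed placeholders, not real hosts or CVE identifiers, and the five-level scheme is an assumption modelled loosely on Firepower's impact levels:

```python
"""Impact assessment: rank intrusion events by what is known about the target host.

Added illustration, not Firepower/FMC code. Hosts, events and vulnerability
tags below are constructed placeholders (the tags are not real CVE IDs).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostProfile:
    ip: str
    os: str
    apps: Dict[str, str]      # application -> version, learned passively from traffic
    open_ports: Set[int]      # services the host has been seen answering on
    vulns: Set[str]           # vulnerability tags derived from the OS/app inventory


@dataclass
class IntrusionEvent:
    signature: str
    src_ip: str
    dst_ip: str
    dst_port: int
    target_app: Optional[str]  # application the exploit is written against, if known
    vulns: Set[str]            # vulnerability tags the signature is tied to


# Five-level scheme, an assumption modelled loosely on Firepower's impact flags:
# 1 target known vulnerable, 2 target runs the app or listens on the port,
# 3 target present but not vulnerable, 4 target not in the host map, 0 unknown.
IMPACT_LABELS = {
    1: "vulnerable",
    2: "potentially vulnerable",
    3: "currently not vulnerable",
    4: "unknown target",
    0: "unknown",
}
# Work order for the analyst: confirmed-vulnerable first, unknowns last.
_WORK_ORDER = {1: 0, 2: 1, 3: 2, 4: 3, 0: 4}


def assess_impact(event: IntrusionEvent, inventory: Dict[str, HostProfile]) -> int:
    """Correlate one event with the target's host profile and return the impact level."""
    host = inventory.get(event.dst_ip)
    if host is None:
        return 4                                   # nothing known about the target
    if event.vulns & host.vulns:
        return 1                                   # exploit matches a known weakness on the host
    if (event.target_app and event.target_app in host.apps) or event.dst_port in host.open_ports:
        return 2                                   # right application or listening port, no vuln match
    if event.vulns or event.target_app:
        return 3                                   # we know what it targets and the host lacks it
    return 0                                       # signature carries no target information


def hosts_exposed(inventory: Dict[str, HostProfile], vuln: str) -> List[str]:
    """Scope question: which hosts carry this weakness at all?"""
    return sorted(ip for ip, h in inventory.items() if vuln in h.vulns)


def prioritize(events, inventory) -> List[Tuple[int, IntrusionEvent]]:
    """Turn a pile of events into a work list, most actionable first (stable for ties)."""
    scored = [(assess_impact(e, inventory), e) for e in events]
    return sorted(scored, key=lambda pair: _WORK_ORDER[pair[0]])


# Constructed inventory and events.
INVENTORY = {
    "10.1.1.10": HostProfile("10.1.1.10", "Windows 7", {"firefox": "38.0"}, {445, 3389}, {"firefox-38-rce"}),
    "10.1.1.11": HostProfile("10.1.1.11", "Windows 10", {"firefox": "42.0"}, {445}, set()),
    "10.1.1.20": HostProfile("10.1.1.20", "Linux", {"nginx": "1.8"}, {80, 443}, set()),
}
EVENTS = [
    IntrusionEvent("browser exploit kit landing", "203.0.113.5", "10.1.1.10", 49152, "firefox", {"firefox-38-rce"}),
    IntrusionEvent("browser exploit kit landing", "203.0.113.5", "10.1.1.11", 49153, "firefox", {"firefox-38-rce"}),
    IntrusionEvent("RDP brute force", "203.0.113.9", "10.1.1.20", 3389, "rdp", set()),
    IntrusionEvent("SMB scan", "10.1.1.11", "10.1.1.99", 445, None, set()),
    IntrusionEvent("anomalous DNS", "10.1.1.11", "10.1.1.20", 53, None, set()),
]

if __name__ == "__main__":
    for level, ev in prioritize(EVENTS, INVENTORY):
        print(f"impact {level} ({IMPACT_LABELS[level]}): {ev.signature} -> {ev.dst_ip}")
    print("hosts exposed to firefox-38-rce:", hosts_exposed(INVENTORY, "firefox-38-rce"))
```

The two identical exploit-kit events land at different priorities purely because of what the host map says about their targets: the same signature is impact 1 against the host running the vulnerable Firefox and impact 2 against the patched one. An event against a host the map has never seen (impact 4) is the case the text is describing when it says a typical NGFW "knows almost nothing about that host".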


Figure 4 – Impact/Risk Assessment in Firepower Management Center – and direct drill-in of course

I personally find it extremely naive how often folks try to compare the Firepower Threat-Focused NG-Firewall side-by-side with the typical NGFW. I suppose that is exactly what good marketing is supposed to do: change the evaluation criteria. If all you want is a firewall with some extra visibility for the lowest possible price, your best route may be the typical NGFW, which is certainly what the modern attacker is hoping for. You will then rely on your Security Practitioners to invest in all of the other tools needed to protect your resources and data. As we called out earlier: Tool-Rich, Information-Sparse.

Like it or not, the NGFW by itself has become less and less relevant as the primary defense against modern threats.  This is evident by the number of partnerships and acquisitions that typical NGFW vendors are making to try and fill the gaps in their solution. 

Cisco not only has an advantage with the Firepower Threat-Focused NG-Firewall, which has the aforementioned Security Practitioner tools built directly into its core, but also the advantage of additional integration with the underlying transport network, which is especially powerful when your network is Cisco-based. Routers, switches, Wi-Fi, mobility, SP, carrier and data-center-class network equipment are all part of the Integrated Threat Defense portfolio at Cisco. Integrated Threat Defense lets us use the network as both sensor and enforcer, without having to rely upon a point of pass-through (like an NGFW) for visibility, containment and protection.

"Bliss"


In future episodes we will explore the individual security components of Cisco Firepower Threat Defense even deeper; things like outbreak controls and behavioral Indications of Compromise, network, file and device trajectory, as well as threat hunting and remediation.  Technologies that you may not even know are integrated into the threat-focused system like AMP ThreatGrid, Cognitive Threat Analytics and Talos, the Cisco Threat Intelligence and Security/Threat Research component. We will dig deeper into the ‘lifetime of an attack’ and how the Cisco Firepower Threat Defense system is helping you to get from day-zero to incident closure in the shortest possible time, actually compressing the Attack Chain to benefit your Security Incident Response process. We will also explore how to integrate with key technologies like OpenAppID and AMP for Gateways as well as how the network itself is used for more than just moving packets around.



Part 2 - Enter Threat-Focused NG-Firewall


What does a Threat-focused NG-Firewall do differently?  Just about everything. Let’s compare the most popular NGFW systems on the market (typical NGFW) with the Cisco Firepower NG-Firewall system, (a Threat-Focused NG-Firewall).

If you consider the typical NGFW available from your choice of vendors, you are staring at a system that was designed for, and normally sold to, network-focused admins who need more visibility into their policy and want some additional depth in what they can choose to allow or deny. Policy alone has been circumvented by the ever-present threat landscape, so policy management that actually has any effect on protection has become extremely difficult. The limiting factor of the standard NGFW is that it can only accurately enforce permit or deny on what it understands. The classic example is the firewall that runs IDS/IPS signatures in the packet path to 'detect' what it understands and take an action, with an output event that something was seen, some basic information about who and what, and the action taken.

A Threat-focused NG-Firewall system by contrast, looks at the world differently – with its foundation a set of detection engines that leverage both signature-based and signature-less technologies to hand out verdicts on data flows, files and other bits of information.  How well this is done depends on the intelligence built into the verdict engines – not only allowing detection and dispositions of point-in-time events, like many other vendors do, but also detection beyond the event horizon, which is the Cisco Firepower NG-Firewall’s most obvious differentiator. The event horizon is the point-in-time where a system first sees something good, bad or unknown and issues a verdict or disposition. 

Figure 1a – Point-in-time analysis, used by every NGFW that you can buy today


If the data was given a clean disposition, a typical NGFW will no longer attempt to view or track it, because a clean disposition has already been issued and continuing to watch 'everything' takes extra horsepower that most NGFW vendors are not willing to dedicate at the expense of packet-in/packet-out performance. NGFWs were designed to be sold to network admins, remember? We expect routers to move packets as fast as possible, and that is the typical focus of evaluation with the standard NGFW: speed, simplicity and price.

Continuous Analysis

To actually defend and protect your network from modern threats… speed kills.

I am not saying you can't have good performance, just that packet-in/packet-out speed doesn't equate to being thorough, especially when most of the advanced attacks we see today do not immediately show up as malicious and, in most cases, are used only once. Security is about detecting, understanding and stopping threats. On the foundation of visibility you can understand context and apply collective intelligence to detect a threat. Going beyond the event horizon uses a concept known as 'continuous analysis': the system keeps watching the activity of data that has already passed initial evaluation and been given a clean or unknown disposition. When modern malware, especially previously unknown zero-day, single-use malware, changes behavior, a threat-focused system can retrospectively evaluate and detect behaviors like lateral movement, sleep techniques, polymorphism, encryption or even unknown protocols. With that new detection, a new malicious (bad) verdict can be issued and further actions taken automatically, even retrospectively.


Figure 1b – Continuous Analysis - beyond the Event Horizon used by only the Cisco Threat-Focused NG-Firewall


If a threat is detected retrospectively or in real-time, extremely high-confidence, automated enforcement, or ‘Adaptive Security’ is used to stop the threat. In order to accomplish this, the system must be able to record everything that is seen to have a continuous capability to detect threats hours, days or even weeks later. Visibility, context and attribution of Threat Actor, threat, and target of threat must be part of the same process in order to be effective – not separate bolt-on systems. This is what the Cisco Firepower Threat-centric NG-Firewall is built to do.

Let’s look at an example of what a continuous analysis flow looks like within the Firepower Management Center (which manages Cisco Firepower NG-Firewalls) on a file that was downloaded by a user from their browser and initially given an ‘unknown’ disposition at point-in-time, not knowing that this file contains a day-zero Malware threat (never seen before).  Keep in mind that this is all done in an environment where no additional client agent software has been installed to provide details to the system.  You will see the value of adding an optional Advanced Malware Protection (AMP) host agent later in the process.


Figure 2a – The Network Trajectory Screen in Firepower Management Center

Figure 2b – Trajectory showing the file originally downloaded by FireFox

Figure 2c – Trajectory showing the file being copied (laterally) via browser

Figure 2d – and copied laterally again, this time over the SMB application

Figure 2e – and yet again to a 4th system, over the SMB protocol

Figure 2f – Using Cisco Collective Threat Intelligence (Talos), the file is learned to be malicious 7 hours after the first download – a zero-day threat

Figure 2g – The 2nd device to receive the file happens to be running AMP for Endpoints and reacts by automatically quarantining the malware. The other 3 devices are not running AMP for Endpoints but are automatically part of the threat scope, and all of their activity is fully recorded

Figure 2h – The Firepower Management Center automatically modified the policy to prevent this malware from ever traversing your enterprise again, and automatically defined the scope of the threat, identified patient zero and other necessary forensic details that can be used by the Practitioner

Since the information is constantly tracked, this continuous temporal visibility also enables automatic threat containment and scoping, impact analysis and incident response, as well as all hierarchical relationships back to patient zero, all useful actions and information for the Practitioner. Because of the context and visibility behind these functions, high-confidence security automation suddenly becomes available to the process: the ability to self-adjust both policy and actions, provide automatic outbreak controls, attribution and parent-child relationships, while a typical NGFW would be completely blind to what is happening and unable to perform any of them.
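As an added example, not Firepower code, here is the bookkeeping that continuous analysis requires, in Python: every file transfer is recorded whatever its verdict at the time, and when a malicious verdict arrives hours later (as in Figure 2f) the stored history yields patient zero, the set of exposed hosts, the parent/child copy chain and the dwell time, while every later sighting of the same hash is blocked. The same code also shows why the 'Sacrificial Lamb' approach discussed in Part 3 is only half an answer: blocking on the next sighting is of little use unless you also know everywhere the first sighting already went. The event stream and the hash strings are constructed placeholders, not real digests or hosts.

```python
"""Continuous analysis: keep tracking a file after an 'unknown' verdict so that a
verdict arriving later can be applied retrospectively to everything it touched.

Added illustration, not Firepower code. The event stream and the hash strings
are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class FileEvent:
    ts: int           # seconds since epoch (constructed)
    sha256: str       # placeholder, not a real digest
    src: str
    dst: str
    app: str          # protocol the file moved over: HTTP, SMB, ...
    disposition: str  # verdict available when the file crossed the sensor


class FileTracker:
    """Records every file transfer, whatever its verdict, and re-evaluates on demand."""

    def __init__(self) -> None:
        self.events: Dict[str, List[FileEvent]] = defaultdict(list)
        self.verdicts: Dict[str, str] = {}

    def observe(self, ev: FileEvent) -> str:
        """Point-in-time step. Unknown and clean files are allowed but still recorded.
        (A blocked transfer is logged too; a real system would tag it as blocked.)"""
        self.events[ev.sha256].append(ev)
        self.verdicts.setdefault(ev.sha256, ev.disposition)
        return "block" if self.verdicts[ev.sha256] == "malicious" else "allow"

    def retrospective_verdict(self, sha256: str, disposition: str, at: int) -> Optional[dict]:
        """Apply a verdict learned later (e.g. from a cloud lookup). For a malicious
        verdict, return the scope already exposed so containment can start at once."""
        self.verdicts[sha256] = disposition      # every future observe() of this hash now blocks
        if disposition != "malicious":
            return None
        return self.trajectory(sha256, at)

    def trajectory(self, sha256: str, now: int) -> dict:
        """Reconstruct where the file went: patient zero, every host, parent/child links."""
        evs = sorted(self.events.get(sha256, []), key=lambda e: e.ts)
        hosts: List[str] = []
        parents: Dict[str, str] = {}
        for e in evs:
            if e.dst not in parents:           # first arrival on a host defines its parent
                parents[e.dst] = e.src
                hosts.append(e.dst)
        return {
            "patient_zero": hosts[0] if hosts else None,
            "hosts": hosts,
            "parents": parents,
            "paths": [(e.src, e.dst, e.app) for e in evs],
            "dwell_seconds": (now - evs[0].ts) if evs else 0,
        }


H = 3600
SAMPLE = "sha256:constructed-sample-1"     # placeholder digest
OTHER = "sha256:constructed-sample-2"
# Constructed stream mirroring Figures 2b-2e: one download, then three lateral copies.
EVENTS = [
    FileEvent(0 * H, SAMPLE, "203.0.113.7", "10.1.1.10", "HTTP", "unknown"),
    FileEvent(1 * H, SAMPLE, "10.1.1.10", "10.1.1.11", "HTTP", "unknown"),
    FileEvent(3 * H, SAMPLE, "10.1.1.11", "10.1.1.12", "SMB", "unknown"),
    FileEvent(5 * H, SAMPLE, "10.1.1.12", "10.1.1.13", "SMB", "unknown"),
    FileEvent(2 * H, OTHER, "203.0.113.8", "10.1.1.20", "HTTP", "clean"),
]


def run_scenario() -> dict:
    """Replay the stream, then learn 7 hours in that the sample is malicious."""
    tracker = FileTracker()
    first_pass = [tracker.observe(e) for e in EVENTS]                # all 'allow' at point-in-time
    scope = tracker.retrospective_verdict(SAMPLE, "malicious", at=7 * H)
    later = tracker.observe(FileEvent(8 * H, SAMPLE, "10.1.1.13", "10.1.1.14", "SMB", "unknown"))
    return {"first_pass": first_pass, "scope": scope, "after_verdict": later}


if __name__ == "__main__":
    result = run_scenario()
    print("patient zero:", result["scope"]["patient_zero"])
    print("exposed hosts:", result["scope"]["hosts"])
    print("copy chain:", result["scope"]["parents"])
    print("dwell time (h):", result["scope"]["dwell_seconds"] // H)
    print("next sighting:", result["after_verdict"])
```

Without the history kept by `observe()`, the verdict at hour 7 would only produce a block rule for future traffic, which is exactly the "sacrificial lamb" outcome: the four hosts that already hold the file would have to be found by hand. With it, the same verdict immediately yields the containment list and the copy chain back to patient zero.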


Stay Tuned for Part 3 - Challenges of the Typical NGFW and Integrated Threat Defense with the Cisco Firepower NG-Firewall