Part 3
Challenges of the
Typical NGFW
What good is a malicious verdict on something that had already
penetrated the system?
There is no system in the world that can stop 100% of
attacks/attackers 100% of the time, so infection is an inevitability that must
be anticipated. Something WILL get
through and when it does, the quality of your threat system and incident
response plan will surely be tested. The
Cisco Firepower Threat-focused NGFW is designed to understand what has happened
through the entire life cycle and to be able to make immediate and automatic adjustments
to contain the threat and provide the Practitioner with the forensic details
necessary to manage and respond to the incident.
Typical NGFW solutions add on extra defense systems (malware
sandboxes, URL gateways, etc.) in attempt to avoid this altogether with the
focus on point-in-time prevention. Whether
a Typical NGFW or a Threat-focused one, all use technologies like Threat
Intelligence cloud lookups of known malware signatures, or even sandboxing to
allow the full progression of an ‘unknown’ to operate in a contained
environment and ultimately determine if clean or malicious so it can be given an
accurate disposition at the initial point-in-time. How they are used is the critical point. While a threat-focused firewall integrates
these functions into its core, the Typical NGFW leverages less-integrated add-on
components in order to go back to step 1 and try to deny what shouldn’t get
through at first sight – attempting to prevent everything with that binary
decision. Great idea, except for a few
critical deficiencies: First, most
modern malware is sandbox-aware and only used once. Therefore, if it runs in a sandbox it may not
execute the same way as it would in the wild. Signatures are only good for the
2nd time malware is seen, so a cloud lookup isn’t, with or without sandboxing,
enough to confirm an unknown that only ever has one instantiation.
The second deficiency exists in the NGFW itself – a threat
must pass-through the box for anything to happen, and the NGFW must know
everything it may need to all at once,
at that point-in-time, for a typical NGFW to deny a threat. Having to wait for a sandbox detonation or locating
(or building) a signature means that either the system blocks all unknowns –
potentially dropping legitimately clean data, or it must wait while these
systems do their analysis – which ultimately slows the system and/or network down. Once again, Speed kills, so some NGFWs will
just let unknowns pass to keep performance up, while awaiting background
systems like sandboxes, to do their work. Some Sandbox systems will actually
let the initial data through at the same time it is being analyzed, so if it
ends up being malicious, it can deny the data the next time it is seen
somewhere – IF it is seen again. This is called the ‘Sacrificial Lamb’ concept
and you can imagine that there is much cleanup work to follow – especially since
many threats have the ability to replicate and morph.
Integrated Threat
Defense
The Threat-focused NG-Firewall has successfully identified
the threat, even retrospectively for complex and evasive malware, has
dynamically adjusted the system to prevent further damage, known as ‘Adaptive
Security’ and has correlated a ton of information to create a very detailed
view of the threat progression and everywhere it ended up on your network. A great start and certainly more than any
typical NGFW was designed to do.
How then are the evasive threats contained?
This is where the intelligence from the endpoint comes into
play. Firepower, Cisco’s threat-focused NG-Firewall, can do its job without needing to run an endpoint agent
on each client, using AMP for Networks,
which is built into the system at its core. Adding an agent (AMP for Endpoints) sweetens the process
of containment and remediation as we saw in the previous example. However, the Firepower
approach passively discovers and collects detailed information from EVERY endpoint on the network; including
network infrastructure devices, printers, mobile and pc-based systems, virtual
systems, IP Phones, etc. Information collected includes details on every
application that runs locally on each system, the local services and OS version
and all related vulnerabilities*, a complete history of every user that used
the system, and of course, behavioral analysis of activity such as all inbound
and outbound connections, intrusion and file events, including file copy
operations, which can provide reliable Indications of Compromise (IoC) to the
overall Security system.
*While vulnerabilities are automatically detected through
integration with public vulnerability information (feeds), Firepower Management
Center can also integrate bi-directionally via Open APIs with commercial
vulnerability management systems such as Qualys, Nessus and others.
Figure 3. Host Profile Drill-in with Firepower Management
Center
Once this much information is
known about every client on the network, you can imagine how much more accurate
and effective detection and response turns out.
The high-confidence that comes from knowing that 61 of my 2,340 systems
are running a vulnerable version of FireFox when a critical exploit to that
vulnerability is seen, makes the accuracy and ‘actionability’ of detection very
high. This is where the impact
assessment flag comes from – events that
are highest criticality and are confirmed IoC is another missing piece that the
typical NGFW just cannot produce. It doesn’t have enough information, nor was
it designed to collect it. I have seen a
couple of NGFW vendors try, but it ends up just being clever naming for an
informational element that once again, makes the naïve feel safe and
informed. How do you know a host is
compromised if you know almost nothing about that host, for instance. That folks is called the game of
marketing.
Threat actors absolutely Love
Marketing – makes their job easier.
In order for any security
system to be effective, dynamic introspection into every system on the network
(not just PC-based) is the critical first piece of impact assessment. What the
systems do, apps they run, typical and unusual behaviors, connections they make
to other systems (that do not traverse the NGFW), you get the idea. Doing this without the need to run agent
software on each client is an absolute requirement – we will likely never have
the same level of tools across all of our mobile and PC platforms, and with IoT
becoming our next generation, this is even more obvious. From all of that data collected, the
Practitioner gains a very rich quorum of data to work with – but remember we
mentioned that ‘Noise is the enemy of protection’ without capability to
intelligently assess risk and impact; this is where Impact Assessment becomes
an absolute requirement for a Practitioner and for a modern security system –
especially a threat-focused one.
Impact Assessment is a
crucial piece for the Practitioner to know what to focus on,– turning data into
actionable information. Of the thousands
or millions of tracked events that will occur on Enterprise networks, knowing
what is high criticality is an imperative.
Then the ability to use continuous analysis to track a file (and related
host behaviors) AFTER it reaches the end systems is a critical function of the
Threat-Focused platform, so as a Practitioner, I immediately know a malicious
file has somehow morphed into something that can attack others through lateral
movements, other applications or process, etc. Threat trajectory adds to this by combining
the advanced visibility with continuous analysis, which allows the
threat-focused platform to provide REAL risk assessment and prioritization for
the Practitioner, while logging all of the forensic details needed for a more
complete view during post-mortem.
Figure 4 – Impact/Risk
Assessment in Firepower Management Center – and direct drill-in of course
I personally find it extremely naïve how often folks try to
compare Firepower Threat-Focused NG-Firewall side-by-side with the typical
NGFW. I suppose that is exactly what
good marketing is supposed to do. Change the evaluation criteria. If all you want is a Firewall with some extra
visibility for the lowest possible price, your best route may be the typical
NGFW - certainly what the modern attacker is hoping for. You will then rely on the Security
Practitioner’s to invest in all of the other tools needed to protect your
resources and data. As we called out earlier - Tool-Rich, Information-Sparse.
Like it or not, the NGFW by itself has become less and less
relevant as the primary defense against modern threats. This is evident by the number of partnerships
and acquisitions that typical NGFW vendors are making to try and fill the gaps
in their solution.
Cisco not only has an advantage with Firepower
Threat-Focused NG-Firewall, which includes the aforementioned Security Practitioner
tools built-in directly into its core, but also has the advantage of the
additional integration with the underlying transport network. Especially powerful when your network
is Cisco-based. Routers, switches, Wi-Fi, mobility, SP, Carrier and Data
Center-class network equipment are all a part of the Integrated Threat
Defense flight at Cisco. Integrated
Threat Defenses allow us to use the network for both a sensor and enforcer,
without having to rely upon a point of pass-through (like a NGFW) for
visibility, containment and protection.
"Bliss"
In future episodes we will explore the individual security
components of Cisco Firepower Threat Defense even deeper; things like outbreak
controls and behavioral Indications of Compromise, network, file and device
trajectory, as well as threat hunting and remediation. Technologies that you may not even know are
integrated into the threat-focused system like AMP ThreatGrid, Cognitive Threat
Analytics and Talos, the Cisco Threat Intelligence and Security/Threat Research
component. We will dig deeper into the ‘lifetime of an attack’ and how the
Cisco Firepower Threat Defense system is helping you to get from day-zero to
incident closure in the shortest possible time, actually compressing the Attack
Chain to benefit your Security Incident Response process. We will also explore
how to integrate with key technologies like OpenAppID and AMP for Gateways as
well as how the network itself is used for more than just moving packets around.
²Frost & Sullivan Report (sponsored by WatchGuard) http://www.watchguard.com/docs/analysis/FS_Article_WatchGuard_052814_CM.pdf