Wednesday, December 9, 2015

Part 3 - Challenges of the Typical NGFW

Part 3

Challenges of the Typical NGFW

What good is a malicious verdict on something that had already penetrated the system?

There is no system in the world that can stop 100% of attacks/attackers 100% of the time, so infection is an inevitability that must be anticipated.  Something WILL get through and when it does, the quality of your threat system and incident response plan will surely be tested.  The Cisco Firepower Threat-focused NGFW is designed to understand what has happened through the entire life cycle and to be able to make immediate and automatic adjustments to contain the threat and provide the Practitioner with the forensic details necessary to manage and respond to the incident.

Typical NGFW solutions add on extra defense systems (malware sandboxes, URL gateways, etc.) in attempt to avoid this altogether with the focus on point-in-time prevention.   Whether a Typical NGFW or a Threat-focused one, all use technologies like Threat Intelligence cloud lookups of known malware signatures, or even sandboxing to allow the full progression of an ‘unknown’ to operate in a contained environment and ultimately determine if clean or malicious so it can be given an accurate disposition at the initial point-in-time.  How they are used is the critical point.  While a threat-focused firewall integrates these functions into its core, the Typical NGFW leverages less-integrated add-on components in order to go back to step 1 and try to deny what shouldn’t get through at first sight – attempting to prevent everything with that binary decision.  Great idea, except for a few critical deficiencies:  First, most modern malware is sandbox-aware and only used once.  Therefore, if it runs in a sandbox it may not execute the same way as it would in the wild. Signatures are only good for the 2nd time malware is seen, so a cloud lookup isn’t, with or without sandboxing, enough to confirm an unknown that only ever has one instantiation. 

The second deficiency exists in the NGFW itself – a threat must pass-through the box for anything to happen, and the NGFW must know everything it may need to all at once, at that point-in-time, for a typical NGFW to deny a threat.  Having to wait for a sandbox detonation or locating (or building) a signature means that either the system blocks all unknowns – potentially dropping legitimately clean data, or it must wait while these systems do their analysis – which ultimately slows the system and/or network down.  Once again, Speed kills, so some NGFWs will just let unknowns pass to keep performance up, while awaiting background systems like sandboxes, to do their work. Some Sandbox systems will actually let the initial data through at the same time it is being analyzed, so if it ends up being malicious, it can deny the data the next time it is seen somewhere – IF it is seen again. This is called the ‘Sacrificial Lamb’ concept and you can imagine that there is much cleanup work to follow – especially since many threats have the ability to replicate and morph.

Integrated Threat Defense

The Threat-focused NG-Firewall has successfully identified the threat, even retrospectively for complex and evasive malware, has dynamically adjusted the system to prevent further damage, known as ‘Adaptive Security’ and has correlated a ton of information to create a very detailed view of the threat progression and everywhere it ended up on your network.  A great start and certainly more than any typical NGFW was designed to do. 

How then are the evasive threats contained?

This is where the intelligence from the endpoint comes into play. Firepower, Cisco’s threat-focused NG-Firewall, can do its job without needing to run an endpoint agent on each client, using AMP for Networks, which is built into the system at its core. Adding an agent (AMP for Endpoints) sweetens the process of containment and remediation as we saw in the previous example. However, the Firepower approach passively discovers and collects detailed information from EVERY endpoint on the network; including network infrastructure devices, printers, mobile and pc-based systems, virtual systems, IP Phones, etc. Information collected includes details on every application that runs locally on each system, the local services and OS version and all related vulnerabilities*, a complete history of every user that used the system, and of course, behavioral analysis of activity such as all inbound and outbound connections, intrusion and file events, including file copy operations, which can provide reliable Indications of Compromise (IoC) to the overall Security system.

*While vulnerabilities are automatically detected through integration with public vulnerability information (feeds), Firepower Management Center can also integrate bi-directionally via Open APIs with commercial vulnerability management systems such as Qualys, Nessus and others.

Figure 3. Host Profile Drill-in with Firepower Management Center

Once this much information is known about every client on the network, you can imagine how much more accurate and effective detection and response turns out.  The high-confidence that comes from knowing that 61 of my 2,340 systems are running a vulnerable version of FireFox when a critical exploit to that vulnerability is seen, makes the accuracy and ‘actionability’ of detection very high.  This is where the impact assessment  flag comes from – events that are highest criticality and are confirmed IoC is another missing piece that the typical NGFW just cannot produce. It doesn’t have enough information, nor was it designed to collect it.  I have seen a couple of NGFW vendors try, but it ends up just being clever naming for an informational element that once again, makes the naïve feel safe and informed.  How do you know a host is compromised if you know almost nothing about that host, for instance.  That folks is called the game of marketing.  

Threat actors absolutely Love Marketing – makes their job easier.

In order for any security system to be effective, dynamic introspection into every system on the network (not just PC-based) is the critical first piece of impact assessment. What the systems do, apps they run, typical and unusual behaviors, connections they make to other systems (that do not traverse the NGFW), you get the idea.  Doing this without the need to run agent software on each client is an absolute requirement – we will likely never have the same level of tools across all of our mobile and PC platforms, and with IoT becoming our next generation, this is even more obvious.  From all of that data collected, the Practitioner gains a very rich quorum of data to work with – but remember we mentioned that ‘Noise is the enemy of protection’ without capability to intelligently assess risk and impact; this is where Impact Assessment becomes an absolute requirement for a Practitioner and for a modern security system – especially a threat-focused one.

Impact Assessment is a crucial piece for the Practitioner to know what to focus on,– turning data into actionable information.  Of the thousands or millions of tracked events that will occur on Enterprise networks, knowing what is high criticality is an imperative.  Then the ability to use continuous analysis to track a file (and related host behaviors) AFTER it reaches the end systems is a critical function of the Threat-Focused platform, so as a Practitioner, I immediately know a malicious file has somehow morphed into something that can attack others through lateral movements, other applications or process, etc.  Threat trajectory adds to this by combining the advanced visibility with continuous analysis, which allows the threat-focused platform to provide REAL risk assessment and prioritization for the Practitioner, while logging all of the forensic details needed for a more complete view during post-mortem.

Figure 4 – Impact/Risk Assessment in Firepower Management Center – and direct drill-in of course

I personally find it extremely naïve how often folks try to compare Firepower Threat-Focused NG-Firewall side-by-side with the typical NGFW.  I suppose that is exactly what good marketing is supposed to do. Change the evaluation criteria.  If all you want is a Firewall with some extra visibility for the lowest possible price, your best route may be the typical NGFW - certainly what the modern attacker is hoping for.  You will then rely on the Security Practitioner’s to invest in all of the other tools needed to protect your resources and data. As we called out earlier - Tool-Rich, Information-Sparse.

Like it or not, the NGFW by itself has become less and less relevant as the primary defense against modern threats.  This is evident by the number of partnerships and acquisitions that typical NGFW vendors are making to try and fill the gaps in their solution. 

Cisco not only has an advantage with Firepower Threat-Focused NG-Firewall, which includes the aforementioned Security Practitioner tools built-in directly into its core, but also has the advantage of the additional integration with the underlying transport network. Especially powerful when your network is Cisco-based. Routers, switches, Wi-Fi, mobility, SP, Carrier and Data Center-class network equipment are all a part of the Integrated Threat Defense flight at Cisco.  Integrated Threat Defenses allow us to use the network for both a sensor and enforcer, without having to rely upon a point of pass-through (like a NGFW) for visibility, containment and protection. 


In future episodes we will explore the individual security components of Cisco Firepower Threat Defense even deeper; things like outbreak controls and behavioral Indications of Compromise, network, file and device trajectory, as well as threat hunting and remediation.  Technologies that you may not even know are integrated into the threat-focused system like AMP ThreatGrid, Cognitive Threat Analytics and Talos, the Cisco Threat Intelligence and Security/Threat Research component. We will dig deeper into the ‘lifetime of an attack’ and how the Cisco Firepower Threat Defense system is helping you to get from day-zero to incident closure in the shortest possible time, actually compressing the Attack Chain to benefit your Security Incident Response process. We will also explore how to integrate with key technologies like OpenAppID and AMP for Gateways as well as how the network itself is used for more than just moving packets around.

²Frost & Sullivan Report (sponsored by WatchGuard)

No comments:

Post a Comment