In my role here at Bandura Cyber, I often have great conversations with folks about our ThreatBlockr. We talk about the problems we solve, the value we provide, and how our platform works. While these conversations are different based on their unique cybersecurity challenges and where they are in their threat intelligence journey, there is one aspect that is not. It’s this one common subject that sometimes leaves me with an Exorcist-like, head spinning experience, by the end of the day.
The conversation usually goes something like this…
“My next-generation firewall does this!”
“My next-generation firewall doesn’t do this!”
“I can do this with my next-generation firewall”
“I can’t do this with my next-generation firewall (shoulder tap…”which by the way is why I’m talking to you in the first place!”)
Do you see the issue? Which is it? Does your next-generation firewall (NGFW) do “this” or doesn’t it?
I think the answer to this question comes down to clearly defining what “THIS” is.
“THIS” is…”My NGFW Uses Threat Intelligence, Therefore I Am Protected”
Let me explain why “This” is a myth. (This is a two-part answer)
First….NGFWs continue to provide a solid foundation for network security. I mean this is kind of why pretty much everyone has one, right? However, a key challenge with firewalls is that they depend on proprietary threat intelligence to detect and block threats. This intelligence is derived from activity they see in the firewalls within their customers’ networks.
So ask yourself, “Does my NGFW use threat intelligence?” The answer is, “Yes it does…. BUT.” That big “BUT” being that the threat intelligence they use is proprietary.
The second important question that you should be asking yourself is, “I wonder if the threat intelligence provided by my NGFW is good enough to protect me?” Unfortunately, the answer is a resounding, “NO!” To be clear, the proprietary threat intelligence that NGFWs use does have value. However it alone is insufficient because it’s just one vendor’s view of the threat landscape. Now, to be fair, this isn’t “new news”. For years, vendors have touted their threat intelligence as being an advantage over their competition. However, that’s a very “2005” way of looking at cyber security. And unfortunately, it’s very common. But times have changed (boy have they!). As the threats and the threat actors have evolved, so have the methods of identifying them. For some time now, very sophisticated and security-savvy organizations have been incorporating a broad-based view of threat intelligence, from multiple sources, into their security operations. This includes threat intel from commercial providers, open source, government, and industry sources. These organizations have found that by leveraging threat intelligence from varied perspectives, they are able to have true visibility into the types of malicious traffic that may affect their networks, improving their ability to protect their networks and organization.
“THIS” #2 – “My NGFW Can Integrate Third-Party Threat Intelligence”
In full transparency, this answer is a bit more complicated, as it is more like a “little YES” and “Big NO!”
Let me explain. There is not one name-brand NGFW on the market that doesn’t have external IP and domain blocklist capabilities. However, these same firewalls have significant limitations with respect to: (1) the volume of threat indicators in their external blocklists; (2) the size of blocklists; and (3) the ways in which you can integrate third-party threat intel data, into that firewall.
So let’s put some data behind the “little yes” and the“BIG NO!” One of the top, name brand NGFWs on the market can handle a maximum of 150,000 IPs in their external block list. If one were to throw a few open source threat intel feeds into that firewall, they would quickly hit these limits. In a real world scenario, were that same organization to try to integrate Webroot’s IP Reputation Feed and its 4.8 million indicators into their NGFW, they would quickly find this to be extremely challenging to impossible.
If you’re new to this concept, that may be a bit to digest. Let me summarize a bit:
- The threat intelligence that NGFWs use to detect and block threats is proprietary, based on a single vendor’s view of the threat landscape. While this has value, it does not provide the broad-based view of threat intelligence that is required to protect your network.
- Next-generation firewalls have significant limitations with respect to the volume of third-party threat indicators that can be integrated, as well as how easy it is to integrate them. Therefore, making threat intelligence actionable in NGFWs is challenging.
Hopefully, I’ve got your head spinning on this subject (in a good way!). If you would like to dig deeper into this topic, I’d like to invite you to check out our recently released whitepaper The Threat Intelligence Challenges with Next Generation Firewalls.
In this whitepaper we:
- Provide an in-depth look at Next Generation Firewalls’ reliance on proprietary and closed threat intelligence and their limited ability to integrate third-party threat intelligence;
- Quantify these limitations with real world data from leading next-gen firewall providers;
- Discuss why NGFWs have these limitations; and
- Take a quick look at how the Bandura platform is not only helping organizations to overcome their NGFW threat intelligence challenges but also helping them to improve the efficiency and return on their next-generation firewall investment.
Want to learn more about the Bandura Cyber ThreatBlockr? Schedule a Demo.