Page 73 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022

While firewalls can detect attacks against an organization’s network, they are of little use once the attacker is already inside. Advanced firewall solutions may be able to identify unusual behavior, but they can’t prevent the exfiltration of account data from within an authorized account. Firewalls consume only a limited amount of cyber intelligence and have limited ability to take in additional cyber intelligence sources, which allows threats to slip past. Worse, managing the small amount of threat intelligence you can add to a firewall is slow because the process is manual. This “firewall gap” problem creates challenges for organizations when it comes to updating their cybersecurity defenses and securing their networks.


●  Gap #1: Firewalls detect and block threats using their own proprietary threat intelligence, which represents a narrow view of the threat landscape. Defending against threats is a volume game that requires huge amounts of cyber intelligence from multiple sources; no single source of threat intelligence or existing security control can cover the entire threat landscape alone. For effective threat detection, organizations need threat intelligence from multiple sources.
●  Gap #2: Firewalls have limited ability to add threat intelligence. Adding more threat feeds to close this firewall gap is great in theory but significantly more challenging in practice, because firewalls offer only a few ways to integrate external data. Firewalls were not designed to work with large volumes of third-party threat feeds, and they already do a variety of different things today (many of which they weren’t originally designed to do), all of which consume significant resources.
●  Gap #3: Lastly, for most organizations, managing threat intelligence in firewalls is a manual process that involves updating external blocklists directly on the firewall. Even with automated blocklist capabilities, many organizations must also put firewall changes through a change management process driven by compliance requirements, which adds further delay to updating blocklists.


The threat intelligence volume limits of firewalls, combined with the dynamic nature of threat intelligence, amplify these problems. Threats change rapidly and so does threat intelligence, which makes managing it manually nearly impossible and impractical. Multi-source cyber intelligence should include commercial threat intelligence providers, open source intelligence (OSINT), government cyber intelligence, and industry threat intelligence to help organizations detect and block threats effectively. With this wide array of cyber intelligence available, and given that organizations also generate their own valuable intelligence, it’s critical to have the flexibility to add more sources of intelligence and an integration process that doesn’t delay an organization’s ability to respond rapidly to threats.
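The multi-source, automated approach described above, as an added example that is not code from the article or any vendor: three constructed feeds of different shapes (a scored commercial feed, an OSINT CSV dump, a plain government list, all with made-up indicators, dates and confidence values) are normalized, deduplicated, aged out and filtered into one firewall blocklist, with corroboration by a second source counting as much as a high single-source score.

```python
"""Merge multi-source threat intelligence into one firewall blocklist.
Added example, not code from the article: all feeds, dates and scores are constructed."""
import ipaddress
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 6, 1, tzinfo=timezone.utc)   # constructed "current" time

# Three constructed feeds in different shapes, as real sources tend to be:
# commercial records with scores, an OSINT CSV dump, a plain government list.
COMMERCIAL = [
    {"indicator": "203.0.113.7", "confidence": 90, "last_seen": "2022-05-30"},
    {"indicator": "198.51.100.0/24", "confidence": 60, "last_seen": "2022-05-29"},
    {"indicator": "192.0.2.44", "confidence": 20, "last_seen": "2022-05-31"},
]
OSINT_CSV = "203.0.113.7,2022-05-28\n192.0.2.10,2022-01-15\nnot-an-ip,2022-05-30\n"
GOVERNMENT = ["203.0.113.7", "198.51.100.23"]

def parse_feeds(now=NOW):
    """Normalise every source to (indicator, source, last_seen, confidence)."""
    records = [(r["indicator"], "commercial", r["last_seen"], r["confidence"])
               for r in COMMERCIAL]
    for line in OSINT_CSV.splitlines():
        indicator, seen = line.split(",", 1)
        records.append((indicator, "osint", seen, 50))       # OSINT: medium trust
    for indicator in GOVERNMENT:                             # list carries no dates
        records.append((indicator, "government", now.date().isoformat(), 80))
    return records

def build_blocklist(records, now=NOW, max_age_days=30, min_confidence=50):
    """Dedupe across feeds; drop malformed, stale and low-confidence indicators.
    Returns {cidr: sorted sources}; two or more sources keep an indicator regardless of score."""
    merged = {}
    for indicator, source, seen, confidence in records:
        try:
            net = ipaddress.ip_network(indicator, strict=False)  # single IP or CIDR
        except ValueError:
            continue                                 # skip malformed feed lines
        seen_dt = datetime.fromisoformat(seen).replace(tzinfo=timezone.utc)
        if now - seen_dt > timedelta(days=max_age_days):
            continue                                 # stale: age out automatically
        entry = merged.setdefault(net, {"sources": set(), "confidence": 0})
        entry["sources"].add(source)
        entry["confidence"] = max(entry["confidence"], confidence)
    return {str(net): sorted(e["sources"]) for net, e in merged.items()
            if e["confidence"] >= min_confidence or len(e["sources"]) > 1}
```

Running `build_blocklist(parse_feeds())` keeps the indicator seen by all three feeds, drops the malformed OSINT line, the four-month-old OSINT entry and the low-confidence single-source entry, and leaves a set of CIDRs ready to be written one per line into an external blocklist the firewall polls on a schedule.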

The Colonial Pipeline, JBS, Volkswagen, and ParkMobile incidents all have one thing in common: they all had firewalls protecting their networks but they were still breached. While firewalls continue to provide an important layer of network protection, they can’t protect a network on their own. With gaps like the limited view of threat intelligence that firewalls use to detect and block threats, combined with a limited ability to significantly increase the intelligence of your firewall, your network is only partially protected from today’s cyber threats.





