By Pat McGarry, CTO, ThreatBlockr
The Cybersecurity and Infrastructure Security Agency (CISA) recently added 66 vulnerabilities to its Known Exploited Vulnerabilities catalog, including a WatchGuard firewall vulnerability exploited in attacks linked to a Russian state-sponsored threat actor. CISA’s call to patch this vulnerability follows on the heels of last year’s Colonial Pipeline attack, as well as other cybersecurity incidents in which firewalls were breached. Whether or not the threat came in through the front door, every successful cyberattack has gotten past a firewall at some point.
There’s no denying that cybercriminals are growing increasingly sophisticated – just look at the headlines from recent years. Unfortunately, despite industry innovation and government guidance, what organizations are doing to protect themselves has largely remained the same. We’re seeing it more and more: Firewalls are becoming antiquated when compared to the sophisticated technologies used by cybercriminals. It’s high time for organizations to acknowledge the firewall gaps and take steps to build more robust cybersecurity defenses.
While firewalls can detect attacks directed at an organization’s network, they don’t help once the attacker is already inside. Advanced firewall solutions may be able to identify unusual behavior, but they can’t prevent the exfiltration of account data from within an authorized account. Firewalls use only a limited amount of cyber intelligence and have limited capacity for additional intelligence sources, allowing threats to slip past. On top of that, managing the small amount of threat intelligence you can add to a firewall is slow because the process is manual. This “firewall gap” problem creates challenges for organizations when it comes to updating their cybersecurity defenses and securing their networks.
- Gap #1: Firewalls detect and block threats using their own proprietary threat intelligence, which represents a narrow view of the threat landscape. When defending against threats is a volume game that requires huge amounts of cyber intelligence from multiple sources, no single source of threat intelligence or existing security control can cover the entirety of the threat landscape alone. For effective threat detection, organizations need threat intelligence from multiple sources.
- Gap #2: Firewalls have limited ability to take in additional threat intelligence. Adding more threat feeds to close this gap is great in theory, but significantly more challenging in practice: firewalls offer only a few ways to integrate external data, they were not designed to work with large volumes of third-party threat feeds, and they already do a variety of different things today (many of which they weren’t originally designed to do), all of which consume significant resources.
- Gap #3: Lastly, for most organizations, the process of managing threat intelligence in firewalls is manual and involves updating external blocklists directly on the firewall. Even with automated blocklist capabilities, many organizations must also account for firewall changes to go through a change management process driven by compliance requirements, which adds additional time to updating blocklists.
The threat-intelligence volume limits of firewalls, combined with the dynamic nature of threat intelligence, amplify these problems. Threats change rapidly and so does threat intelligence, which makes managing it manually impractical to the point of impossibility. Multi-source cyber intelligence should include commercial threat intelligence providers, open source intelligence (OSINT), government cyber intelligence, and industry threat intelligence, so that organizations can detect and block threats effectively. With this wide array of cyber intelligence available, and given that organizations also generate their own valuable intelligence, it’s critical to have the flexibility to add more sources and an integration process that doesn’t delay an organization’s ability to respond rapidly to threats.
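The three gaps above and the multi-source paragraph describe a pipeline that most teams end up building by hand: pull indicators from several feeds in different formats, normalize them, deduplicate them, keep track of which source said what, and refuse to block anything that would take down the organization’s own address space. The following is an added example of that aggregation step, written for this article and not code from ThreatBlockr or any firewall vendor. All three feeds are constructed sample data using documentation address ranges, not real indicators, and the confidence values, source names, and thresholds are assumptions chosen to illustrate the logic.

```python
"""Merge several threat-intelligence feeds into one deduplicated blocklist.

Added example for this article (not vendor code). Every feed below is
constructed sample data; the indicators are documentation ranges, not IoCs.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample feeds, each in the format that source happens to use.
COMMERCIAL_FEED = """\
# vendor feed, CSV: indicator,confidence
203.0.113.10,90
198.51.100.0/24,70
203.0.113.10,95
"""

OSINT_FEED = """\
# plain list, one indicator per line, '#' starts a comment
203.0.113.10
203.0.113.11
10.0.0.5        # an internal host: must never reach the firewall blocklist
not-an-ip
"""

GOVERNMENT_FEED = """\
# government advisory, CSV: indicator,confidence
198.51.100.77,80
203.0.113.11,60
"""

# Ranges that must never be blocked, whatever a feed claims (RFC 1918 + loopback).
DEFAULT_ALLOWLIST = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Indicator:
    """One normalized network plus the provenance gathered across feeds."""
    network: ipaddress.IPv4Network
    sources: set = field(default_factory=set)
    max_confidence: int = 0


def parse_feed(text, default_confidence=50):
    """Yield (network, confidence) from one feed; comments and junk are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        try:
            net = ipaddress.ip_network(parts[0], strict=False)  # "a.b.c.d" -> /32
        except ValueError:
            continue  # malformed entry: drop it rather than poison the list
        conf = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else default_confidence
        yield net, conf


def merge_feeds(feeds, allowlist=DEFAULT_ALLOWLIST, min_confidence=60, min_sources=1):
    """Normalize, deduplicate and threshold indicators from several feeds.

    Returns (blocklist, merged, rejected): the collapsed networks to push to
    the firewall, the per-indicator provenance keyed by CIDR string, and the
    (feed, cidr) pairs refused because they overlap the allowlist.
    """
    merged, rejected = {}, []
    for name, text in feeds.items():
        for net, conf in parse_feed(text):
            if any(net.version == a.version and net.overlaps(a) for a in allowlist):
                rejected.append((name, str(net)))
                continue
            ind = merged.setdefault(str(net), Indicator(net))
            ind.sources.add(name)
            ind.max_confidence = max(ind.max_confidence, conf)
    qualifying = [i.network for i in merged.values()
                  if i.max_confidence >= min_confidence and len(i.sources) >= min_sources]
    # collapse_addresses merges covered and adjacent networks, but only within
    # one IP version, so collapse v4 and v6 separately.
    blocklist = []
    for version in (4, 6):
        blocklist.extend(ipaddress.collapse_addresses(
            [n for n in qualifying if n.version == version]))
    return blocklist, merged, rejected


def build_blocklist(min_confidence=60, min_sources=1):
    """Run the merge over the three constructed feeds."""
    feeds = {"commercial": COMMERCIAL_FEED, "osint": OSINT_FEED, "government": GOVERNMENT_FEED}
    return merge_feeds(feeds, min_confidence=min_confidence, min_sources=min_sources)


if __name__ == "__main__":
    blocklist, merged, rejected = build_blocklist()
    for net in blocklist:
        print("block", net)
    for cidr, ind in merged.items():
        print(f"{cidr}: confidence={ind.max_confidence} sources={sorted(ind.sources)}")
    print("rejected (allowlisted):", rejected)
```

With the defaults, the four qualifying indicators collapse to two firewall entries (198.51.100.0/24 absorbs the single host inside it, and the two adjacent /32s merge into a /31), the internal 10.0.0.5 entry is rejected rather than blocked, and the malformed line is dropped. Raising `min_sources` to 2 keeps only the indicators that more than one feed agrees on, which is the corroboration a single proprietary feed cannot give you.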
The Colonial Pipeline, JBS, Volkswagen, and ParkMobile incidents all have one thing in common: each organization had firewalls protecting its network, and each was breached anyway. While firewalls continue to provide an important layer of network protection, they can’t protect a network on their own. With gaps like the limited view of threat intelligence that firewalls use to detect and block threats, combined with a limited ability to significantly increase the intelligence available to your firewall, your network is only partially protected from today’s cyber threats.
As cybercriminals become increasingly sophisticated and their attack vectors evolve, defenders must evolve too. Organizations can no longer protect against real-time threats with an approach built on reactive legacy solutions. To keep pace with the cyber threats of today and tomorrow, organizations need real-time threat intelligence from multiple sources and automated protection that defends their network at every moment.
About the Author
Pat McGarry has more than 25 years of hands-on experience in all aspects of hardware and software development, to include iterative requirements analysis, architecture, engineering, test, managerial, and leadership roles. His skills have been brought to bear across a wide variety of technology-related disciplines including embedded systems design, network systems analysis and design, advanced network testing, cybersecurity, deployable machine learning and artificial intelligence, internet of things, big data, advanced data analytics, and high-performance heterogeneous computing. He has been granted three US patents and has spoken at a variety of user and industry conferences. He received bachelor’s degrees in Computer Science (BSCS, ’93) and Electrical Engineering (BSEE, ’94) along with a minor in Mathematics, all from Virginia Tech.
Pat can be found on LinkedIn and on the ThreatBlockr website at ThreatBlockr.com.