Sophos – The problem with next-gen firewall incident response
It’s not about the individuals, it’s about the team.
As I wrote in my recent article about next-generation firewall protection, cyberattacks are becoming increasingly sophisticated.
Unlike ransomware, which is necessarily obvious and noisy because of its financial demands, many advanced threats are extremely stealthy. These APTs (Advanced Persistent Threats) are specifically designed to penetrate their targets silently, often by exploiting device or system vulnerabilities. Having gained a foothold, they can spread to all corners of a compromised network, quietly exfiltrating sensitive data or performing other malicious tasks under the radar.
You may be surprised to learn that at any given time a majority of organisations are harbouring some compromised systems on their network, and in many cases they are unaware of the infection. It’s a pervasive and widespread problem – no wonder, then, that 74% of data breaches go undiscovered for 6 months or more.
Stealthy APTs and noisy ransomware variants alike normally try to spread and infect as many targeted systems as possible using a variety of sophisticated techniques. So while it’s vital you have the right protection in place to prevent attackers getting a foothold in the first place, it’s also critically important that you can clearly identify a compromise if one does occur, and take action to prevent it from spreading.
Communication is key but, sadly, most IT security systems aren’t team players and do a poor job of identifying threats and then sharing that information with other systems. They’re designed to work as point solutions and are oblivious to the other parts of your multi-layered defences. There is no sharing of threat intelligence, malicious activity or health status between IT security products, and most of these products offer nothing in the way of an automated, coordinated response.
You might be reading that and thinking that SIEM (Security Information and Event Management) tools are the answer (indeed, you may even have one). Although they’re designed to collect and collate data into a single view, they typically fail to extract the essential information and present it in a way that network admins can actually understand or act upon. Even if they do offer something actionable, it’s still up to the admin to take manual action.
Wouldn’t it be nice if your next-gen firewall actually talked to your other IT security products, like your endpoints, to instantly identify systems at risk, compromises and attacks, and then automatically isolated those systems until they’re cleaned up?
Yes! Of course.
Unfortunately, most firewalls make it near impossible to identify the presence of a threat on the network, never mind actually do something about it.
Review our new whitepaper on Synchronized Security to see how our XG Firewall and Sophos endpoints offer an incredibly elegant solution that can save you hours of time remediating security incidents and help stop attacks in their tracks.