What is a next-generation firewall?
A traditional firewall provides stateful inspection of network traffic: it tracks the state of each connection and allows or blocks packets based on that state, the port, and the protocol, according to administrator-defined rules.
A next-generation firewall (NGFW) does this and more. In addition to access control, an NGFW can block modern threats such as advanced malware and application-layer attacks. According to Gartner's definition, a next-generation firewall must include:
- Standard firewall capabilities like stateful inspection
- Integrated intrusion prevention
- Application awareness and control to see and block risky apps
- Threat intelligence sources
- Upgrade paths to include future information feeds
- Techniques to address evolving security threats
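The two items in that definition that matter most in practice are connection state and application awareness. The toy packet filter below is an added example, not code from the original page or from any firewall vendor, and it shows both on constructed traffic: inbound packets are admitted only as replies to an outbound connection the filter recorded, and a flow admitted on port 443 is torn down as soon as its first payload turns out not to be TLS. The inside-network prefix, the addresses and ports, the three-rule policy, and the byte patterns used to recognize applications are all assumptions for illustration.

```python
"""Toy stateful packet filter with a minimal application-awareness step.
Added example, not from the original page. The inside-network prefix, the
addresses, ports and the policy below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_NET = "10.0.0."  # assumption: 10.0.0.0/24 is the protected side


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False     # TCP SYN set: a new connection attempt
    payload: bytes = b""  # first bytes of application data, if any

    def key(self) -> Tuple:          # 5-tuple as sent
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    def reverse_key(self) -> Tuple:  # 5-tuple of the flow this packet replies to
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str
    dst_port: Optional[int]    # None matches any port
    app: Optional[str] = None  # None: port-only rule; otherwise the application required


def identify_app(pkt: Packet) -> str:
    """Classify by payload rather than by port: the 'application awareness' step."""
    p = pkt.payload
    if len(p) >= 3 and p[0] == 0x16 and p[1] == 0x03:
        return "tls"  # TLS record header: handshake (0x16), version 3.x
    if p.startswith(b"SSH-"):
        return "ssh"
    return "unknown"


class StatefulFirewall:
    """Remembers the outbound flows it admitted; only their replies may come back in."""

    def __init__(self, outbound_rules: List[Rule]):
        self.rules = outbound_rules
        self.conntrack: Dict[Tuple, Rule] = {}  # outbound 5-tuple -> admitting rule

    def filter(self, pkt: Packet) -> str:
        if not pkt.src_ip.startswith(INSIDE_NET):
            # Stateful part: inbound traffic is admitted only as the reply to a flow
            # we recorded. Unsolicited packets and spoofed "replies" have no state.
            return "allow:established" if pkt.reverse_key() in self.conntrack else "deny:no-state"
        rule = self.conntrack.get(pkt.key())
        if rule is None:
            if pkt.proto == "tcp" and not pkt.syn:
                return "deny:no-state"  # a TCP flow must begin with SYN
            for r in self.rules:  # first matching rule wins; no match means deny
                if r.proto == pkt.proto and r.dst_port in (None, pkt.dst_port):
                    if r.action == "allow":
                        self.conntrack[pkt.key()] = r
                        return "allow:new"
                    return "deny:policy"
            return "deny:default"
        # NGFW part: once data flows, the application must match the rule that
        # admitted the connection, not merely the port number.
        if pkt.payload and rule.app is not None:
            app = identify_app(pkt)
            if app != rule.app:
                del self.conntrack[pkt.key()]  # tear the flow down
                return f"deny:app-mismatch:{app}"
        return "allow:established"


def run_demo() -> List[str]:
    """Constructed packet sequence; returns the verdict for each packet in order."""
    fw = StatefulFirewall([
        Rule("allow", "tcp", 443, app="tls"),  # HTTPS out, but only if it really is TLS
        Rule("allow", "udp", 53),              # DNS out
        Rule("deny", "tcp", None),             # everything else over TCP
    ])
    client, server, attacker = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    client_hello = bytes([0x16, 0x03, 0x01, 0x00, 0xF4])  # TLS handshake record header
    packets = [
        Packet("tcp", client, 51000, server, 443, syn=True),             # allow:new
        Packet("tcp", server, 443, client, 51000, syn=True),             # SYN-ACK reply
        Packet("tcp", client, 51000, server, 443, payload=client_hello),
        Packet("tcp", server, 443, client, 51001),                       # no such flow
        Packet("tcp", attacker, 443, client, 51000),                     # spoofed "reply"
        Packet("tcp", client, 51002, server, 22, syn=True),              # SSH out: denied
        Packet("tcp", client, 51003, server, 443, syn=True),
        Packet("tcp", client, 51003, server, 443, payload=b"SSH-2.0-OpenSSH_9.6\r\n"),
        Packet("tcp", server, 443, client, 51003),                       # flow torn down
    ]
    return [fw.filter(p) for p in packets]
```

The two `deny:no-state` verdicts in the middle of the sequence are the stateful part: a packet that claims to come from 203.0.113.10:443 is dropped unless the client actually opened that exact connection, which a stateless rule of the form "allow inbound from source port 443" cannot distinguish. The `deny:app-mismatch:ssh` verdict is the NGFW part: an SSH session carried over port 443 satisfies a port-only policy but not one that identifies the application from the payload. A real NGFW classifies many more protocols and keeps far more state (sequence numbers, timeouts, fragment reassembly); the example keeps only the decision logic.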
What should I look for in a next-generation firewall?
The best next-generation firewalls deliver five core benefits to organizations, from SMBs to enterprises. Make sure your NGFW delivers:
1. Breach prevention and advanced security
The No. 1 job of a firewall should be to prevent breaches and keep your organization safe. But since preventive measures will never be 100 percent effective, your firewall should also have advanced capabilities to quickly detect advanced malware if it evades your front-line defenses. Invest in a firewall with the following capabilities:
- Prevention to stop attacks before they get inside
- A built-in next-generation IPS to spot stealthy threats and stop them fast
- URL filtering to enforce policies on hundreds of millions of URLs
- Built-in sandboxing and advanced malware protection that continuously analyzes file behavior to quickly detect and eliminate threats
- A world-class threat intelligence organization that provides the firewall with the latest intelligence to stop emerging threats
2. Comprehensive network visibility
You can't protect against what you can't see. You need to monitor what is happening on your network at all times so you can spot bad behavior and stop it fast. Your firewall should provide a holistic view of activity and full contextual awareness to see:
- Threat activity across users, hosts, networks, and devices
- Where and when a threat originated, where else it has been across your extended network, and what it is doing now
- Active applications and websites
- Communications between virtual machines, file transfers, and more
3. Flexible management and deployment options
Whether you are a small to medium-sized business or a large enterprise, your firewall should meet your unique requirements:
- Management for every use case--choose from an on-box manager or centralized management across all appliances
- Deploy on-premises or in the cloud via a virtual firewall
- Customize with features that meet your needs--simply turn on subscriptions to get advanced capabilities
- Choose from a wide range of throughput speeds
4. Fastest time to detection
Industry reports commonly put the average time to detect a breach at between 100 and 200 days; that is far too long. A next-generation firewall should be able to:
- Detect threats in seconds
- Detect the presence of a successful breach within hours or minutes
- Prioritize alerts so you can take swift and precise action to eliminate threats
- Make your life easier by deploying consistent policy that's easy to maintain, with automatic enforcement across all the different facets of your organization
5. Automation and product integrations
Your next-generation firewall should not be a siloed tool. It should communicate and work together with the rest of your security architecture. Choose a firewall that:
- Seamlessly integrates with other tools from the same vendor
- Automatically shares threat information, event data, policy, and contextual information with email, web, endpoint, and network security tools
- Automates security tasks like impact assessment, policy management and tuning, and user identification
Endpoint Detection and Response
Endpoint detection and response (EDR), also known as endpoint threat detection and response (ETDR), is an integrated endpoint security solution that combines real-time continuous monitoring and collection of endpoint data with rules-based automated response and analysis capabilities. The term was suggested by Anton Chuvakin at Gartner to describe emerging security systems that detect and investigate suspicious activities on hosts and endpoints, employing a high degree of automation to enable security teams to quickly identify and respond to threats.
The primary functions of an EDR security system are to:
- Monitor and collect activity data from endpoints that could indicate a threat
- Analyze this data to identify threat patterns
- Automatically respond to identified threats to remove or contain them, and notify security personnel
- Provide forensics and analysis tools to investigate identified threats and hunt for suspicious activity
Adoption of EDR solutions
Adoption of EDR is projected to increase significantly over the next few years. According to Stratistics MRC's Endpoint Detection and Response - Global Market Outlook (2017-2026), sales of EDR solutions—both on-premises and cloud-based—are expected to reach $7.27 billion by 2026, with an annual growth rate of nearly 26%.
One of the factors driving the rise in EDR adoption is the rise in the number of endpoints attached to networks. Another major driver is the increased sophistication of cyberattacks, which often focus on endpoints as easier targets for infiltrating a network.
New types of endpoints and endpoint attacks
An average IT department manages thousands of endpoints across its network. These endpoints include not only desktops and servers, but laptops, tablets, smartphones, internet of things (IoT) devices, and even smart watches and digital assistants. The SANS Endpoint Protection and Response Survey reports that 44% of IT teams manage between 5,000 and 500,000 endpoints. Each of these endpoints can become an open door for cyberattacks; therefore, endpoint visibility is critical.
While today's antivirus solutions can identify and block many new types of malware, attackers are constantly creating more, and some of it is hard to detect with signature-based methods. Fileless malware, for example, runs entirely in memory, often through legitimate tools already present on the host such as PowerShell or WMI, so there is no file on disk for a signature scanner to inspect.
To bolster security, an IT department may implement a variety of endpoint security solutions, as well as other security applications, over time. However, multiple standalone security tools can complicate the threat detection and prevention process, especially if they overlap and produce similar security alerts. A better approach is an integrated endpoint security solution.
Key components of EDR security
EDR security provides an integrated hub for the collection, correlation, and analysis of endpoint data, as well as for coordinating alerts and responses to immediate threats. EDR tools have three basic components:
Endpoint data collection agents. Software agents conduct endpoint monitoring and collect data—such as processes, connections, volume of activity, and data transfers—into a central database.
Automated response. Pre-configured rules in an EDR solution can recognize when incoming data indicates a known type of security breach and trigger an automatic response, such as isolating the host from the network, logging off the end user, or alerting a staff member.
Analysis and forensics. An endpoint detection and response system may incorporate both real-time analytics, for rapid diagnosis of threats that do not quite fit the pre-configured rules, and forensics tools for threat hunting or conducting a post-mortem analysis of an attack.
- A real-time analytics engine uses algorithms to evaluate and correlate large volumes of data, searching for patterns.
- Forensics tools enable IT security professionals to investigate past breaches to understand how an attack worked and how it got past existing defenses. IT security professionals also use forensics tools to hunt for threats, such as malware or other exploits that might lurk undetected on an endpoint.
New EDR capabilities improve threat intelligence
New features and services are expanding EDR solutions' ability to detect and investigate threats.
Third-party threat intelligence services increase the effectiveness of endpoint security solutions. Threat intelligence services provide an organization with a global pool of information on current threats and their characteristics. That collective intelligence helps increase an EDR's ability to identify exploits, especially multi-layered and zero-day attacks. Many EDR security vendors offer threat intelligence subscriptions as part of their endpoint security solution.
Additionally, new investigative capabilities in some EDR solutions can leverage AI and machine learning to automate the steps in an investigative process. These new capabilities can learn an organization's baseline behaviors and use this information, along with a variety of other threat intelligence sources, to interpret findings.
Another type of threat intelligence is the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) knowledge base maintained by MITRE, a nonprofit organization that operates federally funded research and development centers for the U.S. government. ATT&CK is a knowledge base and framework built from public reporting on real-world intrusions.
ATT&CK organizes adversary behavior by tactic (what the attacker is trying to achieve at each stage, such as initial access or persistence), by the techniques used to achieve it, by the software and tools involved, and by the threat groups observed using them. The focus is on patterns and characteristics that remain unchanged regardless of minor changes to an exploit. Details such as IP addresses, file hashes, registry keys, and domain names change frequently, but an attacker's methods, their "modus operandi", usually remain the same. An EDR can key on these behaviors to identify a threat whose indicators have been altered.
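As an added example that is not code from the original page or from any EDR product, the toy pipeline below ties the three components described under "Key components of EDR security" (agent events, pre-configured rules with automated response, and analyst notification) to the ATT&CK point made just above: indicator rules match details the attacker can change for free, while behavior rules match the technique itself. Hosts, users, addresses, command lines and the two "known bad" indicators are constructed; the ATT&CK technique IDs used (T1059.001 PowerShell, T1204.002 Malicious File, T1071 Application Layer Protocol) are real identifiers, but mapping each rule to one is this example's own choice.

```python
"""Toy EDR pipeline: endpoint process telemetry -> rules -> automated response.
Added example, not from the original page or any EDR product. Hosts, users,
addresses, command lines and the two indicators below are constructed; the
ATT&CK IDs are real technique identifiers, the rule-to-ID mapping is ours."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

# Indicators of compromise (constructed): details that change between builds
# of the same malware or campaigns of the same group.
KNOWN_BAD_STRINGS = {"SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"}  # an encoded command seen before
KNOWN_BAD_IPS = {"203.0.113.45"}                                  # a C2 address seen before

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class ProcessEvent:  # what a collection agent reports for one process start
    host: str
    user: str
    parent: str          # parent process image name
    image: str           # new process image name
    cmdline: str
    remote_ip: str = ""  # first outbound connection by the process, if any


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str                         # MITRE ATT&CK technique ID
    match: Callable[[ProcessEvent], bool]
    response: str                          # "alert" or "isolate_host"


def has_encoded_command(cmdline: str) -> bool:
    """PowerShell accepts -EncodedCommand, any prefix of it (-e, -en, -enc, ...)
    and the alias -ec, so a rule that looks only for '-enc' is easy to evade."""
    for tok in cmdline.split():
        flag = tok[1:].lower()
        if tok.startswith("-") and flag and (flag == "ec" or "encodedcommand".startswith(flag)):
            return True
    return False


RULES = [
    # Indicator rules: exact matches on things the attacker can change for free.
    Rule("known-payload-string", "T1059.001",
         lambda e: any(s in e.cmdline for s in KNOWN_BAD_STRINGS), "isolate_host"),
    Rule("known-c2-address", "T1071",
         lambda e: e.remote_ip in KNOWN_BAD_IPS, "alert"),
    # Behavior rules: the technique itself, which survives re-encoding and a new C2.
    Rule("office-spawns-script-host", "T1204.002",
         lambda e: e.parent.lower() in OFFICE_APPS and e.image.lower() in SCRIPT_HOSTS,
         "isolate_host"),
    Rule("encoded-powershell", "T1059.001",
         lambda e: e.image.lower() == "powershell.exe" and has_encoded_command(e.cmdline),
         "alert"),
]


class Edr:  # central hub: matches agent events against rules and drives the response
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.alerts: List[str] = []
        self.isolated_hosts: Set[str] = set()

    def ingest(self, event: ProcessEvent) -> List[str]:
        """Returns the names of the rules that fired, after responding to each."""
        fired = []
        for rule in self.rules:
            if rule.match(event):
                fired.append(rule.name)
                # Every hit reaches an analyst with its technique attached; isolation
                # is reserved for rules precise enough to justify cutting a host off.
                self.alerts.append(f"{event.host} {event.user}: {rule.name} [{rule.technique}]")
                if rule.response == "isolate_host":
                    self.isolated_hosts.add(event.host)
        return fired


def run_demo() -> Dict[str, List[str]]:
    edr = Edr(RULES)
    # Campaign 1: the sample threat intelligence already knows (string and C2 on the lists).
    known = ProcessEvent("ws-finance-01", "alice", "winword.exe", "powershell.exe",
                         "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
                         "203.0.113.45")
    # Campaign 2: same tradecraft, re-encoded payload, fresh C2 address; no indicator matches.
    rebuilt = ProcessEvent("ws-hr-07", "bob", "excel.exe", "powershell.exe",
                           "powershell.exe -w hidden -e SQBtAHAAbwByAHQALQBNAG8AZAB1AGwAZQA",
                           "198.51.100.9")
    # Benign: an administrator running a script from a shell, no encoded command.
    benign = ProcessEvent("ws-it-02", "carol", "explorer.exe", "powershell.exe",
                          "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\backup.ps1")
    return {
        "known": edr.ingest(known),
        "rebuilt": edr.ingest(rebuilt),
        "benign": edr.ingest(benign),
        "isolated": sorted(edr.isolated_hosts),
    }
```

Running the three constructed events through `run_demo()` shows the gap between the two rule types: the first sample trips all four rules, the re-encoded sample with a new C2 address trips only the two behavior rules, and the administrator's script trips none. It is the behavior rule, not the indicators, that gets the second host isolated. In production the equivalent rules would carry exclusions for known-good parent processes and scripts, and isolation would normally require a confidence threshold or analyst confirmation rather than firing on a single event.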
As IT security professionals face increasingly complex cyberthreats, as well as a greater diversity in the number and types of endpoints accessing the network, they need more help from the automated analysis and response that endpoint detection and response solutions provide.