What do Colonial Pipeline, JBS, Volkswagen, and ParkMobile all have in common? They all had firewalls protecting their networks but they were still breached. Every successful cyber attack has breached a firewall at some point. Whether the threat came in through the front door or not, it evaded a firewall.
Now let’s make an important point up front. Next-generation firewalls provide a critical foundational layer of network defense. However, it’s clear that securing your network with firewalls alone is insufficient.
The reason for this is “the firewall gap” problem and the fact is there are multiple gaps which lead to multiple problems. In this blog, we will take a high-level look at the firewall gap problem and the challenges this creates for organizations when it comes to securing their networks. In future blogs, we will take a closer look at each of the specific firewall gaps.
Gap #1: They Don’t Catch Every Threat
As mentioned, every cyber attack has evaded a firewall at some point. This is despite the evolution of firewalls to next-generation firewalls that have multiple ways to detect and block threats.
The question is why. The truth is there isn’t one answer. For one, attacks have become more sophisticated, and with automated attack tools and the availability of “attack as a service” offerings, even unsophisticated attackers can launch sophisticated attacks. At the same time, the volume of attacks has increased significantly. In fact, the volumes are so large that it is impossible for any one vendor to have complete visibility into the threat environment and to protect you from all threats.
This leads to one of the key challenges with firewalls, which is they detect and block threats using their own proprietary threat intelligence. While this threat intelligence has value, it’s insufficient because it is just one vendor’s view of the threat landscape. Defending against threats is a volume game that requires the use of massive amounts of cyber intelligence from multiple sources.
To sum up firewall gap #1, firewalls don’t catch every threat and a key reason for this is they detect and block threats based on a single vendor’s view of the threat landscape.
Gap #2: Limited Ability to Add Intelligence
One logical way to close this firewall gap is to increase the intelligence of the firewall by adding more threat feeds into it. This sounds great in theory but is significantly more challenging in practice, because firewalls have limited ability to integrate third-party threat intelligence data. These limits include both the volume of indicators a firewall blocklist (and allow list) can support and the ways you can integrate threat intelligence data into the firewall. The end result is that it is challenging to increase the intelligence of your firewall.
Gap #3: Updating Intelligence in Firewalls is Manual & Too Slow
The third firewall gap is more operational in nature. For many organizations, managing external blocklists in firewalls remains a manual and time-consuming process. If you are fortunate enough to be using a Threat Intelligence Platform (TIP) or a Security Orchestration, Automation and Response (SOAR) solution, you can automate this. However, for many organizations, TIPs and SOARs are out of reach. More importantly, even though there are some ways to automate firewall blocklist management, this doesn’t solve the threat intelligence volume limitations firewalls have.
In addition to manually managing blocklists, another key operational challenge with firewalls is that changes are often required to go through a change management process.
The end result of manually managing blocklists and firewall change management processes is that updates take time, creating a gap in your ability to rapidly respond to threats.
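As an added illustration of gaps #2 and #3 (this is not ThreatBlockr's code or any firewall vendor's API), the following Python script merges indicators from several constructed sample feeds, discards host entries already covered by a broader network, ranks the rest by how many sources corroborate them, and reports which entries would not fit under a hypothetical firewall entry cap. The feed contents (RFC 5737 / RFC 3849 documentation ranges) and the capacity value are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample feeds using documentation-only address ranges, not real indicators.
FEEDS = {
    "feed_a": ["192.0.2.10", "192.0.2.11", "198.51.100.0/24", "bad line", "192.0.2.10"],
    "feed_b": ["192.0.2.10", "192.0.2.12", "203.0.113.5", "198.51.100.77"],
    "feed_c": ["203.0.113.5", "192.0.2.11", "2001:db8::1"],
}

def parse_feed(lines):
    """Normalize one feed's indicators into IPv4/IPv6 networks; skip lines that don't parse."""
    nets = set()
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            nets.add(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entry: ignore rather than poison the blocklist
    return nets

def merge_feeds(feeds):
    """Return {network: number of feeds reporting it} across all sources."""
    counts = Counter()
    for lines in feeds.values():
        for net in parse_feed(lines):
            counts[net] += 1
    return counts

def build_blocklist(feeds, capacity):
    """Collapse entries covered by a broader network, then fit the list to the firewall's
    entry cap (an assumed limit). Indicators corroborated by more feeds are kept first;
    whatever does not fit is returned separately so the overflow is visible, not silent."""
    counts = merge_feeds(feeds)
    covered = set()
    for net in counts:
        for other in counts:
            if other != net and other.version == net.version and net.subnet_of(other):
                covered.add(net)
    remaining = {n: c for n, c in counts.items() if n not in covered}
    ranked = sorted(remaining, key=lambda n: (-remaining[n], n.version, int(n.network_address)))
    return ranked[:capacity], ranked[capacity:]

if __name__ == "__main__":
    kept, dropped = build_blocklist(FEEDS, capacity=4)
    print("kept:", [str(n) for n in kept])
    print("dropped for capacity:", [str(n) for n in dropped])
```

With a cap of 4 the script keeps the three indicators reported by two feeds plus one single-source host, and reports the /24 and the IPv6 host as overflow; the dropped list is exactly the intelligence the capacity limit prevents you from enforcing.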
Every cyber attack has gotten past a firewall at some point. While firewalls continue to provide an important layer of network protection, they alone are insufficient to protect your network due to firewall gaps. These gaps are a result of firewalls operating with too narrow a view of threat intelligence, having limited ability to increase their intelligence, and a slow and time-consuming process when it comes to updating firewall blocklists.
In future blogs, we will take a closer look at each of the three firewall gaps. We will also look at how ThreatBlockr fills the gap by doing what firewalls can’t do. Specifically, the ThreatBlockr platform:
- Uses massive volumes of cyber intelligence to detect and block threats on your network;
- Lets you easily add cyber intelligence from any source with no limits; and
- Automates and simplifies the deployment and enforcement of intelligence on your network.