Blog

Firewall Gap #1: They Don’t Catch Every Threat

10.04.2021

In our previous blog, we defined The Firewall Gap and the multiple dimensions to it. Specifically, we highlighted three gaps including: (1) firewalls don’t catch every threat; (2) they have limited ability to add cyber intelligence; and (3) updating intelligence in firewalls is manual and too slow.

In this blog, we will take a closer look at the first gap and talk about how the use of multi-source cyber intelligence can help you fill in this gap.

Threats Are Getting Through Your Firewall

Every cyber attack has evaded a firewall at some point. This is despite the evolution of firewalls to next-generation firewalls that have multiple ways to detect and block threats.

A key reason why threats are getting through firewalls is because they detect and block threats using their own proprietary threat intelligence. While this threat intelligence has value, it represents too narrow a view of the threat landscape. The fact is today’s threat landscape is so large and vast that it’s impossible for any single vendor or single source of threat intelligence to provide comprehensive coverage of threats.

Let’s use a simple sports analogy to put this in perspective. If you were to go to a high school football game with 100 fans in attendance, it might be possible for a single set of eyes to detect and stop malicious behavior. However, if you were to go to a college football game with 100,000 fans in attendance it would be impossible for one set of eyes to detect and stop malicious behaviors. At this scale, detecting and stopping malicious behavior would require multiple sets of eyes.

Today’s threat landscape is much closer to a college football game with 100,000 fans than a high school game with 100.

Multi-source Cyber Intelligence Provides More Comprehensive Visibility & Protection From Threats

With the threat landscape being too large and vast for any single vendor or source of intelligence to provide comprehensive visibility and protection, it’s critical for organizations to use threat intelligence from multiple sources. We call this multi-source cyber intelligence.

Multi-source intelligence is cyber intelligence from multiple, diverse sources. This includes:

Commercial Threat Intelligence Providers: This is cyber intelligence provided by companies that specialize in producing threat intelligence. Examples include Bambenek Labs, Cyjax, DomainTools, Intel 471, IntSights, Malware Patrol, Proofpoint Emerging Threats, Recorded Future, and Webroot.

Open Source Intelligence (OSINT): There are lots of great free, open source cyber intelligence feeds available. Examples include AlienVault OTX, Blocklist.de, CINS Army List, Emerging Threats, Feodo, and others.

Government Cyber Intelligence: With cybersecurity being a national security issue and major issue for state and local governments, government organizations represent a valuable source of cyber intelligence. Examples include: DHS’ Automated Indicator Sharing (AIS) Program, DHS’ Cyber Information Sharing & Collaboration Program (CISCP), State of Missouri SOC, and the State of Oklahoma’s OK-ISAC.

Industry Threat Intelligence: With threat actors targeting specific industries using and sharing industry intelligence is critical. Today, pretty much every major industry has an Information Sharing & Analysis Center/Organization (ISAC/ISAO). Examples include: E-ISAC (energy), FS-ISAC (financial services), H-ISAC (healthcare), LS-ISAO (legal services), MS-ISAC (state, local, and terrestrial government organizations) and TB-ISAO (Texas Bankers Association).

Using multi-source cyber intelligence allows you to leverage multiple sets of eyes on the threat landscape significantly improving your ability to detect and block threats.

How ThreatBlockr Fills In The Firewall Gap

At ThreatBlockr, our platform was purpose-built to use massive volumes of cyber intelligence from multiple sources. Our platform provides access to over 30 cyber intelligence feeds out of the box. This includes a diverse mix of threat intelligence feeds from commercial threat intelligence providers, open source, and government sources. For industry intelligence, we make it easy for our customers that are members of ISACs/ISAOs to integrate that intelligence into our platform. Our platform then leverages automation and simple policies to deploy all of this cyber intelligence on your network to help you use it to protect your network.

ThreatBlockr & Firewalls are Like Red Wine & Steak

Like a good red wine paired with a steak (or white wine with seafood), ThreatBlockr pairs nicely with your firewall. In fact, not only does our platform fill the firewall gap by providing an additional layer of network protection but it also significantly improves the effectiveness and efficiency of your firewall by allowing it to focus its resources on cleaner traffic.

The Proof is in the Pudding

The benefits of pairing ThreatBlockr with your firewall is evidenced by the fact that today over 300 customers have deployed ThreatBlockr as an essential layer of protection that complements their firewall.

We’d like to wrap up this blog with a powerful customer story. Several years ago, we were engaged with a regional law firm prospect. The firm had what you would describe as a typical security stack that included firewalls, secure web gateway, and endpoint protection. The head of IT security felt pretty good about the protection being provided by the current stack. However, he was intrigued by ThreatBlockr and thought it would not only be a good opportunity to evaluate a new capability but also test the effectiveness of his current security stack. The prospect deployed ThreatBlockr behind the firewall in order to gain a clear picture of whether threats were getting through the firewall.

The result? After deploying ThreatBlockr, the prospect had an eye opening experience seeing a significant volume of threats that were getting through their firewall. By using massive volumes of cyber intelligence from multiple sources, the ThreatBlockr platform was able to detect and block these threats. Based on this, the law firm ended up deploying the ThreatBlockr platform as an additional, essential layer of network protection.

Fast forward to today and our platform continues to provide significant protection for this customer. This is evidenced by recent feedback the customer provided to our customer support team.

“We had a user download a malicious file and run it. Somehow this file got past our Forcepoint Web filtering, Cisco Firepower Firewall, and Sentinel One software. Dell SecureWorks quickly alerted us to the issue but it was ThreatBlockr that saved the day and prevented information from being exfiltrated. Thank you ThreatBlockr!”

In our next blog, we will take a closer look at the second firewall gap, which is a limited ability to add intelligence into firewalls.

In the meantime, if you are interested in learning more about our platform check out our data sheet, schedule a demo, and/or take a test drive!