Blog

Your Firewall Lacks Adequate Threat Intel Sources

04.14.2022

One of the best things about my role is that I get to talk to our ThreatBlockr customers and get a sense of what they need and how things are going. While these conversations are different based on their unique cybersecurity challenges and where they are in their threat intelligence journey, there is one aspect that is not. 

Rather remarkably, one of the most common things I hear from customers are both “my next-generation firewall does this!” and “my next-generation firewall doesn’t do this!” Somehow, both appear to be true for a sizeable amount of people. 

So, which is it? Does your next-generation firewall (NGFW) do “this” or doesn’t it? I think the answer to this question comes down to clearly defining what “THIS” is. For us, “this” is adequately applying threat intel sources to a cybersecurity posture in a way that actually makes it useful. 

What is a Threat Intel Source and Why the Confusion? 

A threat intel source is either an internal or external place where data on cybersecurity threats is collected and analyzed. All good firewalls pull from vetted threat intelligence sources in order to tell their firewall what to block and what to allow. 

So in this regard, yes, your firewall does “this.”

The confusion comes when you start narrowing down on which sources you’re pulling from, how many you can pull at a time, and how they’re being integrated into your firewall. ThreatBlockr does “this” very well. Most firewalls…well…hence the need for ThreatBlockr. 

The primary issues most firewalls face in applying threat intel sources can be summed up by two key points: 

  • They rely too heavily on proprietary cyber threat intelligence sources, and
  • They struggle to integrate other threat intel sources, leading to a limited amount of eyes protecting your network. 

Issue 1: Proprietary Cyber Threat Intelligence Sources

NGFWs continue to provide a solid foundation for network security. I mean this is kind of why pretty much everyone has one, right? However, a key challenge with firewalls is that they depend on a proprietary threat intel source to detect and block threats. This intelligence is derived from activity they see in the firewalls within their customers’ networks.

So if you ask yourself, “Does my NGFW use threat intelligence?” The answer is, “Yes, it does…. BUT.”  That big “BUT” being that the threat intelligence they use is proprietary. This means that they’re pulling threat intelligence from their own sources, and more or less only their own sources. 

The second important question that you should be asking yourself is, “I wonder if the threat intelligence provided by my NGFW is good enough to protect me?” Unfortunately, the answer is a resounding, “NO!”  

To be clear, the proprietary threat intelligence sources that NGFWs use do have value. However, it alone is insufficient because it’s just one vendor’s view of the threat landscape. Now, to be fair, this isn’t “new news”. For years, vendors have touted their threat intelligence as being an advantage over their competition. However, that’s a very “2005” way of looking at cybersecurity. 

And unfortunately, it’s very common. But times have changed (boy have they!). As the threats and the threat actors have evolved, so have the methods of identifying them. For some time now, very sophisticated and security-savvy organizations have been incorporating a broad-based view of threat intelligence, from multiple cyber threat intelligence sources, into their security operations. 

This includes threat intel from commercial providers, open source, government, and industry sources. These organizations have found that by leveraging threat intelligence sources from varied perspectives, they are able to have true visibility into the types of malicious traffic that may affect their networks, improving their ability to protect their networks and organization.

Issue 2: Integrating Other Threat Intelligence Sources

That takes us to our second issue with most NGFW—their (in)ability to let you integrate other threat intel sources now that you know you need additional eyes on your landscape. 

Every name-brand NGFW on the market has external IP and domain blocklist capabilities. However, these same firewalls have significant limitations with respect to: (1) the volume of threat indicators in their external blocklists; (2) the size of blocklists; and (3) the ways in which you can integrate third-party threat intel data, into that firewall.

One of the top, name brand NGFWs on the market can handle a maximum of 150,000 IPs in their external block list. If one were to throw a few open source threat intel sources into that  firewall, they would quickly hit these limits. 

In a real world scenario, were that same organization to try to integrate Webroot’s IP Reputation Feed and its 4.8 million indicators into their NGFW, they would quickly find this to be extremely challenging to impossible.

In the end, this means that even if you recognize (as you now do) that integrating other threat intelligence sources is vital to the health and success of your cybersecurity measures, your NGFW won’t really let you. 

What to Do About It

In summary: 

  • The threat intelligence that NGFWs use to detect and block threats is proprietary, based on a single vendor’s view of the threat landscape. While this has value, it does not provide the broad-based view of threat intelligence that is required to protect your network.
  • Next-generation firewalls have significant limitations with respect to the volume of third-party threat indicators that  can be integrated, as well as how easy it is to integrate them. Therefore, making threat intelligence actionable in NGFWs is challenging.

What this boils down to is a need to add an extra layer of security that can integrate all the threat intel sources you need to protect your network. That’s where a tool like ThreatBlockr comes in. 

ThreatBlockr is an inline gateway that proactively blocks malicious and unwanted network connections while simultaneously logging activity & actions and delivering that intel back to the cloud for future reporting and protection. You can think of it as a firewall for your firewall that actually allows for easy, useful integration of various cyber threat intel sources. 

ThreatBlockr Covers Your Bases

ThreatBlockr is designed from the ground up to work with multiple threat intel source and isn’t capped at a certain number of inputs. This means you get the most coverage with the most flexibility possible. No matter what new attacks are created over the coming years, ThreatBlockr helps your team lean and adapt so that you’re always prepared. 

Want to learn more? Schedule a Demo.