How Do You Protect Your Perimeter When You’ve Blown it to Pieces?

Ian Kilpatrick

Executive Vice President Cyber-Security at Nuvias Group and Chairman Wick Hill Group

24.11.2016 11:15 am

In 2016, we are subject to near constant headlines detailing the latest big data breach or hacking scandal. Many of us probably think we have a pretty good handle on the different types of security risks that can threaten our businesses. But the reality may be a little different. 

The introduction of new technologies, the growth of cloud computing and changing employee working practices have all opened the door to a raft of new security vulnerabilities – often without us realising it.

The security perimeter that was once in place no longer exists. Bring Your Own Device (BYOD), remote working or working across multiple sites, combined with an increasing reliance on cloud-based applications such as Office 365 and Salesforce, and public cloud services like Amazon AWS or Microsoft Azure, have contributed to a de-centralised environment where company data and applications can be freely accessed from almost any device, on any network.

Without knowing it, many organisations have repeatedly punched holes into their once-secure perimeter, potentially leaving themselves not only vulnerable but fully open to attack.

However, because these changes have happened over time, in some cases several years, many firms have missed or under-prioritised the potential risks they face. In some instances this has led to complacency regarding legacy security systems: if something has always worked, and was secure in the past, why mess with it? But of course, this doesn’t take into account the new wave of attacks coming from outside the weakened perimeter.

Firewall technology 

One of a number of areas that this applies to is firewall technology, which has had to evolve to counter this next generation of security threats. The firewall that has done a perfectly good job over the past five years may not be enough to protect your business in the future.

For example, firewalls deployed across a multi-site environment today should be able to offer extra features, such as the ability to optimise business-critical traffic and protect it from being swamped by less important network activities. So, ideally your active firewall should feature product capabilities like compression, data-deduplication or application-based prioritisation and bandwidth guarantees.

Meanwhile, businesses are facing an unprecedented wave of ransomware attacks. These generally come in through email, but you could also have computers “calling home” to the Command & Control (C&C) server to install stealthware. With the right firewall – often described as next generation – in place, these activities can be detected and curbed.

In addition to the protection on the perimeter, you can deploy more firewalls internally to create zones. Zoning or segmentation makes it harder for malware and attackers to cross network boundaries.

Often it makes sense to allow for direct access to cloud applications from each branch office location, effectively moving away from the traditional centralised access approach. Allowing internet access from branch locations may now mean deploying firewalls at these locations. The practical challenges here are threefold:

  1. Does the deployed, ‘smaller’ firewall device at each branch provide all the security controls needed and is it still affordable? Must-haves would be next-generation firewall features such as app control, user awareness, integrated IPS, the ability to intercept SSL, and advanced threat and malware detection.
  2. Can these devices be effectively managed from a central user interface? This is important, because it means that only one security policy needs to be defined and maintained across all the deployed firewalls, even though enforcement now takes place in multiple physical locations.
  3. What does the associated operational cost look like? Firewall devices need to be troubleshot, logs need to be managed, updates applied, etc.

Next Generation Firewalls

As with all things IT, Next Generation Firewalls (NGFW) are subject to more hype than reality. While many are fully featured, some are overmarketed versions of older technology and despite there being plenty of choice, there can be a blurring around the capabilities and performance on offer. 

The customer should start by determining their needs, as they differ by organisational type, size, performance requirements, security concerns and of course compliance requirements. While there is a wide variation of prices in NGFW, often they are not matched directly to capability – which is why needs should precede budget considerations.

At the risk of creating a boring feature list, some of the elements to consider and prioritise for Next Generation Firewalls include application firewalling (using deep packet inspection), intrusion prevention, encrypted traffic inspection (TLS/SSL), website filtering, bandwidth management, and third-party identity management integration (LDAP, RADIUS, Active Directory, etc.).

Other features can include antivirus, sandbox filtering, logging and auditing tools, network access control, DDoS protection and of course cloud capabilities. 

Clearly different organisations will have a divergent range of needs driven by their own size, performance and security requirements. With the significant range of solutions on offer, the challenge can often be selection, particularly with the significant number of new suppliers entering the market with innovative offerings. However, these can often create more cloud than light in this area, plus there’s a real risk that if they have a genuinely innovative solution, they will be acquired by a bigger player.  

Budget and management capabilities are also key elements in this equation. Given that a firewall is often deployed for considerably more than three years, it’s crucial to make the right decision to protect your environment, not only against today’s threats but also those that will be the centre of attacks in the future.

Having been around security for more than 40 years, my own suggestion is that the conservative approach of going with a well-established player that can and will continue to invest in threat defences and upgrades is the best route. There are many organisations that fit this bill, including Barracuda Networks, Check Point and WatchGuard Technologies to name a few. Subject to the size and potential cost of your deployment, putting one or more suppliers through a full POC (proof of concept) ahead of the decision can be a very effective investment to protect your organisation in a radically changed risk environment from three years ago, and one which will continue to change at potentially an even faster rate.
