This post is part of a blog series where we examine the 10 things to test in your future next-generation firewall. These 10 points will help ensure your next firewall matches the needs of your organization in its current and future states.
Lean on Automation to Prevent Difficult to Identify and Fast-Changing Threats
With attackers employing more and more automation, security teams are seeing more security events throughout their organizations every minute. Someone must sift through these events to identify which are high-risk and to determine the likely point of entry that has been compromised. Once identified, this information must be turned into an actionable response to mitigate an attack before it succeeds – and before sensitive data leaves the organization.
Why Should You Advocate and Test This Capability?
Done manually, the process of analyzing and correlating vast numbers of security events is difficult to scale. Security teams can easily drown in alerts and miss the critical, actionable ones. Even actionable information depends on human intervention, which slows mitigation and increases the likelihood of error. To move quickly enough to mitigate an attack before it succeeds, security tools and services should be able to identify the attack, then generate and distribute protections automatically, as well as integrate with other tools to set off the next action in your workflow.
Move Beyond the Status Quo
As attacks have become automated, the security tools used to discover them must be agile enough to identify known and never-before-seen threats, as well as prevent them more quickly than they can progress through the attack lifecycle. To do so, every step in the process, from discovery to full prevention, should be automated.
Known threats must be pre-emptively blocked without degrading firewall performance or impacting business productivity. Security tools must also analyze and identify malicious behavior – ideally within a cloud environment in order to take advantage of elastic compute and scalability – to prevent never-before-seen threats.
A secure cloud environment also ensures that new analytics and prevention controls can be rolled out without causing service interruptions or requiring new hardware or manual updates across an organization. It centralizes decision support so that all firewalls, clouds and endpoints get the latest data from a single, trusted source.
Once a new threat has been identified, protections should be automatically generated and implemented across all technologies to provide consistent coverage across the organization. They should also be distributed to all customers in the shared threat intelligence community to stop the spread of the attack.
With knowledge of the malicious behavior of the newly discovered threat, security tools must also use automation to identify potentially infected endpoints within your environment before any sensitive data can be exfiltrated. Using automated data correlation, the tools should identify and surface hosts on your network exhibiting any of the same malicious behavior as the threat.
True automation goes beyond providing information and allows you to configure automated actions. Some organizations may want to automate the immediate quarantine of potentially infected hosts. This can be done by moving a host to a policy that denies it access to all parts of the network while retaining connectivity for remediation efforts. Others may take a more nuanced approach by automatically applying multi-factor authentication to a potentially infected host so that, if attackers gain access to it, they cannot access corporate data or applications.
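The correlation-and-response loop described above, as an added example that is not the post's or any vendor's own code: a newly identified threat's behavior profile is matched against firewall log lines, every host showing the same behavior is surfaced, and each host is mapped to one of the two responses the post names (a quarantine policy that denies everything except a remediation host, or step-up MFA). The log format, host addresses, indicator values and the two-behavior quarantine threshold are all constructed assumptions.

```python
"""Added example, not the post's own code: correlate firewall logs against a
newly identified threat's behaviour profile and choose an automated response.
Log format, hosts, indicators and thresholds are constructed for illustration."""
from collections import defaultdict

# Behaviours of the newly discovered threat (constructed indicator values).
THREAT_PROFILE = {
    "dns": {"update-check.example.invalid"},   # C2 name lookups
    "dst": {"203.0.113.7:8443"},               # C2 endpoint
}

def parse_log(line):
    """Parse a 'key=value key=value' log line (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split())

def behaviours_of(entry):
    """Normalise one entry into (kind, indicator) pairs comparable to the profile."""
    if "dns" in entry:
        yield "dns", entry["dns"]
    if "dst" in entry and "dport" in entry:
        yield "dst", f"{entry['dst']}:{entry['dport']}"

def correlate_hosts(log_lines, profile=THREAT_PROFILE):
    """Surface every source host showing any behaviour from the profile."""
    matches = defaultdict(set)
    for line in log_lines:
        entry = parse_log(line)
        for kind, value in behaviours_of(entry):
            if value in profile.get(kind, ()):
                matches[entry["src"]].add(kind)
    return {host: sorted(kinds) for host, kinds in matches.items()}

def plan_response(matches, quarantine_at=2, remediation_host="10.0.0.5"):
    """>= quarantine_at distinct behaviours: quarantine (deny all but the
    remediation host). Fewer: require MFA so a stolen session cannot reach data."""
    plan = {}
    for host, kinds in matches.items():
        if len(kinds) >= quarantine_at:
            plan[host] = {"action": "quarantine",
                          "policy": {"deny": "any", "allow": [remediation_host]}}
        else:
            plan[host] = {"action": "require_mfa"}
    return plan

SAMPLE_LOGS = [  # constructed traffic/threat log lines
    "src=10.1.1.20 dns=update-check.example.invalid",
    "src=10.1.1.20 dst=203.0.113.7 dport=8443",
    "src=10.1.1.31 dst=203.0.113.7 dport=443",   # same IP, other port: no match
    "src=10.1.1.42 dns=update-check.example.invalid",
]
```

Running `plan_response(correlate_hosts(SAMPLE_LOGS))` quarantines 10.1.1.20 (two behaviors), flags 10.1.1.42 for MFA (one behavior) and leaves 10.1.1.31 untouched.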
Automation enables organizations to act against threats without waiting for human intervention, improving response time and, if implemented appropriately and in conjunction with the right tools, preventing successful attacks. A security vendor that offers automation allows security teams to move away from basic operational tasks and focus on strategic efforts that directly benefit the organization. Reducing human intervention reduces avoidable errors, ultimately enabling a stronger security posture.
Recommended RFP Questions
- Does your security vendor support the capability to automatically generate prevention signatures across the attack lifecycle for all data relevant to attacks?
- Can your firewall correlate and identify infected hosts in the network, and quarantine them to limit their access in the network?
- Can your firewall trigger multi-factor authentication to prevent credential abuse and secure critical applications?
- Can your firewall correlate the threats seen in the network with information obtained from global threat intelligence?