10 Things To Test In Your Future NGFW: Incorporate Dynamic Lists and Third-Party Threat Intelligence

This post is part of a blog series where we dissect the ten things to test in your future next-generation firewall. These ten points will help ensure your next firewall matches the needs of your organization in its current and future states.

Firewalls have the ability to import lists of predetermined rules and policies that, once consumed, allow the firewall to act against the objects outlined in the list. Afterward, firewall administrators are responsible for updating the firewall to reflect newfound threats, protections and policy rules. With attackers employing more advanced methods, such as automation and evasion, having the most updated security posture possible requires moving at machine speed.

Why Should You Advocate and Test This Capability?

Incorporating automation and dynamic lists into your next-generation firewall is the most effective and efficient way to improve your organization’s security posture. Dynamic lists are often provided by your NGFW vendor and can be updated manually or by integrating third-party threat intelligence. As a result, changes to rules and policies only need to be made to the list, and all firewalls tied to the dynamic lists will regularly and automatically import the most updated protections.

Move Beyond the Status Quo

Dynamic Lists

When new threats are identified, it falls to the firewall administrator to create a new rule or policy so that the firewall can respond appropriately. This must be done for each risk object and potentially each firewall in the network – a labor-intensive, often error-prone, manual process.

Working with dynamic lists dramatically reduces manual efforts and improves response time. Modern dynamic lists include protections against known, and high-risk, malicious IP addresses validated by your NGFW vendor. They also protect against high-risk IP addresses drawn from correlated third-party data that has not been validated by your vendor, which you can opt in to at the level of policy enforcement appropriate for your organization.

Third-Party Threat Intelligence Feeds

Organizations subscribe to third-party threat intelligence feeds for access to continuously updated data on potential threats and attack sources, ultimately increasing their knowledge base. These feeds provide massive amounts of data on raw indicators of compromise, or IoCs, which are used to turn unknown threats into known before attackers have a chance to compromise an organization.

Turning threat intelligence into actionable protections, much like creating new rules and policies based on activity seen on the firewall, is a time-consuming, manual process that many security teams struggle to manage.

The data from threat intelligence feeds must be current and formatted, potentially requiring the data format to be changed to a consumable form. The data must also be correlated to validate whether a given IoC is malicious, correlating multiple IoCs to reveal larger patterns of malicious behavior, and adding necessary context, such as the priority and relevance of newly identified threats. Once the data has been validated and enriched with context, security teams can much more efficiently create and distribute protections to address-specific threats across various security enforcement points. Alternatively, vendors can push protections out to enforcement points, but consolidation with local traffic isn’t as effective. Without completing these steps, threat feeds remain inert reams of data.

Automation is necessary to rapidly improve your security posture with the latest threat intelligence, alleviate manual intervention and eliminate human error. Based on context collected from outside your organization, automation can turn unknown threats into known protections more quickly than attackers can successfully complete the attack lifecycle.

Recommended RFP Questions

• Can your NGFW dynamically incorporate third-party or custom threat intelligence feeds in the firewall without policy commits?
• Does your security architecture support threat feed aggregation, consolidation and deduplication of threat feeds before pushing the indicators to your firewall?
• Does your security architecture integrate with your NGFW to automate timeout of expired threat indicators to avoid using stale threat intelligence?
• Does your security architecture allow you to target threat indicators from recent APT campaigns and incorporate threat feeds proactively on your NGFW?
• Does your security architecture allow you to enrich threat intelligence based on a confidence rating to reduce the operational overhead from dealing with false positives?

Learn more about the 10 things to test for in your future NGFW.