It is commonly agreed that firewalls have served as a vital weapon in the unrelenting battle against cyber attacks for years. Just to be clear, a firewall is a barrier or shield that is intended to protect your PC, tablet, or mobile phone against the data-based malware dangers lurking on the Internet. Data travels between your computer and the servers and routers on the Internet in packets, and the firewall inspects those packets and checks whether they meet pre-established rules. Based on these rules, each packet is either accepted or rejected.
Sounds great, right? Your firewall is keeping your data secure and you can sleep easy at night. Well, don’t get too complacent just yet. While this security concept may have sufficed in the past, increasingly sophisticated malware has created new dangers that firewalls are unable to detect. Risk levels are further compounded by the fact that firewalls are constantly inundated by relentless waves of new attacks, so that only a small fraction of the malware alerts can be investigated in depth. Even with a firewall in place, no system is capable of identifying and neutralizing every alert around the clock.
Defusing the Real Threats
Even when incident response is initiated, there is no clear evidence that the threat has been completely defused. The system may drop a specific connection, delete a file, block some data from leaving the company or take other action, but all of these steps could merely be temporary solutions dealing with a symptom rather than the root problem itself. So, taking the medical metaphor one step further, this basically means that you may inadvertently be applying a Band-Aid to a life-threatening hemorrhage.
What has changed? The nature of the attacks. Current attacks (external or internal) often contain several stages and artifacts, so that security devices are likely to glimpse only partial elements of a wider, far more destructive picture, one that the firewall alone is unable to detect.
Firewalls Are No Longer Enough
That is not to say that the firewall is flawed. It is not flawed, but rather it is insufficient. It is not able to effectively prevent threats like infected hosts, various malware downloads, and unauthorized connections to the server. Due to the myriad evolving threats, the application of additional, multi-layer security measures has become common practice, and alerts are constantly popping up. These security devices are doing their jobs, raising flags in detection or prevention mode that require further correlation, investigation and analysis.
Are Your Incident Responses Effective?
It’s the responsibility of your incident response team to take a step back, dig deep and endeavor to understand how an attack happened rather than concentrating on a single event or symptom. In order to ensure that no persistence or lasting damage has been left to linger behind, in-depth forensic tools need to be employed. Without a panoramic understanding, gaps in your defenses remain vulnerable to future attacks. Here are several examples of questions that your IT experts need to be asking:
- Is there an infected host in the network looking for a C2 server, which may be causing drops in the firewall?
- Are all of the connections being dropped or only some of them?
- Is it possible that the culprit downloaded a new payload, which was detected by the AV, but the downloader evaded detection?
- Is it possible the AV’s signatures were just updated so the infection was cleaned, but it managed to lurk undetected for several months? Is it possible that it leaked data during that time and only some of it was blocked by the DLP?
A Tsunami of Endless Alerts
But even when your IT team asks the right questions, it is virtually impossible to investigate the vast number of alerts that swamp them. According to ‘The Cost of Malware Containment’ report published by the Ponemon Institute in 2015: “Approximately 4 percent of all malware alerts are investigated. On average, organizations receive almost 17,000 malware alerts in a typical week but only 19 percent of these alerts are deemed to be reliable. Of the 3,218 reliable alerts, only 705 are investigated.” This suggests that participating organizations do not have the resources or in-house expertise to detect or block serious malware.
The Folly of Chasing the Wrong Alerts
But the quantity of alerts is not the only problem: The report also states that “two-thirds of the time spent by security staff responding to malware alerts is wasted because of faulty intelligence. It costs organizations an average of $1.27 million annually in time wasted responding to erroneous or inaccurate malware alerts. According to respondents, an average of 395 hours is wasted each week detecting and containing malware because of false positives and/or false negatives. The extrapolated average value of lost time is estimated at approximately $25,000 per week or $1.27 million each year for participating organizations.”
So the bottom line is that security teams waste time chasing inconsequential alerts while only investigating a very small number of alerts to begin with.
Preemptive Forensics - Full Comprehension of Your Security Scenario
There’s no doubt that it is important for you to have firewalls and other security measures in place. But if you really want to fight increasingly powerful malware effectively, the key lies in preemptive forensics. Using a tiny sensor on each host, a preemptive forensics system records every event, providing sharp end-to-end visibility, including every action and behavior on every endpoint and server: File, Network, Registry, Process, User, USBs, Event Log, and more. By posing pre-built queries, you gain full visibility of every component across the network, including installed applications, open shares, local admins, printed docs, drivers and services, autoruns, PowerShell, etc.
The system automatically correlates any alert from any source with host forensic data to reveal the full context of an alert instantly, without manual intervention. Security teams are able to significantly shorten incident response time with full comprehension of the security scenario. Not only has this specific attack been contained, but valuable lessons have been learned to prevent future security breaches.
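As an added illustration of the alert-to-host correlation just described, and of the first two questions in the list above (is an infected host beaconing to a C2 server, and are all of its connections dropped or only some), here is example code that is not from the article or any vendor product. It joins constructed firewall log entries with constructed host-sensor network events by host, destination and time window, so each drop is attributed to the process behind it; all hosts, addresses, process names and timestamps are made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

# Constructed sample data, not from a real incident: firewall log lines as
# (time, src, dst, action); host-sensor events as (time, host, pid, process, dst).
FW_ALERTS = [
    ("2015-06-01T10:00:05", "10.0.0.12", "203.0.113.7", "DROP"),
    ("2015-06-01T10:05:06", "10.0.0.12", "203.0.113.7", "DROP"),
    ("2015-06-01T10:10:04", "10.0.0.12", "203.0.113.7", "ALLOW"),
    ("2015-06-01T10:15:05", "10.0.0.12", "203.0.113.7", "DROP"),
    ("2015-06-01T10:07:30", "10.0.0.33", "198.51.100.9", "DROP"),
]
HOST_EVENTS = [
    ("2015-06-01T10:00:04", "10.0.0.12", 4412, "svchost.exe", "203.0.113.7"),
    ("2015-06-01T10:05:05", "10.0.0.12", 4412, "svchost.exe", "203.0.113.7"),
    ("2015-06-01T10:10:03", "10.0.0.12", 4412, "svchost.exe", "203.0.113.7"),
    ("2015-06-01T10:15:04", "10.0.0.12", 4412, "svchost.exe", "203.0.113.7"),
    ("2015-06-01T10:07:29", "10.0.0.33", 980, "chrome.exe", "198.51.100.9"),
]

def correlate(alerts, events, window=timedelta(seconds=5)):
    """Attach each firewall alert to the host process that opened a
    connection to the same destination within `window` of the alert."""
    by_key = defaultdict(list)
    for t, host, pid, proc, dst in events:
        by_key[(host, dst)].append((datetime.fromisoformat(t), pid, proc))
    ctx = defaultdict(lambda: {"drop": 0, "allow": 0, "times": []})
    for t, src, dst, action in alerts:
        at = datetime.fromisoformat(t)
        for et, pid, proc in by_key.get((src, dst), []):
            if abs(et - at) <= window:  # same host, same destination, close in time
                e = ctx[(src, pid, proc, dst)]
                e["drop" if action == "DROP" else "allow"] += 1
                e["times"].append(at)
                break
    return ctx

def beacon_like(times, max_jitter=30):
    """Near-constant gaps between attempts are typical of C2 check-ins."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return len(gaps) >= 2 and pstdev(gaps) <= max_jitter

def summarize(alerts=FW_ALERTS, events=HOST_EVENTS):
    """Per process: how many attempts were dropped vs allowed, and is it beaconing?"""
    return {(h, proc): {"dst": dst, "dropped": e["drop"], "allowed": e["allow"],
                        "partial_block": e["drop"] > 0 and e["allow"] > 0,
                        "beacon_like": beacon_like(e["times"])}
            for (h, pid, proc, dst), e in correlate(alerts, events).items()}
```

In the constructed data the firewall blocked three of four attempts from one process, so the partial-block flag and the regular five-minute interval together point the responder at the host process rather than at the individual dropped packets.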