Our Cybersecurity team leaders recently attended the IT Nation Secure conference held in Orlando. The top two challenges discussed at the event were “Keeping pace with the Threat Landscape” and the need to “Scale and Operationalize Cybersecurity.” Automating your cybersecurity is imperative. To achieve this, deploy layered security controls: firewalls, intrusion detection and prevention systems (IDS/IPS), and a SIEM that collects and correlates the logs those controls and your hosts produce. This approach improves the scalability and operability of your defenses. Ensuring consistency in implementing the strategy is of utmost importance. These systems are critical in establishing a solid cybersecurity plan that can effectively protect against potential threats.
Security Information and Event Management (SIEM)
According to a 2020 Gartner report, the SIEM market grew 5.4% in 2019, reaching $2.2 billion. This indicates increased adoption due to the growing number of cyber threats.
A case study from the University of North Georgia (UNG) illustrates how SIEM can be beneficial. After experiencing numerous phishing attacks, UNG implemented a SIEM solution that significantly reduced the number of successful attacks. The SIEM helped by aggregating and correlating logs from various systems, enabling quick detection and response to threats.
Real-world examples and industry trends underline the adoption and importance of these security measures. The complexity and frequency of cyber-attacks highlight the need for a robust, layered cybersecurity approach that includes firewalls, IDS/IPS, and SIEM.
Firewalls
According to the “2021 State of the Firewall Report” from FireMon, 96% of survey respondents consider firewalls as critical infrastructure for their organizations. In the same report, 24% indicated that they manage 100 or more firewalls, underscoring the scale of their deployment.
One example of a breach that a properly segmented firewall design could have limited is the Target data breach in 2013, where attackers stole credit and debit card information from some 40 million customers. The attackers first compromised Target’s HVAC vendor with a phishing email and stole the vendor’s credentials for Target’s supplier portal. From that foothold they moved laterally to the payment systems, because Target’s internal network was not segmented with firewall rules that would have kept a vendor-facing system from reaching the point-of-sale environment.
Companies can use several types of firewalls to protect their networks and systems. Here are some commonly used types of firewalls:
Network Layer Firewall (Packet Filtering Firewall): This is the most basic type of firewall, operating at the OSI model’s network layer (Layer 3), although its rules also match transport-layer port numbers. It examines each packet in isolation (statelessly) against predefined rules such as source and destination IP addresses, port numbers, and protocol types, with no memory of earlier packets. That is its weakness: to let replies back in, a stateless filter has to permit inbound packets by header fields alone, and an attacker can craft packets that match those fields.
Stateful Inspection Firewall: Stateful firewalls operate at the network layer (Layer 3) and the OSI model’s transport layer (Layer 4). They keep a connection table recording which sessions were legitimately opened and evaluate each packet in that context, so an inbound packet is accepted only if it belongs to a connection the policy already allowed.
Application Layer Firewall (Proxy Firewall): Application layer firewalls operate at the OSI model’s application layer (Layer 7) and can inspect traffic at a deeper level. They act as intermediaries between client and server connections, examining and filtering network traffic based on specific application protocols, such as HTTP, FTP, or SMTP.
Next-Generation Firewall (NGFW): NGFWs combine traditional firewall functionality with additional security features such as intrusion prevention, deep packet inspection, application awareness, and advanced threat protection. NGFWs offer more advanced capabilities to identify and block sophisticated threats, including application-specific attacks.
Unified Threat Management (UTM): UTM appliances integrate multiple security features into a single device. In addition to firewall capabilities, they often include antivirus, anti-malware, intrusion detection and prevention, virtual private networking (VPN), content filtering, and other security services.
Web Application Firewall (WAF): WAFs are designed to protect web applications from various attacks, including SQL injection, cross-site scripting (XSS), and other application-layer attacks. They examine and filter web traffic, focusing on the application layer vulnerabilities and attack patterns.
Cloud Firewall: With the increasing adoption of cloud services, cloud firewalls have emerged. Cloud service providers often offer built-in firewall capabilities as part of their cloud infrastructure services. These firewalls help protect cloud-based resources and control network traffic within the cloud environment.
It’s worth noting that some firewalls are deployed as hardware appliances, while others are software-based or provided as cloud services. All of them monitor and control incoming and outgoing network traffic based on the security rules you establish. The primary purpose of a firewall is to block traffic your policy does not permit, which includes much attack and reconnaissance traffic, while allowing legitimate traffic to flow; it is only as good as the rules written for it, so overly broad “allow” rules, like the unsegmented network in the Target case, leave exactly the gaps attackers look for. The choice of firewall type depends on the organization’s specific security requirements, network architecture, budget, and scalability needs.
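To make the difference between the first two firewall types concrete, here is an added simulation (example code, not part of the original article or any vendor’s product). It enforces one policy, “inside hosts may open connections outbound; nothing outside may initiate a connection inward,” first as a stateless packet filter and then as a stateful inspection filter, and runs both over a small packet trace constructed for the example. The addresses, ports and the `Packet` class are assumptions made for illustration.

```python
"""Stateless packet filtering versus stateful inspection (added example).

Policy enforced by both filters:
  - hosts in 10.0.0.0/24 may open TCP connections to the outside;
  - nothing outside may initiate a connection to the inside.
A stateless filter can only approximate "let replies back in" with a header
rule (allow inbound packets whose source port is a well-known service port),
which an attacker satisfies by sending from source port 80.  The stateful
filter consults a connection table and drops the forged packet.
All addresses and packets below are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")   # assumed internal network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN: set on the first packet of a connection
    ack: bool = False


def is_inside(addr: str) -> bool:
    return ip_address(addr) in INSIDE


def stateless_filter(pkt: Packet) -> str:
    """Packet-filtering firewall: every packet judged on its own header fields."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return "ACCEPT"                 # outbound traffic is allowed
    if pkt.sport in (80, 443):          # crude "return traffic" rule
        return "ACCEPT"                 # ...which a forged source port also matches
    return "DROP"


class StatefulFilter:
    """Stateful inspection: remembers connections the inside opened."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) for allowed sessions
        self.table: set[tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and not pkt.ack:
                self.table.add(key)     # inside host opens a session: record it
                return "ACCEPT"
            return "ACCEPT" if key in self.table else "DROP"
        # inbound: accepted only as the reply side of a recorded session
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return "ACCEPT" if reverse in self.table else "DROP"


# Constructed trace: an inside host browses to a web server, the server
# replies, then an outside attacker spoofs source port 80 to reach SMB (445).
TRACE = [
    Packet("10.0.0.5", 51000, "93.184.216.34", 80, syn=True),
    Packet("93.184.216.34", 80, "10.0.0.5", 51000, syn=True, ack=True),
    Packet("198.51.100.7", 80, "10.0.0.5", 445, syn=True),
]


def run(trace: list[Packet]) -> list[tuple[str, str]]:
    """Return (stateless verdict, stateful verdict) for every packet in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.filter(p)) for p in trace]


if __name__ == "__main__":
    for pkt, verdicts in zip(TRACE, run(TRACE)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  stateless={verdicts[0]}  stateful={verdicts[1]}")
```

The third packet is the one that matters: the stateless filter accepts it because its source port is 80, while the stateful filter drops it because no inside host ever opened a session to 198.51.100.7. Real firewalls also track timeouts, TCP state transitions and UDP/ICMP pseudo-connections, which this example leaves out.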
It’s always recommended for organizations to work with firms such as Infinavate Consultancy Services to conduct a thorough assessment of their security needs and determine the most suitable firewall solution(s) for their environment.
Intrusion Detection and Prevention Systems (IDS/IPS)
A 2020 survey conducted by Cybersecurity Insiders found that 27% of organizations experienced at least one intrusion that bypassed their preventive security controls. This underscores the need for robust IDS/IPS systems. The 2016 Bangladesh Bank heist is an example of what such controls are meant to catch. Attackers planted malware on the bank’s SWIFT-connected systems, used it to monitor staff and steal credentials, and then sent fraudulent SWIFT payment instructions to the Federal Reserve Bank of New York to transfer money from the Bangladesh Bank’s account to a bank in the Philippines, where four accounts had been opened under false names at a Manila branch. The money was withdrawn in a matter of days. Attackers exploited the bank’s weak cybersecurity infrastructure and stole $81 million through fraudulent transactions. A well-implemented IDS/IPS monitoring the SWIFT-connected segment could have flagged the malware’s activity, and transaction monitoring could have blocked the anomalous payment instructions before the funds left the account.
Intrusion Detection Systems (IDS)
An IDS monitors a network or systems for malicious activity or policy violations. The primary function of an IDS is to identify suspicious activity and then alert the system or network administrators. An IDS can be network-based (NIDS), monitoring traffic on a network segment, or host-based (HIDS), focusing on a single host and its logs, files, and processes. The main difference between a firewall and an IDS is that a firewall enforces a policy on traffic passing through it, while an IDS watches the traffic and activity the policy allowed, looking for intrusions that are underway or have already happened.
Intrusion Prevention Systems (IPS)
An IPS can be considered an extension of an IDS because it not only detects potential security breaches but also takes countermeasures to stop them. An IPS operates inline and inspects network traffic, so it can respond instantly to detected threats before they reach their targets. Because it sits inline, a false positive blocks legitimate traffic, so IPS rules need tuning before they are switched from alert to block mode.
Security Information and Event Management (SIEM)
SIEM is a holistic approach that provides real-time analysis of security alerts generated by applications, hosts, and network hardware. By gathering log and event data from firewalls, IDS/IPS, servers, and identity systems, normalizing it, and combining it with threat intelligence feeds, a SIEM can correlate events that no single source would flag on its own, categorize and analyze incidents, and generate reports.
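The following added example (not code from the original article or from any SIEM or IDS product) ties the IDS/IPS and SIEM descriptions above together on constructed log data. A small host-based detection rule raises a brute-force alert when one source IP produces five failed SSH logins within sixty seconds; run in IPS mode, the same rule also blocks further traffic from that source. A SIEM-style correlation step then joins the IDS alerts with the sshd log and raises an incident when an alerted source later logs in successfully. The log lines loosely follow OpenSSH’s sshd message format but the timestamps, hosts, and usernames are invented; the threshold and window are assumptions.

```python
"""IDS/IPS rule plus SIEM-style correlation over constructed logs (added example)."""
import re
from collections import defaultdict, deque

THRESHOLD = 5   # failed logins from one source...
WINDOW = 60     # ...within this many seconds triggers an alert (both assumed)

# Constructed sshd-style lines: "<epoch> sshd: <Failed|Accepted> password for <user> from <ip> ..."
AUTH_RE = re.compile(r"^(\d+) sshd: (Failed|Accepted) password for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def parse_auth(line):
    """Normalise one sshd line into (ts, outcome, user, src_ip); None if it is not an auth event."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, outcome, user, ip = m.groups()
    return int(ts), outcome, user, ip


class BruteForceIDS:
    """Host-based rule: sliding window of failed logins per source IP."""

    def __init__(self, prevent=False):
        self.prevent = prevent              # False = IDS (alert only), True = IPS (alert then block)
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures
        self.blocked = set()
        self.alerts = []                    # (ts, src_ip)

    def observe(self, event):
        if event is None:
            return "PASS"
        ts, outcome, user, ip = event
        if ip in self.blocked:
            return "BLOCK"                  # inline drop of later traffic from this source
        if outcome == "Failed":
            q = self.failures[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= THRESHOLD:
                self.alerts.append((ts, ip))
                if self.prevent:
                    self.blocked.add(ip)
                return "ALERT"
        return "PASS"


def correlate(auth_lines, ids_alerts):
    """SIEM-style rule: brute-force alert followed by a successful login from the same IP."""
    first_alert = {}
    for ts, ip in ids_alerts:
        first_alert.setdefault(ip, ts)
    incidents = []
    for line in auth_lines:
        ev = parse_auth(line)
        if ev is None:
            continue
        ts, outcome, user, ip = ev
        if outcome == "Accepted" and ip in first_alert and ts >= first_alert[ip]:
            incidents.append({"rule": "brute-force-then-success", "severity": "high",
                              "src_ip": ip, "user": user, "ts": ts})
    return incidents


# Constructed log: one attacker (203.0.113.9) and one benign login (10.0.0.7).
AUTH_LOG = [
    "1000 sshd: Failed password for admin from 203.0.113.9 port 40001 ssh2",
    "1003 sshd: Failed password for admin from 203.0.113.9 port 40002 ssh2",
    "1005 sshd: Accepted password for alice from 10.0.0.7 port 50000 ssh2",
    "1007 sshd: Failed password for root from 203.0.113.9 port 40003 ssh2",
    "1010 sshd: Failed password for admin from 203.0.113.9 port 40004 ssh2",
    "1012 sshd: Failed password for admin from 203.0.113.9 port 40005 ssh2",
    "1020 sshd: Accepted password for admin from 203.0.113.9 port 40006 ssh2",
    "1500 sshd: Failed password for admin from 203.0.113.9 port 40007 ssh2",
]


def run(prevent):
    """Feed the log through the IDS/IPS, then correlate what reached the host."""
    ids = BruteForceIDS(prevent=prevent)
    verdicts, delivered = [], []
    for line in AUTH_LOG:
        v = ids.observe(parse_auth(line))
        verdicts.append(v)
        if v != "BLOCK":
            delivered.append(line)      # only traffic not dropped inline shows up in sshd's log
    return verdicts, ids.alerts, correlate(delivered, ids.alerts)


if __name__ == "__main__":
    for mode in (False, True):
        verdicts, alerts, incidents = run(prevent=mode)
        print("IPS" if mode else "IDS", verdicts, alerts, incidents)
```

In IDS mode the fifth failure produces an alert, the attacker’s later successful login still reaches the host, and the SIEM correlation turns alert plus success into a high-severity incident. In IPS mode the same alert fires but subsequent traffic from that source is blocked, so the success never happens and nothing correlates. The last line, 500 seconds later, falls outside the window and does not re-trigger the rule.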
When used together, these systems create a layered defense, significantly reducing the likelihood of successful attacks. Cybersecurity is not a one-size-fits-all proposition, and it’s crucial to implement a tailored combination of these systems according to your organization’s unique needs.
It is essential to update and patch your systems regularly so that newly disclosed vulnerabilities and exploits cannot be used against you. For example, the recent Fortinet vulnerability allowed attackers to execute code remotely without authentication, highlighting the importance of maintaining proper cybersecurity measures, including on the security appliances themselves. To protect yourself from cyber threats, it’s essential to have suitable systems in place, such as firewalls, IDS, IPS, and SIEM, and to be proactive in your cybersecurity strategy.
Contact Infinavate to discuss your Cybersecurity Threat Intelligence Team.