Don’t Try to Defend Your Data by Fighting the Last War

Never has your data lived in a more dangerous world. Attacks are more frequent, more damaging, and more ingenious than ever.

Ransomware like WannaCry is costing companies billions of dollars. DDoS attacks like the Mirai botnet are bringing down data centers and networks. Some attacks are the sophisticated multi-stage variety, in which a spear phishing exploit implants an advanced persistent threat (APT) within an organization, where it may live for months or years. Malicious actors are no longer teenagers in their parents’ basements, but sophisticated cyber criminals intent on financial gain, as well as nation-states seeking to destabilize large enterprises and national economies.

It’s your job to defend your data, but fighting the last war won’t work. That’s because the battlefield of IT infrastructure has changed.

Once there was a perimeter to defend. No more. Wi-Fi signals travel beyond the walls of corporate facilities and can be picked up across the street or in the building next door. Mobile devices come and go, carrying corporate data outside an organization and bringing malware in. In the course of a single transaction, data might go to and from multiple public cloud services. The idea of a defensible perimeter is obsolete.

 

In this battle, you want to have technology on your side. But which? Many enterprise security leaders are facing a choice between Secure Web Gateway (SWG) and Next-Generation Firewall (NGFW) technologies. Because you are likely to hear plenty of claims and counterclaims about both, you owe it to yourself and your organization to be an educated buyer.

Without question, NGFWs include significant advances over previous-generation firewalls, such as deep packet inspection (DPI) and intrusion prevention system (IPS) technologies. But they can’t do everything. To understand how an NGFW works and why you might require more, I suggest you take a look at the white paper, “Network Security for the Cloud Generation -- A Comprehensive Defense-in-Depth Approach,” published by Symantec. To get the full picture, you should read it from beginning to end. Here are the things that jump out at me:

Encryption is a key tool for defending your data -- but unfortunately, it’s also a key tool used by bad actors to enable their malware to fly under the radar and into your organization. According to Ponemon Institute, nearly half of cyber attacks over a 12-month period used encryption to penetrate organizations undetected.

To decrypt data packets and inspect them takes work. NSS Labs found that when SSL decryption was enabled on NGFWs, performance plummeted by an average of 81%. With that kind of drop-off, it’s no wonder network administrators adjust the settings on many NGFWs to let SSL traffic pass through uninspected.

SWG also blocks malware better. In a head-to-head test conducted by the Tolly Group in March 2017, the Symantec Secure Web Gateway demonstrated significantly better blocking capability than NGFW. For example, SWG blocked 99.26% of phishing attacks, compared with 78.75 for NGFW. And SWG blocked 99.18% of malicious URLs, vs. 61.01% for NGFW.

What’s more, NGFW evasion techniques are becoming increasingly sophisticated, according to Felix Leder, director of the detection technology group at Symantec. One technique is to split data or encode it in ways that an NGFW cannot understand. When the NGFW receives the data, but does not understand the request that data is making, the NGFW will forward it and react later. If just one packet can get through this way, it’s possible to re-establish connections over and over again to send more packets to infect an organization with malware. In contrast, a SWG will block these packets, Leder explains.

Because we live in the cloud era, the ability to support a large number of cloud-based applications is critical. The Tolly Group found a leading NGFW could support only one-eighth the number of cloud applications as the Symantec SWG.

Finally, a SWG can form the foundation of an Integrated Cyber Defense (ICD) platform covering both cloud and on-premises elements of your IT infrastructure. That’s because it can integrate with other parts of your security ecosystem, such as your data loss prevention (DLP) application, something that NGFWs are not designed to do.

All this is not to say that NGFWs have no place in your cyber defense strategy. But as you study NGFW and SWG technologies, you are likely to find the ability of a solution like Symantec SWG to more effectively inspect and decrypt traffic, and block malware without slowing down your network, is something your organization cannot do without. It’s technology designed for a time when the perimeter of yesteryear is gone, never to return.