“Detection is a Flawed” Strategy by Simon Crosby at Dark Reading:
Simon goes over the problems we have had including the Target failure, where the malware was detected but not acted upon (2014). So the Firewall Industry does sell a difficult job – they do know that breaches occur, there will be breaches.
(image from previous post on industrial firewalls)
The problem we have is that we do have to have a Firewall according to compliance standards, such as PCI (Payment Card Industry)
In fact the PCI industry standard v3.1 (updated April 2015) puts a firewall pretty high on the list, with a Requirement # 1 – install and maintain a firewall configuration to protect cardholder data.
So we know we need a firewall, and in fact you need an Intrusion Detection System with logging capabilities…
Requirement 10. Track and monitor all access to network resources and cardholder data
So what do we have to do? We know we will get breached – we know we will get attacked. first we have to log everything we have in our network.
10.6.1 Logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).
11.4 Is where the recommendation for an actual IPS/IDS systems is required.
So we know we need a firewall, and we also should have an IPS /IDS system, which is why the Security industry is pushing the Next Gen Firewall(NGFW), which can do both IPS and firewall.
If we know we will get breached, the key as Richard Bejtlich recommends in his post June 30th http://taosecurity.blogspot.com/2015/06/my-security-strategy-third-way.html
Mr. Bejtlich notes the recent OPM(Office Personnel Management) federal breach and the distillation of a couple of sentences which say that there is no fully secure network, or fully intrusion-proof network. What we must do instead is to Detect and respond to breaches.
There are other people who have outlined the security industry problems, which are steeped in Tactics, Techniques and Procedure while being limited by our experience:
http://oversitesentry.com/security-industry-one-dimensional-limited-by-experience/
As Mr. Yoran says – “We are on a journey to full visibility”
We have to learn our IPS firewall systems to the best of our ability.
We have to improve our network as the bad guys are improving all the time.
Bruce Schneier as mentioned in my Jan22nd post http://oversitesentry.com/reviewing-all-of-the-changes-in-2015/ from BlackHat2014.
The Predators have an advantage, and will until our tools change significantly, but in the meantime we need to devise ways to minimize false positives, and act on potential and actual breaches.
PCI compliance requires logging and maintaining a firewall. Why not an IPS system? Even though it will not fully secure your network it has to be done as it is the best that can be done.
Improve your metrics, improve your understanding of IPS systems. Focus on detecting the real breaches.
Contact Me to discuss this issue – free email list inclusion for firewall posts.