Next generation firewalls to become last generation firewalls

Hackers – utilizing artificial intelligence and machine learning – will no longer be slowed down by a next-generation firewall alone.

Due to increased end-to-end encryption and the rise of affordable artificial intelligence (AI), your business’ security suite needs to evolve to keep up with today’s threats. While next generation firewalls (NGFW) still provide a critical component of a business’ security solution, they no longer provide a “one box to protect it all” turn-key solution. Today’s hackers, knowing most businesses have an NGFW, focus on application layer attacks and use transport layer security (TLS) to obscure their connections. This evades the defenses an NGFW provides and requires businesses either to proxy connections at an edge gateway or to move security down to the endpoint in order to remain secure.

Hackers adopting artificial intelligence at an increased pace

Through the use of stolen compute cycles from compromised computers or fraudulent cloud accounts, and open source software such as TensorFlow or OpenAI, building an AI hacking platform no longer requires PhD-level expertise or significant capital. The combination allows cyber criminals to replace the days or weeks of manual probing and analysis required to execute attacks on the application layer. With AI, previously complex and time-consuming attacks become as easy as executing an Nmap scan and then running an exploit for a known vulnerability from the CVE database at the network layer. An NGFW provides protection at the network layer, stopping yesterday’s attacks. While hackers already use application security scanners looking for vulnerabilities such as the OWASP Top 10, the output of those scans requires a lot of manual effort to weed out the large volume of false positives.

The evolution of network firewalls and hacking attacks

Early firewalls only provided simple access lists for IP address, protocol, and port filtering. NGFW added support for stateful packet inspection and many other features to provide extra security. With over five years of general availability, the prevalence of NGFW deployments led hackers to send traffic outbound over transmission control protocol (TCP) port 443 wrapped in hypertext transfer protocol secure (HTTPS) headers, because this traffic blends in with the connections employees need to visit most websites. Because HTTPS is end-to-end encrypted and necessary for business productivity, nearly everyone allows it outbound from their network. In many cases, hackers will route communications through a compromised domain to avoid triggering a DNS blacklist, defeating another security layer (e.g. running their command and control software on a small business website, such as a hacked local doctor’s or dentist’s site, that your employees would legitimately need to visit via HTTPS). Security vendors responded with web application firewalls (WAF) to proxy and scan connections. WAF deployments primarily protect public-facing websites, especially for e-commerce due to the PCI-DSS 6.6 requirement, and little else, due to privacy and complexity concerns.

Hackers are getting inside – perimeter security is no longer enough

Through drive-by downloads, phishing, universal serial bus (USB) drops, and other attacks that exploit individual employees, hackers get inside businesses’ networks every day. Only a limited number of enterprises and industries deploy advanced protection on intranet sites, allowing hackers, once inside, to quickly expand their footprint and control territory. After an attacker has spread out across an environment, expunging them becomes very time consuming and costly. Security professionals discuss this type of hacker in its own category, advanced persistent threats (APT). Through the use of a compromised endpoint, asynchronous attacks progress via command and control channels over unsecured internet connections. Employees often use their laptops within range of open WiFi hotspots or on their home network with no advanced security systems in place. The hacking software will wait, potentially days or weeks, before sending communication back to the control platform. With an attack spread out over days or weeks, a security analyst will not correlate the events and identify the compromise through eyes-on-glass intrusion detection monitoring unless the security information and event management (SIEM) platform performs advanced correlation to help them.

Host-based security false positives frustrate employees 

Security teams all want and need to provide defense in depth, with enough layers that one or more of the systems catches the attack and either raises an alert or blocks it directly. Host-based security software can provide an important layer with strong protection to limit the ability and speed of an attacker. Both Microsoft Windows and Apple macOS have built-in packages that should either be enabled or replaced by a third-party solution, as running without any host-based security today creates substantial risk. Higher security settings trigger false positives that impact employee productivity. Low security settings miss real hacks and create false negatives, allowing hackers to exploit the system. As businesses everywhere strive to increase employee engagement and productivity, host-based security systems often end up with minimal configurations or get disabled altogether. In this struggle between business line leaders and the office of the CSO, most organizations side with the business unit rather than allowing the security team enough time to custom-tune each individual system to minimize false positives and false negatives. This makes it nearly impossible to turn host-based security into a “one layer to protect it all” solution.

Recommendation: fight AI with AI

To stop AI-enabled hackers in a financially rational manner, businesses need to start looking at and implementing their own AI platform for monitoring anomalies instead of continuing to scale out the “eyes on glass” security monitoring analyst team. Many security information and event management (SIEM) and log monitoring solutions are adding basic AI functionality. Feeding data into the system is key, as it can’t analyze what it doesn’t know. As an example, if an employee is out of the office visiting a customer or on vacation, traffic shouldn’t be coming from their workstation outbound to the internet. Would your existing security operations center (SOC) catch this? Not likely, with the data integration and staffing levels most businesses or managed security service providers (MSSP) operate at today. While your business cannot steal compute cycles to create a free AI platform, you can easily start using AI, as Google, Amazon, and Microsoft all have turn-key services available. If you prefer buying commercial solutions over development, look at an AI-powered security operations and analytics platform architecture (SOAPA) as an evolutionary replacement for your SIEM.
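The two correlations this article asks a SIEM to make, as an added example that is not from the article or any vendor product: the out-of-office check from this section, and the days-apart command-and-control check-in from the APT section, both run over a constructed firewall log joined with a constructed HR feed. The log format, workstation names and domains are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-HTTPS log, one "<timestamp> <workstation> <destination:port>"
# line per connection. Workstation names and domains are hypothetical.
FW_LOG = """\
2017-09-04T09:12:00 ws-alice dentist-example.invalid:443
2017-09-06T09:12:03 ws-alice dentist-example.invalid:443
2017-09-08T09:11:58 ws-alice dentist-example.invalid:443
2017-09-10T09:12:01 ws-alice dentist-example.invalid:443
2017-09-04T10:30:00 ws-bob cdn-example.invalid:443
2017-09-05T14:02:11 ws-bob cdn-example.invalid:443
2017-09-11T08:45:19 ws-bob cdn-example.invalid:443
"""

# Constructed HR/calendar feed: workstation -> (first day away, last day away), inclusive.
OUT_OF_OFFICE = {"ws-alice": ("2017-09-05", "2017-09-12")}

def parse_log(text):
    """Turn '<ts> <host> <dst>' log lines into (datetime, host, dst) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), host, dst) for ts, host, dst in rows]

def out_of_office_traffic(events, schedule):
    """Flag outbound connections from a workstation whose user is marked away."""
    hits = []
    for ts, host, dst in events:
        window = schedule.get(host)
        if window and window[0] <= ts.strftime("%Y-%m-%d") <= window[1]:
            hits.append((ts.isoformat(), host, dst))
    return hits

def slow_beacons(events, min_hits=4, max_jitter=0.05):
    """Flag (host, destination) pairs that check in at a near-constant interval of
    a day or more: the low-and-slow C2 pattern only weeks of correlated logs reveal."""
    by_pair = defaultdict(list)
    for ts, host, dst in events:
        by_pair[(host, dst)].append(ts)
    found = []
    for (host, dst), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means clockwork spacing; report the period in hours.
        if avg >= 86400 and pstdev(gaps) / avg <= max_jitter:
            found.append((host, dst, round(avg / 3600, 1)))
    return found
```

Neither check is visible to a shift analyst watching a console: the first needs the HR feed joined to the firewall log, the second needs the whole multi-week history of one host/destination pair in one place.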

Copyright © 2017 IDG Communications, Inc.
