What Darwin really talked about was adaptation. It’s clear that network defense tools have evolved tremendously to meet a changing threat landscape. Let’s walk through some of those evolutions.
Firewalls were among the first systems designed to protect the enterprise from external threats. Early firewalls controlled outside access to the network through rudimentary packet-filtering, a simple set of rules that looked at basic attributes such as port number and destination address.
These rules quickly evolved to add a concept of “state”: is this packet the start of a new connection, or part of one the firewall is already tracking? Filtering became much more efficient, since return traffic for a tracked connection could be accepted without re-evaluating the rule set, but a port number is a coarse proxy for what is actually being sent, so the firewall stayed relatively porous to attacks carried over permitted ports. In addition, large volumes of attack traffic (for example a flood of connection attempts that are never completed) could exhaust the firewall’s connection-state memory, making these in-line devices attractive targets for denial of service (DoS) attacks.
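The two points above, the fast path for tracked connections and the state-table exhaustion that makes the device a DoS target, in a minimal stateful filter. This is an added example, not code from the original article or from any firewall product; the addresses, ports, table size and the `Packet` model are assumptions made for illustration.

```python
"""Added example, not from the original article: a minimal stateful packet
filter with a bounded connection table. It shows the efficiency gain over
stateless rules (return traffic needs no rule lookup) and the failure mode
the text describes, a flood of half-open connections exhausting the table.
Packets and addresses are constructed sample data, not captured traffic."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # opens a new TCP connection
    ack: bool = False   # belongs to a connection already under way


class StatefulFilter:
    """Accept new connections only to allowed ports, accept traffic in either
    direction for connections already tracked, drop everything else. The
    table is bounded to model a device's finite connection-tracking memory."""

    def __init__(self, allowed_ports, max_entries):
        self.allowed_ports = set(allowed_ports)
        self.max_entries = max_entries
        self.table = {}                 # (src, sport, dst, dport) -> state
        self.drops_table_full = 0

    def handle(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        for k in (key, reverse):
            if k in self.table:
                # Fast path: a tracked flow, no rule evaluation needed.
                if p.ack:
                    self.table[k] = "ESTABLISHED"
                return "ACCEPT"
        if p.syn and p.dport in self.allowed_ports:
            if len(self.table) >= self.max_entries:
                # Finite state memory: once the table is full of entries
                # that never complete, legitimate new connections are refused.
                self.drops_table_full += 1
                return "DROP"
            self.table[key] = "SYN_SEEN"
            return "ACCEPT"
        return "DROP"   # unsolicited or non-allowed traffic


def simulate_syn_flood(table_size: int, flood_count: int):
    """Send flood_count SYNs from spoofed sources that never complete the
    handshake, then try one legitimate connection. Returns (flood packets
    accepted, verdict for the legitimate client, drops due to a full table)."""
    fw = StatefulFilter(allowed_ports={80}, max_entries=table_size)
    accepted = 0
    for i in range(flood_count):
        spoofed = Packet(f"203.0.113.{i % 250 + 1}", 1024 + i,
                         "198.51.100.5", 80, syn=True)
        if fw.handle(spoofed) == "ACCEPT":
            accepted += 1
    legit = fw.handle(Packet("192.0.2.10", 40000, "198.51.100.5", 80, syn=True))
    return accepted, legit, fw.drops_table_full


if __name__ == "__main__":
    # With a 100-entry table, the first 100 spoofed SYNs fill it and the
    # legitimate client that follows is dropped.
    print(simulate_syn_flood(table_size=100, flood_count=500))
```

Real connection trackers mitigate the second half of this demonstration by aging out half-open entries quickly and, on the host side, with SYN cookies; the example deliberately leaves those out so the exhaustion is visible.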
The introduction of the application-layer firewall, exemplified by the TIS Firewall Toolkit (FWTK), added a layer of protocol filtering, specifically for common protocols such as the File Transfer Protocol (FTP) and the Hypertext Transfer Protocol (HTTP). Rather than trusting a port number, these firewalls proxied the connection and knew how each protocol was supposed to work, so a command or request that did not fit the protocol could be rejected; later versions could adapt on the fly to the different ways applications made use of the protocols.
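What “knowing how the protocol is supposed to work” looks like for the FTP control channel, as an added example that is not FWTK’s code or code from the original article: each command line is parsed and forwarded only if the verb is on an allowlist and its argument has the shape RFC 959 gives it. The 512-byte line bound and the allowlist contents are choices made for this example, and the command lines are constructed.

```python
"""Added example, not the TIS Firewall Toolkit: an application-layer filter
for the FTP control channel. Instead of matching on port 21, it parses each
command line and forwards only well-formed commands from an allowlist whose
arguments have the shape RFC 959 defines. Sample lines are constructed."""
import re

MAX_LINE = 512   # bound chosen for this example (includes the CRLF)


def _re(pattern):
    """Build a validator that requires the whole argument to match pattern."""
    rx = re.compile(pattern)
    return lambda arg: rx.fullmatch(arg) is not None


def _port_args(arg):
    """PORT h1,h2,h3,h4,p1,p2: six decimal fields, each 0..255."""
    parts = arg.split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        return False
    return all(0 <= int(p) <= 255 for p in parts)


# Verb -> validator for its argument ("" when the verb takes none).
ALLOWED = {
    "USER": _re(r"[A-Za-z0-9._@-]{1,64}"),
    "PASS": _re(r"[\x21-\x7e]{1,128}"),
    "CWD":  _re(r"[\x20-\x7e]{1,255}"),
    "RETR": _re(r"[\x20-\x7e]{1,255}"),
    "STOR": _re(r"[\x20-\x7e]{1,255}"),
    "LIST": _re(r"([\x20-\x7e]{1,255})?"),   # optional pathname
    "TYPE": _re(r"[AI]"),
    "PORT": _port_args,
    "PWD":  _re(r""),
    "PASV": _re(r""),
    "NOOP": _re(r""),
    "QUIT": _re(r""),
}


def inspect_command(line: str):
    """Return ("FORWARD", VERB) or ("REJECT", reason) for one control-channel line."""
    if len(line) > MAX_LINE:
        return ("REJECT", "line too long")
    if not line.endswith("\r\n"):
        return ("REJECT", "missing CRLF terminator")
    body = line[:-2]
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in body):
        return ("REJECT", "control or non-ASCII byte in command")
    verb, _, arg = body.partition(" ")
    verb = verb.upper()                     # RFC 959: verbs are case-insensitive
    validator = ALLOWED.get(verb)
    if validator is None:
        # Anything not on the allowlist (SITE, for instance) never reaches the server.
        return ("REJECT", f"verb not permitted: {verb}")
    if not validator(arg):
        return ("REJECT", f"malformed argument for {verb}")
    return ("FORWARD", verb)


if __name__ == "__main__":
    for sample in ("USER alice\r\n", "SITE EXEC /bin/sh\r\n",
                   "PORT 192,0,2,10,999,1\r\n", "PWD extra\r\n"):
        print(repr(sample), "->", inspect_command(sample))
```

The verdict is made before the server ever sees the bytes, which is the difference between a proxy that understands FTP and a packet filter that merely permits port 21: an unknown verb, an out-of-range PORT field or an over-long line is rejected on syntax, not on a signature.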
Another key tool for perimeter defense is the standalone Intrusion Detection/Prevention System (IDS/IPS). Originally built around exploit signatures (the byte patterns of known attacks), these devices provide a layer of protection beyond the firewall. However, attackers have proven adept at quickly changing vectors and crafting new exploits that those patterns cannot identify, at least not in time to be detected and contained, so these systems have evolved to incorporate vulnerability-based signatures: rules that describe the condition which triggers a known but unpatched flaw, whichever exploit is used to reach it.
Next-generation firewalls evolved to address the limitations of traditional firewalls and to absorb other functions, shortening the ‘conga line’ of inspection devices that traffic passes through on its way into the network. This evolution typically included application awareness (identifying the application in a flow rather than inferring it from the port), the ability to terminate VPNs, and some deep-packet inspection capabilities.
The fact is, threat defense at the perimeter with any signature-based device poses a challenge for security organizations. Signature-based defenses can generate a significant number of false positives: legitimate traffic that happens to match a signature and triggers an alarm. We have recently seen these devices leverage other inputs, such as reputation, to improve their accuracy and reduce false positives. Attackers, however, are also evolving and modifying their techniques, using obfuscation to change the bytes a signature looks for so that malicious traffic slips past detection. In both cases, investigating these alerts to determine whether they are genuine, and how serious, can overwhelm security resources and waste valuable time.
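The IDS/IPS and signature paragraphs above make three claims: an exploit signature misses an obfuscated variant, a vulnerability signature catches it, and a byte-pattern signature can fire on legitimate traffic. Here they are side by side, as an added example that is not from the original article or any IDS product. The service, its 64-byte username buffer, the exploit bytes and the traffic samples are all invented for illustration.

```python
"""Added example, not from the original article or any IDS product: one
exploit-based and one vulnerability-based signature for a hypothetical
line-oriented service whose LOGIN handler copies the username into a
fixed 64-byte buffer. The flaw, the buffer size and the exploit bytes are
invented for illustration, and the traffic samples are constructed."""

# Exploit-based signature: the 16-byte NOP sled seen in one published exploit.
EXPLOIT_PATTERN = b"\x90" * 16

# Vulnerability-based signature: the size of the buffer the flaw overflows.
USERNAME_MAX = 64


def exploit_signature(payload: bytes) -> bool:
    """Fire if the bytes of the known exploit appear anywhere in the payload.
    Cheap, but it misses any exploit that uses different bytes and fires on
    unrelated data that happens to contain the pattern."""
    return EXPLOIT_PATTERN in payload


def vulnerability_signature(payload: bytes) -> bool:
    """Fire when a LOGIN argument is longer than the buffer the server has,
    whichever bytes are used to overflow it. Parsing the protocol costs more
    than a byte match, but the check survives exploit obfuscation."""
    if not payload.startswith(b"LOGIN "):
        return False
    username = payload[len(b"LOGIN "):].split(b"\r\n", 1)[0]
    return len(username) > USERNAME_MAX


# Constructed traffic samples.
SAMPLES = {
    # The published exploit: NOP sled followed by filler.
    "known_exploit": b"LOGIN " + EXPLOIT_PATTERN + b"A" * 120 + b"\r\n",
    # Same overflow with a polymorphic sled (alternating one-byte x86
    # instructions, inc ecx / dec ecx) in place of the 0x90 bytes.
    "obfuscated_exploit": b"LOGIN " + b"\x41\x49" * 8 + b"A" * 120 + b"\r\n",
    # An ordinary login.
    "normal_login": b"LOGIN alice\r\n",
    # A file upload whose binary content happens to contain 16 NOP bytes.
    "binary_upload": b"PUT firmware.bin\r\n" + b"\x90" * 16 + b"\xff" * 8,
}


def evaluate(samples=SAMPLES):
    """Return {name: (exploit_signature_fired, vulnerability_signature_fired)}."""
    return {name: (exploit_signature(p), vulnerability_signature(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (hit_exploit, hit_vuln) in evaluate().items():
        print(f"{name:20s} exploit-sig={hit_exploit!s:5s} vuln-sig={hit_vuln}")
```

The obfuscated exploit is the case the IDS paragraph is about: nothing in the attacker’s bytes matches the published pattern, yet the over-long argument still trips the vulnerability rule. The binary upload is the false positive from the paragraph above it: the exploit signature fires on legitimate data, and someone has to spend time clearing it. A production sensor would additionally bind the vulnerability rule to the right protocol stream and direction, which this example leaves out.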
The Security Information and Event Management (SIEM) system evolved to collect and manage the output of many of these network security devices. Ironically, SIEMs suffer from that success: too many alerts. The truth is that SIEMs in turn need to evolve to provide effective network security against a changing threat landscape, for example by adding visual analytical capabilities that speed the investigation of alerts.
When Darwin introduced the theory of evolution, what he was really talking about was adaptation. Network defense tools have evolved tremendously, and they must continue to adapt to meet a changing threat landscape.
At the end of the day, the network defender’s approach must match the attacker’s, with speed and agility. That is easier said than done, and it must involve not only tools but also communications, planning and process.