The detection of a security breach by an organization takes, on average, 206 days, according to a current study by the Ponemon Institute “Cost of a Data Breach Report 2019”.
FireEye analysts are somewhat more optimistic and estimate that the average detection time in the EMEA region is “only” 177 days (according to the “M-Trends 2019” report). Even with a difference of almost 30 days, the conclusion is the same: organizations need several months to detect a security event or a vulnerability. A reality that most companies become aware of only after they have been victims of an attack.
To prevent such situations, Datanet Systems specialists recommend an integrated multi-level security approach and the use of complementary protection solutions. In this case, the recommended solution is the Next-Generation Intrusion Prevention (NGIPS).
When a firewall is not enough…
Some companies may consider the recommendation “redundant”, given that more and more Next-Generation Firewalls (NGFW) also integrate some IPS functionality. Apparently, they’re right, but … just about any firewall, Next-Generation included, has a number of inherent limitations.
One of them is that when the IPS functionality is activated on NGFW equipment, network throughput drops rapidly and high application latencies occur. NGIPS solutions do not have this problem, and they can be used both as a passive intrusion detection system (signaling activities and events with potential risk) and as an in-line prevention system (effectively blocking the detected threats).
Another limitation of firewalls is their location: because NGFW equipment is perimeter-based, it cannot cover the entire network, so areas that are critical to the conduct of business activities are neither controlled nor inspected. NGIPS solutions have the advantage of being placed behind the firewalls, in the central nodes of the network, which gives them extended visibility and allows them to detect the “lateral movement” of files, a useful feature for identifying already compromised equipment and the threats that managed to get through the perimeter protection.
Last but not least, NGIPS systems have the advantage of not relying on a “state table” for inspection, as firewalls do. They are therefore less vulnerable to Denial of Service attacks. In addition, they integrate “Fail-to-Wire” options that do not allow network traffic to be disrupted if the NGIPS equipment fails, until the problem is resolved or the equipment is replaced.
The competitive advantages of the Cisco solution
The listed limitations are mainly felt by companies that operate complex networks, widely use Cloud services and have a large number of mobile users.
If you find yourself in this “sketch,” Datanet Systems specialists recommend adopting the Cisco Firepower NGIPS solution. This recommendation is based on the solution’s performance, acknowledged both by analysts from Gartner (Firepower NGIPS has been a leader in the Magic Quadrant for 7 consecutive years) and by those from NSS Labs. Tests of the Cisco solution have shown an effectiveness of 99.7% in blocking threats and 100% in identifying the latest types of threats and vulnerabilities.
To achieve this level of performance, Firepower NGIPS integrates several Cisco proprietary technologies, which provide it with a number of important competitive advantages.
For example, Firepower NGIPS is updated with new IPS rules and threat signatures every two hours, using the Talos Security Intelligence service, which operates the world’s largest threat detection network. Talos analyzes 600 billion emails, over 1 billion web requests and about 1.5 million malware “samples” daily to identify the latest threats and vulnerabilities. Thus, from the start, you benefit from an early warning system that provides you with up-to-date information on the latest threats.
However, this is not the only information that the Cisco solution uses. Firepower NGIPS collects and analyzes real-time contextual data from the network, which includes information about applications, users, equipment, operating systems, files and their behavior in the network, vulnerabilities, traffic flows, ports, etc. All of this contextual data can help you define, with the help of Datanet specialists, your own IPS rules, customized to your organization’s specific needs, in addition to the 30,000 IPS rules that Cisco’s solution uses to identify and block network traffic that attempts to exploit an existing vulnerability.
By applying IPS rules, Firepower NGIPS can provide immediate, temporary protection for systems that are not yet patched or that cannot be patched. The Cisco solution cannot replace patching, but IPS rules can be used to create so-called “virtual patches”, which are simple and fast to implement, efficient and do not require many resources.
Automatic protection measures
Another important gain ensured by Firepower NGIPS is the automation of protection measures, which increases operational efficiency by prioritizing the real threats and automatically delivering policy recommendations based on the vulnerabilities identified. Basically, the intrusion attempts detected are automatically correlated with the vulnerabilities detected in the network, and alerts are issued for the attacks that have a realistic chance of success, which allows you to focus your efforts on the events that matter.
At the same time, the network’s weaknesses are automatically detected and analyzed, and security policy recommendations to remedy them are also generated automatically. This way you can dynamically adapt to all changes in the network and have a permanent protection system adapted to the specific conditions of your company.
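To illustrate the kind of correlation described above, here is an added example (not Cisco’s code and not Firepower’s actual algorithm) that ranks intrusion events by checking each one against a constructed inventory of target hosts: open ports, operating system and known vulnerabilities. The rule identifiers, hosts, vulnerability labels and the four-level impact scale are all assumptions made up for the example.

```python
from dataclasses import dataclass

# Constructed data model: what an IPS would know from passive network
# discovery (hosts) and from its own rule metadata (rules).
@dataclass
class Host:
    ip: str
    os: str
    open_ports: set
    vulns: set          # vulnerability labels found on this host (constructed)

@dataclass
class Rule:
    sid: int            # rule id (constructed, not a real signature id)
    target_os: set      # OS families the exploit applies to
    vulns: set          # vulnerability labels whose exploitation the rule detects

@dataclass
class Event:
    sid: int
    dst: str
    dst_port: int

# Constructed impact scale: 1 = target is known vulnerable, 2 = target is
# potentially vulnerable, 3 = target is not vulnerable, 4 = target unknown.
IMPACT_LABELS = {1: "vulnerable", 2: "potentially vulnerable",
                 3: "not vulnerable", 4: "unknown target"}

def impact(event, rule, hosts):
    """Correlate one intrusion event with the host inventory."""
    host = hosts.get(event.dst)
    if host is None:
        return 4                                   # no context at all
    if event.dst_port not in host.open_ports or host.os not in rule.target_os:
        return 3                                   # nothing listening / wrong OS
    if rule.vulns & host.vulns:
        return 1                                   # exploit matches a known hole
    return 2                                       # service exposed, no scan data

def prioritize(events, rules, hosts):
    """Return (level, label, sid, dst) tuples, most urgent first."""
    scored = sorted(events, key=lambda e: impact(e, rules[e.sid], hosts))
    return [(impact(e, rules[e.sid], hosts), IMPACT_LABELS[impact(e, rules[e.sid], hosts)],
             e.sid, e.dst) for e in scored]

def demo():
    # Constructed inventory and events; 203.0.113.0/24 is a documentation range.
    hosts = {"10.0.0.5": Host("10.0.0.5", "windows", {445, 3389}, {"VULN-A"}),
             "10.0.0.7": Host("10.0.0.7", "linux", {22, 80}, set())}
    rules = {1000001: Rule(1000001, {"windows"}, {"VULN-A"}),
             1000002: Rule(1000002, {"linux"}, {"VULN-B"})}
    events = [Event(1000002, "10.0.0.7", 80), Event(1000001, "10.0.0.7", 445),
              Event(1000001, "10.0.0.5", 445), Event(1000002, "10.0.0.99", 80)]
    return prioritize(events, rules, hosts)
```

Running demo() puts the event against the host that actually carries VULN-A first and the event against an unknown host last, which is the triage order an analyst wants.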
In addition, Firepower NGIPS permanently monitors IoC (Indicators of Compromise) throughout the entire network, facilitating the detection of compromised equipment by correlating specific information from multiple sources.
Last but not least, the Cisco solution also offers advanced URL filtering options (control over 80 domain categories and coverage of over 300 million unwanted URLs), which helps you improve your organization’s security and compliance level.
An “All in One” product
By using Firepower NGIPS you also benefit from other Cisco solutions with confirmed performance. For example, Advanced Malware Protection (AMP), which is fully integrated into Cisco’s NGIPS solution.
Cisco AMP for Networks (the version specifically designed for use on network security devices such as NGIPS and NGFW) detects and eliminates sophisticated threats that use evasion techniques and are not detected by traditional security systems. Through it, Firepower NGIPS also gives you advanced sandboxing capabilities (in the Cloud or on-premises), a threat scoring system and file behavior analysis, which can prove valuable against unknown threats and Zero-day attacks. Last but not least, with the help of AMP you can also act retrospectively, as the solution issues alerts as soon as a new threat has been detected in your infrastructure, even if the initial analysis allowed the malware to get in.
Cisco’s NGIPS solution is centrally managed through the Firepower Management Center, which provides a single point for gathering security event information and managing policy across all NGIPS, NGFW and AMP deployments. You thus benefit from extended visibility on security throughout the organization and protection at all points of the network, with a reduced management effort.
Capitalization through integration
Datanet Systems specialists can help you select the Firepower NGIPS solution that suits your organization’s needs. Cisco’s offer includes several models of equipment, built to cover a wide range of requirements, as well as a virtual version.
We can ensure rapid deployment of the solution, without major hardware changes to your infrastructure, as well as integration into hybrid architectures, leveraging the fact that Firepower NGIPS provides native support for Azure, AWS, VMware and other hypervisors.
Our specialists can help you integrate Firepower NGIPS with other Cisco solutions to achieve a higher level of protection. For example, by integrating with Cisco Identity Services Engine, threats detected by Firepower NGIPS can generate automated remedial actions (quarantine, access blocking, etc.) performed by ISE.
Also, using OpenAppID, we can help you define the applications you want to monitor through Firepower NGIPS, the Cisco solution providing visibility and control over how more than 4,000 applications are accessed and used.
These are just some of the practical ways in which Datanet Systems can help you leverage the NGIPS Firepower solution and improve cybersecurity throughout your organization. If you would like to know more details, please do not hesitate to contact us.