Ever since the internet was in its infancy, criminals have been trying to penetrate our networks and computers, often without us even being aware of this. The reports do not lie. Year after year, the impact of attacks, malware incidents and other malicious cyber activities has been growing. In 2009, businesses in the US carelessly lost 21 million dollars; by 2019, that figure had already risen to 105 million dollars. Consequently, vendors of security services and products have become engaged in a bitter arms race. Until now, there has been only one adequate way of keeping cyber criminals at bay: by studying their techniques and strategies as well as possible and acting on the findings. The more thoroughly you did that, the safer your networks.
But this approach is not working anymore. Hackers are becoming more and more professional. We no longer have script kiddies targeting our networks, but real IT pros available for hire by either criminal organisations or intelligence agencies. Are they worth the money? Absolutely! It is estimated that hackers raked in no less than a billion dollars worldwide in 2018. To make matters worse, new encryption protocols (DNSoH and TLSv1.3) are weakening existing network security mechanisms (web filtering, intrusion detection and network anti-malware solutions, etc.). While these protocols make user communication more confidential, at the same time they obstruct the security mechanisms that read the network packages, so gaps arise. As hackers make good use of these, their attacks are becoming increasingly targeted.
At Dstny, we are well aware that this arms race is raging with full intensity. Criminals are working feverishly to come up with higher ladders and ways to breach our thick firewalls. So, there is no other option but to keep on making these walls thicker and stronger. But we know better than anyone that we will not achieve our goal with decryption and TLS and DNS analysis alone. We need to tap into alternative ways to keep our networks secure:
First and foremost, using our common sense and strengthening existing preventive security measures, such as strong authentication and the separation of rights from permissions;
Investing more in endpoint security because these mechanisms work on the operating system (and no network decoding is required for this);
Exploring products that use artificial intelligence to identify anomalies in network behaviour (network decryption is not required for this either). As IPS and other mechanisms that inspect network content become less efficient, this is the way to compensate for that decline.
One of the most effective network security solutions is the next-generation firewall (NGFW) from Palo Alto. The latter was certainly not the first company to offer firewalls, but it did emerge as a powerhouse in the market. Palo Alto was also the first security player to implement what is known as user and application awareness, in other words the ability to create filter rules based on user identity and application name (instead of IP addresses and TCP/UDP ports). This application has drastically changed the manner in which we design a firewall policy. What is more, Palo Alto was the first company to combine a sandbox with a firewall. A sandbox is a kind of quarantine area where you can perform an in-depth file analysis; if the object has been infected with malware, there is a high chance that you will detect this, even if it is zero-day malware. And even more importantly, the infection only affects the virtual environment of the sandbox, which is simply destroyed after the analysis; the rest of the network remains intact. In short, Palo Alto has made firewalls higher, thicker and, above all, smarter in recent years.
Even today, Palo Alto continues to set the pace in the market. It is the first supplier of next-generation firewalls to have combined artificial intelligence with both a firewall and its own endpoint product, most notably the anti-malware platform Cortex XDR. This detects suspicious behaviour, such as the injection of executable code into memory segments. It also collects all potential security breaches from the company’s firewall platforms and endpoint agents and brings them together. A statistical analysis of events and mechanisms that enrich the data allows us to send out relevant alerts based on user behaviour. At the same time, this enables us to exclude most false positives, which are an absolute nightmare for security administrators. The alerts themselves are also contextualised: We know the username and process ID of whomever is behind the suspicious action; we know when it happened thanks to a time stamp; we know the exact machine, the IP address and also the location; and we know the sequence and description of the suspicious incidents. This means that we can make a more targeted diagnosis and also propose more targeted recovery operations. We do not need to rely as much on decrypting traffic to detect attacks and malware.
Thanks to Palo Alto, the future looks a lot less frightening for security engineers. Obviously, the arms race is far from over, but the wall is higher and thicker, for the foreseeable future at least.
