Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the Deep Dive. Today, we are really
focusing on one of the most critical challenges in cybersecurity.
Speaker 2 (00:06):
Yeah, protecting the perimeter exactly.
Speaker 1 (00:08):
And it's not just about, you know, putting up a
digital fence. It's about the philosophy for that exact point
where your safe internal network meets the well, the chaos
of the public Internet.
Speaker 2 (00:22):
It really is the original digital border war. I mean,
we talk a lot today about zero trust, you know,
trusting nothing even inside your network, but the perimeter is
still that primary line of defense. If you can't keep
the unknowns out, all those internal strategies become well a
lot less effective.
Speaker 1 (00:38):
And when you talk about that first line of defense,
you have to start with the firewall. But I think
it's worth taking just a second to frame why it
was even needed in the first place.
Speaker 2 (00:47):
Oh for sure.
Speaker 1 (00:48):
I mean back in the sixty seventies, when networking was
just starting, security was physical.
Speaker 2 (00:52):
It was about locks on doors, that's it. The idea
of someone electronically intruding from miles away just wasn't a concept.
Speaker 1 (00:58):
Yet we were completely flat-footed when the Internet went public.
Speaker 2 (01:01):
That's the key. The threat changed overnight from who can
get in the building to who can reach my system
from anywhere? The firewall was just a necessity. It's the
traffic cop making sure only good traffic gets in or out.
Speaker 1 (01:13):
Okay, let's unpack this. Then we're going to trace how
firewalls evolve, and I mean evolved rapidly. Then we'll look
at the modern next generation firewall and then see how
its own limits led us to things like intrusion detection
and prevention.
Speaker 2 (01:27):
Systems, the IDS and IPS. Yeah, building that truly robust,
multi layered defense.
Speaker 1 (01:32):
So when you deploy a firewall, it's that gatekeeper right
sitting right between your private network and.
Speaker 2 (01:37):
Everything else right the untrusted public space. It's a vital tool,
but it's never ever enough on its own, and.
Speaker 1 (01:44):
That takes us straight to this idea of defense in depth.
You can't just see the firewall as a panacea. Yeah, it's not.
So if an attacker gets past that first layer, what's next?
Speaker 2 (01:53):
You need more layers. That's the whole philosophy. You build
in layers of defense. Some of them are even redundant,
so that when one fails, and it will fail, it
doesn't mean a total compromise.
Speaker 1 (02:04):
The firewall is just one very powerful part of that strategy.
Speaker 2 (02:07):
An extremely powerful part.
Speaker 1 (02:08):
Yeah. So when an organization is choosing one, do they
just buy the most expensive box with the most features.
Speaker 2 (02:15):
Absolutely not, that's a huge mistake. You have to do
your due diligence.
Speaker 1 (02:19):
What does that mean in this context?
Speaker 2 (02:20):
It means aligning the firewall with your actual security goals.
If your biggest worry is a nation state attacker trying
to steal specific research data, that's a very different problem
than say, a hospital trying to prevent general ransomware attacks.
Speaker 1 (02:36):
The tool has to match the threat.
Speaker 2 (02:39):
It's non-negotiable.
Speaker 1 (02:40):
Okay, so let's track the evolution here. It's amazing how
fast this technology changed, mostly because attackers just kept finding
ways around the last version.
Speaker 2 (02:48):
It was a constant arms race.
Speaker 1 (02:50):
It started with the most basic type, right packet filtering firewalls.
Speaker 2 (02:53):
The first generation. Yeah, they basically just looked at the envelope.
They could see the source and destination IP addresses, the
port numbers, and that was it.
Speaker 1 (03:03):
So they lacked any kind of context.
Speaker 2 (03:05):
Zero context. It could block all traffic to a specific
web server port, but if it allowed a connection through,
it had no idea if that connection was legitimate or malicious.
Speaker 1 (03:15):
Attackers must have blown right past.
Speaker 2 (03:16):
That immediately, which led to the next major leap, really
the third generation stateful inspection.
Speaker 1 (03:26):
And this was a game changer.
Speaker 2 (03:27):
A total game changer. A stateful firewall remembers the context
of the conversation. It knows who started it.
Speaker 1 (03:34):
So if I, from inside the network ask for.
Speaker 2 (03:37):
A web page, the firewall remembers that request, and when
the web page traffic comes back, it says, ah, I
was expecting you, and lets it through.
Speaker 1 (03:44):
Which means an attacker can't just send random data to
an open port anymore exactly.
Speaker 2 (03:48):
It forces them to get much more sophisticated.
Speaker 1 (03:50):
And then eventually we move all the way up the
stack to layer seven with the application level firewall.
Speaker 2 (03:55):
Right filtering based on the specific service. But they were complex.
You often needed a whole separate system for each application.
Speaker 1 (04:01):
That sounds like a management nightmare.
Speaker 2 (04:03):
It was, and that complexity is really what drove the
market to where we are today with the next generation firewall,
the NGFW.
Speaker 1 (04:11):
What's so fascinating here is that the NGFW isn't just
another step. It's more of a consolidation.
Speaker 2 (04:16):
That's a perfect way to put it. It takes all
those previous features packet filtering, stateful inspection, and then adds
in a whole suite of new.
Speaker 1 (04:24):
Tools like built in IDS and IPS, anti malware, and.
Speaker 2 (04:28):
The really big one, Deep packet inspection or DPI.
Speaker 1 (04:32):
Okay, let's talk about DPI. This is where the firewall
stops looking at just the envelope and actually opens it
up to read the letter inside.
Speaker 2 (04:39):
Right precisely, it analyzes the content, the actual payload inside
the packet, and coupled with another feature the TLS proxy,
it can even do that for encrypted traffic.
Speaker 1 (04:49):
Wait, it can decrypt secure traffic, inspect it, and then
re encrypt it? Yep.
Speaker 2 (04:53):
Which gives administrators incredible visibility.
Speaker 1 (04:56):
But I have to imagine there's a huge trade off here.
All that inspection, especially decryption, that has to create a
massive performance bottleneck, doesn't it?
Speaker 2 (05:04):
It does, and that is the central strategic question every
single organization has to answer.
Speaker 1 (05:09):
Is the visibility worth the speed hit?
Speaker 2 (05:12):
Exactly. You gain this crucial ability to spot malware hiding
in encrypted channels, which is fantastic for security, but the
processing overhead is huge. You have to buy hardware
that can handle that load, or you risk grinding your
network to a halt.
Speaker 1 (05:26):
Okay, so the firewall is our gatekeeper, our first line
of defense. But even the best NGFW is still just
following rules. It blocks or allows.
Speaker 2 (05:36):
It's fundamentally reactive.
Speaker 1 (05:37):
Yes, we need something that's actively looking at the traffic
that does get through that gate, and that brings us
to detection and prevention exactly.
Speaker 2 (05:45):
The firewall is necessary, but it's not sufficient. That's where
an IDS comes in. An intrusion detection system.
Speaker 1 (05:52):
So what's its job.
Speaker 2 (05:53):
Its job is to scan for malicious traffic the firewall
might have missed or that it allowed based on its rules.
But, and this is key, it's designed to be purely.
Speaker 1 (06:02):
Passive, meaning it just tells you there's a problem.
Speaker 2 (06:05):
It sends an alert, an email, a text, a pop
up on a monitoring screen. An administrator then has to
see that alert, investigate and decide what.
Speaker 1 (06:12):
To do, which I imagine could take time, too.
Speaker 2 (06:15):
Much time in many cases. And that's the natural evolution
to the IPS, the intrusion prevention system. It turns passive
detection into active defense.
Speaker 1 (06:23):
So an IPS doesn't just send an alert, it does something.
Speaker 2 (06:27):
Yes, it can take direct automated action on the network.
For example, well, let's say a botnet starts a DDoS
attack against one of your servers with a flood of
ICMP traffic. An IPS can see that happening and instantly
shut down the compromised port or block that specific type
of traffic. It mitigates the damage in real time, no
(06:48):
human intervention needed.
Speaker 1 (06:49):
Okay, that automated response sounds like the perfect solution. Yeah,
but I've heard it called a double edged sword. What's
the risk here?
Speaker 2 (06:56):
The risk is all in the configuration. If your sensitivity
thresholds are set too high, or the rules are just misconfigured,
an attacker can sometimes turn the IPS against you.
Speaker 1 (07:05):
How'd that work?
Speaker 2 (07:06):
Imagine an attacker discovers that sending a very specific, slightly
malformed packet will trigger your IPS to shut down a critical.
Speaker 1 (07:14):
Port like the port for your company's main website.
Speaker 2 (07:17):
Exactly. They can effectively weaponize your own defense system to
launch a denial of service attack against you. It's why
following manufacturer best practices isn't just a suggestion.
Speaker 1 (07:28):
It's critical, and managing these complex systems is a huge job,
especially for smaller teams, which is leading a lot of
them to Security as a Service, SECaaS.
Speaker 2 (07:37):
It's very common. You basically outsource the management of your
IDS and IPS to a cloud provider. It gives smaller
companies access to world class expertise they couldn't afford to hire.
Speaker 1 (07:48):
But when you outsource, you're creating a dependency. You need
strong service level agreements, the SLAs.
Speaker 2 (07:54):
Of course, absolutely, with financial penalties if possible.
Speaker 1 (07:58):
But how do you make sure your own internal team
doesn't lose all their skills? I mean, what if that
provider relationship ends? You don't want to be left completely helpless.
Speaker 2 (08:06):
That is a major strategic risk you have to manage.
You have to insist on read only access to their
monitoring tools. You need regular detailed reports. You basically ensure
knowledge transfer is part of the contract so your own
team's expertise doesn't just fade away.
Speaker 1 (08:20):
Okay, so let's connect this to the bigger picture architecture. Yeah,
how do you decide where to even put these systems?
You've got host based versus network.
Speaker 2 (08:29):
Based, correct. So HIDS or HIPS, that's host based, is
all about protecting one single system, like a super critical server.
Exactly, your main database server that holds all the confidential
client data. You put HIPS on that specific machine. It's
expensive because you're licensing it per system, but for your
crown jewels, it's worth it.
Speaker 1 (08:51):
And the alternative is NIDS or NIPS network.
Speaker 2 (08:54):
Based, right, and that's about protecting the network holistically. It's
looking at general traffic. It's monitoring routers and switches and
sending all that data to a central log monitor. It's
cheaper and it gives you that broad general protection.
Speaker 1 (09:07):
So you do a risk assessment to figure out where
you need that concentrated, more expensive host based protection.
Speaker 2 (09:12):
Always you put your strongest defenses where your most valuable
assets are.
Speaker 1 (09:17):
Finally, let's get into how these systems actually find threats.
The detection methods. There are two main flavors, right, signature based
and heuristics based? Yep.
Speaker 2 (09:26):
And most modern systems will actually try to use a
combination of both.
Speaker 1 (09:29):
So what's signature based?
Speaker 2 (09:31):
Signature based is like having a database of criminal mugshots.
It uses patterns or signatures from known malware and known attacks.
It compares all the traffic against that database, and if
it finds a match, it blocks it.
Speaker 1 (09:44):
It's fast, it's efficient, but it can only catch things
it already knows about.
Speaker 2 (09:49):
Precisely, it can only catch known criminals. It has no
way of stopping a brand new attack.
Speaker 1 (09:54):
And that is where heuristics comes in.
Speaker 2 (09:56):
Exactly. A heuristics based system isn't looking for known threats yet,
it's looking for anomalous behavior.
Speaker 1 (10:03):
How does it know it's anomalous.
Speaker 2 (10:04):
You have to establish a baseline first. You let the
system watch your network during normal operation to learn what
normal looks like. Then it uses machine learning to compare
current traffic against that baseline.
Speaker 1 (10:15):
So if something deviates too far from normal.
Speaker 2 (10:18):
It flags it as a potential threat, even if it's
a piece of malware that has never been seen before.
That's how you get protection against those brand new zero
day attacks.
Speaker 1 (10:26):
The trade off I assume is false positives.
Speaker 2 (10:29):
A lot more false positives, yeah, because you're flagging unusual behavior,
not a specific piece of code. So it creates more
work for your security team to investigate those alerts. But
that capability is absolutely essential today.
Speaker 1 (10:41):
So this deep dive has really shown that we've had
to move so far beyond simple filters. A modern perimeter
needs that defense in depth strategy. You need the NGFW
doing the heavy lifting on filtering, but then you need
that integrated IDS and IPS providing real time detection and prevention.
Speaker 2 (10:59):
And it has to be based on a mix of
those known signatures and the behavioral heuristics you need.
Speaker 1 (11:04):
Both, and that strategic alignment is everything, isn't it.
Speaker 2 (11:07):
At the end of the day, That's what it all
comes down to. Every choice, whether to take the performance
hit for DPI, whether to use host based or network
based systems, your detection style, it all has to flow
directly from the unique risks and threats your organization actually faces.
Speaker 1 (11:21):
That leaves us with one final thought for you to consider.
Imagine a massive coordinated botnet attack. It's leveraging a brand new,
never before seen vulnerability. No security company in the world
has a signature for it yet. Which detection style, signature
based or heuristics based, would be more likely to successfully
mitigate that initial threat? And why? That's your homework. Thanks
(11:42):
for joining us.