Despite bold claims and billions of dollars invested, legacy protections like traditional and next-generation firewalls, intrusion prevention systems, anti-virus, and Web gateways no longer stop advanced malware or targeted APT attacks. These systems rely too heavily on signatures, known patterns of misbehavior, and reputation to be effective at accurately identifying and blocking advanced targeted attacks. This leaves a gaping hole in network defenses that remain vulnerable to today's new breed of cyber attacks.
In the following pages, we review how each technology has been victimized and bypassed by today's cyber attacks.
Next-generation firewalls (NGFWs) have proven to be incapable of stopping advanced malware and targeted attacks. While NGFWs typically take a more application-centric approach to traffic classification, they neither detect nor block the new breed of advanced attacks such as zero-day, targeted attacks or advanced persistent threat (APT) attacks.
At their core, NGFWs' anti-malware technologies rely on traditional anti-virus and IPS signatures, reputation analysis, and URL blacklists. These approaches are reactive and have proven incapable of stopping advanced threats. With more than 286 million new malware variants surfacing in 2010 alone, it is no wonder NGFWs, like traditional firewalls, fall short when it comes to next-generation threats.
NGFW vendors have tacitly conceded this point and are now augmenting their products with cloud-based analysis of binaries and DLLs and "rapid" hourly updates of the firewall signature set.
Fundamentally, cloud-based analysis does not provide advanced malware protection.
Does not stop Web page attacks
NGFW cloud-based analysis does not analyze document and file formats for malware (PDFs, Microsoft documents, image formats) used to exploit application vulnerabilities.
Does not stop email-based attacks
NGFW cloud-based analysis does not analyze emails for malware, so it cannot stop spear phishing attacks. Spear phishing is a primary mechanism used in targeted APT attacks.
Cannot address encrypted binaries
NGFW cloud-based analysis is based on the premise that malware binaries will be transmitted in the clear and that there is no need to detect the exploit phase that actually initiates a binary download.
Too slow and reactive
Hourly updates of attack signatures are too slow even if they manage to detect a new attack binary. FireEye research has found that 90% of binaries morph within one hour and initiate callbacks within minutes of compromise to download further malware infections.