How to use RSA keywords to view the application of threat intelligence to NGFW Products

Source: Internet
Author: User

RSA 2016 has just concluded at the Moscone Center in San Francisco. As the bellwether of the information security industry, this year's RSA Conference discussed the industry's development trends under the theme "Connect to Protect".

Interpreting the key words of this year's RSA Conference

How should this somewhat unusual theme be interpreted? One way is to look at the keynote entitled "Sleep" delivered by Amit Yoran, president of the RSA Conference. Amit argues that "security defense is a failed strategy"; in the future, the industry should invest more in security detection technology. Threat intelligence, as an important means of improving detection capability, naturally becomes more important as a result. Judging by the buzzwords exhibitors used most often when introducing their products, this year everyone seemed more willing to associate threat intelligence with "Detection" and "Response".

(Photo: Amit Yoran, president of the RSA Conference)

In this regard, domestic security insiders read "Connect" through a buzzword already popular in China: interconnection, as in "cloud, pipe and device interconnected, security made visible". Specifically, the powerful data mining and association capabilities of cloud computing are used to analyze, globally, the security logs uploaded by devices deployed at the "device" (endpoint) and "pipe" (network pipeline, or more generally the network boundary) layers, in order to model and analyze abnormal behavior. This gives the security protection system global visibility. Visibility here means using the massive threat intelligence generated in the cloud to identify the state of network threats, especially the advanced threats that are invisible to the isolated "island" devices of a traditional security architecture. Highly intelligent use of cloud threat intelligence and big data to identify increasingly complex threats has become a recognized direction of technology development in the industry.

In the NGFW product category, threat intelligence is nothing new. As early as 2014, the white paper "China's Next Generation Firewall Development Trends Research", jointly published by the well-known market research firm IDC and wangkang, proposed that an NGFW must have five core elements to defend against new security threats, one of them being external security intelligence: "The local computing performance and detection capability of a firewall are always limited. An NGFW should be able to interact with external cloud computing, so that big data analysis technology can be used to cope with unknown threats not covered by the threat signature library." The concept is simple and easy to understand. However, actually implementing threat intelligence on NGFW products, while it does not require enduring the eighty-one trials of the Journey to the West, still means clearing three difficult hurdles.

Three barriers that impede the implementation of threat intelligence on NGFW

1. Intelligence source

One of the foundations of threat intelligence is big data analysis, and big data hinges on the word "big": it must be supported by a wealth of raw data.

In this regard, the Internet enterprises that have emerged in recent years have an inherent advantage: large Internet companies can use hundreds of millions of endpoints as probe devices to collect big data, and their billions of virus samples, DNS resolution records and other data sources are unmatched by traditional security companies.

However, traditional security enterprises are not without advantages in data collection. They rely mainly on NGFW and other security devices to collect big data, and through monitoring, defense and data mining they can generate threat intelligence that is more accurate, timely and applicable.

In the long run, the general trend is for vendors to complement each other's strengths and weaknesses. The linkage between NGFW and cloud threat intelligence will become a point of fit between traditional security vendors and Internet companies. For example, wangkang's NGFW has incorporated a large amount of 360 threat intelligence, greatly improving the accuracy and timeliness of threat detection. In turn, thousands of wangkang NGFW probe devices distributed across the country can feed the security log data they collect back into 360's threat intelligence libraries.

2. Data integration barriers

Vendors still differ considerably in how they understand threat intelligence, and that understanding may be incomplete or inaccurate. For example, some vendors treat IP address blacklists, malicious URL lists, malware hash lists, virus signatures, IPS signature rules and the like as threat intelligence, while others hold that only information which meets certain standards, is easy to share and is easy for programs to act on deserves the name.

This means that it is not easy for any vendor to integrate threat intelligence from multiple platform sources. Even when integration is achieved, the data sources will inevitably contain a large amount of noise.

This requires that when an NGFW introduces external threat intelligence, it must be able to perform secondary extraction from the raw data on top of big data collection, establish various types of indicators such as basic indicators and application-layer indicators, and then, based on association analysis between indicators and the change of each indicator over time, build a credibility evaluation mechanism through big data analysis to detect the information security situation. Otherwise the data remains mere data and never becomes threat intelligence. In short, threat intelligence derived from big data looks attractive but is not easy to use on an NGFW. Only vendors with secondary data processing, analysis and modeling capabilities can turn data into threat intelligence that is valuable to an NGFW.
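As an added illustration of the secondary extraction and credibility scoring described above (example code written for this article, not from any vendor named here): it folds constructed sample feeds of different shapes into one record per indicator, scores each by how many weighted sources corroborate it and how recently it was seen, and keeps only indicators above a threshold for an NGFW blocklist. The feed names, source weights, half-life and threshold are assumptions.

```python
"""Constructed example: merge raw indicator feeds and score their credibility."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible

# Constructed sample feeds (assumed names and weights); each row is (value, type, last_seen).
FEEDS = {
    "ip_blacklist": {"weight": 0.5, "items": [
        ("198.51.100.7", "ipv4", NOW - timedelta(days=1)),
        ("203.0.113.9", "ipv4", NOW - timedelta(days=40))]},
    "url_feed": {"weight": 0.8, "items": [
        ("http://example.invalid/x", "url", NOW - timedelta(hours=6))]},
    "hash_feed": {"weight": 0.9, "items": [
        ("0123456789abcdef" * 2, "md5", NOW - timedelta(days=3))]},  # placeholder hash
    "partner_feed": {"weight": 0.7, "items": [
        ("198.51.100.7", "ipv4", NOW - timedelta(hours=2)),
        ("http://example.invalid/x", "url", NOW - timedelta(days=2))]},
}

@dataclass
class Indicator:
    value: str
    kind: str
    sources: dict = field(default_factory=dict)  # source name -> last seen

    def last_seen(self):
        return max(self.sources.values())

def normalize(feeds):
    """Secondary extraction: fold raw feed rows into one record per (type, value)."""
    table = {}
    for name, feed in feeds.items():
        for value, kind, seen in feed["items"]:
            key = (kind, value.strip().lower())
            rec = table.setdefault(key, Indicator(key[1], kind))
            rec.sources[name] = max(rec.sources.get(name, seen), seen)
    return table

def credibility(rec, feeds, half_life_days=14):
    """Corroboration (sum of source weights, capped at 1.0) decayed by indicator age."""
    weight = min(1.0, sum(feeds[s]["weight"] for s in rec.sources))
    age_days = (NOW - rec.last_seen()).total_seconds() / 86400
    return round(weight * 0.5 ** (age_days / half_life_days), 3)

def build_blocklist(feeds, threshold=0.5):
    """Keep only indicators credible enough to push into an NGFW policy; drop the noise."""
    kept = [(r.kind, r.value, credibility(r, feeds)) for r in normalize(feeds).values()]
    return sorted(t for t in kept if t[2] >= threshold)
```

The stale single-source IP (seen 40 days ago by one low-weight feed) falls below the threshold and is left out, while indicators confirmed by two feeds score close to 1.0.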

3. Monetization hurdle

The question is how to convert the analysis results of threat intelligence into operational security practice on the NGFW, that is, the "interconnection" mentioned above. The most practical value of threat intelligence for an NGFW is that it can form an effective security solution that improves the functionality of existing products; otherwise it is no different from "idling". At present, much threat intelligence is applied only in the cloud or on a server, which is far from enough to help users cope with security threats.

Threat intelligence is mainly used to discover problems quickly and give users a basis for rapid response. Linked with the existing NGFW defense system, it achieves rapid discovery, timely response and coordinated defense, and in this way its value is maximized: an NGFW equipped with intelligence can perceive and adjust to the network threat state in real time, greatly improving defense capability.

Summary

Compared with the past few years, threat intelligence appeared at this year's RSA exhibition in the form of increasingly mature products and solutions, reflecting the shift from traditional "defense" to a security mindset centered on "fast detection and response".

By combining the NGFW with the strongest "external brain" of threat intelligence, a system of fast identification, network-wide visibility and rapid response to security events can be built, forming a closed loop of security event handling and management. This is a successful practice of threat intelligence technology in addressing emerging security threats on the NGFW product, and a concrete interpretation of the theme "Connect to Protect".
