Highspeed Threat and Geographic Filtering with Threat Intelligence Gateways – an interview with Bandura Cyber CSO, Todd Weller


Bandura Cyber solves a variety of network security use cases for customers seeking to deploy a threat intelligence gateway. First, it can protect them by filtering 100% of all available hostile threat intelligence. I’ve found that large enterprises don’t deploy all of their threat intelligence to their firewalls because of performance impact, and small businesses don’t buy threat feeds or know how to make use of them. Second, it can prevent and report traffic to or from countries, including hostile countries and countries with which there is no business reason to be communicating. For example, Bandura Cyber offers a very low-cost solution that can block all traffic communication with Russia and that can be deployed to election infrastructure by entry-level IT staff. And third, it can act as a control plane for orchestration products or managed detection and response firms that don’t have permission to modify firewall configurations. In this blog post, I asked Bandura Cyber Chief Strategy Officer, Todd Weller, for an overview of the Threat Intelligence Gateway industry and more information about Bandura Cyber. Bandura Cyber is a Gula Tech Adventures portfolio company.
What is a Threat Intelligence Gateway and do I need one if I already have a Firewall?

Great question! Let’s start with what a Threat Intelligence Gateway (TIG) is. At its core a TIG is a network security gateway that filters inbound and outbound network traffic based on a large volume of IP and domain indicators from multiple threat intelligence sources. The TIG is making an allow or deny decision based on a combination of blacklisting, whitelisting, reputation score, GEO-IP and/or organization based on Autonomous System Number (ASN).

So, at the core we are filtering network traffic based on threat intelligence. However, to many of our customers the TIG is more like a Threat Intelligence Platform (TIP) that can take action. This is because we are providing “out of the box” access to a large volume of threat intelligence from commercial, open source, government, and industry sources. This threat intelligence is automatically updated, which is critical because of the dynamic nature of threats (i.e. an IP might be malicious now but benign in a few minutes). The threat intelligence is aggregated in a central place and the open nature of our solution enables customers to integrate additional sources of threat intelligence via standards like STIX/TAXII. Finally, we have the critical action piece. That includes prevention, detection, and automated response based on integrations with SIEM, SOAR and other security systems.

Sophisticated security organizations that are using a large volume of threat intelligence likely have a TIP and, in this case, they use the TIG to take action in an automated and scalable way that they can’t do with their firewall. Many next generation firewalls (NGFW) are significantly limited in terms of the volume of third-party threat intelligence indicators they can integrate and process for performance reasons. Even if you set this aside, managing and maintaining dynamic blacklists and reputation feeds in NGFWs is cumbersome. To validate this use case, I can share with you that we have a large healthcare company and a large energy company that use Anomali for their TIP and are using our TIG for enforcement because they couldn’t do it in their NGFWs.

Now for customers that aren’t using lots of threat intelligence it’s a bit of a different story. They don’t have the enforcement problem because they aren’t using a lot of threat intel. In this case, it’s really about educating customers that while their NGFW provides a great foundation for network protection it’s just not adequate to defend against today’s threats. The main angle here is that while NGFWs provide a lot of threat intelligence it’s their own intelligence from their sensors and customer base. Despite the footprint that large cyber vendors have, it’s still only one view of the threat landscape and a broader view based on a wide array of threat intelligence is required.

I’ll add a final point, which is that TIGs do not replace NGFWs; they complement them. TIGs don’t do deep packet inspection (DPI). What drives our ability to filter against a massive volume of IP and domain indicators is that we are looking largely at the packet header. As you know, once you go deeper into the packet this requires significant processing power. That’s evident in the performance degradation you see in an NGFW when you turn on IPS, URL filtering, etc. In many cases, the deployment of a TIG results in greater efficiency of an NGFW.

Where do you deploy Threat Intelligence Gateways?

TIGs are predominantly deployed ahead of the firewall. Here the TIG is a first line of defense blocking malicious and unwanted connections before they hit the firewall. The TIG also serves as a last line of defense blocking malicious and unwanted outbound connections that get through the firewall. Blocking these connections before they hit the firewall frees up the firewall from having to expend expensive DPI inspection cycles on known threats. Many customers also use the TIG’s GEO-IP capabilities, which also offloads this processing from the firewall.

While this is the predominant deployment, a TIG can also be deployed behind the firewall and other ingress/egress points of a network where you want to control access. Clearly, the biggest use case of the TIG is at ingress/egress points where a private network connects to the internet.

What type of customers get the most benefit from Threat Intelligence Gateways?

What is most exciting to me is that we are seeing customers of all sizes and security sophistication deploying the TIG and seeing benefits. Again, this will vary by use case.

Most of our customers are deploying the TIG as another layer of protection and they value all of the threat intelligence that comes with the solution. This adds another layer of visibility and network protection. Many of these customers also are using some level of third-party threat intelligence, which often is an industry feed from their industry sharing ISAC or ISAO. These customers find value in using the TIG to automate the management of the threat feed and the ability to take action with it to protect their network.

Larger and more sophisticated security organizations that are threat intelligence power users are predominantly integrating their own threat intelligence into the TIG. Their main problem is detecting and blocking in a scalable and automated way.

Regardless of use case, the benefits of a TIG coalesce around several areas including improved protection, reduced staff workload (threat feed management, managing and maintaining blacklists, access control lists, and firewall policies), and getting more out of existing security investments (improved firewall and DPI performance).

[Screenshot: Eastwind-example]

In the above screenshot, the impact of Bandura Cyber can be seen immediately as viewed through an Eastwind Networks (recently acquired by NetScout) console. The area circled shows how an entire class of alerts disappears after being filtered by Bandura. This type of filtering dramatically increases the efficiency of your SOC.

Which threat intelligence providers do you work with and does the Bandura Cyber TIG come out of the box with threat intelligence?

We work with a wide range of threat intelligence providers and I expect this list to grow over time. As far as what we are providing “out of the box,” we provide an IP reputation feed from Webroot, a domain blacklist powered by DomainTools, a variety of open source blacklists, government feeds like DHS’ Automated Indicator Sharing (AIS) and Cyber Information Sharing and Collaboration Program (CISCP) feeds, and we also enable easy integration of ISAC/ISAO feeds from organizations like FS-ISAC, MS-ISAC, and others. All of this comes standard. We also have a premium threat feed subscription that includes Proofpoint’s Emerging Threats IP and Domain Reputation feeds.

The Bandura Cyber TIG is a very open platform so if a customer is already using threat intelligence feeds or a TIP we can easily integrate this threat intelligence into the TIG.

Bandura Cyber also supports geographic filtering. How popular with customers is this and what sort of use cases do they provide?

The majority of our customers use our GEO-IP capabilities. While some firewalls have improved the ease of use of their GEO-IP features, many of them are still not easy to use. We also see many customers wanting to offload the GEO-IP from their firewalls to free up firewall processor cycles and to reduce the manual workload associated with list management (ACL, blacklist, etc.).

Having a solid GEO-IP policy in place is a critical first line of defense. If a country has no business being on your network then why let traffic from that country on it? We have a customer that is using Fortinet firewalls and they were having performance issues and having a tough time getting visibility into what traffic was traversing their network. They installed a Bandura Cyber TIG and quickly saw that 20% of their network traffic was from three countries that had no business being on their network. They shut that down and as a result saw the CPU utilization of their Fortinet firewalls drop to 30% from 70%.

Now GEO-IP clearly has limitations. Business is global today so it may not be practical for many businesses to block entire countries. Also, from a threat perspective, we know that many threat actors will spoof their IP addresses and that many attacks originate from IPs and domains in the U.S. This is why the threat intelligence aspect of the TIG is critical.

Another cool feature we have is our dynamic whitelisting capability. Back to the global business angle, a lot of applications today are coming from cloud and IT environments that are global. Think AWS, Microsoft, Google, Akamai, etc. Our dynamic whitelisting capability enables you to easily whitelist the domains and associated IPs from these providers. This data is automatically updated.

The Bandura Cyber TIG's connection logs are very much like enhanced flow logs: they include network connection info (ports & IPs) but also the ASN, geography and threat categorization. Normally this requires a lot of heavy lifting for customers to enrich their logs to get this data. How are customers leveraging Bandura with their SIEMs, SOARs and data lakes?

Our TIG logs every connection request and as you indicated the logs are rich with information. Many of our customers use SIEMs and/or log management solutions and are exporting the logs from Bandura Cyber TIG via syslog to those solutions. This provides them with another point of context they can correlate and analyze with logs from their other security devices. Many of these customers are also interested in bi-directional integrations so that malicious IPs and domains detected by SIEM, SOAR and other systems can be automatically blocked by our TIG. Over the next few months, you will see us integrate with many more SIEMs and SOAR systems. In many cases, SIEM and SOAR are converging (Splunk/Phantom, IBM QRadar/Resilient, etc.).

Below is an example log of a dropped packet with easily parsed fields including the ASN and country.

<30>packet_log: 2019-06-04T14:13:57.276402-0400 action=dropped, direction=inbound, group_uid=GRP_DEF_INGRESS, group="DEFAULT_INBOUND", proto=ICMP, country="UNITED STATES", as_num=36646, as_name="Yahoo", reason=ip_rep, src=98.136.97.44, dst=192.168.1.13
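The log line above is a syslog message (the <30> is the PRI, facility 3 / severity 6) followed by comma-separated key=value fields, some of them double-quoted. The following Python is an added example, not Bandura Cyber's code: it parses that format and summarizes dropped connections by country and block reason, the kind of pre-aggregation a SIEM or data lake would do. The extra sample lines are constructed; their reason codes other than ip_rep, AS names and country name are made up.

```python
import re
from collections import Counter

# The dropped-packet log line quoted on the page.
PAGE_LINE = ('<30>packet_log: 2019-06-04T14:13:57.276402-0400 action=dropped, '
             'direction=inbound, group_uid=GRP_DEF_INGRESS, group="DEFAULT_INBOUND", '
             'proto=ICMP, country="UNITED STATES", as_num=36646, as_name="Yahoo", '
             'reason=ip_rep, src=98.136.97.44, dst=192.168.1.13')

# Constructed sample lines in the same layout (not real TIG output): reason codes other
# than ip_rep, the AS/country names are made up; addresses come from documentation ranges.
SAMPLE_LINES = [
    PAGE_LINE,
    '<30>packet_log: 2019-06-04T14:14:01.000000-0400 action=dropped, direction=inbound, group_uid=GRP_DEF_INGRESS, '
    'group="DEFAULT_INBOUND", proto=TCP, country="EXAMPLELAND", as_num=64496, as_name="Example AS", reason=geo, src=203.0.113.7, dst=192.168.1.13',
    '<30>packet_log: 2019-06-04T14:14:02.000000-0400 action=dropped, direction=outbound, group_uid=GRP_DEF_EGRESS, '
    'group="DEFAULT_OUTBOUND", proto=TCP, country="EXAMPLELAND", as_num=64497, as_name="Example AS, Ltd", reason=geo, src=192.168.1.20, dst=198.51.100.9',
    '<30>packet_log: 2019-06-04T14:14:03.000000-0400 action=allowed, direction=inbound, group_uid=GRP_DEF_INGRESS, '
    'group="DEFAULT_INBOUND", proto=TCP, country="UNITED STATES", as_num=64498, as_name="Example Cloud", reason=whitelist, src=192.0.2.5, dst=192.168.1.13',
]

# Syslog PRI in angle brackets, then the app tag, the timestamp and the key=value body.
HEADER_RE = re.compile(r'^<(\d{1,3})>(\w+): (\S+) (.*)$')
# Either a double-quoted value (which may contain commas) or a bare value up to the next comma.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|[^,]*)')


def parse_line(line):
    """Return a dict of fields for one packet_log line, or None if it does not match."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group(1))
    rec = {'facility': pri // 8, 'severity': pri % 8,      # <30> = daemon.info
           'app': m.group(2), 'timestamp': m.group(3)}
    for key, raw, quoted in FIELD_RE.findall(m.group(4)):
        rec[key] = quoted if raw.startswith('"') else raw
    if 'as_num' in rec:
        rec['as_num'] = int(rec['as_num'])
    return rec


def summarize_drops(lines):
    """Count dropped connections by country and by block reason, skipping allowed traffic."""
    by_country, by_reason = Counter(), Counter()
    for rec in map(parse_line, lines):
        if rec is None or rec.get('action') != 'dropped':
            continue
        by_country[rec.get('country', 'UNKNOWN')] += 1
        by_reason[rec.get('reason', 'UNKNOWN')] += 1
    return by_country, by_reason
```

A large share of drops for one country with reason=geo is the signal behind the "20% of traffic from three countries" observation earlier in the interview; a spike in ip_rep drops from a trusted ASN is worth a look before whitelisting it.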

How can readers learn more about the Bandura Cyber TIG or try one out?

The best way to learn more is to visit our website at www.banduracyber.com. We recently published a whitepaper, An In-Depth Guide To Threat Intelligence Gateways. Trying a Bandura Cyber TIG is also easy. We offer free 30-day trials with no risk or commitment.