A recent report by the Economist Intelligence Unit indicates that many organizations lack confidence in their intrusion detection and response procedures. Specific concerns include rapid detection of new incidents, particularly involving advanced threats, and handling of accidental incidents involving employees.
Increasingly, unified threat management (UTM) products are supporting new and sophisticated prevention and detection features that can be used to help address these concerns. This tip outlines these emerging UTM features and explains how an organization can take advantage of them to prevent intrusions from succeeding and to speed the detection of incidents that may occur.
Data loss prevention
Data loss prevention (DLP) technologies specialize in detecting and blocking attempts to exfiltrate sensitive data from within an organization to external locations. Examples of sensitive data that DLP can protect include social security numbers, credit card numbers, medical records and intellectual property. Although many people think of DLP as a text-based technology, focused on email messages and word processing documents, it also has the capability to analyze audio, video and other non-text forms of files.
UTM, therefore, is a natural place to deploy a DLP technology to study the contents of outbound traffic and be sure that network-based exfiltration, whether intentional or accidental, is prevented.
To do this, first configure DLP in a test mode, so that it records but does not block suspicious activity. This way, the security team has the opportunity to refine the DLP rule sets without inadvertently blocking benign traffic. Once the DLP has been tuned, it can be switched to regular mode so it will block suspicious traffic.
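As an added illustration of the test-then-block rollout described above (example code written for this tip, not from the article or any UTM vendor), here is a small outbound-content inspector with hypothetical SSN and payment-card rules. The Luhn check is the kind of rule tuning that keeps an arbitrary 16-digit number from being flagged, and the mode switch is what moves the rule set from recording to blocking.

```python
import re
from dataclasses import dataclass, field

# Hypothetical DLP rule set (constructed for this example): a US SSN pattern
# and a 16-digit payment-card pattern that tolerates space or dash separators.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects 16-digit strings that cannot be card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[str]:
    """Return rule hits for one message body; card hits keep only the last four digits."""
    hits = [f"ssn:{m.group()}" for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):     # tuning step: drop 16-digit numbers that fail Luhn
            hits.append(f"card:{digits[-4:]}")
    return hits


@dataclass
class OutboundDLP:
    # "test" records matches but lets traffic through; "block" also drops it.
    mode: str = "test"
    log: list[str] = field(default_factory=list)

    def inspect(self, dst: str, body: str) -> str:
        """Inspect one outbound message and return the action taken."""
        hits = find_sensitive(body)
        if not hits:
            return "allow"
        action = "block" if self.mode == "block" else "allow"
        self.log.append(f"dst={dst} action={action} hits={','.join(hits)}")
        return action


if __name__ == "__main__":
    dlp = OutboundDLP(mode="test")   # constructed sample traffic below
    dlp.inspect("mail.example.net", "Invoice card 4111 1111 1111 1111 due")
    dlp.inspect("mail.example.net", "ticket 1234 5678 9012 3456")
    print("\n".join(dlp.log))
```

Reviewing the log produced in test mode is the tuning loop the tip describes; only after the recorded hits look right is the mode set to "block".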
Cloud-based sandboxing
Certain vendors' UTM products can work in collaboration with a cloud-based sandboxing service. If an organization's UTM sees an executable attempting to pass through it that it deems suspicious, the UTM can temporarily suspend transmission of that executable and forward a copy to the cloud-based sandbox for further evaluation. The sandbox provides a safe, isolated environment for running the executable and analyzing its behavior so the UTM can decide whether to allow or deny the executable.
Using a cloud-based sandboxing service is invaluable for identifying advanced and emerging malware, particularly if the UTM is positioned to monitor traffic attempting to enter the organization's networks. However, some organizations have policies that prohibit transmitting any executable files via email and other mechanisms. In environments where unauthorized executables are already blocked, using cloud-based sandboxing will waste resources without providing more security.
Quality of Service enforcement
Another feature some UTM products offer is Quality of Service (QoS) enforcement. This allows some or all network services passing through the UTM to have their bandwidth managed so that no one service consumes too much of the UTM's bandwidth. QoS enforcement can be effective at limiting the impact of some distributed denial of service (DDoS) attacks; for example, a DDoS attack against a Web server that the UTM protects would be less likely to negatively affect the bandwidth used by other servers and systems the UTM also protects.
Organizations should strongly consider monitoring network usage before activating QoS enforcement. This should be helpful in ensuring that the QoS thresholds that are set take actual usage needs into account. Otherwise traffic critical to the organization might inadvertently be slowed or stopped altogether due to bandwidth limitations.
UTM products are increasingly good at detecting and stopping advanced threats that target an organization's systems. Organizations that lack confidence in their ability to handle advanced threats should strongly consider acquiring new UTM products or activating new features in their existing UTM products to improve their intrusion detection capabilities and prevent many incidents.