Syndicated

There’s a lot of pressure on CISOs to button up their networks to make them impervious to breaches. That’s a mission impossible, of course. But it can lead to infosec pros looking for the perfect appliance that solves everything — like a next-generation firewall.

But in a blog post, U.S. security consultant Kevin Beaver reminds IT departments that NGFWs might not be the right solution for every environment, despite the advantage of being application-aware devices.

In particular, he urges security pros to ask the following questions:

  • Is integrating multiple security controls into one system going to create more of a single point of failure? What about network performance issues?
  • Are each of the individual security controls (i.e., application-layer and malware protection) truly what you need? If so, are they good enough to address the threats and vulnerabilities your business faces given your environment and its unique circumstances?
  • Are the monitoring and reporting features adequate for your real-time needs? What about for compliance and auditing?
  • How will these features help reduce your known risks?
  • How does your vendor’s support measure up? Do you feel comfortable that they’ll be there when the going gets rough? Are they forthcoming with information and quick to patch their own security flaws?

“The potential for risk investing in next-generation firewalls certainly exists — i.e., spending good money on something you didn’t need, especially when other common security basics haven’t yet been addressed,” he writes. “If you’re going to go down the path of next-generation firewalls, ask yourself — and especially prospective vendors — the hard questions.”


  • Ulf Mattsson

    I agree about the “pressure on CISOs to button up their networks to make them impervious to breaches. That’s a mission impossible, of course.” According to a study by Ponemon Institute related to the recent spate of high-profile cyber attacks, database security was recommended by 49% of respondents, but the study found that organizations continue to allocate the bulk of their budget (40%) to network security and only 19% to database security. Ponemon concluded that “This is often because organizations have traditionally spent money on network security and so it is earmarked in the budget and requires no further justification.”

    These are great questions, “Are each of the individual security controls (i.e., application-layer and malware protection) truly what you need?” and “Are the monitoring and reporting features adequate.” We know that less than 14% of breaches are detected by internal security tools according to the annual international breach investigations report from Verizon.

    I found great advice in a Gartner report covering enterprise and cloud that analyzed solutions for Data Protection and Data Access Governance; the title of the report is “Market Guide for Data-Centric Audit and Protection.” I recently read another interesting Gartner report, “Big Data Needs a Data-Centric Security Focus,” concluding, “In order to avoid security chaos, Chief Information Security Officers (CISOs) need to approach big data through a data-centric approach.”

    These are great questions, “What about for compliance and auditing?” and “How will these features help reduce your known risks?” Aberdeen Group reported in a very interesting study with the title “Tokenization Gets Traction” that tokenization users had 50% fewer security-related incidents than non-users and 47% of respondents are using tokenization for something other than cardholder data.

    Aberdeen also has seen a steady increase in enterprise use of tokenization as an alternative to encryption for protecting sensitive data. Tokenization will also reduce requirements for auditing and reporting according to PCI DSS since the data will be neutralized across many systems.

    We are seeing a number of common issues across recent data breaches, stealing our most sensitive data, and I think it is time to re-think our security approach and be more data-centric.

    Ulf Mattsson, CTO Protegrity
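The comment above contrasts tokenization with encryption as a way to keep sensitive data out of the systems that merely need a reference to it. The following is an added illustration, not code from the article, the commenter or Protegrity: a minimal vault-based tokenizer for card numbers (PANs) in which the vault holds the only copy of the PAN, each PAN maps to one random token whose last four digits are preserved for display, and an audit helper checks that the downstream order records contain no raw PAN. The class and function names, the HMAC lookup key and the sample orders are all constructed for this example; a production token vault would add persistence, access control and key management that are out of scope here.

```python
"""Vault-based tokenization of card numbers (PANs), with the token's last four
digits preserved so downstream systems can still display or match on them.
Added example; names, keys and sample data are constructed."""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List


class TokenVault:
    """Maps each PAN to one random token and keeps the only copy of the PAN.

    Lookups use an HMAC fingerprint of the PAN (so the same card always gets
    the same token) without storing the PAN in the lookup index itself.
    """

    def __init__(self, lookup_key: bytes) -> None:
        self._key = lookup_key                      # constructed secret for the HMAC index
        self._token_by_fingerprint: Dict[str, str] = {}
        self._pan_by_token: Dict[str, str] = {}     # the vault proper: token -> PAN

    def _fingerprint(self, pan: str) -> str:
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the token for a PAN, creating one on first sight."""
        digits = pan.replace(" ", "").replace("-", "")
        if not digits.isdigit() or not 13 <= len(digits) <= 19:
            raise ValueError("not a plausible PAN")
        fp = self._fingerprint(digits)
        existing = self._token_by_fingerprint.get(fp)
        if existing is not None:
            return existing
        # Random digits for everything but the last four; redraw on the
        # (astronomically unlikely) collision with an existing token or the PAN.
        while True:
            body = "".join(secrets.choice(string.digits) for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            if token != digits and token not in self._pan_by_token:
                break
        self._token_by_fingerprint[fp] = token
        self._pan_by_token[token] = digits
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN."""
        return self._pan_by_token[token]


# Constructed sample orders; 4111 1111 1111 1111 is a widely used test PAN.
SAMPLE_ORDERS: List[Dict[str, str]] = [
    {"order_id": "1001", "pan": "4111 1111 1111 1111", "amount": "19.99"},
    {"order_id": "1002", "pan": "5500 0000 0000 0004", "amount": "5.00"},
    {"order_id": "1003", "pan": "4111 1111 1111 1111", "amount": "42.50"},
]


def tokenize_orders(vault: TokenVault, orders: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """What the order system stores: the token in place of the PAN."""
    out = []
    for order in orders:
        rec = dict(order)
        rec["card_token"] = vault.tokenize(rec.pop("pan"))
        out.append(rec)
    return out


def records_containing_pan(records: List[Dict[str, str]], orders: List[Dict[str, str]]) -> int:
    """Audit check: how many stored records still contain a raw PAN (should be 0)."""
    pans = {o["pan"].replace(" ", "") for o in orders}
    hits = 0
    for rec in records:
        blob = "".join(str(v) for v in rec.values()).replace(" ", "")
        if any(p in blob for p in pans):
            hits += 1
    return hits


if __name__ == "__main__":
    vault = TokenVault(b"constructed-lookup-key")
    for rec in tokenize_orders(vault, SAMPLE_ORDERS):
        print(rec)
```

The point the example makes is the one the comment draws: systems that hold only `card_token` values are outside the set that needs PAN-level controls, while detokenization is confined to the vault. Repeat orders from the same card receive the same token, so matching and reporting still work on the token alone.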