CISO Q&A: Convergence, Consolidation, and FortiOS

Whether it’s a new project, procedure, or branch location, business changes depend on a fast, secure network. And supporting major digital initiatives such as work from anywhere (WFA) or converging IT and OT networks requires organizations to look closely at both the operational and security implications. As organizations move forward with projects that affect the network, they need to ensure their security can keep up with today’s complex and fast-evolving threats.

Fortinet Field CISOs Joe Robertson, Ricardo Ferreira, and Alain Sanchez share their perspectives about how organizations can stay ahead of challenges such as new, automated attacks, the expanding attack surface, and networking and security silos.

Why is the convergence of networking and security so important today?

Joe: For most organizations, networks and security were separate for a long time. But that was an artifact of technology history, not because they were fundamentally different environments. When you think about it, every threat traverses a network somewhere, so the network is the logical place to catch, block, and quarantine threats and malware.

The convergence of security and networking is extremely logical and has been coming for a long time now. In fact, when Fortinet started over 20 years ago, this convergence of the network and security was part of Ken Xie’s vision when he founded the company.

Ricardo: I agree. If you look at cybersecurity trends, you realize that there’s an increased need to protect data, people, and devices everywhere. When computers were linked to just a set of ethernet cables and a server somewhere, there was relatively minimal danger of attack. But now, every human being has two or three devices, and they can connect to almost anywhere in the world and be connected from almost anywhere. Networks are a victim of their success. The growth and distributed nature of networks now mean more people and devices are exposed to more threats from bad actors. The explosion of network edges, new environments, new types of clouds, and endpoints means we can’t have the same security mindset we had a few years ago. Now we need to have real-time security to be proactive in our defense.

Alain: Every convergence carries change. Remember the big wave created by voice and data convergence? Not only does it affect the infrastructure and the management platform, but also the organization, the team, the budget, and the policy. In the case of networking and security, we’re even reaching the next level of change. Such ability to literally embed security in the network unleashes creativity. CISOs can become the “inspirers” in an organization. Like a race car with excellent brakes, the converged security and network discipline can turn the corner of innovation faster.

The terms consolidation and convergence are often used interchangeably. Could you explain the difference?

Joe: Convergence is about different interacting technologies that are no longer separated. I mentioned the convergence of networking and security, but you also see convergence in networks that connect with each other, such as the convergence of operational technology with traditional IT networks.

Consolidation is something totally different. It is talking about product consolidation. For example, your organization might have a lot of products from different vendors in the network environment. Each of those products behaves differently and has different interfaces, management consoles, and configuration methods. Having so many products makes it difficult for the technical team to manage everything. So consolidation is about reducing the number of vendors, so there are fewer consoles and interfaces to deal with. Of course, the assumption is that a given vendor uses a single interface for multiple types of security or network devices.

Ricardo: Risk management can be an important aspect of consolidation. Risk management is a top priority for CISOs; as such it’s important to have a consolidated single source of truth that shows the risk profile, so data-driven security decisions are appropriate to the organization’s risk appetite. Consolidating products also consolidates security data sources across your environment, to be viewed through a single dashboard.

Joe: Also, in a highly regulated environment, such as banking, having documentation of your status and proof that you are following the regulations is essential. Providing proof of compliance is easier to do in a consolidated environment than if you’ve got dozens of different devices. And because environments are so dynamic, having real-time visibility into your risk and compliance posture is critical.

Alain: Consolidation addresses a particular pain point of the IT and security community: too many point solutions, too many platforms, too many correlations to make between heterogeneous platforms. The typical number of different network and security vendors averages 60. Convergence calls for a multi-domain convergence that, as said earlier, embraces technology and protocols, but also operations and budget planning.

How can you detect unknown threats before they infiltrate the network?

Alain: Artificial intelligence (AI), and more specifically Machine Learning (ML), play a significant role as a proactive detection defense line. The main idea is to create a map of what baseline traffic looks like. It’s like recognizing the way you drive: typical revs when changing gear, itinerary, parking habits. So when the network is stressed in a different way, the gap between baseline traffic and actual traffic is detected. Someone might have stolen your car keys (access credentials in the IT world) and consequently gotten access to your car, but from the way the vehicle is driven, it is clear it is not you.

Ricardo: As threats evolve, it’s essential to have a platform powered by artificial intelligence that consumes security-enriched data such as threat intelligence. In FortiOS 7.2, platform features like in-line sandboxing, inline CASB, advanced protection for OT and IoT, and many others consume threat intelligence data from FortiGuard Labs. FortiGuard Labs analyzes more than 100 billion security events per day, which are translated into security-enriched data to detect unknown threats, contributing to an organization’s resilience.

The other benefit is that automation with AI improves scalability. If you are relying only on people to review logs or risk profiles, it doesn’t scale. But automating with AI using the threat intelligence from FortiGuard Labs helps ensure that the platform can react proactively to those threats and block them effectively.

How are threats evolving?

Joe: Something you need to keep in mind is the dwell time of an attacker. That’s the amount of time an attacker has access to the network and is rooting around in it. The problem is that in the past, dwell time was measured in months. Reducing that time period to days, hours, or minutes is one of the significant advances of FortiOS 7.2.

Because the rate of exploit is increasing and attacks are happening more quickly, there’s simply too much data for people to go through in a security operations center (SOC). That’s why using AI and ML to stop unknown threats is so important.

Ricardo: Building on what Joe said, according to the Global Cybersecurity Outlook 2022 from the World Economic Forum, the average time it takes an organization to detect a threat is more than 280 days. Think about the damage an attacker can do with access to systems in all that time. That statistic highlights the need for automation with AI and ML to detect novel threats but also to counteract existing threats. People tend to forget about the old threats, but if you look at statistics from FortiGuard Labs, new threats are present, but outdated threats are still making the rounds as well. They don’t just go away. Attackers continue to use old methods because those old methods still work when people don’t patch or update their systems.

Joe: Another reason for the AI advancements in FortiOS 7.2 is because the bad guys are using AI too. They are using it to create new malware variants. They’re creating not just hundreds but thousands and tens of thousands of versions of the same malware that’s just different enough that signature-based tools don’t detect it. That’s why we need to use AI to catch the malware that’s being generated by AI.

Alain: A next generation of threats is emerging that takes advantage of the very innovation that propels digital acceleration. From this perspective, Log4j is quite representative of this new generation of threat. For starters, being able to reproduce in a remote server all the conditions of a crash is extremely useful. Like the forensic police would take notes, pictures, and samples of a crime scene to make sense of it all in a remote lab, the process exploited by the Log4j attack weaponizes this process. Today we are witnessing a whole family of attacks that turn innovation into weapons. Hence the importance of a holistic cybersecurity platform that addresses the various steps involved in the attack scenarios.

Sourced from Fortinet

How to Select a Network Firewall—A Guide for SMBs

While it’s impossible to foresee how growth and expansion will affect your network and security requirements, making a wise investment is still possible. Regardless of your configuration, a firewall still serves as the critical inspection point for all network traffic. The right firewall will help prepare your business for growth by reducing the number of products you must manage, cutting costs and cycles, and making the overall management of your network infrastructure easier and more cost-efficient.

The challenge is sifting through the vast array of firewall options to find the best one for your organization now and that can grow with you as your organization and network expand. So, what questions do you need to consider when choosing a firewall for your business? Here are some critical considerations:

Does the throughput match your business needs?

As anyone can tell you, throughput demands are a moving target. Yesterday’s ultraperformance is today’s baseline requirement. As the volume and maturity of users, devices, and applications increase, bandwidth demands naturally intensify. Your firewall must be able to quickly identify applications and scale to process and secure increasing network traffic, especially now that most traffic is encrypted, reaching 95% as estimated by Google’s latest Transparency Report. Decrypting SSL/TLS traffic, including the latest TLS 1.3, is the key to identifying bad actors hiding in those encrypted paths.

What type of inspection do you require from your firewall?

Generic CPUs were never developed to perform specialized inspection, analysis, correlation, and response tasks modern firewalls need to deliver—including things like performing deep inspection of encrypted traffic that can quickly overwhelm generic CPUs. Just as advanced graphics demand specialized GPUs to render rich video streams, the increasingly sophisticated technologies and tactics used by today’s cybercriminals demand more processing power. Effectively analyzing streaming traffic in real-time requires a much more specialized and intensive process that most firewalls cannot deliver.

The second issue is longevity. Selecting a firewall should be a long-term investment. But even though most businesses expect their technology to last two to four years, research shows that over half end up purchasing additional tools and workarounds every one to two years, either to fill gaps in their existing solution or to compensate for creeping performance issues. The best rule of thumb is to make an educated guess about your bandwidth requirements in three years, double it, and then select a firewall that is very comfortable securing that volume of traffic.

How quickly and effectively can it analyze traffic for threats?

Your firewall serves as the critical inspection point for all network traffic. And in today’s application-centric business environment, performance is vital. Unfortunately, few firewalls were designed to meet the digital performance needs of today’s small businesses. Getting one fast enough is almost always cost-prohibitive. Performance is determined by the device’s central processing unit (CPU) and its alignment with its underlying operating system. Therefore, a key consideration is whether its CPU can support the specialized functions of high-performance security inspection or if it’s built around generic processors being asked to do something they weren’t designed to do.

Do you want a multivendor solution or one from a single vendor?

Multivendor: A multivendor, best-of-breed strategy is not wrong. But it is more complex. Look for solutions built using common standards and open APIs to reduce the time and effort required to develop and maintain workarounds to help discrete solutions operate more like a system. And if not managed correctly, vendor sprawl can render your entire security environment less effective by fragmenting visibility and control, especially when security devices deployed at different network edges struggle to share threat intelligence. Cybercriminals are experts at finding and exploiting security gaps and areas of weakness. Such gaps are most commonly due to misconfigurations and a lack of interoperability and deep integration between security products.

Single vendor: Solutions provided by a single vendor, especially when supported by a common OS, can significantly reduce deployment time, simplify management, and improve operational efficiency. Centralized orchestration also helps eliminate configuration errors and reduce the potential for human error. But perhaps the most significant advantage is that a deeply integrated system is the only way to implement the automation needed for instant threat detection and remediation. The challenge is that many single-vendor platforms often include sub-par components that diminish the effectiveness of the entire system. Look for vendors who regularly put each security element through rigorous, public testing and that publish specs based on real-world conditions so you can make fair comparisons between solutions.

Non-Negotiables for NGFWs

While most firewalls include nice-to-have features vendors promote to differentiate their solution, you need to focus on the fundamentals. If those don’t meet your requirements, none of the bells and whistles are worth your time or money. At a minimum, your firewall must provide:

  1. Decryption: To inspect traffic, a firewall must be able to read it, which means the traffic must first be decrypted. But given the need to maintain optimal user experience, decryption, inspection, and re-encryption need to happen in as close to real time as possible. Look carefully at this, because many firewall vendors won’t even publish their performance numbers for inspecting encrypted traffic because they are so bad.
  2. Advanced Threat Protection: Because the threat landscape is evolving so rapidly and moving to smaller targets, your firewall must combine traditional threat-matching signatures with advanced AI and machine-learning capabilities to identify all threats, new or old, and protect organizations from known, zero-day, and unknown threats.
  3. Content Filtering: The most effective way to prevent users from being infected by malicious websites and downloading ransomware is to prevent them from going there in the first place. This requires AI/ML-powered web and content filtering. With video becoming a predominant tool for human communication, inspecting video traffic becomes a core pillar of any security policy.
  4. Endpoint Integration: Employees with unpatched applications give hackers a backdoor to install malware. Built-in network access control and endpoint visibility can enforce access policy based on endpoint risk and hygiene assessments, forcing the end user to update and patch their system appropriately before being allowed on the network. Once on board, endpoints can share threat intelligence within the ecosystem and prevent other users from falling victim to previously seen malware.
  5. Sandboxing: Sandboxing opens and “detonates” files and attachments unknown to AV inspection to determine if they are malicious. The challenge is that most sandbox solutions allow files to pass through, requiring IT teams to track them down and remove them if they are deemed to be malicious. Inline sandboxing will enable you to hold a potentially malicious file until a final verdict is received to proactively block previously unknown threats.
  6. IoT visibility and control: The future is increasingly connected and IoT must be factored in. Your firewall should be able to perform automated discovery, real-time segmentation, and policy enforcement for IoT devices. This includes IoT device and OS detection and tracking, vulnerability correlation, and virtual patching.
  7. Remote Access: Providing secure access to remote workers is a fundamental requirement of any firewall. An effective VPN solution needs to be not only fast, but able to scale as users move between on-premises and remote work. But VPN is just the start. It does not provide the sort of advanced protections—such as access control and application monitoring—that today’s hybrid networks require. Built-in ZTNA extends VPN functionality by enforcing per-session user and device access to applications and resources. This protects against threats that exploit less inspected VPN tunnels or newly deployed application protocols in order to avoid detection. Additional integration with a security client and coordination with cloud-based services further ensure that every user, anywhere, complies with the same access policy.
  8. Secure SD-WAN: Few standalone SD-WAN solutions include security. Look for a firewall that not only natively supports SD-WAN but that can seamlessly apply security to connections. Converging connectivity with security opens up new possibilities for advanced routing and functionality that enables and optimizes user experience without ever compromising on protection.

Your Firewall Must Support a Larger Security Framework

A security framework, where every component is designed to work together as an integrated fabric from the beginning, enhances the sharing of threat intelligence and indicators of compromise to better detect and automatically respond to threats quickly and accurately. The right firewall solution should operate seamlessly within a comprehensive security framework that can span and adapt to your evolving needs.

Choosing the right firewall provides the peace of mind that comes from knowing that your security works now and will continue to protect and sustain your business in the future—even as technologies and business strategies continue to evolve. Additionally, working with a vendor who understands your needs now and tomorrow ensures longevity, prevents unnecessary workarounds, and avoids the rip and replace conversations down the road that can derail a business.

Find out how the Fortinet Security Fabric is the industry’s highest-performing cybersecurity platform, powered by FortiOS, with a rich open ecosystem delivering broad, integrated, and automated protection across an organization’s entire digital attack surface.

Curious to learn more? Check out our Firewall Buyer’s Guide now.

Sourced from Fortinet