Introducing the Unified Management concepts and the advantages of security product consolidation

Historically, security-conscious enterprises were practicing defense-in-depth by layering and combining multiple solutions in the hope of preventing systems and network compromise. While this approach was viable 10 years ago, it is getting progressively more difficult to maintain it.

Let's look at the evolution of the threats over time to get a better idea of why this is so by using the following diagram:

Figure 1.2 – Attack generations and types, escalation, and the response over time

In addition to the complexity and advances of the attacks, the numbers of bad actors, as well as the number of different attacks, are increasing exponentially. The field of offensive cybersecurity is attracting an ever-increasing number of people, not all of them ethical hackers. This contributes to the snowballing effect and the number of compromised systems, networks, and companies. The latest batch of attacks focusing on the supply chain is yet another manifestation of this trend.

The sheer number of cybersecurity vendors and point solutions, each trying to address different problem areas, makes it a virtual impossibility for smaller teams to manage them effectively. It takes years to gain proficiency with a single product, let alone multiple ones. Add to this the rapid development cycles of each vendor trying to keep up with evolving capabilities of cybercriminals and offerings by competition, and you will have to spend most of your time learning about new features and changes in all of these products, while at the same time fighting compatibility issues.

For a while, the combination of Security Information and Event Management (SIEM) solutions as hubs for the consolidation of logs, their correlation, and Security Orchestration Automation and Response (SOAR) actions based on pre-defined conditions looked like a possible solution to this problem. However, these options failed to address the multi-vendor cost of human capital, further complicating the operations of smaller security teams. They are now primarily relegated to larger enterprises, carrier networks, and Managed Security Services Providers (MSSPs) that can afford to keep staffed Security Operations Centers (SOCs) and dedicated data science and analytics specialists. For most other companies, SIEMs are either becoming log graveyards or are mostly used for after-the-fact investigations and audits, but not for proactive threat prevention.

Important Note

For the organizations that do utilize SIEMs, Check Point has out-of-the-box integration with ArcSight, LogRhythm, QRadar, RSA, McAfee, Splunk, and Sumologic, and its log exporter can be configured to work with any syslog-, CEF-, LEEF-, and JSON-compliant product. There is also a dedicated Check Point app for Splunk (https://sc1.checkpoint.com/documents/App_for_Splunk/html_frameset.htm) for seamless integration.

Serious advances in active prevention or response have also been made by several dedicated Endpoint Detection and Response (EDR) vendors. Unfortunately, the EDRs are relying on the installation of their agents on managed endpoints. Components of the infrastructure that do not have the agents remain unprotected.

All the networking gear, printers, copiers, conference room equipment, CCTV, building access and environmental controls, and other innumerable Internet of Things (IoT) devices are the shadow army that could be exploited and used for attacks or snooping on your infrastructure. The same applies to all devices on which the OS or firmware is controlled by the vendor or those that are supplied by service providers or business peers.

To compensate, EDR vendors are now actively expanding their integration with partners and going through the rapid acquisitions of complementary businesses to improve the coverage of their products.

Recognizing that the effective prevention of complex modern attacks requires more than just loosely coupled integration between various security tools, in 2017, Check Point developed and introduced its Infinity architecture. Tightly integrated products covering all aspects of security infrastructure with common management and enforcement policies dramatically improve detection and prevention rates.

Check Point was perfectly positioned to address these challenges since its ThreatCloud is one of the most established and largest commercial worldwide threat detection networks. The likelihood of Check Point encountering new attacks or variants of exploits closer to home is pretty good because of its huge global presence. The quality of the data is great since the product coverage extends from networks to endpoints, mobile, cloud, IoT, and industrial systems. Its analytics are supercharged by the ML and AI to identify malware DNA, a set of unique code segments and behavior characteristics that associates each newly encountered malware with a previously known malware family whenever such similarities can be identified. This helps to predict and prevent other, non-immediately apparent attack capabilities and vectors of emerging zero-day threats.

Having all these abilities provided by products from the same security vendor, as well as using common terminology, configuration, logging, analysis, management interfaces, and forensics capabilities, eliminates the complexity and the overhead of multiple point solutions. It also significantly improves your chances of deterrence and the containment of cyber attacks.

In January 2018, the MITRE Corporation released Adversarial Tactics, Techniques, and Common Knowledge version 1 (ATT&CK v1), a framework that validated Check Point's vision for unified security. And in the same month, Check Point announced Infinity Total Protection, a simple, all-inclusive, per-user, per-year subscription covering all of its products, including hardware, software, 24x7 premium support, and network security, as well as endpoint, mobile, cloud, and data security with real-time threat prevention.

Competitors realizing the advantages of this approach adopted similar strategies and a new term, Extended Detection and Response (XDR), was coined.

Important Note

Although it is unlikely that your organization is relying on a single vendor's solutions for all or even most of its cybersecurity needs, strategic consolidation resulting in massive benefits should be considered.

Most likely, Check Point firewalls in your environment are a part of the heterogeneous security infrastructure consisting of multiple point products. In this case, it is imperative to understand their roles, capabilities, and limitations in order to extract maximum value from the product while keeping track of what it is not designed or configured to do, and where complementary security solutions should be applied.

Network segmentation, network access control, threat prevention for individual network segments, categories, and hosts continue to remain some of the key elements of overall sound security posture. Having the benefit of threat intelligence generated by sensors present in all categories of information technology covered by the Infinity architecture makes Check Point firewalls some of the most effective threat prevention and detection tools in your cybersecurity arsenal.

Important Note

Check Point's mantra is prevention first, so it is often the case that engineers must, on purpose, disable prevention in the demo environments to showcase the product's detection capabilities at multiple points in the attack's kill chain.

Now that we know that vendor consolidation may yield better overall results by offering unified visibility of attacks, let's look at what the Security Management architecture can do for the administration of the Check Point infrastructure.