UTM & Next Generation Firewalls

The term UTM firewall or simply UTM (Unified Threat management) is the nomenclature given to a hardware or software device capable of assembling various security functions, such as packet filtering, proxy, intrusion detection and prevention systems, protection against malware, application control, among others.

A next-generation firewall is a part of the third generation of firewall technology, combining a traditional firewall with other network device filtering functions, such as an application firewall using in-line deep packet inspection, an intrusion prevention system.

IPS/IDS & Next Generation Behavioral Analysis

An intrusion prevention system (IPS) is a form of network security that works to detect and prevent identified threats. An intrusion detection system (IDS), does only the detection part.

Network behavior analysis is the ability to identify traffic patterns that are not considered normal in the day-to-day traffic of the network. Simply put, this is the industry’s attempt to identify irregularities in the network beyond simple threshold settings for excessive traffic.

Network Access Control (NAC)

Network access control is the act of keeping unauthorized users and devices out of a private network by using enterprise security solutions. Organizations that give certain devices or users from outside of the organization occasional access to the network can use network access control to ensure that these devices meet corporate security compliance regulations.

The increasingly sanctioned use of non-corporate devices accessing corporate networks requires businesses to pay special attention to network security, including who or what is allowed access. Network security protects the functionality of the network, ensuring that only authorized users and devices have access to it, that those devices are clean, and that the users are who they say they are. Network access control, or NAC, is one aspect of network security. There are many NAC tools available, and the functions are often performed by a network access server. Effective network access control restricts access to only those devices that are authorized and compliant

with security policies, meaning they have all the required security patches and anti-intrusion software. Network operators define the security policies that decide which devices or applications comply with endpoint security requirements and will be allowed network access.

Email Security Gateway (SPAM Filter)

A spam filter is a program that is used to detect unsolicited and unwanted email and prevent those messages from getting to a user’s inbox. Like other types of filtering programs, a spam filter looks for certain criteria on which it bases judgments.

A spam filtering solution cannot be 100 percent effective. However, a business email system without spam filtering is highly vulnerable, if not unusable. It is important to stop as much spam as you can, to protect your network from the many possible risks: viruses, phishing attacks, compromised web links and other malicious content. Spam filters also protect your servers from being overloaded with non-essential emails, and the worse problem of being infected with spam software that may turn them into spam servers themselves. By preventing spam email from reaching your employees’ mailboxes, spam filters give an additional layer of protection to your users, your network, and your business.

Web Security Gateway (Proxy)

A proxy server acts as a gateway between you and the internet. It’s an intermediary server separating end users from the websites they browse. Proxy servers provide varying levels of functionality, security, and privacy depending on your use case, needs, or company policy. If you’re using a proxy server, internet traffic flows through the proxy server on its way to the address you requested. The request then comes back through that same proxy server (there are exceptions to this rule), and then the proxy server forwards the data received from the website to you.

Modern proxy servers do much more than forwarding web requests, all in the name of data security and network performance. Proxy servers act as a firewall and web filter, provide shared network connections, and cache data to speed up common requests. A good proxy server keeps users and the internal network protected from the bad stuff that lives out in the wild internet. Lastly, proxy servers can provide a high level of privacy.

Web Application Firewall (WAF)

As a reputed firewall provider in Sri Lanka, Softlogic IT offers WAF or Web Application Firewall which helps protect web applications by filtering and monitoring HTTP traffic between a web application and the Internet. It typically protects web applications from attacks such as cross-site forgery, cross-site-scripting (XSS), file inclusion, and SQL injection, among others. A WAF is a protocol layer 7 defense (in the OSI model), and is not designed to defend against all types of attacks. This method of attack mitigation is usually part of a suite of tools which together create a holistic defense against a range of attack vectors.

By deploying a WAF in front of a web application, a shield is placed between the web application and the Internet. While a proxy server protects a client machine’s identity by using an intermediary, a WAF is a type of reverse-proxy, protecting the server from exposure by having

clients pass through the WAF before reaching the server. A WAF operates through a set of rules often called policies. These policies aim to protect against vulnerabilities in the application by filtering out malicious traffic. The value of a WAF comes in part from the speed and ease with which policy modification can be implemented, allowing for faster response to varying attack vectors; during a DDoS attack, rate limiting can be quickly implemented by modifying WAF policies.

End-point Detection and Response (EDR)

Cyber security solutions in Sri Lanka such as end point detection and response, or EDR, refers to a category of tools used to detect and investigate threats on endpoint devices. EDR tools typically provide detection, analysis, investigation and response capabilities. EDR tools monitor events generated by endpoint agents to look for suspicious activity, and alerts EDR tools create help security operations analysts identify, investigate and remediate issues. EDR tools also collect telemetry data on suspicious activity and may enrich that data with other contextual information from correlated events. Through these functions, EDR is instrumental in shortening response times for incident response teams. EDR has become a critical component of the endpoint security toolkit as endpoints have become more vulnerable targets for cyberattacks. Trends such as the internet of things and the increase in mobile and remote workers have made endpoints popular entry points for cybercriminals to launch sophisticated attacks on individuals or organizations.

Data Loss Prevention (DLP)

Data loss prevention (DLP) is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users. DLP software classifies regulated, confidential and business critical data and identifies violations of policies defined by organizations or within a predefined policy pack, typically driven by regulatory compliance such as HIPAA, PCI-DSS, or GDPR. Once those violations are identified, DLP enforces remediation with alerts, encryption, and other protective actions to prevent end users from accidentally or maliciously sharing data that could put the organization at risk. Data loss prevention software and tools monitor and control endpoint activities, filter data streams on corporate networks, and monitor data in the cloud to protect data at rest, in motion, and in use. DLP also provides reporting to meet compliance and auditing requirements and identify areas of weakness and anomalies for forensics and incident response.

Privilege Access Management (PAM)

Privileged access management (PAM) consists of the cybersecurity strategies and technologies for exerting control over the elevated (“privileged”) access and permissions for users, accounts, processes, and systems across an IT environment. By dialing in the appropriate level of privileged access controls, PAM helps organizations condense their organization’s attack surface, and prevent, or at least mitigate, the damage arising from external attacks as well as from insider malfeasance or negligence. While privilege management encompasses many strategies, a central goal is the enforcement of least privilege, defined as the restriction of access rights and permissions for users, accounts, applications, systems, devices (such as IoT) and computing processes to the absolute minimum necessary to perform routine, authorized activities.

Alternatively referred to as privileged account management, privileged identity management (PIM), or just privilege management, PAM is considered by many analysts and technologists as one of the most important security projects for reducing cyber risk and achieving high security ROI. The domain of privilege management is generally accepted as falling within the broader scope of identity and access management (IAM). Together, PAM and IAM help to provide fined-grained control, visibility, and auditability over all credentials and privileges.

While IAM controls provide authentication of identities to ensure that the right user has the right access as the right time, PAM layers on more granular visibility, control, and auditing over privileged identities and activities. In this glossary post, we will cover: what privilege refers to in a computing context, types of privileges and privileged accounts/credentials, common privilege-related risks and threat vectors, privilege security best practices, and how PAM is implemented.

Security Information & Event Management (SIEM)

Security Information and Event Management (SIEM) software has been in use in various guises for over a decade and has evolved significantly during that time. SIEM solutions provide a holistic view of what is happening on a network in real-time and help IT teams to be more proactive in the fight against security threats.

What is unique about SIEM solutions is that they combine Security Event Management (SEM) – which carries out analysis of event and log data in real-time to provide event correlation, threat monitoring an incident response – with Security Information Management (SIM) which retrieves and analyzes log data and generates a report. For the organization that wants complete visibility and control over what is happening on their network in real-time, SIEM solutions are critical.

Vulnerability Management Tool

Vulnerability management is a cyclical process of identifying IT assets and correlating them with a continually updated vulnerability database to identify threats, misconfigurations, and vulnerabilities. Another aspect of vulnerability management including validating the urgency and impact of each vulnerability based on various risk factors and responding to the critical threats swiftly. Vulnerability management tools scan enterprise networks for weaknesses that may be exploited by would-be intruders.

Data Classification

Data classification, in the context of information security, is the classification of data based on its level of sensitivity and the impact to the University should that data be disclosed, altered or destroyed without authorization. The classification of data helps determine what baseline security controls are appropriate for safeguarding that data. All institutional data should be classified into one of three sensitivity levels, or classifications:

Restricted Data
Data should be classified as Restricted when the unauthorized disclosure, alteration or destruction of that data could cause a significant level of risk to the University or its affiliates. Examples of Restricted data include data protected by state or federal privacy regulations and data protected

by confidentiality agreements. The highest level of security controls should be applied to Restricted data.

Private Data
Data should be classified as Private when the unauthorized disclosure, alteration or destruction of that data could result in a moderate level of risk to the University or its affiliates. By default, all Institutional Data that is not explicitly classified as Restricted or Public data should be treated as Private data. A reasonable level of security controls should be applied to Private data.

Public Data
Data should be classified as Public when the unauthorized disclosure, alteration or destruction of that data would result in little or no risk to the University and its affiliates. Examples of Public data include press releases, course information and research publications. While little or no controls are required to protect the confidentiality of Public data, some level of control is required to prevent unauthorized modification or destruction of Public data.

Classification of data should be performed by an appropriate Data Steward. Data Stewards are senior-level employees of the University who oversee the lifecycle of one or more sets of Institutional Data. See Information Security Roles and Responsibilities for more information on the Data Steward role and associated responsibilities.

Security Operations Centre (SOC)

A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization’s security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents. A SOC acts like the hub or central command post, taking in telemetry from across an organization’s IT infrastructure, including its networks, devices, appliances, and information stores, wherever those assets reside. The proliferation of advanced threats places a premium on collecting context from diverse sources. Essentially, the SOC is the correlation point for every event logged within the organization that is being monitored. For each of these events, the SOC must decide how they will be managed and acted upon.