Next-Generation Firewalls (NGFWs) provide the network-based protection you need to stop users from downloading viruses and to stop spyware from sending data out. They can do a lot more when combined with Managed Detection and Response (MDR). In this article we focus on how we get ahead of security issues and respond by using NGFW features that are rarely used, and we answer some frequently asked questions about the service.
What We Use from NGFWs
NGFWs send us Syslog, and we use their Application Programming Interfaces (APIs) to dynamically write block rules where necessary. Managed Detection and Response, or MDR, is the process of detecting threats that get through firewalls or are not fully mitigated by them. For example, if an NGFW detects a virus, the MDR service reports it and cleans it at the source. Since an NGFW can block an IP address, MDR improves on this design by feeding threat intelligence directly to the NGFW so that malicious IPs are blocked before they become threats.
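As an added illustration of the syslog-in, block-list-out flow described above (example code written for this article, not IntelliGO's software): it parses constructed firewall syslog lines in a hypothetical key=value format, flags source hosts that need cleaning, and computes which threat-intel IPs still need to be pushed to the firewall. The syslog format, the threat-intel list and all addresses are constructed.

```python
"""Minimal MDR-style correlation step (added example, not IntelliGO's code)."""
import re
from dataclasses import dataclass, field

# Constructed syslog from a hypothetical NGFW; real vendor formats differ.
SAMPLE_SYSLOG = """\
<134>Jun 01 10:00:01 fw01 threat: action=alert type=virus src=10.0.0.25 dst=203.0.113.9 file=invoice.exe
<134>Jun 01 10:00:05 fw01 traffic: action=allow type=session src=10.0.0.31 dst=198.51.100.77 dport=443
<134>Jun 01 10:00:09 fw01 traffic: action=allow type=session src=10.0.0.31 dst=192.0.2.10 dport=443
<134>Jun 01 10:00:12 fw01 threat: action=deny type=virus src=10.0.0.40 dst=203.0.113.9 file=setup.exe
"""

# Constructed threat-intelligence feed: IPs known to be malicious.
THREAT_INTEL = {"198.51.100.77", "203.0.113.9"}

# Block rules already on the firewall, so duplicates are not pushed via the API.
EXISTING_BLOCKS = {"203.0.113.9"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one syslog line as a dict."""
    return dict(KV.findall(line))


@dataclass
class MdrActions:
    # Hosts to clean or investigate at the source.
    remediate_hosts: set = field(default_factory=set)
    # IPs to add to the NGFW block list through its API.
    new_blocks: set = field(default_factory=set)


def correlate(syslog_text, threat_intel, existing_blocks):
    actions = MdrActions()
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        if ev.get("type") == "virus":
            # The source host attempted (alert) or was caught (deny) downloading
            # malware; either way it is checked and cleaned at the source.
            actions.remediate_hosts.add(ev["src"])
        elif ev.get("action") == "allow" and ev.get("dst") in threat_intel:
            # Traffic the firewall let through to a known-bad IP: a threat
            # that got past the firewall and needs endpoint follow-up.
            actions.remediate_hosts.add(ev["src"])
    # Feed intel proactively: block every known-bad IP not already blocked.
    actions.new_blocks = set(threat_intel) - set(existing_blocks)
    return actions


if __name__ == "__main__":
    print(correlate(SAMPLE_SYSLOG, THREAT_INTEL, EXISTING_BLOCKS))
```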
Does the Vendor Matter?
Almost all firewalls can provide Syslog and can allow or deny IP-based traffic. This starting point is how we collect and respond to threats using the IntelliGO MDR platform. As a result, whether you are using Juniper, Fortinet, Cisco, Check Point, Palo Alto Networks or others, you have the ability to detect and respond to threats. We don't rely on APIs for everything: we can also block IPs right at the endpoints, so as a baseline we can detect and respond to malicious traffic even when the firewall isn't the tool that reports it as malicious.
Do you need access to the Firewalls?
Many designs used to require firewalls with special capabilities, or special access to them via SSH or SNMP, in order to work. Syslog forwards the information to the IntelliGO platform without any accounts being created or any other significant changes.
I have a SIEM or an MSSP; am I already doing MDR?
If you're already capturing information in a Security Information and Event Management (SIEM) product or have a Managed Security Service Provider (MSSP), testing whether you have MDR is simple. Download a test virus and see which tools block it: the firewall, the anti-virus or the SIEM. If you can click the link and download the virus without any notification, then these tools are not managing detection or response. The test virus also helps our team look through the information we collect from your tools and discover whether they are effectively configured to alert, and whether we are able to respond to threats.
How do I test IntelliGO MDR?
Our evaluation process goes deeper than network detection, but it is not difficult to see for yourself. We use a Prevention Posture Assessment, a free report we compile using your Firewalls, Endpoints and our Scanning technology. See a copy of the report at the bottom of this blog or Request a Demo.