The Centripetal Blog

Automatic Enforcement: A Security Operations Analyst's Best Friend

Posted by Colin Little on September 11, 2018

Have you ever arrived at work in the morning to find that a malicious botnet has aggressively attacked your network, and now your team needs to quickly update ACLs with thousands of indicators of compromise, check log files, pen-test public-facing infrastructure, and so on? Not with a Centripetal RuleGATE enforcement gateway in place, you haven't!

This is a story about one of our large poster-child clients in the banking industry. The client had worked closely with us to achieve an ideal shielding posture and had customized their corporate network security policy to block specific traffic they were concerned about. One of the worries this client shared with us was traffic involving countries listed in the International Traffic in Arms Regulations (ITAR), such as China, North Korea and Syria. While the geographic location of the source or destination of a connection is interesting, it is typically not considered threat intelligence by itself, so this choice seemed unorthodox at the time.

This unconventional choice led to the most remarkable thing I have seen our Centripetal CleanINTERNET service do: block an active malicious threat with no associated threat intelligence at all.

On Thursday morning, our client walked in and sat down at their desk as usual: drank some coffee, caught up on email and fell into their typical routine. There were no fires to put out, no alarms, and all seemed fine. What DID happen that morning was a calm phone call with our cybersecurity team, in which we informed them that twice, at 8:19 pm the previous night and at 4:23 am that morning, the RuleGATE had blocked over 10,300 IPs, all from the same ITAR country, attempting to brute-force TCP port 23 (Telnet). The would-be criminal attempted approximately 75,000 username and password combinations, the largest attempt by volume of events that I have seen. The best part is that the attacker did not even get a response back, because the RuleGATE was able to enforce the client's desired security posture easily and automatically.

The question I am typically asked at this point is, "Yeah, but can't my firewall do that?" Yes, of course it can, but this question ignores a number of others: How effectively can your firewall team manage the ACL amid other priorities? What are the time-to-implementation and cost-of-implementation once change management procedures and all the resources needed are included? What about remote sites and users? How about public-facing infrastructure? Those of us seasoned in IT, as well as in cyber security, know the corporate firewall is no longer a magic wand.
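To make the two points above concrete (a country-based policy blocking Telnet brute force with no IOC feed, and the ACL-management burden that a country's worth of prefixes imposes on a firewall team), here is an added example that is not Centripetal's code and says nothing about how RuleGATE is implemented. It compiles a hypothetical country-to-prefix feed into the minimal ACL a firewall would need, runs constructed flow-log lines through that ACL, and summarizes blocked Telnet attempts by country and distinct source. The country codes "XX" and "YY" and the use of RFC 5737 documentation ranges are assumptions; a real deployment would load a GeoIP or registry allocation feed, which for a large country runs to thousands of prefixes.

```python
"""Added example (not Centripetal's code): geo-based enforcement policy plus a
summary of blocked Telnet attempts, run over constructed log lines.
The country-to-prefix mapping uses RFC 5737 documentation ranges with made-up
country codes ("XX", "YY"); a real deployment would load a GeoIP or registry
allocation feed instead.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
import ipaddress

# Hypothetical allocation feed: country code -> list of CIDR strings.
# Adjacent prefixes are deliberately included to show ACL aggregation.
COUNTRY_PREFIXES = {
    "XX": ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"],
    "YY": ["192.0.2.0/24"],
}
BLOCKED_COUNTRIES = {"XX"}  # the client's policy: block traffic involving XX


def compile_acl(feed, blocked):
    """Collapse the blocked countries' prefixes into the minimal prefix set a
    firewall ACL needs (the two adjacent /25s become a single /24)."""
    nets = [ipaddress.ip_network(p) for cc in blocked for p in feed[cc]]
    return list(ipaddress.collapse_addresses(nets))


def country_of(ip, feed):
    """Look up which feed country an address belongs to, or None."""
    addr = ipaddress.ip_address(ip)
    for cc, prefixes in feed.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return cc
    return None


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def parse_line(line):
    """Parse one constructed flow-log line: '<ts> src=<ip> dst=<ip> dport=<n>'."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return Flow(datetime.fromisoformat(ts), kv["src"], kv["dst"], int(kv["dport"]))


def enforce(flows, acl):
    """Split flows into (blocked, allowed) by source address against the ACL."""
    blocked, allowed = [], []
    for f in flows:
        src = ipaddress.ip_address(f.src)
        (blocked if any(src in net for net in acl) else allowed).append(f)
    return blocked, allowed


def summarize_telnet(blocked, feed):
    """Per-country (attempt count, distinct sources) for blocked tcp/23 flows."""
    counts = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for f in blocked:
        if f.dport == 23:
            cc = country_of(f.src, feed)
            counts[cc]["attempts"] += 1
            counts[cc]["sources"].add(f.src)
    return {cc: (v["attempts"], len(v["sources"])) for cc, v in counts.items()}


# Constructed sample log (not real traffic): four Telnet attempts from XX,
# one from YY, and one HTTPS flow from XX that is blocked but not Telnet.
SAMPLE_LOG = """\
2018-09-05T20:19:01 src=203.0.113.10 dst=10.0.0.5 dport=23
2018-09-05T20:19:02 src=203.0.113.10 dst=10.0.0.5 dport=23
2018-09-05T20:19:03 src=203.0.113.200 dst=10.0.0.5 dport=23
2018-09-05T20:19:04 src=198.51.100.7 dst=10.0.0.5 dport=23
2018-09-05T20:19:05 src=192.0.2.9 dst=10.0.0.5 dport=23
2018-09-05T20:19:06 src=203.0.113.44 dst=10.0.0.5 dport=443
"""


def run():
    """Compile the ACL, enforce it over the sample log and return
    (acl, telnet summary, number of allowed flows)."""
    acl = compile_acl(COUNTRY_PREFIXES, BLOCKED_COUNTRIES)
    flows = [parse_line(line) for line in SAMPLE_LOG.splitlines()]
    blocked, allowed = enforce(flows, acl)
    return acl, summarize_telnet(blocked, COUNTRY_PREFIXES), len(allowed)


if __name__ == "__main__":
    acl, summary, n_allowed = run()
    print("ACL:", [str(net) for net in acl])
    print("Blocked Telnet attempts by country:", summary)
    print("Allowed flows:", n_allowed)
```

Two things worth noticing when you run it: the three XX prefixes collapse to two ACL entries, which is the aggregation a firewall team would otherwise do by hand every time the feed changes, and the summary counts blocked attempts and distinct sources rather than credentials, because a gateway that drops the connection never sees a username or password at all.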

In summary, CleanINTERNET with the RuleGATE enforcement gateway is a strong addition to your security stack, complementing the other components at the perimeter. It is a welcome addition that offers automatic protection against both known malicious threats and active threat actors located in hostile nation states.

Tags: Intelligence, Enforcement, QuickThreat, CleanINTERNET, Threat Intelligence