Understanding the MITRE ATT&CK Framework and Evaluations – Part 1

The world as we know it is changing around us. The pandemic has acted as a major driver for digital adoption, and the need to increase the risk barrier has kept security teams on their toes. As traditional security techniques and methods evolve, there is a need to re-evaluate the way we think about detecting and reacting to a security incident.

At SonicWall, we are enthusiastic supporters of the work on the MITRE Engenuity ATT&CK framework, which seeks to define and continually expand a common cybersecurity language that describes how adversaries operate. This matters to you because ATT&CK Evaluations are both a unifier and a force multiplier for the people on security’s front line.

What Is the ATT&CK Framework?

The cyber adversaries we deal with today exhibit complex behaviors while trying to evade the defenses we have implemented. They develop increasingly sophisticated methodologies and approaches to achieve their objectives. They weave legitimate and atypical behaviors into different attack tapestries. And they all know what they’re after.

ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge. MITRE Engenuity ATT&CK is a globally accessible knowledge base of cybercriminal behavior based on real-world observations. Its purpose is to be a common language whose components can be combined in endless ways to describe how threat actors operate.

Consider this generic example for an attack methodology targeting exfiltration:


Tactics represent the “why” of an ATT&CK technique or sub-technique. We can describe the attack methodology above as employing five Tactics — step 1: initial access through to step 5: exfiltration. The MITRE Engenuity ATT&CK framework currently consists of 14 tactics, as seen in the Enterprise navigator tool.

The second key concept is the Techniques or Sub-Techniques employed within each tactical phase. For example, to achieve initial access, the adversary may send a phishing email with a link to a compromised website that takes advantage of an unpatched browser flaw. The ATT&CK framework currently consists of 200+ techniques and sub-techniques organized under the 14 tactics.

Procedures are the specific ways the adversary implements the techniques or sub-techniques. For example, a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed-in-the-wild use of techniques. The ATT&CK framework has a documented list of 129 threat actor groups that cover a very broad set of procedures (using software or otherwise).
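To make the three concepts concrete, here is an added example (not code from the original post or from MITRE) that walks a small, constructed bundle shaped like the STIX export in which ATT&CK is distributed, answering two questions the text raises: which techniques sit under which tactic, and which procedures a given group has been observed using. The object kinds and field names (attack-pattern, intrusion-set, relationship, kill_chain_phases, external_references) follow the public ATT&CK STIX data as I understand it; the technique entries, the group name and the procedure descriptions are sample data constructed for this example.

```python
"""Added example: index a constructed ATT&CK-style STIX bundle by tactic and
list a group's procedures. Not the project's code; the data is made up."""
import json
from collections import defaultdict

# Constructed sample bundle; the real export has the same shapes but thousands of entries.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "id": "attack-pattern--a1",
         "name": "Spearphishing Link", "x_mitre_is_subtechnique": True,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "initial-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566.002"}]},
        {"type": "attack-pattern", "id": "attack-pattern--b2",
         "name": "Process Injection", "x_mitre_is_subtechnique": False,
         # One technique can serve two tactics; the index must list it under both.
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "defense-evasion"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "privilege-escalation"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1055"}]},
        {"type": "attack-pattern", "id": "attack-pattern--c3",
         "name": "Exfiltration Over C2 Channel", "x_mitre_is_subtechnique": False,
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "exfiltration"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1041"}]},
        {"type": "intrusion-set", "id": "intrusion-set--g1", "name": "EXAMPLE GROUP"},
        # "uses" relationships carry the procedure: how this group applied the technique.
        {"type": "relationship", "id": "relationship--r1", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--b2",
         "description": "Uses PowerShell to inject into lsass.exe and scrape credentials"},
        {"type": "relationship", "id": "relationship--r2", "relationship_type": "uses",
         "source_ref": "intrusion-set--g1", "target_ref": "attack-pattern--a1",
         "description": "Sends a phishing email linking to a compromised website"},
    ],
})


def attack_id(obj):
    """The Txxxx or Txxxx.yyy identifier lives in the mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def load_bundle(text):
    return json.loads(text)["objects"]


def techniques_by_tactic(objects):
    """Map each tactic (kill-chain phase) to the sorted technique IDs filed under it."""
    index = defaultdict(list)
    for obj in objects:
        if obj["type"] != "attack-pattern":
            continue
        for phase in obj.get("kill_chain_phases", []):
            if phase["kill_chain_name"] == "mitre-attack":
                index[phase["phase_name"]].append(attack_id(obj))
    return {tactic: sorted(ids) for tactic, ids in index.items()}


def procedures_for_group(objects, group_name):
    """Return (technique ID, procedure description) pairs for a named group."""
    by_id = {obj["id"]: obj for obj in objects}
    group_ids = {obj["id"] for obj in objects
                 if obj["type"] == "intrusion-set" and obj["name"] == group_name}
    procedures = []
    for rel in objects:
        if (rel["type"] == "relationship" and rel["relationship_type"] == "uses"
                and rel["source_ref"] in group_ids):
            target = by_id.get(rel["target_ref"])
            if target and target["type"] == "attack-pattern":
                procedures.append((attack_id(target), rel.get("description", "")))
    return sorted(procedures)


if __name__ == "__main__":
    objects = load_bundle(SAMPLE_BUNDLE)
    for tactic, ids in sorted(techniques_by_tactic(objects).items()):
        print(f"{tactic:22s} {', '.join(ids)}")
    for tid, description in procedures_for_group(objects, "EXAMPLE GROUP"):
        print(f"{tid:10s} {description}")
```

The Process Injection entry shows why tactics and techniques are separate axes: one technique appears under two tactics, and a mapping tool has to index it under both rather than pick one.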

For more details, we recommend you take the guided tour from the ATT&CK website.

Why Do MITRE Engenuity ATT&CK Evaluations Matter?

The emulations used in MITRE Engenuity ATT&CK Evaluations are constructed to mimic an adversary’s known TTPs. They are conducted in a controlled lab environment to determine each participating vendor’s product efficacy. The aim is to put together a complete, logical attack simulation that moves through all the stages of a comprehensive, successful attack — from initial compromise to persistence, lateral movement, data exfiltration and so on.

Doing so offers three main benefits:

  1. We gain insight into the adversary’s game plan in terms of combinations of tactics and techniques.
  2. We can clearly communicate the exact nature of a threat and respond faster with greater insight.
  3. When we understand who our typical adversaries are and how they attack us, we can proactively design defenses to blunt them.

MITRE Engenuity describes ATT&CK as a “mid-level adversary model,” meaning that it is not too generalized and not too specific. High-level models like the Lockheed Martin Cyber Kill Chain illustrate adversary goals, but aren’t specific about how the goals are achieved. Conversely, exploit and malware databases specifically define IoC “jigsaw pieces” in a giant puzzle but aren’t necessarily connected to how the bad guys use them, nor do they typically identify who the bad guys are.

Conclusion

ATT&CK Evaluations focus on how detections occurred as each test moves through its steps. In its evaluation guide, MITRE Engenuity points out that not every detection is of the same quality. It’s pretty clear that, while a “Telemetry” detection is minimally processed data related to an adversary behavior, a “Technique” detection sits at the other end of the quality spectrum — it’s information-rich and orients the analyst at a glance. Consistent technique-driven detections are ideal for organizations that want more out of their tools.

In general, vendor tools ideally should automate real-time context creation related to adversary moves and bubble that up into the tool with as few alerts as possible. The more Techniques a tool can automatically provide and then aggregate into single incident alerts, the more the tool is automating the security function. This is critical for driving mean time to respond to as close to zero as possible.

In Part 2, we’ll take a look at the value the ATT&CK framework delivers to security leaders and decision-makers, and how SonicWall’s Capture Client powered by SentinelOne’s technology delivers capabilities that epitomize the ATT&CK framework.

BEC Attacks: Inside a $26 Billion Scam

Why would cybercriminals employ obfuscation tools, launch multi-stage cyberattacks, encrypt endpoints and haggle over ransom amounts … when they could just ask for the money? This is the concept behind Business Email Compromise (BEC) attacks — a type of cyberattack that has grown dramatically over the past few years.

The U.S. federal government’s Internet Complaint Center (IC3), which has been tracking these attacks since 2013, has dubbed BEC attacks the “$26 billion scam” — though this moniker is likely out of date due to escalating attack volumes and increased reliance on email throughout the pandemic.

And though high-profile ransomware attacks continue to dominate headlines, far more money is lost to BEC attacks. For example, in 2020, BEC attacks accounted for $1.8 billion in the U.S. alone, and an estimated 40% of cybercrime losses globally.

The Anatomy of a BEC Attack

While they’re considered a type of phishing attack, BEC attacks don’t rely on malicious code or links. Instead, they let social engineering do the heavy lifting. These attacks specifically target organizations that perform legitimate transfer-of-funds requests, and almost exclusively appeal to seniority to secure compliance.

According to the Osterman white paper sponsored by SonicWall, “How to Deal with Business Email Compromise,” BEC threat actors create email addresses that mimic those used by senior executives, use free services such as Gmail to create email addresses that appear to be an executive’s personal account, or, less commonly, gain access to executives’ actual corporate email accounts using phishing attacks or other means.

Image describing phishing

Above is a BEC email I’ve received. Note the appeal to authority — the message appears to come from SonicWall’s CEO, despite originating from an outside address — as well as the sense of urgency throughout. This is a rather clunky example; many of these emails are much more sophisticated in both language and execution.

Once the attacker has a plausible email account from which to operate, they use social engineering tactics to request the target either divert payment on a valid invoice to the criminal’s bank account, solicit payment via fake invoice or divert company payroll to a fraudulent bank account.

Since these attacks appeal to a sense of urgency and appear to come from a CEO, CFO or someone else in charge, many targets are eager to comply with the requests as quickly as possible. Once they do, the company is out a large sum of money, and the cybercriminal celebrates another payday.

How Common Are BEC Attacks?

BEC attacks have been recorded in every state in the U.S., as well as 177 countries around the world. Based on the latest report from IC3, nearly 20,000 of these attacks were reported in 2020 alone — likely an undercount, given that Osterman’s research found that four out of five organizations were targeted by at least one BEC attack in 2021. For mid-sized businesses (those with 500-2,500 email users), that number rose to nine out of 10.

Worse, almost 60% of the organizations surveyed reported being the victims of a successful or almost successful BEC attack. For those who were successfully targeted, the costs were significant: a combination of direct costs and indirect costs brought the total financial impact of a successful BEC incident to $114,762. Unfortunately, the direct costs, while significant for an individual organization, are often too small to trigger help from law enforcement agencies and insurance companies.

BEC Attacks Can Be Stopped (But Probably Not in the Way You Think.)

Many other attacks rely on malicious links and code, which can be spotted by anti-malware solutions and secure email gateways. But the sort of social engineering tactics used in BEC attacks — particularly those from a legitimate email address — often cannot be caught by these solutions.

Even so, while three-quarters of respondents say that protecting against these attacks is important to them, many are still depending primarily on technologies that were never designed to stop BEC attacks.

There’s not a lot you can do to prevent being among the 80% (and growing) of companies targeted by BEC attacks each year, but there are plenty of other things you can do to safeguard your organization’s finances. They all fall under three primary pillars: People, Process and Technology.

Technology is your first line of defense against BEC attacks. Many solutions claim the ability to combat BEC attacks, but their effectiveness varies widely. For best protection, look for one that will both block BEC attacks and guide employees.

Notice in the example above how there’s an alert warning that the email originated from outside the organization? While simple, these sorts of alerts can make the difference between a BEC attempt that’s ultimately successful, and one that’s scrutinized and deleted upon receipt.

Particularly in companies that are still relying on traditional technology protections, employee training is an indispensable backup protection. Employees should be coached to look for spoofed email addresses, uncharacteristic grammar and syntax, and an unusual sense of urgency.

In the case of particularly sophisticated attempts, processes should be in place in case a BEC attempt makes it into the inbox and isn’t identified by the recipient as suspect. Policies such as a multi-person review of requests to change bank account details or mandated out-of-band confirmations are often successful as a last line of defense against BEC.
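The technology pillar above can be made concrete with a small triage routine. The following is an added example, not code from the original post or from any SonicWall product: it reads an inbound message, checks for the traits the text describes (an executive’s display name on an outside address, a Reply-To that differs from the sender, urgency language), decides between delivering, adding the “originated from outside the organization” banner, and quarantining, and shows the banner itself. The company domain, the executive roster and both sample messages are constructed for the example.

```python
"""Added example: flag the BEC traits described in the text and apply the
external-sender banner. Domains, names and messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example.com"}                  # assumed company mail domain
EXECUTIVE_NAMES = {"jane doe", "raj patel"}         # constructed executive roster (lowercase)
URGENCY_WORDS = ("urgent", "immediately", "asap", "wire", "today", "confidential")

# Constructed BEC lure: the CEO's name on a free-mail address and a different Reply-To.
BEC_SAMPLE = """From: "Jane Doe" <jane.doe@personal-mail.example>
Reply-To: payments.desk@other-mail.example
To: accounts@example.com
Subject: Urgent - vendor payment today

I am in meetings all day and cannot talk. Please wire the attached invoice
immediately and keep this confidential until I confirm.
"""

# Constructed legitimate internal message for comparison.
INTERNAL_SAMPLE = """From: "Bob Smith" <bob.smith@example.com>
To: accounts@example.com
Subject: Q3 expense summary

Attached is the summary we discussed on Monday.
"""


def assess(raw):
    """Return the sender, the list of findings and a delivery decision."""
    msg = email.message_from_string(raw, policy=policy.default)
    display_name, addr = parseaddr(str(msg["From"]))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []

    external = domain not in INTERNAL_DOMAINS
    if external:
        findings.append("external-sender")
        # The classic BEC pattern: a known executive's name, but not their corporate mailbox.
        if display_name.strip().lower() in EXECUTIVE_NAMES:
            findings.append("display-name-impersonates-executive")

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")

    body = msg.get_body(preferencelist=("plain",)).get_content()
    text = f"{msg['Subject']} {body}".lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")

    if "display-name-impersonates-executive" in findings and "urgency-language" in findings:
        action = "quarantine"      # hold for review rather than trust the recipient to spot it
    elif external:
        action = "banner"          # deliver, but warn the reader
    else:
        action = "deliver"
    return {"from": addr, "findings": findings, "action": action}


def add_external_banner(raw):
    """Prepend the external-origin warning the text describes when the sender is outside."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg["From"]))
    if addr.rsplit("@", 1)[-1].lower() in INTERNAL_DOMAINS:
        return msg.get_content()
    return "CAUTION: This email originated from outside the organization.\n\n" + msg.get_content()


if __name__ == "__main__":
    for sample in (BEC_SAMPLE, INTERNAL_SAMPLE):
        print(assess(sample))
        print(add_external_banner(sample))
```

None of these checks needs a malicious link or attachment to fire, which is the point the text makes: BEC detection has to reason about sender identity and intent, not payloads, and the process controls (multi-person review, out-of-band confirmation) remain the backstop for messages that pass.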

 

Ransomware is Everywhere

There’s no question that ransomware is on the rise. In the 2022 SonicWall Cyber Threat Report, SonicWall Capture Labs threat researchers reported 623.3 million ransomware attacks globally, a 105% year-over-year increase. And many industries saw triple- and even quadruple-digit spikes, such as government (+1,885%), healthcare (+755%) and education (+152%).

If your organization hasn’t yet dealt with an attack like this, however, it’s easy to see ransomware as an unusual and far-off problem. While this may have been true 10 years ago, today ransomware touches every facet of our lives.

To illustrate both the pervasiveness of ransomware and its ability to disrupt the life of an average person, we’ve constructed an average day that any business traveler might experience:

At 7 a.m., the alarm on your Apple iPhone jolts you awake to start another day. You suds up with some Avon body wash, pull on your Guess slacks and a Boggi Milano blazer, and grab your Kenneth Cole briefcase before heading out the door.

Once inside your Honda Passport, you tune in to your favorite sports podcast, where they’re recapping last night’s San Francisco 49ers game. You become so immersed in the discussion you almost forget to stop for fuel — you grab a Coke while you’re there, just in case you’re waiting a while for your flight.

Once you get to the airport, you check in, then look for a quiet place to get some work done. Fortunately, at this point the lounge is deserted. You dig out your Bose earbuds and stream some Radiohead from your laptop while you wait for boarding.

Your flight is uneventful, and the crowds at Hartsfield-Jackson International are almost as sparse as the ones at Cleveland Hopkins International. But unfortunately, you’re completely famished by this point. There’s a McDonalds on Concourse A, and you order a cheeseburger.

The evening is young and you consider going out, but it’s been a long day. On your way to check in at the Ritz Carlton, you decide to stop at a Barnes and Noble. You grab a graphic novel and treat yourself to a box of SweeTarts to enjoy during your quiet night in.

According to the cable listings, there’s an NBA game on TV, but it doesn’t start until 9 p.m. — giving you a few minutes to log in to Kronos and get a head start on expense reports. With a full day of meetings ahead of you, you enjoy a hot shower, pull on your pajamas and slippers, and head off to bed.

While the number of organizations affected by ransomware grows every day, yours doesn’t have to be one of them. Part of avoiding ransomware is knowing how ransomware groups operate, what industries they target and where they’re likely to hit next. For a comprehensive look at SonicWall’s exclusive ransomware data for the past year, download the 2022 SonicWall Cyber Threat Report.

Capture Client 3.7: Rapid Threat Hunting with Deep Visibility and Storylines

As a threat hunter, your main mission is to understand the behavior of your endpoints and to capture abnormal behavior with rapid mitigation actions. You need the ability to, with a single click, search your fleet for indicators such as those mapped by the MITRE ATT&CK framework. You also need the ability to automate threat hunts for known attacks according to your own criteria.

With SonicWall Capture Client’s new Storylines capability, you can do all this and more, faster than ever before. Let’s take a look.

What is a Storyline?

Capture Client’s Deep Visibility offers rapid threat hunting capabilities thanks to SentinelOne’s patented Storylines technology. Each autonomous agent builds a model of its endpoint infrastructure and real-time running behavior.

The Storyline ID is an ID given to a group of related events in this model. When you find an abnormal event that seems relevant, use the Storyline ID to quickly find all related processes, files, threads, events and other data with a single query.

With Storylines, Deep Visibility returns full, contextualized data — including context, relationships and activities — allowing you to swiftly understand the root cause behind a threat with one search.

Image describing a query

The Storylines are continuously updated in real time as new telemetry data is ingested, providing a full picture of activity on an endpoint over time. This allows greater visibility, enables easy threat hunting and saves time.

Deep Visibility Comes with Ease of Use

Threat hunting in the Management console’s graphical user interface is powerful and intuitive. The Deep Visibility query language is based on a user-friendly SQL subset common on many other tools.

The interface assists in building the correct syntax by providing completion suggestions and a one-click command palette. This saves time and spares threat hunters — even those unfamiliar with the syntax — the pain of remembering how to construct queries.

A visual indicator shows whether the syntax is valid or not, eliminating time spent waiting for a bad query to return an error.

For example, users can search for a common “Living off the Land” technique by running a query across a 12-month period to return every process that added a net user:

Image describing common technique

(We also provide a great cheatsheet to rapidly power up your team’s threat hunting capabilities here.)

Use Case: Responding to Incidents

Suppose you’ve seen a report of a new Indicator of Compromise (IOC) in your threat intel feeds. Has your organization been exposed to it? With Storylines, you can quickly find out with a simple query across your environment. Here’s how:

In the Console’s Forensics view, copy the hash of the detection. In the Visibility view, begin typing in the query search field and select the appropriate hash algorithm from the command palette. Select or type =, then paste the hash to complete the query.

Image describing visibility view

The results will show all endpoints that ever had the file installed. Constructing powerful threat hunting queries is that simple, even for members of your team with little to no experience with SQL-style syntax.

Deep Visibility = Fast Results

Forget about using query time to grab a cup of coffee: Deep Visibility returns results lightning fast. And thanks to its Streaming mode, you can preview the results of subqueries before the complete query is done.

Deep Visibility query results show detailed information from all your endpoints, displaying attributes like path, Process ID, True Context ID and much more.

With Deep Visibility, you can consume the data earlier, filter the data more easily, pivot for new drill-down queries, and understand the overall story much more quickly than with other EDR products.

Quicker Query of MITRE Behavioral Indicators

Deep Visibility makes hunting for MITRE ATT&CK TTPs fast and painless. It’s as easy as entering the MITRE ID.

For example, you could search your entire fleet for any process or event with behavioral characteristics of process injection with one simple query:

IndicatorDescription Contains “T1055”

There’s no need to form separate queries for different platforms. With Deep Visibility, a single query will return results from all your endpoints regardless of whether they are running Windows, Linux or macOS.
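The Part 1 conclusion draws the line between “Telemetry” and “Technique” detections and argues for aggregating techniques into single incident alerts; the Storyline ID, the “net user” query and the T1055 query above are the pieces that make that possible. The following is an added example, not code from the original post or from Capture Client or SentinelOne, that runs two detection rules over constructed process telemetry (a process adding a local account, and an agent-supplied indicator naming an ATT&CK ID), folds the hits into one incident per Storyline ID, and answers the IOC question from the incident-response use case with a fleet-wide hash lookup. The event field names, the rules, the hash value and the sample events are all assumptions made for the example.

```python
"""Added example: technique-tag constructed process telemetry, aggregate by
Storyline ID, and look up an IOC hash across hosts. Not the product's code."""
import re
from datetime import datetime

# Rule 1: net.exe / net1.exe adding a local account (ATT&CK T1136.001, Create Account: Local Account).
NET_USER_ADD = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+\S+(?:\s+\S+)?\s+/add\b", re.IGNORECASE)
# Rule 2: the agent already attached a behavioral indicator that names an ATT&CK ID.
ATTACK_ID = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")
# Constructed IOC value (64 hex characters, not a real file hash).
IOC_SHA256 = "deadbeef" * 8

# Constructed telemetry; the Storyline ID ties each process to its tree of related events.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "host": "ws-17", "storyline_id": "S-100", "pid": 4120,
     "image": "outlook.exe", "cmdline": "outlook.exe", "sha256": "11" * 32, "indicators": []},
    {"ts": "2024-03-01T09:00:05", "host": "ws-17", "storyline_id": "S-100", "pid": 4188,
     "image": "powershell.exe", "cmdline": "powershell.exe -File collect.ps1",
     "sha256": "22" * 32, "indicators": ["Process injection into lsass.exe (T1055)"]},
    {"ts": "2024-03-01T09:00:09", "host": "ws-17", "storyline_id": "S-100", "pid": 4201,
     "image": "net.exe", "cmdline": "net user backup_svc Pa55w0rd /add",
     "sha256": "33" * 32, "indicators": []},
    {"ts": "2024-03-01T11:30:00", "host": "srv-db1", "storyline_id": "S-200", "pid": 900,
     "image": "sqlservr.exe", "cmdline": "sqlservr.exe", "sha256": IOC_SHA256, "indicators": []},
    {"ts": "2023-01-15T08:00:00", "host": "ws-03", "storyline_id": "S-050", "pid": 77,
     "image": "net1.exe", "cmdline": "C:\\Windows\\System32\\net1.exe user helpdesk temp /add",
     "sha256": "44" * 32, "indicators": []},
]


def techniques_for_event(event):
    """Return the ATT&CK IDs an event evidences; an empty set means plain telemetry."""
    found = set()
    if NET_USER_ADD.search(event["cmdline"]):
        found.add("T1136.001")
    for description in event.get("indicators", []):
        match = ATTACK_ID.search(description)
        if match:
            found.add(match.group(0))
    return found


def build_incidents(events, since):
    """One incident per Storyline ID, carrying every technique seen since the cutoff."""
    incidents = {}
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        if ts < since:
            continue
        techniques = techniques_for_event(event)
        if not techniques:
            continue  # telemetry only: stays queryable, but raises no alert on its own
        inc = incidents.setdefault(event["storyline_id"], {
            "storyline_id": event["storyline_id"], "first_seen": ts,
            "hosts": set(), "techniques": set(), "event_count": 0})
        inc["first_seen"] = min(inc["first_seen"], ts)
        inc["hosts"].add(event["host"])
        inc["techniques"] |= techniques
        inc["event_count"] += 1
    for inc in incidents.values():
        inc["hosts"] = sorted(inc["hosts"])
        inc["techniques"] = sorted(inc["techniques"])
    return sorted(incidents.values(), key=lambda i: i["first_seen"])


def endpoints_with_hash(events, sha256):
    """Fleet-wide answer to 'has this IOC ever run here?': hosts that executed the file."""
    return sorted({e["host"] for e in events if e["sha256"].lower() == sha256.lower()})


if __name__ == "__main__":
    for incident in build_incidents(SAMPLE_EVENTS, datetime(2023, 6, 1)):
        print(incident)
    print("IOC seen on:", endpoints_with_hash(SAMPLE_EVENTS, IOC_SHA256))
```

With the cutoff set to June 2023, the three S-100 events collapse into a single alert tagged T1055 and T1136.001 rather than two separate detections, the older S-050 account creation drops out of the window, and the database server is reported only through the hash lookup, since nothing in its telemetry matched a technique rule.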

Image describing all results

Stay Ahead with Automated Hunts

Deep Visibility is designed to lighten the load on your team in every way, including giving you tools such as Watchlist, which allows you to set up and run custom threat hunting searches on your own schedule.

Creating a Watchlist is simplicity itself. In the Visibility view of the Management console, run your query. Then, click “Save new set,” choose a name for the Watchlist, and choose who should be notified. That’s it. The threat hunt will run across your environment at the specified timing interval and the recipients will receive alerts of all results.

With Storyline Automated Response (STAR) Custom Rules, you can save Deep Visibility queries or define new ones, let the queries run periodically and get notifications when a query returns results. This helps ensure your organization is secure regardless of whether you or your team are on duty.

Deep Insight at Every Level

Deep Visibility is built for granularity, allowing you to drill down on any piece of information from a query result.

Each column shows an alphabetical, filterable list of the matching items. Expanding the cell displays details; for most of these details, you can open a submenu and drill down even further. Or just use the selected details to run a new query.

Conclusion

As detailed in the 2022 SonicWall Cyber Threat Report, attacks of all types are on the rise. So it’s never been more important to proactively hunt for threats and find suspicious behaviors in their early stages — or to ensure your SOC has the tools to be as agile and efficient as possible.

SentinelOne’s Deep Visibility capabilities are available with Capture Client Premier. Click here for a free trial of Capture Client to see how Deep Visibility’s ease of use, speed and context can greatly improve your mean-time-to-detection and free up your analysts’ time.

Don’t Let Global Supply Chain Issues Impact Your Security

Switch to SonicWall and secure your environment today without supply chain delays.

Every so often, we get clear examples of why it pays to be prepared. But, as the pandemic continues to impact the global workforce, it also reveals how interconnected and fragile the global supply chain can be.

A recent survey found that 75% of companies have had negative or strongly negative impacts on their businesses due to disruption from the COVID-19 pandemic. Especially vulnerable and consequential in this tale has been the computer chip shortage and its effect on security vendors. Many firms do not have the product in their inventory to meet their customers’ demands. To remedy these problems, vendors are trying many approaches, ranging from delaying upgrades, upselling more expensive products and cutting functionality to outright EOL-ing (End-Of-Life) some products.

In cybersecurity, such delays can be catastrophic. As ransomware gangs roam global networks seemingly unopposed, shortages and supply disruptions inflict a full range of unpleasant experiences on network managers, from uncertainty to total disruption of their network security expansion plans. The situation is increasingly problematic, as delays expose networks to unnecessary risk while attackers take advantage of known and fixable gaps in security. Network managers understand, but who can blame them for seeking out more reliable sources?

Not all Security Vendors Are Impacted Equally by Shortages

The fact is, not all security vendors are impacted at the same level. Some had the foresight to manage the situation, mitigating the risk and effect of global shortages and delays. At SonicWall, we got busy working diligently to minimize disruptions and maintain a robust product supply. At the earliest signs of shortages, we started working with our partners to strategically manage our supply positions. Collaborating diligently with our suppliers, we identified crucial parts and increased our supply in anticipation of a strong rebound. As a result, SonicWall is fulfilling 95% of orders within three days of receiving them.

Benjamin Franklin wrote, “By failing to prepare, you are preparing to fail.” We’ve taken that adage to heart by working closely with our suppliers to identify shortages in the supply chain and redesigned our solutions to take advantage of more readily available parts without sacrificing the quality or durability of our products. These preparatory efforts were well worth it, given the severity of the chip shortage that persists. Having successfully met global challenges in the supply chain allows us to respond to our customer needs more readily with the solutions they need.

The Rewards of Being Prepared

By being prepared, we acted on our customers’ behalf. The reward for all our work is a strong inventory of products, while many of our competitors struggle to fill theirs. If your current security vendor is giving you excuses and can’t offer you the solution you need in a timely manner, it is time to talk to SonicWall. We are ready to deliver the products you need and work with you to implement them now.

Contact Us for more information.

How Unified Cloud Simplifies Network Switch Management

SonicWall Wireless Network Manager (WNM) unifies and simplifies network switches, access points, and network-wide configuration control.

Network managers are busy and getting busier. Not only do they have record-breaking cyberthreats and new security mandates piling up, but they also have the day-to-day tasks of managing resources, provisioning assets, and monitoring the entire network ecology. Then there are the productivity issues of having to do it all and not get lost in layers of software accounts and user interfaces.

Network switches help control the complexity. Switches are an essential tool for connecting computers, servers, and other network resources. They’re also a primary means of controlling devices and traffic and adjusting a network’s security profile whenever necessary.

Unified cloud management is the natural next step in managing network switches. At a very simple level, unified cloud management facilitates configuring and monitoring thousands of switch ports instantaneously over the web. But dive deeper, and there is a panoply of capability and functionality that allows IT teams to work smarter – accomplishing major tasks with just a few simple clicks on a cloud-based interface and without deploying a staff of on-site smart hands to guide processes.

Next Level Network Switch Management

SonicWall Wireless Network Manager (WNM) is the “next level” unified cloud management system. WNM is designed to give IT teams an intuitive tool for one-touch wireless and switching network management capabilities while giving them data-rich analytics and easy onboarding workflows from a single pane of glass. In addition, WNM’s cloud-based infrastructure helps simplify access, control and troubleshooting by unifying multiple tenants, locations and zones.

From one interface, managers provision remote sites, deploy network-wide configuration changes and manage campus and distributed networks. By working via the cloud, SonicWall WNM significantly reduces the need for dedicated technical training and for deploying dedicated staff to smart-touch devices and other resources.

In addition, cloud-managed switches and access points have additional cloud-based management functionality. For example, they automatically discover wired and wireless devices connected to a network and then draw the topology, enabling network administrators to quickly troubleshoot issues remotely.

WNM supports thousands of SonicWave access points and SonicWall Switches without the cost of complex overlay management systems. With the release of WNM 3.5, administrators can control SonicWall switches and existing SonicWave access points all at once. Onboarding and deployment of SonicWall switches and access points are automatic and networks are up in minutes.

Single-pane-of-glass Network Management

We mentioned WNM’s single-pane-of-glass design. What this means is that WNM provides an intuitive dashboard that not only simplifies control but also unifies visual data. In addition, it comes as an integrated part of the SonicWall Capture Security Center ecosystem, where IT teams can efficiently and effectively manage just about every aspect of networks of any size.

Administrators can drill down to specific managed devices for granular data and status, plus examine a detailed view of network hierarchy right down to single policies created at the tenant level that are pushed down to various locations and zones. In addition, WNM is highly scalable, from a single site to global enterprise networks with tens of thousands of managed devices supporting multiple tenants.

Stable and Reliable Operations

WNM delivers the stability and reliability of the cloud. During an Internet outage, access points and switches can continue to work without WNM, ensuring business continuity. Two-factor authentication and packet encryption heighten security. Automatic firmware and security updates keep managed devices up to date. Selectively apply Production, Beta or Patch firmware on each managed device as needed. Automatically send reports to multiple recipients at the same time.

Zero-Touch Deployment and Advanced Analysis Tools

With WNM and Zero-Touch Deployment, an array of SonicWall switches can be up and running in minutes. Register and onboard the devices from anywhere with the SonicExpress app. Plus, WNM’s topology tool provides network topology maps and managed device statistics for quick visual analysis of every aspect of the network.

Lower Total Cost of Ownership

SonicWall Wireless Network Manager drives down the total cost of ownership by shifting capital expenditures to operating expenses. Wireless Network Manager cuts out the cost and maintenance of redundant hardware-based controllers and optimizes data center rack space. In addition, its intuitive interface reduces training and administrative overhead costs.

Even with a limited staff, and no matter the size of your network, SonicWall Wireless Network Manager offers unified visibility and control in a secure, Wi-Fi cloud-managed solution. To learn more, visit sonicwall.com/wnm.

SonicWall NSsp 15700 vs. Fortinet FG 3600E

Choosing between two leading enterprise firewalls

Legacy cybersecurity solutions are no match for today’s hyper-distributed businesses. Safeguarding against modern threats requires stronger secure gateways capable of protecting a radically redefined perimeter. To stay ahead of the evolving threats, it’s time for security professionals to embrace modern Next-Generation Firewalls (NGFW).

The firewalls of today are vastly more agile, more capable, and more powerful than when the technology debuted 20 years ago. But not all firewalls are created equal — they come in different form factors, network interfaces and security packages. These packages may or may not include services such as IPS, application control, content filtering, anti-malware, DNS security and cloud management. To further complicate matters, there are enough firewall vendors in the market today that it can be difficult for the average customer to choose the right solution for their environment.

In March 2021, SonicWall commissioned Tolly Group to compare SonicWall NSa 2700 with the Fortinet FG 100F — and their report showed the NSa 2700 is a better choice for medium enterprises. Then, in July 2021, Tolly Group compared the price and performance of two firewalls designed for larger enterprises — SonicWall’s NSsp 15700 to the Fortinet FG 3600E. The two firewalls have a similar form factor and are comparable from a single appliance price point.

When choosing the right security solution, there are three key considerations: price, performance and protection. The ideal choice is the device that costs the least while providing similar performance and a comparable or better feature set than the alternative. Tolly used the published numbers and prices from both vendors to calculate the Total Cost of Ownership (TCO) for a 3-year, High-Availability appliance model with comparable security features. The full report is here. Here are a few of the key findings:

SonicWall’s three-year TCO is less than half that of Fortinet

This report compares SonicWall’s NSsp 15700 Total Secure Essential Edition with Fortinet FG-3600E Unified Threat Protection, both configured in HA mode. The SonicWall solution has a significantly lower TCO mainly because SonicWall does not require the purchase of a firewall license for the second unit. At $885,000, the Fortinet FG 3600E 3-year TCO is more than two times the $440,200 price of the SonicWall NSsp 15700 (see Figure 1).

SonicWall’s advertised threat prevention throughput is more than 2.5 times that of Fortinet

When looking at product data sheets, it’s not uncommon to be overwhelmed with multiple performance numbers. When evaluating a security appliance, you should look for performance numbers that will most closely replicate how you will use the solution in your environment. In the case of a firewall, that number is usually threat protection/prevention with most security features turned on.

While the two firewalls have similar form factor and price per appliance, SonicWall’s solution offers 80 Gbps threat prevention throughput, compared to Fortinet’s 30 Gbps.

SonicWall has a dramatically lower price-to-performance ratio

At the end of the day, what is most important to an organization is how much they have to spend to protect their environment while maximizing performance. For a firewall, that measure is commonly referred to as the price-to-performance ratio and is calculated by dividing the TCO by the relevant performance benchmark.

As detailed in Table 1, the cost of protecting each gigabit per second of network traffic for Fortinet ($29,500) is 5.5 times higher than SonicWall ($5,368).

Conclusion

Firewalls differ in pricing, packaging, performance and features, which can make it difficult to choose between them. Given that a firewall purchase is a long-term investment, it is important to obtain and compare the three- to five-year total cost of ownership rather than looking only at list prices. It is clear that SonicWall firewalls, including both the NSa 2700 for medium enterprises and the NSsp 15700 for large enterprises, outperform comparable Fortinet firewalls at a lower total cost of ownership.

SD-WAN and VPN Orchestrations: Fast-Tracking Enterprise Growth

If you’re planning to onboard multiple branches or refresh existing sites with newer firewalls, SonicWall now offers options to help you effortlessly fast-track the process.

We recently announced the expansion of our Network Security Manager version 2.3, which introduced three essential firewall management capabilities: Template Variables, SD-WAN, and VPN Orchestration and Monitoring. These new features help facilitate the rapid deployment, provisioning and central management of your enterprise-wide SD-Branch operations globally.

Template Variables

Here’s a typical use case for Template Variables: Say a security operating center (SOC) for a large enterprise retailer wants to quickly build out hundreds of store locations using a single template configuration, eliminating manual configuration at each site. The administrator seeks an easy-to-use tool to automatically assign a unique interface, subnet, gateway IP and static routes to the firewall, all while keeping all other settings and policies consistent across all sites. NSM 2.3’s new Template Variables feature enables them to do precisely this.

When configuring a Template using Template Variables to assign a device-specific value — such as an IP address, subnet and gateway IP, or static route — the admin can turn any firewall parameter that requires a unique value into a variable object within the template configuration. For example, the Template Variables object “testv4Obj” in Figure 1 shows that a variable can stand in for any octet of the IP address.

For the firewall device named “test,” the second, third and fourth octets are set as variable objects. When the Template with Template Variables configuration is committed and deployed, NSM resolves the device-unique value for the associated firewall device. This happens as the Template is pushed across multiple devices or device groups.

In this scenario, “test” is assigned an IP address of 10.5.5.10, while “demo_tz670_gen7” is given the value 10.101.1.10. Template Variables preserve the uniqueness of the device-specific value during the commit and deploy process.

Other examples of such parameters are DNS server IP, hostname, FQDN, etc. You can also use variables inside access rules in the form of address objects.

Whether you have a single site or hundreds of sites, the Template Variable within the Template configuration workflow makes building out any number of sites super-fast. It does this by auto-provisioning device-specific configurations for each firewall. As a result, distributed enterprises can onboard and secure new branch facilities quickly and easily, eliminating separate manual setups for each device at every location.
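As an added illustration (not NSM’s own code), here is a small Python model of how a template with variable objects resolves per-device values at deploy time, using the device names and addresses from the text; the `{var}` placeholder syntax, the gateway convention, the DNS/hostname values and the helper names are assumptions.

```python
# Added example, not NSM code: a minimal model of template-variable resolution.
# Device names and the addresses 10.5.5.10 / 10.101.1.10 come from the text;
# the "{var}" syntax, the .1 gateway convention, the DNS and hostname values
# and the function names are assumptions made for this illustration.
import ipaddress
import re

# Constructed template: the WAN interface's 2nd-4th octets are variable objects
# (mirroring the "test" device in the text); every other setting is fixed so it
# stays identical across all sites.
TEMPLATE = {
    "X1_ip":      "10.{testv4Obj_o2}.{testv4Obj_o3}.{testv4Obj_o4}",
    "X1_mask":    "255.255.255.0",
    "X1_gateway": "10.{testv4Obj_o2}.{testv4Obj_o3}.1",   # assumed convention
    "dns_server": "{dnsv4Obj}",
    "hostname":   "{hostnameObj}",
}

# Constructed per-device values: the only part of the config that differs per site.
DEVICE_VALUES = {
    "test": {"testv4Obj_o2": "5", "testv4Obj_o3": "5", "testv4Obj_o4": "10",
             "dnsv4Obj": "10.5.5.53", "hostnameObj": "test"},
    "demo_tz670_gen7": {"testv4Obj_o2": "101", "testv4Obj_o3": "1", "testv4Obj_o4": "10",
                        "dnsv4Obj": "10.101.1.53", "hostnameObj": "demo-tz670"},
}

VAR_RE = re.compile(r"\{([A-Za-z0-9_]+)\}")


def resolve_template(template, values):
    """Substitute variable objects for one device; fail closed on gaps or bad values."""
    resolved = {}
    for param, tpl in template.items():
        missing = [v for v in VAR_RE.findall(tpl) if v not in values]
        if missing:
            # A placeholder must never reach a firewall: refuse to resolve.
            raise ValueError(f"{param}: no value for variable(s) {missing}")
        value = VAR_RE.sub(lambda m: values[m.group(1)], tpl)
        # IP-shaped parameters must still be valid addresses after substitution,
        # so an octet value such as "300" is rejected before commit.
        if param.endswith(("_ip", "_gateway")) or param == "dns_server":
            ipaddress.IPv4Address(value)  # raises AddressValueError (a ValueError)
        resolved[param] = value
    return resolved


def deploy(template, device_values):
    """Resolve the template for every device; one bad device blocks the whole push."""
    return {dev: resolve_template(template, vals) for dev, vals in device_values.items()}


if __name__ == "__main__":
    for dev, cfg in deploy(TEMPLATE, DEVICE_VALUES).items():
        print(dev, cfg["X1_ip"], cfg["X1_gateway"], cfg["hostname"])
```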

SD-WAN Orchestration and Monitoring

The use case for the SD-WAN Orchestration feature is similar to that of Template Variables. A typical scenario is a distributed enterprise SOC that wants to operationalize multiple branches with SD-WAN connectivity to communicate with one another.

The admin wants to — from one place — centrally deploy, provision and manage SD-WAN networks and application routing services across all sites. The goal in a case like this is to ensure business-critical applications never slow down or shut off and that they continually operate at peak performance. The NSM 2.3 SD-WAN Orchestration feature enables the enterprise SOC to do all that.

Using an intuitive, self-guided workflow, administrators can build, operate and manage an enterprise-wide SD-WAN network. This is done by establishing and enforcing application-based traffic and other traffic steering configurations across and between thousands of sites, all with minimal effort.

The SD-WAN Monitoring feature lets admins proactively observe the health and performance of their SD-WAN environment, such as interface status, utilization and performance service level. This information allows network infrastructure teams to:

  1. Troubleshoot and resolve issues quickly
  2. Ensure consistent SD-WAN configurations across all sites
  3. Drive the optimal level of WAN and application performance

VPN Orchestration and Monitoring

Setting up and configuring VPNs in a distributed enterprise with multi-location and multi-cloud networks can be burdensome. It may even be problematic for specific deployment scenarios and less experienced administrators. Enterprise SOCs want to make this process easier for their network admins — and they expect a simple and procedural way to set up VPN settings and policies so that any network admin at any skill level can configure everything via a streamlined process. Once VPN tunnels are established across the enterprise, enterprise SOCs also demand visibility into all network traffic going through the VPN tunnels.

The NSM 2.3 VPN Orchestration feature helps admins establish site-to-site connectivity and communication quickly and without errors by using a repeatable, self-guided workflow. This feature enables them to centrally configure VPN settings and policies using a wizard-based, step-by-step setup process.

Additionally, the VPN Monitoring feature gives admins complete visibility into their entire VPN environment’s activities, health and performance. Admins can leverage this information to monitor connection status, data transfers and bandwidth consumed over those VPN tunnels. At the same time, alerts allow admins to proactively maintain the integrity of VPN connections, ensuring continuous connectivity between sites.

New SonicWall NSsp 13700 Firewall: Security for Large Enterprises

The enterprise perimeter now extends to anywhere that work gets done. Remote-first and boundless workforces are the new business reality, and the hyper-distributed business is here to stay. These and other shifts resulting from the COVID-19 pandemic have not and will not end any time soon. But an increase in attacks, combined with more employees working from home, puts organizations at a much higher risk.

The so-called “new business normal” didn’t happen in a vacuum — it created a new normal for cybercriminals, as well. These threat actors have been redoubling their efforts, often specifically targeting remote workers.

Today’s distributed IT reality is creating an unprecedented explosion of exposure points across organizations. As exposure points continue to multiply, business risks continue to escalate. Regardless of whether your entry points are on premises, in the cloud, in the data center, at a branch office or in a home office, each one needs to be protected from today’s increasingly sophisticated threats.

Ransomware continues to be both the preferred tool for cybercriminals and the most formidable threat to corporations. According to the 2021 SonicWall Cyber Threat Report, a staggering 304.6 million ransomware attacks occurred in 2020, compared to 121.4 million in 2019.

To best solve these challenges, enterprises need to be able to deploy enterprise-grade security technologies while minimizing costs. The SonicWall Network Security services platform (NSsp) high-end firewall series delivers the advanced threat protection, fast speeds and budget-friendly price that large enterprises, data centers and service providers demand.

Introducing SonicWall NSsp 13700: an NGFW for Enterprises, Government, Higher Ed and MSSPs

The SonicWall NSsp 13700 is a next-generation firewall (NGFW) with multiple 100/40/25/10/5/2.5/1.0 GbE interfaces, capable of processing millions of connections. Its high-speed connectivity and large port density — coupled with superior IPS and TLS1.3 inspection support — make the new NSsp 13700 an ideal threat protection platform for enterprise internet edge and data center deployments.

SonicWall NSsp 13700 combines validated security effectiveness and best-in-class price performance in a high-end, single-rack-mountable NGFW appliance.

What’s New

High-speed connectivity, port density and performance

NSsp 13700 is an energy-efficient, reliable appliance in a compact 1U form factor. Powered by the next-generation SonicOS 7.0.1 operating system, it is capable of processing millions of encrypted and unencrypted connections to deliver the uncompromised security required by large organizations.

The high-port-density NSsp 13700 includes 2x100GbE, 8x25GbE, 8x10/5/2.5/1GbE and 16x1GbE interfaces. It features a dedicated management port, 512GB of built-in storage, and redundant power supplies and fans.

Specifications at a glance:

  • 45.5 Gbps of threat prevention throughput
  • 57 Gbps of application inspection throughput
  • 48 Gbps of IPS throughput
  • 16.5 Gbps of TLS inspection throughput
  • 14 million stateful connections
  • 12 million DPI connections
  • 100/40/25/10 GbE interfaces
  • Redundant power supply and fans

Powered by the new SonicOS 7.0.1

The SonicWall NSsp 13700 runs on SonicOS 7.0.1, a new operating system built from the ground up to deliver a modern user interface, intuitive workflows and user-first design principles. SonicOS 7.0 provides multiple features that facilitate enterprise-level workflows, as well as easy configuration and simplified and flexible management — all of which allow enterprises to improve both their security and their operational efficiency.

SonicOS 7.0.1 features:

  • Sandboxing using Reassembly-Free Deep Packet Inspection® (RFDPI) and Real-Time Deep Memory Inspection™ (RTDMI) technology
  • Secure SD-WAN
  • High Availability
  • TLS 1.3 support
  • DNS Security
  • Gateway Anti-Virus, Intrusion Prevention and Application Control
  • Capture ATP Multi-Engine Sandboxing
  • URL Filtering
  • Error-free change management with Network Security Manager (NSM)
  • New intuitive dashboards, single-pane-of-glass management
  • New application framework
  • Enhanced APIs
  • Configuration audit
  • Notification center providing actionable alerts
  • Usage statistics for rules, objects and services

More details about the new SonicOS 7.0.1 can be found here.

Overall Solution Value

With the introduction of the new NSsp 13700 NGFW, SonicWall continues its commitment to providing enterprise-class security at a very reasonable TCO, all without compromising performance.

The SonicWall NSsp 13700 provides enterprises and data centers with scalable, deep security at multi-gigabit speeds. And by eliminating additional HA firewall license and security services costs, the NSsp 13700 offers huge cost savings.

To learn more about the new NSsp 13700, watch this video or visit www.sonicwall.com/nssp.

SonicWall NSa 4700 and 6700: The Newest Next-Generation Firewalls for Medium Enterprises

When it comes to solving business challenges, enterprises are generally eager to adopt new technologies, such as cloud computing, workforce mobility and automation. But now, more than a year after the COVID-19 pandemic massively accelerated the adoption of digital technologies, many enterprises are finding their digital transformation journey laden with new challenges — including a surge in connected devices, encrypted connections, bandwidth needs and continually evolving evasive attacks.

This increase in new potential threat vectors has driven a spike in just about every form of attack. Today, emboldened cybercriminals are launching increasingly sophisticated zero-day attacks, ransomware and more — many of which evade traditional perimeter defenses.

To meet these challenges, IT directors need a highly reliable next-generation firewall (NGFW) — one that can not only scale to support millions of connections, but can also scan these connections for threats over multi-gigabit speeds without compromising performance. It also must be cost-effective, easily manageable, capable of handling high bandwidth, and able to support multiple networks and clouds.

Introducing the SonicWall NSa 4700 and 6700: Gen 7 NGFWs with high-speed connectivity and performance

The SonicWall Network Security Appliance (NSa) 4700 and 6700 NGFWs feature high-speed connectivity, including multiple 1, 2.5, 5, 10, 25 and 40 GbE ports. They protect mid-size networks with comprehensive integrated security services, such as malware analysis, encrypted traffic inspection, cloud application security and URL filtering. These NGFWs also support centralized management with a truly intuitive single-user interface, significantly improving operational efficiency.

SonicWall NSa 4700 and 6700 run on the new SonicOS 7.0, and include advanced networking features such as high availability, SD-WAN and dynamic routing. These firewalls combine validated security effectiveness and best-in-class price performance in a single rack unit appliance.

In short, medium enterprises can now get the performance, networking and security capabilities they need from their NGFWs without breaking the bank.

Figure 1 – NSa 4700 Hardware: Closer Look

Figure 2 – NSa 6700 Hardware: Closer Look

NSa 4700 and 6700 Next-Generation Firewall Highlights

Appliance at a glance

The NSa 4700 and 6700 are energy-efficient, reliable appliances in a compact 1U form factor. They’re capable of processing millions of connections while delivering multi-gigabit application inspection and threat prevention throughput.

Here are a few of the high-level features that make NSa 4700 and 6700 attractive options for medium and distributed enterprises:

Hardware

| | NSa 4700 | NSa 6700 |
|---|---|---|
| Interfaces | 6 x 10G/5G/2.5G/1G (SFP+); 24 x 1GbE (Cu) | 2 x 40G; 8 x 25G; 4 x 10G/5G/2.5G/1G (SFP+); 4 x 10G/5G/2.5G/1G (Cu); 16 x 1GbE (Cu) |
| Built-in Storage | 128 GB | 256 GB |
| Redundant Power Supplies | Yes | Yes |
| Management Ports | 1 GbE | 1 GbE |
| USB Ports | 2 | 2 |

Performance

| | NSa 4700 | NSa 6700 |
|---|---|---|
| Firewall inspection throughput | 18 Gbps | 36 Gbps |
| Threat prevention throughput | 9.5 Gbps | 19 Gbps |
| Application inspection throughput | 11 Gbps | 20 Gbps |
| IPS throughput | 10 Gbps | 20 Gbps |
| DPI SSL throughput | 5 Gbps | 9 Gbps |
| VPN throughput | 11 Gbps | 19 Gbps |
| Site-to-site VPN tunnels | 4,000 | 6,000 |
| IPSec VPN client licenses | 500 standard, non-shareable / 3,000 max | 2,000 standard, non-shareable / 6,000 max |
| SSL VPN client licenses | 2 bundled / 1,000 max | 2 bundled / 1,500 max |
| Maximum connections (SPI/DPI/DPI SSL) | 4M / 2M / 350K | 8M / 6M / 750K |

Powered by the new SonicOS 7.0

The SonicWall NSa 4700 and 6700 run on SonicOS 7.0, the latest version of our SonicOS operating system. This OS was built from the ground up to deliver a modern user interface, intuitive workflows and user-first design principles. It provides multiple features designed to facilitate enterprise-level workflows, easy configuration, and simplified and flexible management — all of which allow enterprises to improve security and operational efficiency.

SonicOS 7.0 features:

More details about the new SonicOS 7.0 can be found here.

NSa 4700 and 6700 Deployment Options

SonicWall NSa 4700 and 6700 have two main deployment options:

Internet Edge Deployment

In this standard deployment option, SonicWall NSa protects private networks from malicious internet traffic, allowing you to:

  • Deploy a proven NGFW solution with highest performance and port density (including 40 GbE connectivity) in its class
  • Gain visibility and inspect encrypted traffic, including TLS 1.3, to block evasive threats coming from the Internet — all without compromising performance
  • Protect your enterprise with integrated security, including malware analysis, cloud app security, URL filtering and sandboxing services

Medium and Distributed Enterprise Deployment

The SonicWall NSa supports SD-WAN and can be centrally managed, making it an ideal fit for medium and distributed enterprises. By leveraging NSa’s high port density, which includes 10, 25 and 40 GbE connectivity, enterprises can support distributed branches and wide area networks. This deployment allows organizations to:

  • Provide direct, secure internet access to distributed branch offices instead of backhauling through corporate headquarters
  • Allow distributed branches to securely access internal resources in corporate headquarters or in a public cloud, significantly improving application latency
  • Reduce complexity and improve operations by using a central management system, which is accessed through an intuitive, single-pane-of-glass user interface

Overall Solution Value

The new NSa 4700 and 6700 offer enterprises a best-in-class next-generation firewall with high speed and port density, all at a lower total cost of ownership. With integrated security services like malware analysis, URL filtering and sandboxing, the newest NSa appliances deliver superb protection from advanced threats.

To learn more about the new Generation 7 NSa Series, watch the video or click here.