The security industry likes to create acronyms – IAM, UTM, NGFW, MFA, EDR, etc. Perhaps it comes from the general human tendency of wanting to simply define complex topics. In an ever-changing industry, like information security, these acronyms and groupings create major challenges over time. Each year there are new threats, and with that comes more innovation and different approaches to security – all of which we try to initially force into predefined groupings – often diluting the value of the evolving technologies and confusing end-users. One such example is the ongoing attempt to force network security platforms into two distinct groups: Next-Generation Firewall (NGFW) and Unified Threat Management (UTM) appliances. The confusion between the two has become so apparent that analysts at last year’s Gartner’s Security and Risk Management Summit held a roundtable discussion on the very topic. The fact is that most end customers just want good security that solves their network security threats – they care less about NGFW and UTM. Today, I hope to both clear up some of that confusion, and share some data that quantitatively illustrates why UTM protections measurably increase your security efficacy.
UTM vs. NGFW; What’s the Difference?
At one point in time, when analysts first defined these two product segments, they had clear feature delineations in mind. At the highest level, NGFW appliances were firewalls with Intrusion prevention systems (IPS) and application control, whereas UTM appliances were firewalls with IPS, antivirus (AV), URL filtering, and anti-spam capabilities. However, over time both markets have organically evolved and changed. Now both solutions share a similar core set of capabilities. For instance, some NGFW solutions have added new security controls (like malware detection), which used to fall into the UTM camp. Meanwhile, UTMs have adopted all of the security features that helped define the NGFW market—such as application control—and have even added additional new security services to the mix.
This melding of feature sets between NGFW and UTM has made it a bit more difficult to differentiate products, but I think one high level description holds true. UTM solutions focus on unifying as many security controls as possible in one place, making them easier and more cost effective to manage, whereas NGFW solutions focus on only consolidating a limited subset of controls; specifically, ones that make the most sense in certain use cases, such as in a big data center environment. In plain English, UTM solutions tend to include more types of security controls than NGFWs.
How Layered UTM Security Improves Overall Defense
In essence, UTM’s core value proposition is that it combines many security controls in one place, increasing your overall security efficacy, and making layered security attainable for some organizations that couldn’t implement it otherwise. To really appreciate this, you need to understand why layered security improves your overall defense efficacy.
Ultimately, there are two reasons UTM layered security offers the best defense:
- No single security control is infallible – History has proven that information security is a constant arms race. The good guys invent a new security control that blocks an attack at first, but the bad guys react and find new ways to evade those defenses. Antivirus (AV) is a great example of this. The industry started with signature-based solutions that originally did a good job, but eventually the bad guys evolved, and reacted with new evasion techniques that bypassed reactive signature-based solutions. Today, we have more advanced, behavioral-based AV solutions, but already attackers are exploring ways to trick these new solutions. The point is, no matter how great a security control might seem, attackers will find ways around it, which is why it’s important to have the additional layers of security a UTM appliance provides to pick up the slack.
- There are different stages to a modern, blended attacks – You can break down modern network attacks into multiple stages. For example, the initial attack delivery, the exploit portion of the attack, the payload or malware delivery, the call home to the attacker, and so on. Security experts often refer to these stages as the Kill Chain. The importance of these stages is twofold; First, each stage is an additional opportunity for you to catch the attack. If you miss the first stage, you might still stop the second. Also, each of these stages requires a different type of defense. For instance, IPS isn’t intended to catch malware, but rather block software exploits. WatchGuard’s UTM appliances break the Kill Chain by incorporating all the different types of defenses necessary for each stage of an attack, and by layering them together so that a miss at one stage doesn’t rule out a block at another stage. Simply put, the more stages of an attack you protect against, the more effective your overall defense is, even when new threats bypass one defense.
At WatchGuard we care less about what you call what we do – UTM, multi-layered security, NGFW – we care more for the fact that we have created a mechanism to catch all the various stages of a modern network attack, and by layering these protections together, we give you multiple opportunities to block the threat even when one defense fails.
Don’t Just Take My Word for It!
On a theoretical level, it’s pretty easy to understand the value that WatchGuard’s layered UTM solutions provide, but analytical, scientific-minded people require quantifiable proof before they believe in any theory. Fortunately, NSS Labs, one of the world’s leading independent security product testing laboratories, has recently released a new threat warning service and testing methodology that proves the value of layered UTM security.
NSS Labs’ Cyber Advanced Warning System (CAWS) enables vendors and end-users alike to view how effectively a variety of network security solutions are blocking real-time security threats. The system enables subscribers to view the efficacy of different solutions operating under different profiles: the base profile only enables specific so-called NGFW features as defined earlier in this blog, as well as the advanced profile, where a vendor can enable value-added UTM services such as I described in the example above, and which we provide at WatchGuard.
WatchGuard has actively participated in the CAWS service for the past few months, and it not only has helped us increase our security efficacy, but has also provided a very quantifiably measure of why UTM defenses works. Here’s a chart showing WatchGuard’s “block rate” results for about a month of new CAWS attacks:
In the chart above, the lower, orange line represents a traditional NGFW, that primarily only uses IPS to catch threats. However, the upper, muddy-yellow line represents our product using the full UTM feature set, which includes antimalware services like GAV and APT Blocker, as well as all our URL filtering services.
What’s important to note is the drop in our IPS only block rate during January 31st. While there could be a few reasons for this, it’s typically indicative of a new attack that our IPS didn’t catch. So why would I highlight this IPS miss? Well, looks at the yellow, UTM line… its block rate stays relatively high, despite the fact that IPS might have temporarily missed something new. Whether or not our daily IPS efficacy goes up or down, our full UTM defenses still catch well over 90% of the new threats each day, this further reinforces the importance of a layered approach to security as dips in IPS efficacy is not unique to WatchGuard.
Some have claimed, defense-in-depth, or layered security is dead. They make this declaration out of frustration, because lately we’ve seen so many organizations get compromised despite some defenses. However, I believe layered security is still the most effective way to prevent the majority of attacks. Breaches will still happen because no defense is infallible, but WatchGuard’s NSS Labs’ CAWS testing proves that having the layered security of a UTM appliance increases your overall security efficacy, and can even successfully block an attack when one layer of security misses. — Corey Nachreiner, CISSP (@SecAdept)