Cyber Security Products
Introduction
In today’s digital world, certain cybersecurity tools are essential for organizations looking to protect themselves from an ever-growing range of threats.
Some of the most common tools you’ll find in most businesses include firewalls, SIEM (Security Information and Event Management), antivirus, EDR (Endpoint Detection and Response), IAM (Identity and Access Management), WAF (Web Application Firewall), and DLP (Data Loss Prevention). Each of these tools has a unique role.
The market for these tools has some big players, such as well-known vendors like Fortinet, CrowdStrike, Forcepoint, IBM, and Splunk.
Typically, organizations rely on cybersecurity specialists, engineers, or L1 support staff (titles vary, but the objectives and tasks are usually the same) to maintain these tools and ensure they meet the company’s security needs. These professionals handle everything from configuring the tools to translating business requirements into actionable settings.
Network Security Solutions
These tools are the first line of defense, controlling traffic and spotting problems at different points in your network.
Firewalls
Firewalls act as barriers between trusted and untrusted networks. Their purpose is to prevent malicious traffic from entering a network.
A firewall can be either hardware or software.
Leading vendors in this domain include Palo Alto, Fortinet, and Cloudflare.
Traditional Firewall
Traditional firewalls filter traffic based on IP addresses, protocols, and ports.
They operate at OSI layers 3 (network) and 4 (transport), using packet filtering to allow or block traffic based on these criteria.
Typically, they are placed at the border of a network.
Next-Generation Firewalls (NGFWs)
NGFWs extend the capabilities of traditional firewalls to layer 7 (application), using deep packet inspection (DPI) to analyze packet contents, application control to manage specific apps, and intrusion prevention to detect and block attacks.
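To make the layer 3/4 versus layer 7 distinction concrete, here is an added example (not code from the page or any vendor) of a stateless packet filter beside an NGFW-style check: the port-based rule cannot tell what application is using TCP/443, while the DPI step identifies it from the payload. Addresses, the rule set and the "allowed apps" policy are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    dst_port: int
    payload: bytes = b""  # only the layer 7 inspector ever reads this

@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    proto: Optional[str] = None       # None means "any"
    dst_port: Optional[int] = None
    src_prefix: Optional[str] = None  # naive string prefix such as "10.0.0." (example only)

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port)
                and (self.src_prefix is None or pkt.src_ip.startswith(self.src_prefix)))

def l3l4_filter(rules: list, pkt: Packet) -> str:
    """Traditional firewall: IP/protocol/port only, first matching rule wins, default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Application signatures as DPI might use them: a TLS handshake record starts with
# content type 0x16 and major version 0x03; a BitTorrent peer handshake starts with
# byte 19 followed by the string "BitTorrent protocol".
APP_SIGNATURES = {
    "tls": lambda p: p[:2] == b"\x16\x03",
    "bittorrent": lambda p: p.startswith(b"\x13BitTorrent protocol"),
}
ALLOWED_APPS = {"tls"}  # constructed application-control policy for the allowed port

def identify_app(payload: bytes) -> str:
    for name, probe in APP_SIGNATURES.items():
        if probe(payload):
            return name
    return "unknown"

def ngfw_filter(rules: list, pkt: Packet) -> str:
    """NGFW: same L3/L4 decision, then application control on what the rules let through."""
    verdict = l3l4_filter(rules, pkt)
    if verdict == "allow" and identify_app(pkt.payload) not in ALLOWED_APPS:
        return "deny"  # the port is open, but the application is not permitted
    return verdict

# Constructed policy: internal hosts (10.0.0.x) may reach the internet on TCP/443 only.
POLICY = [Rule("allow", proto="tcp", dst_port=443, src_prefix="10.0.0.")]
```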
Web Application Firewalls (WAFs)
They protect web applications by inspecting HTTP requests and responses. They guard against attacks like SQL injection and cross-site scripting (XSS).
Intrusion Detection/Prevention Systems (IDS/IPS)
Intrusion Detection Systems (IDS) monitor network traffic to detect malicious activity. Unlike an Intrusion Prevention System (IPS), which not only detects but also prevents malicious activity, an IDS only identifies it.
IDS/IPS can be thought of as the second line of defense after a firewall. They are typically placed between the firewall and the switch to inspect traffic that has passed through the firewall before it reaches the internal network. They can be software or hardware.
Top vendors include OSSEC, Tripwire, and Cisco.
There are a few differences between IDS and IPS:
Placement: an IDS is placed outside the line of communication (out-of-band); an IPS is placed in the direct line of communication (inline).
Response: an IDS monitors and notifies only; an IPS monitors and automatically takes action.
Detection: an IDS detects using signatures; an IPS detects using signatures and also statistical anomaly-based detection.
Note that IDS/IPS can also be host-based, meaning they are installed on individual endpoints rather than on the network. In this case, they function similarly to Endpoint Detection and Response (EDR) systems, which are discussed below.
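The statistical anomaly-based detection mentioned in the comparison, and the different outcome of a hit for an out-of-band IDS versus an inline IPS, as an added example that is not code from the page or any product. The baseline (new connections per minute from one host) is a constructed series; the detector learns only from samples it did not flag, so a burst it alerted on cannot raise its own threshold.

```python
import statistics
from collections import deque

# Constructed baseline: new connections per minute from one host during a quiet period.
BASELINE = [12, 15, 11, 14, 13, 16, 12, 15, 14, 13, 12, 14]

class RateAnomalyDetector:
    """Flags a value above mean + k standard deviations of a sliding baseline."""

    def __init__(self, baseline, k: float = 3.0, window: int = 60):
        self.samples = deque(baseline, maxlen=window)  # most recent normal samples
        self.k = k

    def threshold(self) -> float:
        return statistics.mean(self.samples) + self.k * statistics.stdev(self.samples)

    def check(self, conn_per_min: int) -> bool:
        hit = conn_per_min > self.threshold()
        if not hit:
            # Only normal traffic updates the baseline; flagged samples are not learned,
            # otherwise a sustained burst would quietly become the new "normal".
            self.samples.append(conn_per_min)
        return hit

def ids_observe(detector: RateAnomalyDetector, conn_per_min: int) -> dict:
    """Out-of-band IDS: works on a copy of the traffic, so it can only raise an alert."""
    return {"alert": detector.check(conn_per_min), "traffic": "forwarded"}

def ips_process(detector: RateAnomalyDetector, conn_per_min: int) -> dict:
    """Inline IPS: the traffic passes through it, so it can drop as well as alert."""
    hit = detector.check(conn_per_min)
    return {"alert": hit, "traffic": "dropped" if hit else "forwarded"}
```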
Host Security Solutions
So far, we’ve looked at systems that protect the network. In this section, we’ll go through systems that protect the endpoints.
Antivirus & EDR/XDR
Antivirus software detects, prevents, and removes malware using signature-based and heuristic analysis. It protects endpoints from various types of malware, including viruses and worms.
Top vendors include Norton, McAfee, Kaspersky, CrowdStrike, and SentinelOne.
EDR can be seen as the newer generation of antivirus software. EDRs monitor endpoints to detect, investigate, and respond to advanced threats. The differences between antivirus and EDR include:
Antivirus is usually limited to file and program integrity, while EDR covers a wider range of threats and attacks.
Antivirus focuses only on removing the danger, while EDR includes real-time containment and detailed investigation tools.
Antivirus uses signatures to identify malicious files, while EDR uses behavioral patterns and anomaly detection to identify advanced threats.
XDR represents the next evolution beyond EDR by integrating data from multiple security layers, including networks, cloud, and applications. XDR platforms collect data from multiple sources, including endpoint agents, network collectors, and direct API connections from cloud services. Many XDR platforms are built "cloud-native" and use "API-First Architectures" for easy connections.
Other Security Solutions
Besides network and endpoint defenses, other important security tools are crucial for a complete cybersecurity plan. These deal with data, information, and overall security management.
Security Information and Event Management (SIEM)
SIEM is a system that collects, aggregates, and analyzes security data from various sources, enabling real-time threat detection and response.
SIEM solutions start by collecting logs from endpoints, servers, applications, and network devices. They then apply predefined rules to those logs to trigger alerts. Finally, they provide dashboards and alerts for real-time visibility.
Top vendors include Splunk, IBM QRadar, and LogRhythm.
SIEM is used in security operations centers (SOCs) for monitoring, threat detection, and incident response, especially in large organizations with complex IT environments. Sometimes, it’s also outsourced to a managed SOC provider.
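The collect, normalise, apply-a-rule, alert loop described above, as an added example (not the page's or any SIEM vendor's code) on constructed SSH log lines using RFC 5737 documentation addresses: a predefined rule fires when one source produces five failed logins within a one-minute window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: six failures from 203.0.113.7 in 15 seconds, one from 198.51.100.5.
LOG_LINES = [
    "2024-05-01T10:00:01 srv1 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:03 srv1 sshd: Failed password for admin from 203.0.113.7",
    "2024-05-01T10:00:04 srv2 sshd: Failed password for alice from 198.51.100.5",
    "2024-05-01T10:00:06 srv1 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:09 srv2 sshd: Accepted password for alice from 198.51.100.5",
    "2024-05-01T10:00:10 srv1 sshd: Failed password for oracle from 203.0.113.7",
    "2024-05-01T10:00:12 srv1 sshd: Failed password for root from 203.0.113.7",
    "2024-05-01T10:00:15 srv1 sshd: Failed password for test from 203.0.113.7",
]

FAILED_LOGIN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(lines):
    """Collection step: turn raw lines into structured events; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                           "user": m["user"], "src": m["src"]})
    return events

def brute_force_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Predefined rule: `threshold` failed logins from one source inside `window` -> one alert."""
    recent = defaultdict(deque)  # source address -> timestamps still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire timestamps that fell out of the sliding window
        if len(q) == threshold:  # fire once, at the moment the threshold is crossed
            alerts.append({"src": ev["src"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts

ALERTS = brute_force_rule(parse_events(LOG_LINES))
```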
Data Loss Prevention (DLP)
DLP tools prevent unauthorized access, use, or transmission of sensitive data, such as personally identifiable information (PII) or intellectual property.
DLP solutions can be deployed on endpoints or within the network.
Top providers include Symantec, McAfee, and Forcepoint.
Mail Security
Mail security solutions protect email systems from spam, phishing, malware, and other email-based threats. These solutions filter incoming and outgoing emails for malicious content, use threat intelligence to identify phishing attempts, and provide encryption and DLP for email communications.
Top providers include Proofpoint, Mimecast, and Cisco Email Security.
Identity and Access Management (IAM) & Privileged Access Management (PAM)
As digital systems expand and become more interconnected, managing access rights becomes increasingly critical. Identity and Access Management (IAM) and Privileged Access Management (PAM) are two key systems that handle this, but they focus on different areas.
Identity and Access Management (IAM)
IAM is a core system that helps organizations manage digital identities and control who can access their resources. Its main goal is to ensure that only the right people, devices, and systems can access specific applications, data, and other company assets.
IAM solutions can be cloud-based, hosted by Identity Providers (IDPs), or hybrid, mixing cloud and on-premises setups.
Privileged Access Management (PAM)
PAM is a cybersecurity strategy focused on securing privileged access accounts. While IAM manages access for all users, PAM specifically secures high-risk, privileged accounts. PAM can be considered a subset of IAM.
Patch Management
Patch management is the systematic process of developing, testing, and deploying software updates, or "patches," across an organization.
The process typically begins with identifying all IT assets, such as servers, desktops, laptops, and routers, to determine what needs patching.
Next, assets are prioritized based on risk, policies are set for deployment, and patches are tested before being rolled out widely.
Mobile Device Management (MDM)
Mobile Device Management (MDM) is a system for managing mobile devices like smartphones, tablets, and laptops. Organizations use software to remotely monitor, manage, and secure these devices.
MDM systems consist of a server (either cloud-hosted or on-premises) where policies are defined and profiles are pushed, and an agent or management profile on each device that enforces those policies.
Virtual Private Networks (VPNs)
Virtual Private Networks (VPNs) are a cornerstone of network security, delivering secure, encrypted connections over untrusted networks like the internet. They enable users to access a private network remotely, as if they were directly connected to it.
When a user starts a VPN connection, their device contacts a VPN server to create an encrypted tunnel. All data traveling through this tunnel is encrypted, safeguarding it from interception and alteration. The VPN server then routes the user’s traffic to the private network, granting access to internal resources securely.
There are two types of VPNs:
Remote Access VPNs: These allow individual users to connect to a private network from remote locations. They’re widely used by employees to securely access company resources while working from home or traveling.
Site-to-Site VPNs: These link entire networks, such as connecting branch offices to a central headquarters. They establish a secure bridge between locations for seamless, protected communication.
Figure: Simple Network Sample (diagram not reproduced)