Your Best Defense: Next-Generation Firewalls Enable Zero Trust Security

Transcription

A Forrester Consulting Thought Leadership Paper Commissioned By Fortinet

Your Best Defense: Next-Generation Firewalls Enable Zero Trust Security

Best Practices For Evaluating And Implementing A NGFW

July 2015

Table Of Contents

Executive Summary
The Mutating Threat Landscape
Say Goodbye To “Trust But Verify” And Adopt Zero Trust
Next-Generation Firewalls Are The Cornerstone Of Zero Trust
Best Practices For Evaluating A Next-Generation Firewall
Key Recommendations
Next Steps
Appendix A: Methodology
Appendix B: Supplemental Material
Appendix C: Next-Generation Firewall Tests
Appendix D: Endnotes

ABOUT FORRESTER CONSULTING

Forrester Consulting provides independent and objective research-based consulting to help leaders succeed in their organizations. Ranging in scope from a short strategy session to custom projects, Forrester’s Consulting services connect you directly with research analysts who apply expert insight to your specific business challenges. For more information, visit forrester.com/consulting.

© 2015, Forrester Research, Inc. All rights reserved. Unauthorized reproduction is strictly prohibited. Information is based on best available resources. Opinions reflect judgment at the time and are subject to change. Forrester, Technographics, Forrester Wave, RoleView, TechRadar, and Total Economic Impact are trademarks of Forrester Research, Inc. All other trademarks are the property of their respective companies. For additional information, go to www.forrester.com.

Executive Summary

Security professionals are tasked with defending their organizations from internal and external threats at a time when those threats are more sophisticated, numerous, and unpredictable than ever before. As customers and employees alike push businesses to deliver new digital experiences, and thus expose the network to an ever-increasing risk of breaches, the security and risk teams must adopt a new approach to network security.

“Trust but verify” — the predominant philosophy among security professionals — is unreliable in this new threat landscape. It protects the perimeter, but if these initial security protections are breached, it is difficult to distinguish “trusted” and “untrusted” network traffic. The only way to ensure a malicious user isn’t granted access to your network under the cover of “trusted” traffic is to assume a “Zero Trust” model, in which all network traffic is untrusted.[1] Security technology is now in a position to deliver this model, with next-generation firewalls (NGFWs) as the cornerstone. NGFWs combine many of the security controls found in individual point products and embed them into a single solution. These appliances allow security professionals the flexibility to place protection at the data level and effectively defend against the rapidly changing threats organizations face today.

Eighty-seven percent of surveyed IT security professionals reported their organizations have experienced at least one breach within the past 12 months.

In May 2015, Fortinet commissioned Forrester Consulting to examine the purchase and implementation considerations, as well as challenges faced, for next-generation firewalls. To explore this topic, Forrester conducted a quantitative survey of 150 IT security professionals at midlevel organizations with next-generation firewall implementations.

KEY FINDINGS

Forrester’s study yielded four best practices for organizations considering investing in a next-generation firewall:

› Conduct an honest internal assessment. Many of the challenges security professionals cited with implementation and performance of NGFWs can be sidestepped with a comprehensive purchase evaluation process. Before investing, conduct a thorough assessment of the budgetary and resource implications of a NGFW implementation.

› Test before you buy. Seventy-one percent of the IT security professionals surveyed with NGFW implementations would do more comprehensive product testing during the purchase evaluation process if they could do it again. Test multiple products for features and performance based on your requirements before you buy, either using third-party test houses or your own internal testing. Get a clear understanding of all NGFW features and how — or if — they will work with your existing point security products in order to optimize NGFW functionality in your network environment.

› Identify and vet a wide cast of vendor solutions. Sixty-one percent of the security professionals surveyed would consider a broader selection of vendors if they could go back in time. Start by doing some research online, reading analyst evaluations, and consulting peers at other organizations. Once you’ve identified potential vendors, utilize product demos, third-party testing, a proof of concept, and bake-offs to better understand vendor solution functionality.

› Take a data-centric approach to security. A critical part of a NGFW implementation is determining where it will be deployed. In following with one of the core tenets of Zero Trust, be sure to protect at the data level, as well as the perimeter. Identify your organization’s most sensitive and toxic data, install microperimeters of control, grant security professionals full visibility into these assets, and ensure your team has a clear understanding of how the business uses the data.

Seventy-one percent of those with NGFWs deployed would conduct more comprehensive product testing before purchasing a solution if they could do it again; 61% would consider a broader selection of vendors.

The Mutating Threat Landscape

The current threat landscape isn’t evolving; it’s mutating. In biology, evolution is a process spanning a period of millions of years as a result of small changes in successive generations. Mutations, in contrast, are rapid, and the changes are often dramatic and harmful.[2] Today’s cyberattacks are more complex and sophisticated, and attackers are constantly changing and evolving their methods in order to evade detection and thwart security defenses. Traditional security controls that were once effective are now insufficient to protect organizations from today’s highly skilled cyberattackers.

The complexity of the situation is compounded by elemental changes in enterprise networks. Security professionals no longer have clearly defined borders to protect, in the form of a limited and highly restricted user base, with a visible set of threats such as worms and viruses. The increased use of cloud computing and proliferation of mobile and wearable devices with network connectivity mean organizations need to worry about protecting multiple points of attack (see Figure 1). Users now extend beyond the traditional enterprise — customers, business partners, and contractors add a layer of complexity to implementing security measures. This “extended enterprise” is constantly changing with the movement of users, the introduction of new technologies, global expansion, and the integration of new partners and supply chains.[3]

In recent years, high-profile breaches — with far-reaching and devastating consequences — have peppered headlines. In 2013, a national retailer reported a massive data breach that affected nearly 110 million customers, including the theft of 40 million credit card numbers.[4] The fallout was massive: The CIO was fired, the CEO resigned, and earnings and revenue plummeted.[5] Also, the retailer faces a $10 million settlement stemming from a class-action lawsuit.[6] A December 2014 breach at a leading media and entertainment company resulted in online leaks of sensitive employee information as well as full copies of movies yet to be released in theatres.[7] In May of this year, the IRS disclosed that cybercriminals had gained access to the tax returns of approximately 104,000 individuals, using that information to request 15,000 fake refunds totaling $50 million.[8] Breaches perpetrated by insiders captured headlines as well: The Pvt. Chelsea Manning/WikiLeaks and Edward Snowden/NSA data breaches had international implications and consequences. In both of these high-profile breaches, the “trusted user” paradigm was exploited.[9]

FIGURE 1
Multiple Factors Contribute To Security Vulnerability
“To what degree do the following impact your organization’s vulnerability to security breaches and attacks?” (Respondents indicating moderate to significant impact; 5 — Significant impact, 4 — Moderate impact)
Factors charted: use/increased use of mobile devices; increased sophistication of threats; increasing amount of customer data to secure; increased volume of attacks; shortage of skilled security staffers; lack of senior management attention/interest; lack of patching; inadequate information security strategy; incompatible or noninteroperable security products; internally developed software not written with security in mind; failure to enforce security policies; use/increased use of outsourcing; inability to audit/assess outsourcing and/or cloud vendors; use/increased use of public cloud; continued vulnerability of key technology products; more ways to attack corporate networks; budget constraints.
Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

The harsh reality of the current threat landscape means security professionals should assume:

› It’s no longer a question of if your organization will experience a security breach, but when. Eighty-seven percent of the IT security professionals surveyed said their organizations had experienced at least one breach within the past 12 months; 23% had six or more incidents. But what about the 13% who indicated their organizations were breach-free? They could be very fortunate, but a more likely scenario is that they’ve actually been compromised and just don’t know it yet. Some attacks can extend over several months before being discovered, and in many cases, a third party — not the breached organization — unearths the incident.[10] To say you have never been breached is no longer an honest statement, as most organizations just don’t know.

› The threat is everywhere. The “extended enterprise” means cybercriminals have multiple access points through which breaches can occur. Among those organizations surveyed that had experienced a breach within the past year, internal incidents were as likely to be a source of breaches as external attacks (see Figure 2).

› Continued investment in network security is mandatory. With constantly shifting threat vectors, more sophisticated attacks, and well-organized attackers, organizations need to invest in security infrastructure and strategies to ensure their organizations are protected. In the study, 96% of the security professionals we surveyed reported increases in their network security and operations budgets for 2015; 67% increased budgets by 6% or more.

FIGURE 2
Both Internal And External Sources Pose Credible Threats
“What were the most common ways in which the breach(es) occurred in the past 12 months?” (Select all that apply)
Lost/stolen asset (e.g., smartphone, tablet, laptop, external hard drive, USB flash drive, etc.): 55%
External attack targeting our organization: 44%
Internal incident within a business partner/third-party supplier’s organization: 43%
Internal incident within our organization: 42%
External attack targeting a business partner/third-party supplier: 38%
Base: 130 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall and have experienced a breach in data security over the past 12 months
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

Say Goodbye To “Trust But Verify” And Adopt Zero Trust

This rapidly changing threat landscape necessitates a new approach to network security. Protecting the perimeter is not enough — security professionals need to take a long, hard look at the measures they have in place and identify gaps in protection.

THE TRUST MODEL IS BROKEN

For years, security professionals based their network security approach on the premise that as long as they had strong protections in place at the perimeter, malicious forces would not be able to penetrate it. This is no longer an effective way to enforce security. Once attackers get past perimeter security measures, they have access to everything on your organization’s network.

Within the network perimeter, it is more difficult to distinguish “trusted” from “untrusted” network traffic. Current security devices are designed with the assumption that “trusted” and “untrusted” network interfaces are easily identified — ports are actually labeled with these designations. But it is a mistake to assume that any user or device within your network perimeter is trustworthy. Furthermore, Forrester has found that while many organizations say they take a “trust but verify” approach to internal network traffic, most “trust” but fail to “verify” due to the difficulty in actually executing verifications. Hanging your security hat on a “trust but verify” model for internal traffic leaves your network vulnerable — not only from external agents penetrating the perimeter, but to malicious insiders in positions of “trust.”[11]

ZERO TRUST IS THE ANSWER

If the current trust model is broken, what can organizations do to fix it? Security professionals must abandon the idea that users, devices, and networks can be classified as “trusted” and “untrusted” and adopt a new approach, where all network traffic is untrusted. Forrester calls this new model “Zero Trust.” In a Zero Trust approach to security:

› Trust is never assumed. Never assuming trust forces you to constantly monitor all network traffic for questionable activity and classify data and policies based upon the information captured.

› Sensitive data is always protected. Zero Trust takes a singular approach to data protection, regardless of device type, location, or user: Devices are securely connected at all times. And just because a device is located on a trusted network doesn’t mean it has unlimited access to data. This approach means security professionals must have more granular control over data access.

› Security teams fully understand the data they’re protecting. It’s impossible to create — never mind enforce — an effective security strategy if you don’t have insight into your organization’s most sensitive or harmful data. Zero Trust is data-centric: Sensitive data is protected by microperimeters of control, security professionals have full visibility into these assets, and there is an in-depth understanding of how the business uses the data.[12]

Next-Generation Firewalls Are The Cornerstone Of Zero Trust

Advances in firewalls make the Zero Trust infrastructure possible. In a Zero Trust network, next-generation firewalls act as “segmentation gateways,” taking security controls found in individual point products (firewalls, intrusion prevention systems, web application firewalls, content filtering gateways, network access controls, VPN gateways, and other encryption products) and embedding them in a single solution.[13] Unlike traditional firewalls, these powerful appliances can be placed at the center of the network — in front of the data they need to protect — rather than at the edge of the network, which is a core tenet of Zero Trust. This provides visibility into data access and greatly increases your chances of discovering an intrusion before it escalates into a data breach. Survey data reveals that:

› NGFW adoption is poised for growth. According to a 2014 Forrester survey on global security trends, midlevel organizations (defined as 500 to 4,999 employees) in the US are already taking steps toward Zero Trust. While 50% of organizations had implemented NGFWs or had plans to expand their implementation, another 22% planned to adopt NGFWs within the next 12 months.[14]

› NGFWs provide effective protection against today’s security threats. Today’s security teams are challenged with continuously protecting their organizations from a host of threats. Operating system vulnerabilities, malware, mobile application intrusions, web/software application exploits, database/content/data management system compromises, among other types of breaches, threaten enterprise networks every day (see Figure 3). Because NGFWs can be deployed in front of sensitive data, they are very effective in protecting against these threats.

Best Practices For Evaluating A Next-Generation Firewall

To take the first step on the road to Zero Trust, it is critical to lay the groundwork by implementing a NGFW. Before you jump in, however, it is important to weigh business and technology considerations, have in-depth insight into your current environment, and fully evaluate and test vendor solutions. Forrester’s study identified the following best practices:

› Get a clear understanding of the implications of implementing a NGFW on both your infrastructure and staffing and budgetary resources. It may seem like a no-brainer, but it is important to not only evaluate the technical aspects of a NGFW implementation, but the impact on resources as well. Technical factors, such as performance, security effectiveness, compatibility, and flexibility of the platform, were top of mind among survey respondents when evaluating NGFWs, but they also factored in cost, implementation time, and the IT resources needed to manage the solution (see Figure 4).

FIGURE 3
Next-Generation Firewalls Combat Multiple Threats

“Which types of security breaches or attacks pose the greatest threat to your organization on a daily or weekly basis?”* (Select all that apply)
Operating system vulnerabilities attacked: 47%
Malware (i.e., viruses, worms, botnets): 45%
Mobile application intrusion: 44%
Web/software applications exploited: 43%
Database/content/data management system compromise: 34%
Website vandalized or site content manipulated: 33%
Phishing: 28%
Denial of service attacks: 26%
Drive-by downloads: 21%

“How effective was your NGFW in protecting against the following threats?” (Respondents indicating “extremely effective”; N is the number of respondents facing that threat)
Database/content/data management system compromise (N=79): 71%
Mobile applications intrusion (N=82): 63%
Web/software applications exploits (N=90): 54%
Malware (i.e., viruses, worms, botnets) (N=79): 53%
Drive-by downloads (N=46): 52%
Operating system vulnerabilities attacks (N=90): 51%
Denial of service attacks (N=55): 47%
Phishing (N=61): 46%
Vandalizing of website or manipulation of site content (N=62): 45%

*Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

FIGURE 4
Consider Both Infrastructure And Resource Implications
“How important are the following factors when evaluating an NGFW solution?” (5 — Extremely important; 4; 3; 2; 1 — Not important)
Rated 5, “extremely important”: product performance (throughput, latency, reliability) 51%; security effectiveness 50%; flexibility of firewall platform 48%; reporting capabilities 39%; implementation time 39%.
Also charted: trusted provider/brand; compatibility with current infrastructure; IT resources required to manage the solution; cost.
Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall (percentages may not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

› Get the right feature fit. Failure to understand which features are most appropriate and will provide the best functionality for your organization can lead to challenges and gaps in protection down the line. Next-generation firewalls offer security professionals a single solution for integrating multiple functions traditionally found in standalone products. The vast majority of survey respondents placed high priority (a 4 or 5 rating on a 5-point scale, where 5 was “top priority”) on all NGFW product features during the evaluation phase. Once they implemented the NGFW, however, most used just select features (see Figure 5). They pointed to configuration challenges (61%), too much noise (40%), and a slowdown in throughput (39%) as the primary reasons for using fewer features. This implies a limited understanding of NGFW functionality and immature adoption. If you are running point products with capabilities redundant with a NGFW, you may encounter inefficiencies. Furthermore, only utilizing antivirus tools and not using advanced threat capabilities, user IDs, and an intrusion prevention system (IPS) will leave your organization open to advanced threats. Make sure your security team is familiar with NGFW capabilities, eliminate redundancies that cause configuration and performance issues, and take full advantage of the available features to ensure your network is protected against the full spectrum of threats.

› Identify the contenders. Do your homework. Identify the NGFW vendor solutions that best fit your requirements. Sixty-one percent of the security professionals we surveyed would consider a broader selection of vendors if they could do it again. Start by doing some research online, reading analyst evaluations, and consulting peers at other organizations. Once you’ve identified potential vendors, utilize product demos, a proof of concept, and bake-offs to better understand vendor solution functionality (see Figure 6). Third-party testing will also help generate your shortlist by providing you with unbiased, side-by-side product comparisons. Eighty-eight percent of the security professionals surveyed relied on third-party testing when evaluating NGFW solutions.

› Test before you buy. Don’t rely on third-party tests alone — be sure to thoroughly test solutions in your own environment. Take a lesson from survey respondents: If they could go back in time, 71% said they would conduct more extensive testing of capabilities. Some key tests to look at are performance, including performance with application controls activated, raw packet processing performance, and “real world” traffic; stability and reliability, such as persistence of data, high availability, and power fail, among others; and security effectiveness, including firewall policy enforcement, application control, user/group identity aware policies, and an IPS. For a detailed list of tests, see Appendix C.

FIGURE 5
Organizations Are Using Limited NGFW Features
“Once you implemented your NGFW, which of the following product features were actually used?” (Select all that apply)
Antivirus: 63%
Application control: 51%
Authentication: 50%
Networking capabilities: 47%
Wireless networking: 43%
IP reputation: 43%
Web filter: 42%
Antispam: 41%
Stateful firewall: 41%
Advanced threat capability (i.e., sandbox): 40%
SSL decryption: 39%
User ID: 38%
VPN: 37%
Port density: 27%
IPS: 24%
Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

FIGURE 6
Do Your Research To Generate A Shortlist
“To what degree does your organization rely on the following when evaluating selection criteria for NGFW solutions?” (5 — We rely heavily on this for purchase decisions; 4; 3; 2; 1 — We do not rely on this at all)
Rated 5, “we rely heavily on this”:
Online research: 51%
Third-party testing: 43%
Product demo: 43%
Comparing the preferred solution against another comparable solution (e.g., a bake-off between two or more vendors): 42%
Proof of concept (from a single vendor): 39%
References provided by the vendor: 36%
Peer referral: 35%
Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall (percentages may not total 100 because of rounding)
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015

› Create data-centric microperimeters. As you plan your NGFW implementation, it is important to identify key points in your network for deployment. Eighty-one percent of the security professionals surveyed deployed a NGFW on the network edge, protecting against web-based threats (see Figure 7). But a Zero Trust approach means protections need to be placed in the center of the network, in front of your organization’s most sensitive data. Fifty-six percent of survey respondents deployed NGFWs in front of dedicated network segments, effectively creating microperimeters, and 49% deployed them in the data center — an indication that midlevel enterprises are well on their way to adopting Zero Trust.

Zero Trust is becoming widely adopted by leading, cutting-edge organizations.[15] As data breaches continue to devastate businesses and governments, more security organizations are under pressure to create new ways of protecting their critical data by turning to a Zero Trust data-centric network security model powered by NGFW technology.[16]

FIGURE 7
Next-Generation Firewall Deployment
“Where within your organization’s infrastructure was the NGFW deployed?” (Select all that apply)
Network edge, inline at major egress points (e.g., DMZ, behind VPN platform, etc.): 81%
In front of dedicated network segments: 56% (Zero Trust placement)
In the data center: 49% (Zero Trust placement)
Base: 150 IT security decision-makers at midlevel US organizations that have implemented a next-generation firewall
Source: A commissioned study conducted by Forrester Consulting on behalf of Fortinet, May 2015
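The segmentation-gateway idea in the Zero Trust section and the microperimeter bullet above (an NGFW placed in front of a data segment, enforcing identity-aware policy and denying anything not explicitly allowed) can be made concrete with a small policy evaluator. The Python below is an added illustration written for this page; it is not code from the Forrester paper or from any Fortinet product. The segments, users, groups, applications and sample flows are constructed, and the rule format is an assumption chosen for the example. It contrasts a perimeter-only rule set, where anything already inside the edge is allowed through, with a Zero Trust rule set that permits a flow only when source segment, destination segment, application and user group all match, and it logs every decision so denied attempts against the data segment are visible to the security team.

```python
"""Toy segmentation-gateway policy evaluator (added example; all names constructed)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_segment: str
    dst_segment: str
    app: str                 # application as identified by app control (constructed names)
    user: Optional[str]      # identity from the user-ID lookup; None if the flow cannot be attributed


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                 # segment name or "*" for any
    dst: str
    app: str
    action: str              # "allow" or "deny"
    groups: FrozenSet[str] = frozenset()   # required identity groups; empty = no identity check


# Constructed identity directory standing in for the NGFW's user-ID integration (assumption).
USER_GROUPS: Dict[str, FrozenSet[str]] = {
    "alice": frozenset({"analysts"}),
    "bob": frozenset({"engineering"}),
}


def _match(rule: Rule, flow: Flow) -> bool:
    """A rule matches when segment, application and (if required) identity all agree."""
    if rule.src not in ("*", flow.src_segment):
        return False
    if rule.dst not in ("*", flow.dst_segment):
        return False
    if rule.app not in ("*", flow.app):
        return False
    if rule.groups:
        # Identity-aware rule: an unattributed flow can never satisfy it.
        if flow.user is None:
            return False
        if not (USER_GROUPS.get(flow.user, frozenset()) & rule.groups):
            return False
    return True


class Gateway:
    """First-match evaluation with an implicit default deny; every decision is logged."""

    def __init__(self, model: str, rules: List[Rule]):
        self.model = model
        self.rules = rules
        self.log: List[Tuple[str, str, str, Flow]] = []   # (model, rule name, action, flow)

    def evaluate(self, flow: Flow) -> str:
        for rule in self.rules:
            if _match(rule, flow):
                self.log.append((self.model, rule.name, rule.action, flow))
                return rule.action
        self.log.append((self.model, "implicit", "deny", flow))
        return "deny"


# "Trust but verify": protect the edge, then treat everything inside as trusted.
PERIMETER_RULES = [
    Rule("public-web", "internet", "dmz", "https", "allow"),
    Rule("block-inbound", "internet", "*", "*", "deny"),
    Rule("inside-is-trusted", "*", "*", "*", "allow"),
]

# Zero Trust: only explicit, identity-aware allows; no catch-all, so the implicit deny applies.
ZERO_TRUST_RULES = [
    Rule("public-web", "internet", "dmz", "https", "allow"),
    Rule("analysts-to-db", "corp-lan", "data-segment", "sql", "allow", frozenset({"analysts"})),
]


def compare(flow: Flow) -> Tuple[str, str]:
    """Return (perimeter decision, Zero Trust decision) for one flow."""
    return (Gateway("perimeter", PERIMETER_RULES).evaluate(flow),
            Gateway("zero-trust", ZERO_TRUST_RULES).evaluate(flow))


# Constructed sample flows, including one from a workstation the gateway cannot attribute to a user.
SAMPLE_FLOWS: Dict[str, Flow] = {
    "analyst_query": Flow("corp-lan", "data-segment", "sql", "alice"),
    "unattributed_query": Flow("corp-lan", "data-segment", "sql", None),
    "engineer_smb": Flow("corp-lan", "data-segment", "smb", "bob"),
    "public_web": Flow("internet", "dmz", "https", None),
    "inbound_to_data": Flow("internet", "data-segment", "sql", None),
}


def run_all() -> Dict[str, Tuple[str, str]]:
    return {name: compare(flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, (perimeter, zero_trust) in run_all().items():
        print(f"{name:20s} perimeter={perimeter:5s} zero-trust={zero_trust}")
```

The flow worth watching is the unattributed query: both models see the same packets from the corporate LAN, but the perimeter rule set waves them through as "inside" traffic, whereas the segmentation gateway denies them because no identity could be tied to the session and records the denial, which is exactly the visibility in front of the data that the paper argues for. Extending the rule set to more segments, applications and groups is a matter of adding rules; the default stays deny.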

Key Recommendations

Today’s mutating threat landscape renders traditional security controls and approaches ineffective. The definition of “user” now goes beyond the traditional enterprise, to an extended enterprise consisting of customers, business partners, and contractors. In this new world, former notions of trust — including the mantra “trust but verify” — are outdated. Security professionals must abandon the idea that users, devices, and networks can be classified as “trusted” and “untrusted” and adopt a new approach, where all network traffic is untrusted. Forrester calls this new model “Zero Trust.” With Zero Trust, you constantly monitor all network traffic for questionable activity and classify data and policies based upon the information captured and require more granular control over data access. In a Zero Trust network, next-generation firewalls act as “segmentation gateways.” Unlike traditional firewalls, NGFWs can be placed at the center of the network — in front of the data they need to protect — rather than at the edge of the network, which is a core tenet of Zero Trust. To select your NGFW, consider the following best practices in your evaluation:

› Evaluate the impact on resources and staff in addition to technical specifications. Factor in the IT resources needed to manage the solution, what performance you will need, how long it will take to implement, and at what cost. This will help to reduce issues relating to reporting, maintenance, implementation, and performance.

› Understand which features are most appropriate for your organization. NGFWs take security controls found in individual point products (firewalls, intrusion prevention systems, web application firewalls, content-filtering gateways, network access control, VPN gateways, and other encryption products) and embed them in a single solution. Determine which capabilities and features you need. This will help to reduce challenges and gaps in protection after deployment, as well as eliminate redundancies with other technology solutions.

› Consider a broad range of vendors. Compare and contrast via product demos, a proof of concept, and bake-offs to better understand vendor solution features. Third-party testing can also provide additional insight to help in narrowing down your shortlist and criteria for evaluation.

› Test multiple solutions before you buy one. Test and compare solutions in your environment or based on your requirements before you make your choice. Key tests would evaluate performance, stability and reliability, and security effectiveness.

› Identify key points in your network for deployment. Deployed on the network edge, your NGFW will protect against web-based threats. To take a Zero Trust approach, deploy your NGFW in front of your most sensitive data, such as in front of a dedicated network segment or data center.

Next Steps

Zero Trust is a fundamentally different approach and way of thinking for information security. Next-generation firewalls are a key enabler for implementing and applying Zero Trust concepts. However, it’s more than a matter of just deploying a NGFW. As you embark on your Zero Trust journey and begin to evaluate NGFWs:

› Evangelize Zero Trust to gain internal support, particularly from executives. Change how your organization thinks about trust concepts and conventional wisdom about information security. Illustrate why traditional notions are outdated and ineffective in today’s threat landscape and extended enterprise. Explain how a Zero Trust strategy addresses traditional security’s shortcomings, and the necessary steps involved with implementing this strategy.

› Start a cross-functional Zero Trust working group. Involve representatives from security, networking, application development, and enterprise architecture. To implement Zero Trust concepts and technologies that support this model of information security, you will need everyone on board and working together to brainstorm and whiteboard the immediate and long-term uses of a Zero Trust network architecture.

› Map out your data flows. Start by identifying and classifying your most sensitive data. Map how this data flows across your networ
