Confessions from a Firewall Vendor: Under Pressure
Sophos has provided a candid insider report on the pressures firewall vendors are currently under, as they face increasingly skilled attackers focused on exploiting zero-day vulnerabilities in firewall and VPN devices.
In its report, Sophos details an adversary operation named "Pacific Rim", in which Chinese state-sponsored threat actors were found researching, developing and deploying zero-day exploits against Sophos firewall appliances for more than five years. The length of the operation shows how determined and focused these actors are on edge network devices, which have become high-value targets that well-resourced adversaries use both for initial access and for long-term persistence.
Although most other firewall vendors are silent, it is an open secret that each of them is struggling, and both product security and customer trust have been eroded over the last couple of years.
The decades-old model in which firewall 'boxes' are installed and controlled by customers (or even MSSPs) on their own premises is becoming increasingly unsustainable: a vendor's remote telemetry and response capabilities are too slow against offensive activity that operates in real time and targets thousands of 'boxes' dispersed worldwide. Leaving the appliance physically in the customer's hands also gives attackers far more leverage to reverse engineer the system, as the report shows.
This is why vendors are turning to an as-a-service model via ZTNA/SASE private access, hosted on the vendor's side, so that they can at least react somewhat faster to what has unfortunately become a routine level of adversarial activity.
Read the full report here.
Pictured below: a selection of recent vulnerabilities in edge network devices and apps, with an indication of approximately how long they were exploited in the wild before discovery (and hopefully patching).