In the previous course, you saw how a Next-Generation Firewall (NGFW) inspects traffic and blocks threats at the network edge.

    [Figure: a Next-Generation Firewall with integrated IPS blocking an attack hidden inside legitimate HTTPS traffic from an external user]

    Figure 1 – A NGFW inspects and blocks known threats at the network edge

    A firewall alone is not enough.
    Modern attacks unfold over time, so your security needs to cover more than a single inspection point.
    Coordinating several tools so that every stage of an attack is covered is what Cisco calls threat defense.

    Every major vendor has its own implementation.
    The one you need to know here is Cisco's.

    The Attack Continuum

    Cisco describes threat defense using a framework called the attack continuum.
    The idea is that every attack has three phases, and each phase needs different capabilities.

    [Figure: the three phases of the attack continuum: Before (prevention), During (detection and blocking), After (containment and remediation)]

    Figure 2 – The attack continuum covers Before, During, and After

    Each phase has its own goals:

    • Before, you know your assets, apply security policies, and reduce the attack surface

    • During, you detect active threats, stop malware execution, and block exploits in real time

    • After, you scope the breach, contain the threat, and remediate what was compromised

    No single product covers all three phases.
    Threat defense is the set of tools that, together, fills every phase of the continuum.

    Which phase of the attack continuum covers containment and remediation?

    Why One Device Is Not Enough

    A Next-Generation Firewall mostly operates in the During phase.
    It inspects and blocks traffic in real time as it passes through your network.

    [Figure: a NGFW placed on the During phase of the attack continuum, with question marks on the Before and After phases]

    Figure 3 – A single firewall covers only the During phase

    Two questions remain open at either end of the continuum.
    On the Before side: which tool checks files before they execute, and who supplies the threat intelligence that policies and signatures are built on?
    On the After side: which tool detects threats that are already inside your network, after the firewall has let their traffic through?

    In the Cisco portfolio, three products cover these gaps:

    • Cisco Talos for threat intelligence

    • Cisco AMP (Advanced Malware Protection, now called Malware Defense) for file-level defense

    • Cisco Secure Network Analytics (formerly Stealthwatch) for post-breach detection
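    The difference between a During-phase control and an After-phase control is easiest to see on actual traffic records. The example below is added here to illustrate that point; it is not code from this course or from any Cisco product, and its detection rules are simplified stand-ins, not Stealthwatch's algorithms. It assumes an internal range of 10.0.0.0/8, an egress policy that allows only ports 53, 80 and 443, and a constructed set of flow records in which one workstation beacons to an external host every minute over HTTPS. The inline check passes every one of those flows, because each one is a permitted HTTPS connection on its own; only the analysis across the whole window, which is what post-breach network analytics does, exposes the regular timing and the accumulated volume.

```python
"""Added illustration: one inline policy decision per flow (the During
phase) versus analysis across many already-allowed flows (the After phase).
Flow records are constructed for this example; the detection rules are
simplified illustrations, not the logic of any Cisco product."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = ip_network("10.0.0.0/8")       # assumed internal address space
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}     # assumed NGFW egress policy


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds from the start of the observation window
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


def is_external(addr: str) -> bool:
    return ip_address(addr) not in INTERNAL


def firewall_verdict(flow: Flow) -> str:
    """During phase: a per-flow decision. The policy sees one flow at a
    time and has no memory of the flows that came before it."""
    if is_external(flow.dst) and flow.dport not in ALLOWED_OUTBOUND_PORTS:
        return "deny"
    return "allow"


def inline_inspection(flows):
    """Return the flows an inline policy would block."""
    return [f for f in flows if firewall_verdict(f) == "deny"]


def detect_beaconing(flows, min_flows=5, max_jitter=0.1):
    """After phase: group allowed outbound flows by (src, dst, dport) over
    the whole window and flag channels whose inter-flow timing is
    suspiciously regular. Returns {(src, dst, dport): jitter}, where
    jitter is the coefficient of variation of the gaps (0 == periodic)."""
    by_channel = defaultdict(list)
    for f in flows:
        if firewall_verdict(f) == "allow" and is_external(f.dst):
            by_channel[(f.src, f.dst, f.dport)].append(f.ts)
    hits = {}
    for channel, stamps in by_channel.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if not gaps or mean(gaps) == 0:
            continue
        cv = pstdev(gaps) / mean(gaps)
        if cv < max_jitter:
            hits[channel] = round(cv, 3)
    return hits


def detect_exfiltration(flows, cumulative_limit=250_000):
    """After phase: sum bytes per (src, external dst) across the window.
    Each flow alone is small; the running total is what gives it away.
    Returns {(src, dst): total_bytes} for pairs over the limit."""
    totals = defaultdict(int)
    for f in flows:
        if firewall_verdict(f) == "allow" and is_external(f.dst):
            totals[(f.src, f.dst)] += f.bytes_out
    return {k: v for k, v in totals.items() if v > cumulative_limit}


# Constructed sample data (not real traffic):
#   10.0.1.20 - compromised host, 40 KB to 203.0.113.9:443 about every 60 s
#   10.0.1.21 - normal user, irregular small flows to 198.51.100.5:443
#   10.0.1.22 - one connection attempt to a non-standard port
SAMPLE_FLOWS = (
    [Flow(ts, "10.0.1.20", "203.0.113.9", 443, 40_000)
     for ts in (0, 61, 119, 181, 240, 299, 361, 420, 479, 541)]
    + [Flow(ts, "10.0.1.21", "198.51.100.5", 443, size)
       for ts, size in ((7, 1200), (33, 5400), (110, 800),
                        (245, 3100), (302, 2200), (471, 900))]
    + [Flow(12, "10.0.1.21", "10.0.0.53", 53, 90),
       Flow(400, "10.0.1.22", "203.0.113.9", 4444, 300)]
)

if __name__ == "__main__":
    print("blocked inline:", inline_inspection(SAMPLE_FLOWS))
    print("beaconing:", detect_beaconing(SAMPLE_FLOWS))
    print("exfiltration:", detect_exfiltration(SAMPLE_FLOWS))
```

    Running it shows the inline policy blocking only the port 4444 attempt, while the ten HTTPS beacons from 10.0.1.20 are all allowed and surface only in the cross-flow checks: the timing analysis flags the channel with a jitter near 0.025, and the volume check reports 400,000 bytes to a single external host. The normal user's flows are examined too, but their irregular spacing and small total keep them out of both results.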

    Which phase of the attack continuum does a single NGFW mostly cover?