CASE 95 · MARQUEE · 2024
Egress inspection that actually stops the data exfil chains.
A crypto exchange had egress inspection from a legacy third-party appliance that filtered traffic by IP address but did not understand TLS-encrypted command-and-control patterns. After a near-miss with a compromised dependency, we deployed AWS Network Firewall with managed rule groups and got coverage that matched the modern threat model.
Crypto exchange · Security · 2024
RESULTS
What changed, by the numbers.
C2 domains blocked: 1,143
Inspection coverage: 100%
False positives: < 5 / wk
Latency overhead: < 8ms
HOW IT WENT
The near-miss had been benign — a transitive npm dependency had been compromised, but the malicious payload was caught by another control before exfiltration completed. The post-mortem question was: would our egress inspection have caught it if the other control hadn’t? The honest answer was probably not.
AWS Network Firewall with managed rule groups (including the AWS Threat Signatures group) inspected every north-south flow. TLS inspection used a customer-managed CA so we could see into encrypted traffic where policy permitted. GuardDuty findings were cross-referenced with Network Firewall logs in Security Hub.
In the first thirty days the firewall blocked 1,143 known C2 domain queries, most from supply-chain incidents in obscure transitive dependencies. False-positive rate stayed under five per week. Latency overhead at p95 is under 8ms — nobody noticed.
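The "blocked C2 domain queries" figure above comes from the firewall's own alert logs. Below is an added Python example, not code from this engagement or from AWS, showing how that count and the weekly false-positive review can be derived from Network Firewall alert log lines. It assumes the Suricata-style JSON layout Network Firewall emits (`event.event_type`, `event.alert.action`, `event.alert.category`, and app-layer metadata under `event.tls.sni`, `event.http.hostname`, `event.dns`); treat those field names as an assumption to check against your own log delivery. The log lines embedded in the block are constructed, not real traffic.

```python
"""Triage AWS Network Firewall alert logs: count blocked flows by domain and category.

Added example; field layout is an assumption based on Network Firewall's
Suricata-derived alert log format. Sample lines below are constructed.
"""
import json
from collections import Counter

# Constructed sample: one JSON object per line, as delivered to S3/CloudWatch.
SAMPLE_LOG_LINES = [
    # Blocked TLS flow, C2 domain seen in the SNI (customer-managed CA lets us read it).
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "alert", "src_ip": "10.0.1.15", "dest_ip": "203.0.113.10", "dest_port": 443,
        "alert": {"action": "blocked", "signature": "Known C2 domain (constructed)",
                  "category": "Malware Command and Control Activity Detected"},
        "tls": {"sni": "c2-a.example"}}}),
    # Blocked DNS lookup for the same domain from a different host.
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "alert", "src_ip": "10.0.2.40", "dest_ip": "10.0.0.2", "dest_port": 53,
        "alert": {"action": "blocked", "signature": "Known C2 domain (constructed)",
                  "category": "Malware Command and Control Activity Detected"},
        "dns": {"rrname": "c2-a.example.", "rrtype": "A"}}}),
    # Blocked plaintext HTTP beacon, domain in the Host header.
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "alert", "src_ip": "10.0.1.15", "dest_ip": "198.51.100.20", "dest_port": 80,
        "alert": {"action": "blocked", "signature": "Trojan check-in (constructed)",
                  "category": "A Network Trojan was detected"},
        "http": {"hostname": "update.c2-b.example"}}}),
    # Alert-only rule (not dropped): shows up for review, not in the blocked count.
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "alert", "src_ip": "10.0.3.7", "dest_ip": "192.0.2.9", "dest_port": 443,
        "alert": {"action": "allowed", "signature": "Suspicious UA (constructed)",
                  "category": "Potentially Bad Traffic"},
        "tls": {"sni": "telemetry.vendor.example"}}}),
    # Blocked flow with no app-layer metadata: fall back to destination IP.
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "alert", "src_ip": "10.0.1.15", "dest_ip": "198.51.100.7", "dest_port": 4444,
        "alert": {"action": "blocked", "signature": "C2 IP (constructed)",
                  "category": "Malware Command and Control Activity Detected"}}}),
    # Flow log record, not an alert: skipped.
    json.dumps({"firewall_name": "egress-fw", "event": {
        "event_type": "netflow", "src_ip": "10.0.1.15", "dest_ip": "203.0.113.50"}}),
    # Truncated/garbage line: counted as unparseable rather than crashing the run.
    "not json at all",
]


def extract_domain(event):
    """Return the hostname the flow was headed for, if the firewall logged one.

    Checks TLS SNI, then HTTP Host header, then the DNS query name
    (both the flat 'rrname' and the 'query' list shapes are handled).
    """
    sni = event.get("tls", {}).get("sni")
    if sni:
        return sni.lower().rstrip(".")
    host = event.get("http", {}).get("hostname")
    if host:
        return host.lower().rstrip(".")
    dns = event.get("dns", {})
    rrname = dns.get("rrname")
    if not rrname:
        queries = dns.get("query") or []
        if queries:
            rrname = queries[0].get("rrname")
    if rrname:
        return rrname.lower().rstrip(".")
    return None


def triage(lines):
    """Aggregate alert log lines into a summary a responder can act on."""
    summary = {"blocked_total": 0, "allowed_alerts": 0, "skipped_non_alert": 0,
               "unparseable": 0, "by_domain": Counter(), "by_category": Counter()}
    for line in lines:
        try:
            event = json.loads(line)["event"]
        except (ValueError, KeyError, TypeError):
            summary["unparseable"] += 1
            continue
        if event.get("event_type") != "alert":
            summary["skipped_non_alert"] += 1
            continue
        alert = event.get("alert", {})
        if alert.get("action") != "blocked":
            # Alert-only hits are the candidates for the weekly false-positive review.
            summary["allowed_alerts"] += 1
            continue
        summary["blocked_total"] += 1
        key = extract_domain(event) or event.get("dest_ip", "unknown")
        summary["by_domain"][key] += 1
        summary["by_category"][alert.get("category", "uncategorized")] += 1
    return summary


def top_domains(summary, n=10):
    """Most-hit blocked destinations: the first place to look for a noisy dependency."""
    return summary["by_domain"].most_common(n)


if __name__ == "__main__":
    s = triage(SAMPLE_LOG_LINES)
    print(f"blocked: {s['blocked_total']}, alert-only: {s['allowed_alerts']}, "
          f"unparseable: {s['unparseable']}")
    for domain, hits in top_domains(s):
        print(f"  {hits:>4}  {domain}")
```

Pointing `triage` at the real log export (one JSON object per line) gives the same "blocked by domain" breakdown the case reports; the `allowed_alerts` bucket is where alert-only signatures land, which is the queue to sweep when judging whether the false-positive budget is holding.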
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.