In a recent issue of Dark Reading, there is an article entitled "Five Ways To Better Hunt The Zebras In Your Network". We spend a lot of time building firewall rule sets so that plenty of unwanted traffic is dropped, but are we actually doing the job properly? The following quote from the article is a reminder that our job as security people is never complete:
“If the firewall is doing its job and dropping traffic, and you trust the technology that you have purchased, why are we focusing all of our attention on the traffic that is being dropped and not on the traffic that is getting through?”
It is the traffic that gets through, not the traffic that is dropped, which may or may not be legitimate, and it deserves the scrutiny.
Another article in the same issue describes ways of confirming that the traffic getting through is legitimate. Start by baselining the traffic: who usually communicates with what, over which services. Then, as time passes and connectivity patterns change, examine each change individually and deal with it appropriately, whether at the firewall, on the originating machine, or with the user who caused it.
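As an added example (not from the Dark Reading articles or this post), the following script shows the baseline-then-compare idea in working code. It builds a baseline of accepted (source, destination, service) triples from one window of firewall logs, then classifies later accepted flows as known, a new service on a known pair, a new peer for a known host, or an entirely new source. The log format and the log lines are constructed for illustration; real firewall formats differ, so `parse_line` is the piece you would replace.

```python
"""Baseline accepted firewall flows, then flag what changed.

Added example; the log format below is constructed and assumed to be
"<timestamp> <ACTION> <src> <dst> <proto>/<dport>" with one flow per line.
"""
from collections import Counter, defaultdict

# Constructed sample lines: a "quiet week" used as the baseline.
BASELINE_LOG = [
    "2024-01-01T08:00:01 ACCEPT 10.0.1.15 10.0.2.10 tcp/445",
    "2024-01-01T08:00:05 ACCEPT 10.0.1.15 10.0.2.10 tcp/445",
    "2024-01-01T08:01:10 ACCEPT 10.0.1.22 10.0.2.10 tcp/445",
    "2024-01-01T08:02:33 ACCEPT 10.0.1.15 10.0.2.53 udp/53",
    "2024-01-01T08:02:34 ACCEPT 10.0.1.22 10.0.2.53 udp/53",
    "2024-01-01T09:15:00 ACCEPT 10.0.1.15 203.0.113.40 tcp/443",
    "2024-01-01T09:16:00 DROP 198.51.100.7 10.0.1.15 tcp/22",
]

# Constructed sample lines from a later window to compare against the baseline.
LATER_LOG = [
    "2024-01-08T08:00:02 ACCEPT 10.0.1.15 10.0.2.10 tcp/445",     # known
    "2024-01-08T08:03:00 ACCEPT 10.0.1.15 10.0.2.53 udp/53",      # known
    "2024-01-08T22:14:09 ACCEPT 10.0.1.15 10.0.2.10 tcp/3389",    # new service on a known pair
    "2024-01-08T22:15:01 ACCEPT 10.0.1.15 10.0.2.77 tcp/445",     # known host, new destination
    "2024-01-08T22:16:40 ACCEPT 10.0.1.99 203.0.113.40 tcp/443",  # source never seen before
    "2024-01-08T22:17:00 DROP 198.51.100.7 10.0.1.15 tcp/22",     # dropped: not our concern here
]


def parse_line(line):
    """Split one log line into (ts, action, src, dst, service); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None  # skip rather than crash on a truncated or foreign line
    return tuple(parts)


def build_baseline(lines):
    """Count every (src, dst, service) triple the firewall ACCEPTED in the window."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[1] == "ACCEPT":
            counts[rec[2:]] += 1
    return counts


def index_baseline(counts):
    """src -> dst -> {services}, so 'has this host ever talked to that?' is a lookup."""
    idx = defaultdict(lambda: defaultdict(set))
    for (src, dst, svc) in counts:
        idx[src][dst].add(svc)
    return idx


def classify(idx, src, dst, svc):
    """Label a flow by how far it departs from the baseline."""
    if src not in idx:
        return "new-source"
    if dst not in idx[src]:
        return "new-peer"
    if svc not in idx[src][dst]:
        return "new-service"
    return "known"


def find_deviations(counts, lines):
    """Return (ts, src, dst, service, label) for accepted flows not in the baseline."""
    idx = index_baseline(counts)
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec[1] != "ACCEPT":
            continue  # dropped traffic is what the firewall already handled
        ts, _, src, dst, svc = rec
        label = classify(idx, src, dst, svc)
        if label != "known":
            findings.append((ts, src, dst, svc, label))
    return findings


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    for finding in find_deviations(baseline, LATER_LOG):
        print(*finding)
```

Two caveats when doing this for real. The baseline window has to be long enough to include periodic traffic (month-end backups, quarterly patch pulls), or every recurrence will be reported as a deviation; and the baseline is only as clean as the network was when it was captured, so anything already compromised at that point becomes "known" and disappears from view. The label on each finding maps onto where to act: a new-service or new-peer finding usually starts on the originating machine, a new-source finding at the firewall and the asset inventory.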