Guardicore Centra Security Platform Verified as Citrix Ready

Micro-segmentation Solution Enables Strong Security for Citrix Virtual Apps and Desktops by Isolating Workloads and Preventing Lateral Movement

Boston, Mass. and Tel Aviv, Israel – November 12, 2019 – Guardicore, a leader in internal data center and cloud security, today announced its solution has been verified as Citrix® Ready. The Citrix Ready technology partner program offers robust testing, verification, and joint marketing for Digital Workspace, Networking, and Analytics solutions – with over 30,000 verifications listed in the Citrix Ready Marketplace. Guardicore completed a rigorous testing and verification process for its Guardicore Centra security platform to ensure compatibility with Citrix Virtual Apps and Desktops, providing confidence in joint solution compatibility.

“Using Guardicore Centra’s micro-segmentation capabilities, Citrix customers can now more effectively create and enforce policies that isolate Citrix Virtual Apps and Desktops securely, delivering a Zero Trust approach and preventing unauthorized access as well as lateral movement,” said Sharon Besser, Vice President of Business Development, Guardicore. “By integrating with critical technologies from Citrix and other members of our partner ecosystem we enable customers to maximize the value of existing investments while transforming security in the cloud and software-defined data center.”

“The Guardicore Centra security platform delivers a simple and intuitive way to apply micro-segmentation controls to reduce the attack surface, detect, and control breaches,” said John Panagulias, Director, Citrix Ready. “With this integration and Citrix Ready validation, we can offer customers integrated security solutions that combine Guardicore Centra with Citrix Virtual Apps and Desktops to protect virtual workloads while enhancing productivity.”

Virtual desktop infrastructure deployments require effective security controls that can scale without losing visibility and control. Unlike traditional deployments where end-user machines can be physically isolated from the data center and controlled and monitored, securing virtual environments requires a different approach, especially when applying principles of Zero Trust. Micro-segmentation is central to the network virtualization paradigm. It enables better security for these environments by isolating workloads from each other, controlling and enforcing security policies that prevent lateral movement attacks. Guardicore augments Citrix Virtual Apps and Citrix Virtual Desktops with micro-segmentation, using its advanced capabilities for flows, applications and users to create secure zones that enhance the application of Zero Trust without compromising productivity or user experience.

Available now, Guardicore Centra supports Citrix Virtual Apps and Desktops, and older versions of Citrix XenApp and Citrix XenDesktop. Guardicore Centra for Citrix products can be found immediately in the Citrix Ready Marketplace.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Using Zero Trust Security to Ease Compliance

Data privacy in cyber-security is a hugely regulated sector. New regulations such as the California Consumer Privacy Act (CCPA) and the EU’s General Data Protection Regulation (GDPR) have added to the list of compliance mandates that already included PCI-DSS for financial data and HIPAA for patient information. Many enterprises now have compliance officers or even teams established, who have a heavy workload in achieving and proving compliance for these regulations, in order to be prepared for an audit and to put best-practices into place.

As data centers have become increasingly complex and dynamic, this workload has increased exponentially. Visibility is understandably hard to achieve in a heterogeneous environment, and if you don’t know where your data is – how can you secure it?

Traditional Perimeter Security Causes Problems for Compliance

If your business relies on perimeter-based security, any breach is a breach of your whole network. Everything is equally accessible once an attacker has made it through your external perimeter. This security model cannot distinguish between types of data or applications, and does not define or visualize critical assets, giving everything in your data center an equal amount of protection.

This reality is a struggle for any IT or security team responsible for compliance. Multiple compliance authorities enforce strict controls over the management of customer data, including how it is held, deleted, shared and accessed. Personally identifiable information (PII) and anywhere that financial information is stored (e.g., a PCI cardholder data environment, CDE) need added security measures or governance to satisfy compliance mandates, and yet these are often left unidentified, let alone secured. This is made more complicated today by a growing amount of data that resides or communicates outside of the firewall, for example in the cloud. Visibility is the first hurdle, and many enterprises fall immediately at this challenge.

On top of this, with border controls alone, as soon as your perimeter is breached, all your data is up for grabs by attackers who can make lateral movements inside your network. Even if you could see what you have, perimeter security simply can’t protect critical data that falls in scope for compliance at the required level.

Zero Trust as a Solution for Compliance

Many enterprises know that a Zero Trust model would provide a stronger security posture, and are worried about east-west traffic that remains unprotected, but they think of moving to a Zero Trust paradigm as an incredibly complex initiative. Segmenting applications, writing policy for different areas of the business, and establishing which access permissions to grant and where: it sounds like it would complicate security, not make it simpler.

However, Renee Murphy, principal analyst at Forrester Research, explains how a Zero Trust model, when implemented intelligently, actually makes security and compliance a whole lot easier. “You end up with a less complex environment and doing less work overall. Once you know what [your data] is, where it is and how important it is, you can [then] put your efforts towards it.”

For this to be successful, and to remain simple, your Zero Trust model’s implementation needs to start with visibility. Data classification is not an IT problem but a business problem, and the business needs to be able to automatically discover all assets and data, both in real time and with historical baselines for comparison and policy creation.

Your partner in creating a Zero Trust model should be able to provide an automatic map of all applications, databases, communications and flows, including dependencies and relationships. This needs to be both deep, providing granular insight, and also broad, across your hybrid environment covering everything from legacy on-premises to container systems.

Furthermore, pick a vendor with good granular enforcement capabilities. The best protection leaves the least possible exposure. Policies that can lock compliance environments down further than port and IP address are required. Seek those that can create policies at the process, user, and domain name level.

Not only does this provide the best starting point for Zero Trust initiatives, but it also means that compliance becomes far easier as a result of best-in-class documentation and records at every stage.

Regardless of which standard you wish to comply with, utilizing the Zero Trust model for visibility and segmentation to effectively limit scope and resources is essential. For example, the PCI Security Standards Council has published the Information Supplement: Guidance for PCI DSS Scoping and Network Segmentation, in which this is directly called out.

When You Establish Zero Trust, All Data Can be Treated Unequally

Once visibility is established and you have an accurate view of your network, you can easily identify what needs protecting. Compliance mandates are usually very clear about what data is in scope and out of scope, and only require that in-scope data keeps to the regulations. While perimeter security made it impossible to apportion security differently throughout your data center, this is where micro-segmentation and Zero Trust thrive.

With zero trust, your security strategy can recognize that not everything is created equally. Some data or applications need more security and governance than others, and while certain assets need to be watched and controlled closely, others can be left with minimal controls.

With the right partner in place, enterprises can use a distributed firewall to prioritize where to put their compliance, moving from the most essential tasks forward. Granular rules can be put in place, down to process level or based on user-identity, strictly enforcing micro-perimeters around systems and data that are in scope. This is a much easier task than ‘protect everything, all the time.’

Demonstrating Compliance using a Zero Trust Environment

Adopting a Zero Trust mentality is also a really strong way to show auditors that you’re doing your part. A huge part of compliance is being able to guarantee that even in case of a breach, you have taken all reasonable steps to ensure that your data was protected from malicious intent. Each time an east-west movement is attempted, this communication is checked and verified. As such, your enterprise has never assumed that broad permissions are enough to guarantee a safe connection, and with micro-segmentation, you have reduced the attack surface as much as possible. This process also provides an audit trail, making incident response and documentation much simpler in case of a breach.

Consider partnering with a vendor that includes monitoring and analytics, as well as breach detection and incident response, to lower the chance of a cyber-attack and to create a plan for any events that violate policy or suggest malicious intent. This can dramatically improve your chances of withstanding an attack, as well as help to bolster a robust compliance checklist.

The days of relying on perimeter-based controls to stay compliant and secure are long gone. In a world where Zero Trust models are gaining acceptance and improving security posture so widely, enterprises need to do more to prove that they are compliant with the latest regulations.

The Zero Trust framework acknowledges that internal threats are now almost a guarantee, and enterprises need to protect sensitive data and crown jewel applications with more than just border control alone. Remaining compliant is an important yardstick to measure the security of your infrastructure against, and Zero Trust is an effective model to achieve that compliance.

Want to read more about implementing cloud security toward an effective Zero Trust model? Get our white paper about how to move toward a Zero Trust framework faster.

Guardicore Achieves Microsoft IP Co-Sell Status: Available for Download on the Azure Marketplace – Here’s What That Means for You

A couple of weeks ago we announced that the Guardicore Centra security platform is available in the Microsoft Azure Marketplace. As you might know, Centra was available in the marketplace before, as Guardicore has worked with Microsoft for a very long time, providing various integrations as well as research for Azure and Azure Stack. Now, the latest version of Centra is available and Guardicore has achieved an IP Co-Sell status.

One of the most important capabilities that we developed for Azure provides Centra with real-time integration to Azure orchestration. This provides metadata on the assets deployed in your Azure cloud environment, complementing the information provided by Guardicore agents.

For example, information coming from orchestration may include data that can’t be collected from the VM itself, including: Source Image, Instance Name, Private DNS Name, Instance Id, Instance Type, Security Groups, Architecture, Power State, Private IP Address and Subscription Name.

Using this information, Centra will accelerate security migration from an on-premises data center to Azure.

In addition, we are very proud that Guardicore has achieved the Microsoft IP Co-Sell status. This designation recognizes that Guardicore has demonstrated its proven technology and deep expertise that helps customers achieve their cloud security goals. Achieving this status demonstrates our commitment to the Microsoft partner ecosystem. It also proves our ability to deliver innovative solutions that help forward-thinking enterprise customers to secure their business-critical applications and data with quick time to value, reduce the cost and burden of compliance, and securely embrace cloud adoption.

Where to Start? Moving from the Theory of Zero Trust to Making it Work in Practice

Going back many years, perimeter controls were traditionally adequate for protecting enterprise networks that held critical assets and data. The hypothesis was that if you had strong external perimeter controls, watching your ingress and egress should be adequate for protection. If you were a more sophisticated or larger entity, there would be additional fundamental separation points between portions of your environment. However these were still viewed and functioned as additional perimeter points, merely concentric circles of trust with the ability, more or less, to move freely about. In cases where threats occurred within your environment, you would hope to catch them as they crossed one of these rudimentary borders.

The Moment I Realized that Perimeters Aren’t Enough

This practice worked moderately well for a while. However, around fifteen years ago, security practitioners began to feel a nascent itch, a feeling that this was not enough. I personally remember working on a case, a hospital – attacked by a very early spear phishing attack that mimicked a help desk request for a password reset. Clicking on a URL in a very official-looking email, staff were sent to a fake but official-looking website where these hospital professionals were prompted to reset their credentials – or so they thought. Instead, the attack began. This was before the days of the Darknet and we even caught the German hacker boasting about what he had done – sharing the phishing email and fake website on a hacker messaging board. I worked for a company that had a fantastic IPS solution and upon deploying it, we were able to quickly catch the individual’s exfils. At first, we seemed to be winning. We cut the attacker off from major portions of a botnet that resided on the cafeteria cash registers, most of the doctors’ machines and, to my horror, even on the automated pharmacy fulfillment computers. Two weeks later, I received a call: the attacker was back, trying to get around the IPS device in new ways. While we were able to suppress the attack for the most part, I finally had to explain to the hospital IT staff that my IPS was merely at the entrances and exits of their network and that to really stop these attacks, we needed to look at all of the machines and applications that resided within their environment. We needed the ability to look at traffic before it made its way to and from the exits. This was to be the first of many realizations for me that the reliance on perimeter-based security was slowly and surely eroding.

In the years since, the concept of a perimeter has all but completely eroded. Of course, it took quite a while for the larger population to accept. This was helped along by the business and application interdependencies that bring vendors, contractors, distributors and applications through your enterprise as well as the emergence of cloud and cloud like provisioning utilized by Dev Ops. The concept of being able to have true perimeters as a main method of prevention is no longer tangible.

It was this reality that spurred the creation of Forrester’s Zero Trust model almost a decade ago. The basic premise is that no person or device is automatically given access or trusted without verification. In theory, this is simple. In practice, however, especially in data centers that have become increasingly hybrid and complex, this can get complicated fast.

Visibility is Foundational for Zero Trust

A cornerstone of Zero Trust is to ‘assume breach.’ This means that any enterprise should assume that an attacker has already breached the perimeter. This could be through stolen credentials, a phishing scam, basic hygiene issues like poor passwords, account control and patching regimen, an IoT or third-party device, a brute force attack, or literally limitless other new vectors that make up today’s dynamic data centers.

Protecting your digital crown jewels through this complex landscape is getting increasingly tough. From isolating sensitive data for compliance or customer security, to protecting the critical assets that your operation relies on to run smoothly, you need to be able to visualize, segment and enforce rules to create an air-tight path for communications through your ecosystem.

As John Kindervag, the creator of Zero Trust, once said, in removing “the Soft Chewy Center” and moving towards a Zero Trust environment, visibility is step one. Without an accurate, real-time and historical map of your entire infrastructure, including on-premises and both public and private clouds, it’s impossible to be sure that you aren’t experiencing gaps or blind spots. As Forrester analyst Chase Cunningham mandates in the ZTX Ecosystem Strategic Plan, “Visibility is the key in defending any valuable asset. You can’t protect the invisible. The more visibility you have into your network across your business ecosystem, the better chance you have to quickly detect the tell-tale signs of a breach in progress and to stop it.”

What Should Enterprises Be Seeing to Enable a Zero Trust Model?

Visibility itself is a broad term. Here are some practical necessities that are the building blocks of Zero Trust, and that your map should include.

  • Automated logging and monitoring: With an automated map of your whole infrastructure that updates without the need for manual support, your business has an always-accurate visualization of your data center. When something changes unexpectedly, this is immediately visible.
  • Classification of critical assets and data: Your stakeholders need to be able to read what they can see. Labeling and classification are therefore an integral element of visibility. Flexible labeling and grouping of assets streamlines visibility, and later, policy creation.
  • Relationships and dependencies: The best illustration of the relationships and dependencies of assets, applications and flows will give insight all the way down to process level.
  • Context: This starts with historical data as well as real-time, so that enterprises can establish baselines to use for smart policy creation. Your context can be enhanced with orchestration metadata from the cloud or third-party APIs, imported automatically to give more understanding to what you’re visualizing.

Next Step… Segmentation!

Identifying all resources across all environments is just step one, but it’s an essential first step for a successful approach to establishing a Zero Trust model. Without visibility into users, their devices, workloads across all environments, applications, and data itself, moving onto segmentation is like grasping in the dark.

In contrast, with visibility at the start, it’s intuitive to sit down and identify your enterprise’s most critical assets, decide on your unique access permissions and grouping strategy for resources, and to make intelligent and dynamic modifications to policy at the speed of change.

Want to read more about visibility and Zero Trust? Get our white paper about how to move toward a Zero Trust framework faster.


Guardicore Infection Monkey for Zero Trust

Guardicore Labs provided assistance in a ransomware investigation. We analysed the decryption process of the IEncrypt ransomware and provided a safe-to-use version of the attackers’ decryptor.

Banco BASE Selects Guardicore Centra Security Platform to Protect Critical Banking Applications

Guardicore Chosen for Superior Visibility and Segmentation Policy Management to Reduce Risks

Boston, Mass. and Tel Aviv, Israel – October 22, 2019 – Guardicore, a leader in internal data center and cloud security, today announced that Banco BASE, a Mexican financial group and a leader in financing and foreign trade industries, is deploying Guardicore’s Centra Security Platform to provide advanced data center security.

“Banco BASE has built its success by providing the most innovative financial solutions, with agile and personalized service,” said Prudencio Frigolet Gómez, Director of Technology and Operations at Banco BASE. “A big part of our commitment to our customers is ensuring the protection of their critical data and availability of services. Guardicore Centra gives our IT team deep visibility into east-west traffic for our critical banking applications and the ability to reduce risk with micro-segmentation.”

Banco BASE is part of the Mexican Financial Group Grupo Financiero BASE. With over 32 years of experience, Banco BASE provides products for corporate and private banking, including loans, investments, digital accounts and currency exchange.

“We are honored Banco BASE has selected Guardicore to help protect their most critical applications,” said Pavel Gurvich, co-founder and CEO of Guardicore. “Banco BASE quickly recognized that a new, software-defined approach to segmentation is essential for reducing risk and simplifying ongoing policy management for critical applications and payment systems like SWIFT.”

Guardicore’s flagship product, the Centra Security Platform, is a comprehensive data center and cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce the attack surface and detect and control breaches within east-west traffic. It provides deep visibility into application dependencies and flows and enforcement of network and individual process level policies to isolate and segment critical applications and infrastructure.

About Banco BASE

For nearly three decades, Banco BASE has specialized in providing companies with financial advice solutions to help them grow and achieve their goals, through a strong services portfolio including Foreign Currency, Hedging Instruments, Credit, Digital Accounts and Investments. We deliver very efficient financial services through our network of offices in Mexico’s major cities, from which we cover the whole country, plus a representative office in Toronto, Canada. Furthermore, we have correspondent relationships with the world’s main banks and most Mexican banks, which ensure our transparency, reliability and transaction swiftness.

Our credentials include: rated by Standard & Poor’s since February 2000 and by Fitch Ratings since 2006, with our ratings always increasing; approximately 2,000 FX transactions per day and a daily trading volume of USD $450 million; members of the Association of Certified Anti-Money Laundering Specialists (ACAMS) and founders of its Monterrey, Mexico chapter; placed among the 500 most important companies in Mexico, and a “Super Empresa” (one of the best places to work) by Expansion Magazine (a Time Inc. enterprise). Our best recommendation comes from our more than 20,000 satisfied national and international customers.

For more information, visit www.bancobase.com.


Limitations of Azure Security Groups: Policy Creation Across Multiple vNets

In our previous post, we discussed the limitations of Cloud Security Groups and flow logs within a specific vNet. In today’s post, we will focus on another specific scenario and use case that is common to most organizations, discussing Cloud Security Group limitations across multiple regions and vNets. We will then deep dive into Guardicore’s value in this scenario.

In a recent analysis, Gartner mentions the inherent incompatibility between existing monitoring tools and the cloud providers’ native monitoring platforms and data handling solutions. Gartner explains that an organization’s own monitoring strategies must evolve to accommodate these differences.

As the infrastructure monitoring feature sets offered by cloud providers’ native tools are continuing to evolve and mature, Gartner comments that “Gaps still exist between the capabilities of these tools and the monitoring requirements of many production applications… Remediation mechanisms can still require significant development and integration efforts, or the introduction of a third-party tool or service.”

To understand the challenges faced when using native monitoring tools, in this post I’ll again share details from an experiment that was performed by one of our customers. The customer created a simulation of multiple applications running in Azure, and created security policies between these applications.

The lab setup

Let’s look at the simulation environment. There are multiple Azure subscriptions, and within each subscription, there is a Virtual Network (VNet). In this case, SubscriptionA is the Production environment based in the Brazil region, and SubscriptionB is the Development environment, based in West Europe. Each has its own vNet. Both VNets are peered together.

ASGs:
The team created 3 Application Security Groups (ASGs). Note that the locations correspond to the locations used for the Virtual Networks (VNets).

The customer wanted to test the following scenario:
Block all communication from the CMS application over port 80, unless CMS communicates over this port with the SWIFT and Billing applications.

However, CMS application servers reside in the West Europe region, and the Swift and Billing application servers reside in the Brazil South region.

In this scenario, with two Virtual Networks (VNets), our customer wanted to know whether an Application Security Group (ASG) that exists in one VNet would be available for reference in the other VNet’s Network Security Group (NSG). Would it be possible to create a rule using ASGs from the CMS App servers to the SWIFT and Billing applications even though they are in separate VNets?

The limitations and constraints of using Azure Security Groups were immediately clear

The team attempted to add a new inbound security rule from the CMS servers’ ASG to the SWIFT servers’ ASG. As you can see from the screenshot, the only Application Security Group (ASG) that appears in the list of options is the local one, the CMS servers’ ASG.

Let’s explore what happened above. According to the documentation provided by Azure:
  • Each subscription in Azure is assigned to a specific, single region.
  • Multiple subscriptions cannot share the same VNet.
  • NSGs can only be applied within a VNet.

Thus each region must contain a single vNet, and each region will have its own specific NSGs in place. The team attempted a few options to troubleshoot this issue using Security Groups.

First, they attempted to use ASGs to resolve this and create policies across regions. However, the customer came up against the following Azure rule:
“All network interfaces assigned to an ASG have to exist in the same vNet. You cannot add network interfaces from different vNets to the same application security group.”
If your application spans regions or VNets, you cannot create a single ASG that includes all servers within that application. A similar rule applies when application dependencies cross regions. ASGs therefore couldn’t solve the problem with policy creation.

Next, the customer tried combining two ASGs from different VNets to achieve this policy. Again, Azure rules made this impossible, as you can see below:
“If you specify an application security group as the source and destination in a security rule, the network interfaces in both application security groups must exist in the same virtual network. For example, if AsgLogic contained network interfaces from VNet1, and AsgDb contained network interfaces from VNet2, you could not assign AsgLogic as the source and AsgDb as the destination in a rule. All network interfaces for both the source and destination application security groups need to exist in the same virtual network.”

Simply put, according to Azure documentation, it is not possible to create an NSG containing two ASGs from different vNets.

Thus if your application spans multiple vNets, using a single ASG for all application components is not an option, nor is combining two ASGs in an NSG. You’ll see the same problem when application dependencies cross regions, like in the case of our CMS, SWIFT and billing applications above.

Bottom line: it is not possible to create NSG rules using ASGs for cross-region or cross-VNet traffic.

Introducing Guardicore to the Simulation

The team had an entirely different experience when using Guardicore Centra to enforce the required policy settings.

The team had already been using Guardicore Centra for visibility to explore the network. In fact, this visibility had helped the team realize they needed to permit the CMS application to communicate with SWIFT over port 8080 in the first place. The team was therefore immediately able to view the real traffic between both regions/vNets and within each region/vNet, visualizing the connections between the CMS application in West Europe and the SWIFT and Billing application in the Brazil region.

With Guardicore, policies are created based on labels, and are therefore decoupled from the underlying infrastructure, supporting seamless migration of policies alongside workloads, wherever they may go in the future. As the customer planned to test migrating the CMS application to AWS, policies were created based on the environments and applications, not based on the infrastructure or the underlying “Cloud” context.

A critical layer added to Guardicore Centra’s visibility is labeling and grouping. This context enables deep comprehension of application dependencies. While Centra provides a standard hierarchy that many customers follow, our labeling approach is highly customizable. Flexible grouping enables you to see your data center in the context of how you as a business speak about your data center.

Labeling decouples the IP address from the segmentation process and enables application migration between environments, seamlessly, without the need to change the policies in place. With this functionality, the lab team was able to put the required policies into place.

One of the most impactful things we can do to make Guardicore’s visualization relevant to your organization quickly is to integrate with any existing sources of metadata, such as data center or cloud orchestration tools or configuration management databases. In the case above, all labels were received automatically from the existing Azure orchestration tags.

As Guardicore does not rely on the underlying infrastructure to enforce policies, such as Security Groups or endpoint firewalls, policies are completely decoupled from the underlying infrastructure. This enables the creation of a single policy across the whole environment, and covers those use cases that are cross environment, too. In the case of Azure, it allowed our customer to simulate policies that cross vNet and Region, while doing so seamlessly from a single pane of glass.
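The following is an added example, not Guardicore’s or Azure’s code: an offline checker that models the lab above (CMS in a West Europe VNet, SWIFT and Billing in a Brazil South VNet) and applies the two Azure ASG constraints quoted earlier to the intended rules, then evaluates the same intent as a label-based, default-deny policy to show why the VNet boundary stops mattering. All NIC, VNet, ASG and rule names are constructed for the example.

```python
# Added example: validate intended NSG/ASG rules against Azure's documented
# constraints, and contrast with a label-based policy for the same intent.
# Constraint 1: every NIC in an ASG must be in the same VNet.
# Constraint 2: if both source and destination of a rule are ASGs, all NICs of
#               both ASGs must be in the same VNet.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Nic:
    name: str
    vnet: str                # VNet the NIC is attached to
    labels: Dict[str, str]   # orchestration tags, e.g. {"env": "Prod", "app": "SWIFT"}


@dataclass
class Asg:
    name: str
    nics: List[Nic]

    def vnets(self) -> Set[str]:
        return {n.vnet for n in self.nics}


@dataclass
class NsgRule:
    name: str
    source: str        # ASG name, or "*" for any source
    destination: str   # ASG name, or "*" for any destination
    port: int
    access: str        # "Allow" or "Deny"


def check_asg(asg: Asg) -> List[str]:
    """Constraint 1: return a violation message if the ASG spans several VNets."""
    if len(asg.vnets()) > 1:
        return [f"ASG {asg.name} spans VNets {sorted(asg.vnets())}; "
                "Azure requires all of its NICs to be in one VNet"]
    return []


def check_rule(rule: NsgRule, asgs: Dict[str, Asg]) -> List[str]:
    """Return every reason the rule cannot be expressed as an NSG rule (empty = OK)."""
    problems: List[str] = []
    for asg_name in (rule.source, rule.destination):
        if asg_name != "*":
            problems += check_asg(asgs[asg_name])
    if rule.source != "*" and rule.destination != "*":   # Constraint 2
        combined = asgs[rule.source].vnets() | asgs[rule.destination].vnets()
        if len(combined) > 1:
            problems.append(f"rule {rule.name}: {rule.source} and {rule.destination} "
                            f"live in different VNets {sorted(combined)}")
    return problems


@dataclass
class LabelRule:
    """The same intent expressed on labels instead of infrastructure objects."""
    name: str
    source: Dict[str, str]        # label selector; {} matches any workload
    destination: Dict[str, str]
    port: int
    access: str


def matches(labels: Dict[str, str], selector: Dict[str, str]) -> bool:
    return all(labels.get(k) == v for k, v in selector.items())


def evaluate_label_policy(src: Nic, dst: Nic, port: int, rules: List[LabelRule]) -> str:
    """First matching rule wins; anything unmatched is denied (Zero Trust default)."""
    for r in rules:
        if r.port == port and matches(src.labels, r.source) and matches(dst.labels, r.destination):
            return r.access
    return "Deny"


# Constructed lab: Dev VNet in West Europe, Prod VNet in Brazil South, peered.
LAB_NICS = [
    Nic("cms-01", "vnet-dev-westeurope", {"env": "Dev", "app": "CMS"}),
    Nic("cms-02", "vnet-dev-westeurope", {"env": "Dev", "app": "CMS"}),
    Nic("swift-01", "vnet-prod-brazilsouth", {"env": "Prod", "app": "SWIFT"}),
    Nic("billing-01", "vnet-prod-brazilsouth", {"env": "Prod", "app": "Billing"}),
]


def nics_for_app(app: str) -> List[Nic]:
    return [n for n in LAB_NICS if n.labels["app"] == app]


LAB_ASGS = {
    "asg-cms": Asg("asg-cms", nics_for_app("CMS")),
    "asg-swift": Asg("asg-swift", nics_for_app("SWIFT")),
    "asg-billing": Asg("asg-billing", nics_for_app("Billing")),
    # Tempting workaround from the post: one ASG covering the whole dependency.
    "asg-cms-swift": Asg("asg-cms-swift", nics_for_app("CMS") + nics_for_app("SWIFT")),
}
INTENDED_NSG_RULES = [
    NsgRule("allow-cms-swift-80", "asg-cms", "asg-swift", 80, "Allow"),
    NsgRule("allow-cms-billing-80", "asg-cms", "asg-billing", 80, "Allow"),
    NsgRule("deny-cms-any-80", "asg-cms", "*", 80, "Deny"),
]
LABEL_RULES = [
    LabelRule("allow-cms-swift-80", {"app": "CMS"}, {"app": "SWIFT"}, 80, "Allow"),
    LabelRule("allow-cms-billing-80", {"app": "CMS"}, {"app": "Billing"}, 80, "Allow"),
    LabelRule("deny-cms-any-80", {"app": "CMS"}, {}, 80, "Deny"),
]


def nsg_report() -> Dict[str, List[str]]:
    """Map each intended rule to the constraint violations that block it."""
    return {r.name: check_rule(r, LAB_ASGS) for r in INTENDED_NSG_RULES}


if __name__ == "__main__":
    for name, problems in nsg_report().items():
        print(name, "OK" if not problems else problems)
    print(check_asg(LAB_ASGS["asg-cms-swift"]))
    cms, swift = nics_for_app("CMS")[0], nics_for_app("SWIFT")[0]
    print(evaluate_label_policy(cms, swift, 80, LABEL_RULES))  # Allow, across VNets
```

Only the deny rule, whose destination is not an ASG, survives the NSG checks; both allow rules fail Constraint 2 and the merged ASG fails Constraint 1, while the label policy permits exactly the two intended flows regardless of VNet.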

Guardicore Now Available in the Microsoft Azure Marketplace

Microsoft Azure customers worldwide now gain access to the Guardicore Centra security platform to take advantage of the scalability, reliability, and agility of Azure to drive application development and shape business strategies

Boston, Mass. and Tel Aviv, Israel – October 8, 2019 – Guardicore, a leader in internal data center and cloud security, today announced the availability of its Guardicore Centra security platform in the Microsoft Azure Marketplace, an online store providing applications and services for use on Azure. Guardicore customers can now take advantage of the scalability, high availability, and security of Azure, with streamlined deployment and management.

Guardicore Centra helps accelerate security migration from an on-premises data center to Azure. Additionally, it supports hybrid clouds and can protect legacy applications for those customers that prefer to keep such applications in their traditional data centers while migrating other applications to Azure. The Guardicore Centra security platform is also among the first cloud and data center micro-segmentation solutions in the market to achieve Microsoft IP Co-Sell status. This designation recognizes that Guardicore has demonstrated proven technology and deep expertise that helps customers achieve their cloud security goals.

“By implementing Guardicore Centra, combined with the range of powerful tools from Microsoft Azure, customers are able to gain the highest level of visibility and implement micro-segmentation for enhanced security. And they can do it faster and more effectively than traditional firewall technology with our simple-to-deploy overlay that can go to the cloud, stay on-premise, or do both at the same time,” said Pavel Gurvich, CEO and cofounder, Guardicore. “Achieving this status demonstrates our commitment to the Microsoft partner ecosystem and our ability to deliver innovative solutions that help forward-thinking enterprise customers to secure their business-critical applications and data quickly, reduce the cost and burden of compliance, and secure cloud adoption.”

Sajan Parihar, Senior Director, Microsoft Azure Platform at Microsoft Corp said, “We’re pleased to welcome Guardicore and the Guardicore Centra security platform to the Microsoft Azure Marketplace, which gives our partners great exposure to cloud customers around the globe. Azure Marketplace offers world-class quality experiences from global trusted partners with solutions tested to work seamlessly with Azure.”

The Azure Marketplace is an online market for buying and selling cloud solutions certified to run on Azure. The Azure Marketplace helps connect companies seeking innovative, cloud-based solutions with partners who have developed solutions that are ready to use.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Trials and Tribulations – A Practical Look at the Challenges of Azure Security Groups and Flow Logs

Cloud Security Groups are the firewalls of the cloud. They are built in and provide basic access control as part of the shared responsibility model. However, Cloud Security Groups do not provide the protection or functionality that enterprises have come to expect from on-premises deployments. While next-generation firewalls protect and segment applications at the on-premises perimeter (mostly), AWS, Azure and GCP do not mirror this in the cloud. Segmenting applications with Cloud Security Groups is restricted to layer 4: ports and IP addresses. This means that to benefit from application-aware security for your cloud applications you need an additional set of controls that the built-in functionality of Cloud Security Groups does not provide.

The basic function that Cloud Security Groups should provide is network separation, so they are best compared to what VLANs, Access Control Lists on switches and endpoint firewalls provide on premises. Unfortunately, Cloud Security Groups come with the same ailments and limitations as VLANs, ACLs and endpoint firewalls. This makes using them complex, expensive and ultimately ineffective for modern networks that are hybrid and require adequate segmentation. To create application-aware policies and micro-segment an application, you need to visualize application dependencies, which Cloud Security Groups do not support. Furthermore, if your application dependencies cross regions within the same cloud provider, or span clouds and on-premises infrastructure, application security groups are ineffective by design. We will touch on this topic in upcoming posts.

In today’s post we will focus on a specific scenario and use case that is common to most organizations, discussing Cloud Security Groups and flow logs limitations within a specific vNet, and illustrating what Guardicore’s value is in this scenario.

Experiment: Simulate a SWIFT Application Migration to Azure

Let’s look at the details from an experiment performed by one of our customers during a simulation of a SWIFT application migration to Azure.

Our customer used a subscription in Azure, in the Southern region of Brazil. Within the subscription, there is a Virtual Network (vNet). The vNet includes a Subnet 10.0.2.0/24 with various application servers that serve different roles.

This customer attempted to simulate the migration of their SWIFT application to Azure given the subscription above. General segmentation rules for their migrated SWIFT application were set using both NSGs (Network Security Groups) & ASGs (Application Security Groups). These were used to administrate and control network traffic within the virtual network (vNet) and specifically to segment this application.

Let’s review the difference:

  • An NSG is the Azure resource that is used to enforce and control the network traffic. NSGs control access by permitting or denying network traffic. All traffic entering or leaving your Azure network can be processed via an NSG.
  • An ASG is an object reference within a Network Security Group. ASGs are used within an NSG to apply a network security rule to a specific workload or group of VMs. An ASG is a “network object,” and explicit IP addresses are added to this object. This provides the capability to group VMs into associated groups or workloads.

The lab setup:
The cloud setup in this experiment included a single vNet, with a single Subnet, which has its own Network Security Group (NSG) assigned.

ASGs

  • Notice that they are all contained within the same Resource Group, and belong to the Location of the vNet (Brazil South).

NSGs:

The following NSG rules were in place for the simulated migrated SWIFT Application:

  • Load Balancers to Web Servers, over specific ports, allow.
  • Web Servers to Databases, over specific ports, allow.
  • Deny all else between SWIFT servers.

The problem:

A SWIFT application team member in charge of the simulation project called the cloud security team to report that a critical backup operation had stopped working on the migrated application, and that he suspected the connection was being blocked. The cloud network team then had to verify the root cause of the problem, partly through a process of elimination, out of several possible options:

  1. The application team member was wrong, it’s not a policy issue but a configuration issue within the application.
  2. The ASGs are misconfigured while NSGs are configured correctly.
  3. The ASGs are configured correctly but the NSGs are misconfigured or missing a rule.

The cloud team began the process of elimination. They used Azure flow logs to try to detect the possible blocked connections. The following is an example of such a log:

Using the Microsoft Azure Log Analytics platform, the cloud team sifted through the data, with no success. They were searching for a blocked connection that could potentially be the backup process, but the blocked connection could not be found. The cloud team members therefore dismissed the issue as a misconfiguration in the application.

The SWIFT team member insisted it was not an application issue and several days passed with no solution, all while the SWIFT backup operation kept failing. In a live environment, this stalemate would have been a catastrophe, with team members likely working around the clock to find the blocked connection, or prove misconfiguration in the application itself. In many cases an incident like this would lead to removing the security policy for the sake of business continuity as millions of dollars are at stake daily.

After many debates and an escalation of the incident, it was decided, based on the Protect team's recommendation, to leverage Guardicore Centra in the Azure cloud environment to help with the investigation and the migration simulation project.

Using Guardicore Centra, the team used Reveal to filter for all failed connections related to the SWIFT application. This immediately surfaced a failed connection attempt between the SWIFT load balancer and the SWIFT databases. The connection failed because no security group rule allowed it: there was no NSG rule in the policy permitting SWIFT load balancers to talk to SWIFT databases.

The filters in Reveal


Discovering the process

Guardicore was able to provide visibility down to the process level for further context and identification of the failed backup process.

Application Context is a Necessity

The reason the flow logs were inadequate for detecting the connection was that IPs were constantly changing as the application scaled up and down and the migration simulation project moved forward. Throughout this, the teams had no context of when the backup operation was supposed to occur or which servers initiated the attempted connections, so the search came up empty-handed. They were searching for what they thought would reveal the failed connections, but as flow logs are limited to IPs and ports, they were unable to search based on application context.

The cloud team decided to use Guardicore Centra to manage the migration and segmentation of the SWIFT application simulation for ease of management and ease of maintenance. Additionally, they added process and user context to the rules for more granular security and testing. Guardicore Centra enabled comparing the on-premises application deployment with the cloud setup to make sure all configurations were in place.

The team then went on to use Guardicore Centra to simulate the SWIFT policy over real SWIFT traffic, making sure they were not blocking additional critical services and would not inadvertently block them in the future.


Guardicore Centra provided the cloud security team with:

  • Visibility and speed to detect the relevant blocked flows
  • Process and user context to identify the failed operation as the backup operation
  • Ability to receive real-time alerts on any policy violation
  • Applying process level rules & user level rules required for the critical SWIFT Application
  • Simulation and testing capabilities to simulate the policies over real application traffic before blocking

None of these features is available in Azure. These limitations have serious implications, such as the backup operation failure and the inability to adequately investigate and resolve the issue.

Furthermore, as part of general environment hygiene, our customer attempted to add several rules to govern the whole vNet, blocking Telnet and insecure FTP. For Telnet, our customer could add a block rule in Azure on port 23. For FTP, an issue was raised: FTP can communicate over high-range ports that many other applications also need to use, so how could it be blocked? Using Guardicore, a simple block rule on the ftpd process was put in place with no port restriction, immediately blocking any insecure FTP communication at the process level regardless of the ports used.
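The difference between a port-based deny rule and a process-based one is easy to see with a small evaluator. This is an added example, not Guardicore's code: the connection records (including the passive-mode FTP data connection that ftpd opens on an ephemeral high port, and an unrelated backup agent using the same port range) and the process names are constructed.

```python
"""Port-based vs process-based block rules over constructed connection records.

Added example, not code from the original post.  An NSG can only match on
ports and addresses; a host-level rule can also match on the process that
owns the socket.  Traffic and process names are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int
    process: str    # process owning the socket on the monitored host


# Constructed traffic: Telnet, the FTP control channel, the passive-mode FTP
# data channel on a high port, and a legitimate backup agent on a high port.
TRAFFIC = [
    Conn("10.0.2.40", "10.0.2.41", 23, "telnetd"),
    Conn("10.0.2.40", "10.0.2.42", 21, "ftpd"),
    Conn("10.0.2.40", "10.0.2.42", 49157, "ftpd"),
    Conn("10.0.2.40", "10.0.2.43", 49157, "backupd"),
]

EPHEMERAL_PORTS = range(49152, 65536)


def port_block(ports):
    """Deny rule expressible in an NSG: match on destination port only."""
    return lambda c: c.dport in ports


def process_block(names):
    """Deny rule needing host/process context: match on the owning process."""
    return lambda c: c.process in names


def blocked(rules, traffic=TRAFFIC) -> list[Conn]:
    """Connections denied by at least one rule."""
    return [c for c in traffic if any(rule(c) for rule in rules)]


def collateral(rules, insecure={"telnetd", "ftpd"}, traffic=TRAFFIC) -> list[Conn]:
    """Connections the rule set denies that are not the insecure services."""
    return [c for c in blocked(rules, traffic) if c.process not in insecure]


def missed(rules, insecure={"telnetd", "ftpd"}, traffic=TRAFFIC) -> list[Conn]:
    """Insecure-service connections the rule set lets through."""
    hit = set(blocked(rules, traffic))
    return [c for c in traffic if c.process in insecure and c not in hit]


if __name__ == "__main__":
    narrow = [port_block({23, 21})]
    wide = [port_block({23, 21}), port_block(EPHEMERAL_PORTS)]
    proc = [process_block({"telnetd", "ftpd"})]
    for name, rules in (("ports 23/21", narrow), ("ports + ephemeral", wide), ("process", proc)):
        print(f"{name:18} missed={len(missed(rules))} collateral={len(collateral(rules))}")
```

The port-only rule misses the FTP data channel, widening it to the ephemeral range blocks the backup agent as well, and the process rule denies exactly the insecure services.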

Visibility is key to any successful application migration project. Understanding your application dependencies is a critical step, enabling setting up the application successfully in the cloud. Guardicore Centra provides rich context for each connection, powerful filtering capabilities, flexible timeframes and more. We collect all the flows, show successful, failed, and blocked connections, and store historical data, not just short windows of it, to be able to support many use cases. These include troubleshooting, forensics, compliance and of course, segmentation. This enables us to help our customers migrate to the cloud 30x faster and achieve their segmentation and application migration goals across any infrastructure.

Ophir Harpaz of Guardicore Wins Rising Star Leadership Award from SC Media

Boston, Mass. and Tel Aviv, Israel – September 23, 2019 – Guardicore, a leader in internal data center and cloud security, today announced that Ophir Harpaz, Security Researcher, Guardicore has been named a winner in the third-annual SC Media Reboot Leadership Awards, earning the distinction in the Rising Star category. A total of 50 honorees were revealed as part of a special editorial section published today at SC Magazine.

“Ophir represents the very best of what it means to be a contributing member of the information security community. Her curiosity leads her forward daily to uncover the most dangerous tools and techniques employed by today’s adversaries, and to share her findings through blog posts, workshops and talks. She is passionate about leveraging her position to elevate and educate young women and her fellow researchers and dedicates her time freely to pass on all she has already learned,” said Ofri Ziv, Vice President of Research, Guardicore and Head of Guardicore Labs. “We applaud her for her achievements and look forward to her continued success.”

The Reboot Leadership Awards are an adjunct to SC Media's annual Reboot coverage, which takes place each December when SC Media recognizes the best and brightest cybersecurity luminaries and organizations. The Reboot Leadership Awards offer similar accolades. The winners are honored with a special section on SC Media's website and in the December Reboot edition.

The contenders who were nominated faced a thorough judging process conducted by SC Media’s editorial team. This included a review of their professional backgrounds, references and work undertaken to benefit the wider industry, as well as any other research deemed necessary. Winners were chosen based on their outstanding service, qualifications and advancements in the cybersecurity industry.

“There were no shortage of quality nominations this year as we reviewed the various candidates for our coveted Reboot Awards,” said Teri Robinson, executive editor, SC Media. “However, after a thorough evaluation process, it was clear that Ophir truly distinguished herself through her valuable contributions and industry influence.”

Ophir is becoming one of the world's foremost experts in cybercrime research, preventing millions of dollars of damage for some of the world's most valuable companies. Most recently, she has led research on the Nansh0u crypto mining and Smominru botnet campaigns, and took part in the development of Guardicore's publicly available Cyber Threat Intelligence threat feed. She is also an active member of Baot, a community for women in software development and research positions in the Israeli high-tech industry, and dedicates copious time to education and to contributing to the world. She is a true believer in the information security world being a community. As part of that approach, she runs the website begin.re, a popular resource for learning reverse engineering, and regularly shares insights from her daily life in cybersecurity via social media. In fact, Ophir was selected by Sentinel One as one of 21 Twitter profiles worth following and by Cybersecurity Ventures' Cybercrime Magazine for its recommended list of women in the industry to follow on Twitter.

About SC Media

SC Media is cybersecurity. They’ve lived it for over 30 years, sharing industry expert guidance and insight, in-depth features, timely news and independent product reviews in various content forms in partnership with and for top-level information security executives and their technical teams. SC Media arms information security professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies. They deliver breaking news, comprehensive analysis, cutting-edge features, contributions from thought leaders, and the best, most extensive collection of product reviews in the business. Whether through their comprehensive website, magazine, in-depth ebooks, newsletters, or regularly scheduled digital and live events, such as their SC Awards program and their RiskSec conference, their readers gain all the relevant information they need to safeguard their organizations and, ultimately, contribute to their longevity and success.
