Guardicore Raises $60 Million; Continues to Build Momentum in Cloud and Data Center Security

Led by New Investor Qumra, Funding Fuels Company Growth and Continued Disruption in Firewall and Data Center Markets

Boston, Mass. and Tel Aviv, Israel – May 21, 2019 – Guardicore, a leader in internal data center and cloud security, today announced it has raised $60 million in Series C funding, bringing the company’s total funding to $110 million. This more than doubles the total capital raised to date and represents an endorsement of Guardicore’s current momentum as the company continues to disrupt the broader firewall and data center markets.

“Any organization has critical IT assets that need to be secured. Our distributed, software-defined segmentation solution is the simplest way to secure these assets whether they reside in the cloud or on premises. The days of being chained to legacy firewalls are over,” said Pavel Gurvich, CEO and co-founder of Guardicore.  

New investor Qumra Capital led the round and was joined by other new investors DTCP, Partech, and ClalTech, Access Industries’ vehicle for Israeli technology investments. Existing investors Battery Ventures, 83North, TPG Growth, and Greenfield Partners also participated in the round. Guardicore will leverage the funds to fuel continued growth and accelerate investments in sales, marketing and customer service as it seeks to expand delivery of its Guardicore Centra security platform to enterprise organizations seeking to protect dynamic data center and cloud infrastructure environments. Ram Metser, Executive Chairman of Segterra, Inc., an innovative digital health analytics company, and former CEO of Guardium, Inc., a dominant database security company acquired by IBM, also joined the Guardicore board of directors.

Continued Gurvich, “Since our last round of funding, we have successfully been able to articulate our vision and demonstrate that the market is ripe for disruption. With consistent revenue growth the past three years and large-scale deployments with numerous Fortune 500 customers, we have proven that our product is more intuitive, flexible, and makes security easier to apply than traditional firewall technology currently being used to protect internal and cloud infrastructure. We are displacing incumbent players and newcomers alike as we strive to help our enterprise customers quickly secure their business-critical applications and data, reduce the cost and burden of compliance and secure cloud adoption.”

“Deutsche Bank is committed to the highest standards of security and a high priority for us is implementing tight network segmentation in our on-premise and cloud environments. Guardicore gives us an effective way to protect our critical assets through segmentation,” said Alan Meirzon, Director, Chief Information Security Office at Deutsche Bank, a Guardicore customer.

“Guardicore is changing the way enterprises approach data center security with modern segmentation capabilities that overcome the inherent inefficiencies of traditional techniques and results in stronger security for enterprise environments,” said Boaz Dinte, founding partner of Qumra Capital, investing in exceptional late-stage companies. “Guardicore is disrupting the market and is well positioned to capitalize on the broader opportunities this presents. We were compelled to invest as the lead in this round because we believe Guardicore will play a critical role in shaping the future of enterprise security, helping organizations better protect vital systems and data as we evolve our digital information society.”

“Guardicore is led by an exceptionally strong team with deep tech know-how and has demonstrated consistent growth and momentum since inception. With wide-spread adoption of distributed and hybrid infrastructures, we need a new paradigm for enterprise security outside of classic perimeters,” said Irit Kahan, Managing Director at DTCP, a global investment platform with c. $1.7 billion assets under management from Deutsche Telekom and other institutional investors. “The company’s unique market positioning and attractive roster of customers across the US and Europe, including some of the largest Fortune 500 names, have validated the value and scale of Guardicore’s approach and strong capabilities.”

Guardicore protects data centers of large and mid-sized enterprises across North America, South America, and EMEA in financial, healthcare and retail industries, including global, blue-chip brands.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Guardicore Raises $60 Million; Funding Fuels Company Growth and Continued Disruption

Today I am excited to share that we have secured a Series C funding round of $60 million, bringing our total funding to more than $110 million. The latest round was led by Qumra Capital and was joined by other new investors DTCP, Partech, and ClalTech. Existing investors Battery Ventures, 83North, TPG Growth, and Greenfield Partners also participated in the round.

Since we launched the company in 2015, Guardicore has been focused on a single vision for providing a new, innovative way to protect critical assets in the cloud and data center. Our focus, and our incredible team, has earned the trust of some of the world’s most respected brands by helping them protect what matters most to their business. As the confidence our customers have in us has grown, so has our business, which has demonstrated consistent year-over-year growth for the past three years.

Our growth is due to our ability to deliver on a new approach to secure data centers and clouds using distributed, software-defined segmentation. This approach aligns with the transformation of the modern data center, driven by cloud, hybrid cloud, and PaaS adoption. As a result, we have delivered a solution that redefines the role of firewalls and implementing Zero Trust security frameworks. More dynamic, agile, and practical security techniques are required to complement or even replace the next-generation firewall technologies. We are delivering this and give our customers the ability to innovate rapidly with the confidence their security posture can keep up with the pace of change.

Continued Innovation

The movement of critical workloads into virtualized, hybrid cloud environments, industry compliance requirements and the increase of data center breaches demands a new approach to security that moves away from legacy firewalls and other perimeter-based security products to a new, software-defined approach. This movement continues to inspire our innovations and ensure that our customers have a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment.

Our innovation is evident in several areas of the company. First, we have been able to quickly add new innovative technology into our Centra solution, working in close partnership with our customers. For example, we deliver expansive coverage of data center, cloud infrastructure and operating environments, and simpler and more intuitive ways to define application dependencies and segmentation policies. This gives our customers the right level of protection for critical applications and workloads in virtually any environment.

Second, our Guardicore Labs global research team continues to provide deep insights into the latest exploits and vulnerabilities that matter to the data center. They also equip industry with access to open source tools like Infection Monkey, and Cyber Threat Intelligence (CTI) that allows security teams to keep track of potential threats that are happening in real time.

We have also continued to build out other areas of our business, such as our partner ecosystem, which earned the five-star partner program rating from CRN since its inception two years ago, as well as our technology alliances, which include relationships with leading cloud / IaaS infrastructure players such as AWS, Azure, and Nutanix.

Looking Ahead

We are proud of our past, but even more excited about our future. While there is always more work to do, we are in a unique position to lead the market with not only great technology, but a strong roster of customers, partners and, most importantly, a team of Guardicorians that challenge the status quo every single day to deliver the most innovative solutions to meet the new requirements of a cloud-centric era. I truly believe that we have the best team in the business.

Finally, as we celebrate this important milestone, I want to say thanks to our customers who have made Guardicore their trusted security partner. It is our mission to continue to earn your trust by ensuring you maximize the value of your security investments beyond your goals and expectations.

4 of the Most Devastating Data Center Breaches of the Past 5 Years. (And How They Could Have Been Prevented)

In our last blog about data center hygiene, I talked about how most hackers are getting into your data centers in pretty standard, and more importantly, preventable ways. You can read more in depth about hacks and security with some interesting perspectives and thought leadership from our Guardicore Labs team, who research and write about the truly interesting campaigns they discover and analyze. In this article, however, I want to focus on four of the most talked about breaches of the past few years. By looking at what was stolen, who was impacted, how the data center breaches occurred, and what the tangible damage was, we should be able to see a pattern in how these attacks were perpetrated, and how they could have been stopped.

Equifax – What Happened?

The amount of data stolen was huge, including 148 million American names, dates of birth and social security numbers, 15 million British names, dates of birth and driving license and financial details, and an unknown number of PII belonging to Canadians and Australians. Home addresses, genders, passport details and taxpayer ID cards were stolen, as well as payment card information.

The damage to Equifax continues to grow. The stock drop alone cost the company $4 billion, alongside scrapped bonuses and IT costs of $242.7 million. There are 19 class action lawsuits pending against the company, and fines outstanding from US and Canadian regulatory commissions. The UK fined the company £500,000 (US$660,000), which is the maximum it could levy prior to the new GDPR regulations.

How Could it Have Been Prevented?

The initial entry point for the Equifax attackers was an unpatched vulnerability in their front-end web services, specifically in Apache Struts 2.0. According to the US House of Representatives, “The company’s failure to implement basic security protocols, including file integrity monitoring and network segmentation, allowed attackers to access and remove large amounts of data.” To understand more about this advice, see our deep dive on the Equifax failures.

Segmentation was obviously a core problem for Equifax: the lack of segmentation allowed the attackers to move with ease to critical areas once they made it through the perimeter. This was made worse by poor data hygiene, something we mentioned in our previous blog. The hackers were able to steal the data because of an out-of-date digital certificate, one which had expired more than 19 months before the breach.

Equifax have also been criticized for their lack of proper incident response, a problem we see in many data center breaches. As early as August 2016, Equifax was warned about vulnerabilities, and told about flaws in their data center. Allegedly, the company did nothing, even when they learned that hackers had broken into their computer system and when they observed and blocked what they called “suspicious network traffic.” This dangerous inaction is not only illegal, but borders on negligence.

Target – What Happened?

100 million customers were affected by the 2013 Target data center breach, with data exposed including mailing addresses, names, email addresses, phone numbers and credit and debit card account data. This information could then be used to hack consumer accounts or launch phishing scams. Financial data stolen was complete, including account numbers, CVV codes and expiration dates.

Target also suffered a drop in their stock price as a result of the data center breach, with hundreds of lawsuits and around $3.6 billion worth of fines levied against them. The most distinctive outcome of this, in comparison to other data center breaches, is that it caused a total change to the retail industry. Card payment systems and Point of Sale systems were changed, the EMV chip was adopted, and tokenization of transactions was introduced as a new protocol.

How Can Data Center Breaches like the Target Attack be Avoided?

Third party vendors and services can be the weakest link in your ecosystem, without you even knowing it. For Target, the hack of their HVAC vendor network was the entry point for the hackers. With the right amount of visibility, the company could have seen that this was a risky connection, and a potential breach point. Once inside the Target network, the financial data was accessible to the attackers because it was not segmented for PCI compliance. Lastly, poorly patched Point of Sale systems could have been protected with better account management.

While the company was warned of the breach in advance, the CISO at Target was concerned about losing revenue during the all-important holiday season, so delayed the incident response.

Yahoo – What Happened?

The largest breach of its kind, 1 billion records were exposed in 2014 when Russian hackers infiltrated the Yahoo network. Among the data stolen were email addresses, usernames, phone numbers, security questions and encrypted passwords. This information has since been used in hundreds of attacks worldwide. Shockingly, Yahoo failed to notify anyone about the breach until 2016, and there is still no clear answer as to how the network was breached.

In 2018, the SEC fined them $50 million, and as with all data center breaches that affect this many individuals, there are likely to be more financial and legal consequences on the way.

Marriott – What Happened?

It can be hard to gauge the damage of an attack, especially when the company in question is less than upfront about the situation. Attackers breached the network of the Starwood systems, owned by Marriott hotels, during 2014, which means they achieved a dwell time of at least 1441 days. The hackers were Chinese intelligence services, with the motive of tracking people of interest and espionage.

The data stolen includes the names, phone numbers, email addresses, dates of birth and passport information of guests at the hotel, providing clear benefits for intelligence agencies who want insight into people’s movements, meetings, and credentials. It can also be used to create counterfeit passports, with real identification information. The secrecy around this attack, and the length of the dwell time means that the consequences are likely to be harsh. The GDPR breach alone will cost Marriott $915 million, while US federal investigations are still underway before further fines can be given.

Gaining Visibility and Control over Data Center Breaches like Yahoo and Marriott

Now let’s look again at our data center security checklist from the previous blog. In all of these cases, solving the issues on the checklist could have reduced risk and perhaps even prevented these data center breaches. Starting with visibility, identify your critical assets and digital crown jewels, so that you know where segmentation can make a difference. Ensure that areas of compliance are near the top of your to-do list. Protect your data center from the weakest links, namely the third-party vendors, suppliers and distributors who could be putting you at risk. Lastly, alongside underlying data hygiene, make sure you have an incident response plan that is up to date and tried and tested.

Want to learn more about how segmentation and micro-segmentation can help you achieve early wins for your company? Check out our white paper on smart segmentation.

Read More

Interested in research? Follow the exploits uncovered by Guardicore Labs here. You can also check out Infection Monkey, a free, open source vulnerability assessment tool that works across premises, vSphere, multiple clouds and containers. A recent addition: look up potentially threatening domains and IPs using our cutting-edge Cyber Threat Intelligence.

May 2019’s Patch Tuesday: Must-Knows for Every Data Center

Guardicore Labs provided assistance in a ransomware investigation. We analysed the decryption process of the IEncrypt ransomware and provided a safe-to-use version of the attackers’ decryptor.

Containers vs Virtual Machines – Your Cheat Sheet to Know the Differences

Docker, Kubernetes, and even Windows Server Containers have seen a huge rise in popularity over the last few years. With the application container market having a projected CAGR (Compound Annual Growth Rate) of 32.9% from 2018 to 2023, we can expect that trend to continue. Containers have a huge impact on application delivery and are a real game changer for DevOps teams.

However, despite the popularity of containerization, there is still significant confusion and misunderstanding about how containers work and the difference between containers and virtual machines. This also leads to ambiguity in how to properly secure infrastructure that uses containers.

In this piece, we’ll provide a crash course on containers vs virtual machines by comparing the two, describing some common use cases for both, and providing some insights to help you keep both your virtual machines and containers secure.

What are Virtual Machines?

VMware’s description of a virtual machine as a “software computer” is a succinct way to describe the concept. A virtual machine is effectively an operating system or other similar computing environment that runs on top of software (a hypervisor) as opposed to directly on top of bare metal computer hardware (e.g. a server).

To better conceptualize what a virtual machine is, it’s useful to understand what a hypervisor is. A hypervisor is a special type of operating system that enables a single physical computer or server to run multiple virtual machines with different operating systems. The virtual machines are logically isolated from one another; the hypervisor virtualizes the underlying hardware and gives the virtual machines virtual compute resources (CPU, RAM, storage, etc.) to work with. Two of the most popular hypervisors today are Microsoft Hyper-V and VMware’s ESXi.

In short, hypervisors abstract away the hardware layer so virtual machines can run independent of the underlying hardware resources. This technology has enabled huge strides in virtualization and cloud computing over the last two decades.

Note: If you’re interested in learning more about the nuts and bolts of hypervisors, be aware that what we’ve described here is a “Type 1” hypervisor, which runs directly on the hardware. There are also “Type 2” hypervisors (e.g. VirtualBox or VMware Fusion) that run on top of a standard operating system (e.g. Windows 10).

What are Containers?

A container is a means of packaging an application and all its dependencies into a single unit that can run anywhere the corresponding container engine is. To conceptualize this, we can compare what a container engine does for containers to what a hypervisor does for virtual machines. While a hypervisor abstracts away hardware for the virtual machines so they can run an operating system, a container engine abstracts away an operating system so containers can run applications.

If you’re new to the world of containers and containerization, there is likely a ton of new terminology you need to get up to speed on, so here is a quick reference:

  • Docker. One of the biggest players in the world of containers and makers of the Docker Engine. However, there are many other options for using containers such as LXC Linux Containers and CoreOS rkt.
  • Kubernetes. A popular orchestration system for managing containers. Kubernetes will often be written as “K8s” for short. Other less popular orchestration tools include Docker Swarm and Apache Marathon.
  • Cluster. A group of containers that has a “master” machine that enables orchestration and one or more worker machines that actually run pods.
  • Pods. Pods are one or more containers in a cluster with shared resources that are deployed for a specific purpose.

Understanding the differences between containers vs virtual machines becomes easier when you view them from the standpoint of what is being abstracted away to provide the technology. With virtual machines, you’re abstracting away the hardware that would have previously been provided by a server and running your operating system. With containers you’re abstracting away the operating system that has been provided by your virtual machine (or server) and running your application (e.g. MySQL, Apache, NGINX, etc.).

Use Cases for Containers vs Virtual Machines

At this point, you may be asking: “Why bother with containers if I already have virtual machines?” While that is a common thought process, it’s important to understand that each technology has valid use cases and there is plenty of room for both in the modern data center.

Many of the benefits of containers stem from the fact they only include the binaries, libraries, other required dependencies, and your app – no other overhead. It should be noted that all containers on the same host share the same operating system kernel. This makes them significantly smaller than virtual machines and more lightweight. As a result, containers boot quicker, ease application delivery, and help maximize efficient utilization of server resources. This means containers make sense for use cases such as:

  • Microservices
  • Web applications
  • DevOps testing
  • Maximization of the amount of apps you can deploy per server

Virtual machines on the other hand are larger and boot slower, but they are logically isolated from one another (with their own kernel) and can run multiple applications if needed. They also give you all the benefits of a full-blown operating system. This means virtual machines make sense for use cases such as:

  • Running multiple applications together
  • Monolithic applications
  • Complete logical isolation between apps
  • Legacy apps that require old operating systems

It’s also important to note that the topic of containers vs virtual machines is not zero-sum and the two can be used together. For example, you can install the Ubuntu operating system on a virtual machine, install the Docker Engine on Ubuntu, and then run containers on top of the Docker Engine.

Security Challenges of Containers vs Virtual Machines

As data centers and hybrid cloud infrastructures integrate containers into an already complex ecosystem that includes virtual machines running on-premises and a variety of cloud services providers, keeping up with security can be difficult.

While virtual machines do offer logical isolation of kernels, there is still a myriad of challenges associated with virtual machines, including limited visibility into virtual networks, sprawl leading to an expanded attack surface, and hypervisor security. These problems only become more magnified as your infrastructure scales and becomes more complex. Without the proper tools, adequate visibility and security are harder to achieve.

This is where Guardicore Centra can help. Centra enables enterprises to gain process-level visibility over the entirety of their infrastructure, whether virtual machines are deployed on-premises, in the cloud, or a mixture of both. Further, micro-segmentation helps limit the spread of threats and meet compliance requirements.

Micro-segmentation is particularly important when you begin to consider the challenges associated with container security. Containers running on the same operating system share the same kernel. This means that a single compromised container could lead to the host operating system and all the other containers on the host being compromised as well. Micro-segmentation can help limit the lateral movement of breaches and further harden a hybrid cloud infrastructure that uses containers.

Interested in Learning More About Securing Your Infrastructure?

That was our quick “cheat sheet” regarding containers vs virtual machines. We hope you enjoyed it! If you’d like to learn more about Docker security, check out our 5 Docker Security Best Practices to Avoid Breaches article. To learn more about securing modern infrastructure, check out our white paper on securing modern data centers and clouds. If you’d like to learn more about how Centra can help secure your hybrid cloud infrastructure, contact us today.

Easy Ways to Greatly Reduce Risk in Today’s Data Centers

Whether your infrastructure is on premises, in the cloud, or a combination of hybrid cloud, there are core characteristics of breached data centers that make them vulnerable to attack. These data centers are easier to penetrate and utilize, making them higher value targets for opportunistic hackers to exploit.

The truth is, protection is not that complicated. There are common, easily fixable data center problems that come up again and again in the biggest breaches, and best practices that can be easily implemented to provide significant risk reduction for your company against these kinds of threats. Security professionals often feel inundated with content that discusses ideas like “IT ecosystems are increasingly complex and fast-changing, and are therefore so difficult to secure,” but this is, in most cases, simply wrong.

What Are the Attackers Looking For?

Data centers offer the biggest bang for the criminal’s buck, whether that’s harvesting PII or other sensitive information such as technical intellectual property and best practices. Beyond direct gain, data centers offer a wealth of processing power which many attackers hijack for additional revenue opportunities to resell to other criminal groups. The black market for cyber-crime is continuously growing, with examples such as DDoS-as-a-service, and RAT-as-a-service giving attackers access to your compute infrastructure, to inject malware or to achieve remote access. We’ve even seen victims become the “false flag” bounce network to obfuscate an attack’s origin. Using hijacked resources for cryptocurrency mining is a steadily growing threat as well, up 459% in 2018.

The Simple Fixes That if Ignored, make a Data Center Easy to Compromise

Just over three years ago, in proposing a Zero Trust model, John Kindervag of Forrester said that we need to move to architectures with “no more chewy centers.” When we look broadly at data centers, there are several things that naturally lead them to be what we don’t want: very soft in the middle. By making small changes, we can turn these deficits into enterprise positives, doing much to prevent future attacks from occurring and catching them quicker when they do happen.

  1. Good hygiene: Far too often attacks in data centers start by taking advantage of poor hygiene. By merely shoring up the below, attackers would have a much more difficult time getting in.
    1. Better patching acumen – doing a better job at finding unpatched vulnerabilities in applications.
    2. Better password and account management and enabling two factor authentication – many attacks come from simple brute force password attacks against single factor authentication applications.
    3. Better automation, including OS, application and kernel checks – while we have become very good at applying DevOps scripting in the form of auto-provisioning and managing playbooks/scripts with tools like Chef, Puppet and Ansible, we have not always added the easy-to-incorporate OS, application and kernel update checks to those scripts. Instead of spinning up new automations that are only as good as the day they were born, it would be very easy to perpetually and automatically update these scripts with these added checks, cutting down exploitable vulnerabilities easily.
  2. Better segmentation & micro-segmentation – when an enterprise incorporates modern segmentation techniques, even if sparingly, it finds its risk greatly reduced. What makes these modern segmentation techniques different from what we have used in the past? Several things.
    1. Segmentation that is platform-agnostic and which provides visibility and enforcement to all platforms quickly and easily – Today’s data centers are heterogeneous in nature. Enterprises have embraced modern hypervisors and operating systems, containers and clouds, as well as serverless technology. Most enterprises also contain a good number of legacy systems and EoL operating systems such as Solaris, HP/UX, AIX, EoL Windows or EoL Linux as well.
    2. Segmentation that can be automated and works like your DevOps-based enterprise – Traditional security devices such as legacy firewalls, ACLs, and VLANs are extremely resource-intensive and impossible to manage in this kind of complex and dynamic environment. In some cases, such as in a hybrid cloud infrastructure, legacy security is not just insufficient, it’s unfeasible as a solution altogether. Enterprises need visibility across all of their platforms, easily and seamlessly. Micro-segmentation technology is built for the dynamic and platform-agnostic nature of today’s enterprises, without the need for manual moves, adds, changes, or deletes. What is extremely important to understand is that these modern techniques have been proven time and time again to be implementable 30x faster than legacy techniques can be deployed and maintained.
    3. Segmentation – even when applied sparingly, in a “just a start” manner – begins to reduce the attack surface greatly. Grabbing this low-hanging fruit makes it easy. Such examples include, but are not limited to:
      1. Isolating and securing compliance-mandated environments
      2. Segmenting your “critical crown jewels” applications
      3. Sectioning off your vendors, suppliers, distributors and contractors from the rest of the enterprise
      4. Securing critical enterprise services and applications like remote access, network services and others
  3. Adequate Incident Response Plans & Practice – the final critical ingredient that can easily change an enterprise data center’s posture is having a well-thought-out incident response plan, one which incorporates not only the technical staff but also the business and legal parties that need to be involved. These plans should be practiced, with incident response drills planned and run to establish blind spots or gaps in security.
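Item 1 above says the OS, application and kernel update checks should live inside the provisioning automation rather than being run by hand. The following is an added example of what such a check can look like; it is not Guardicore code and not part of any named playbook. It assumes a Debian/Ubuntu host, parses the `apt list --upgradable` output format, and flags both pending security updates and a kernel that has been installed but not yet booted (the running kernel is still the vulnerable one until the host reboots). The apt output, running kernel and installed kernel list are constructed sample values.

```python
"""Patch-hygiene check for a provisioning playbook (added example, not Guardicore code).

Assumes Debian/Ubuntu: `apt list --upgradable` output and `uname -r` style kernel names.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `apt list --upgradable` output (Debian/Ubuntu format).
SAMPLE_APT_OUTPUT = """\
Listing... Done
libssl1.1/focal-security 1.1.1f-1ubuntu2.20 amd64 [upgradable from: 1.1.1f-1ubuntu2.16]
linux-image-generic/focal-updates 5.4.0.150.148 amd64 [upgradable from: 5.4.0.144.142]
openssh-server/focal-security 1:8.2p1-4ubuntu0.9 amd64 [upgradable from: 1:8.2p1-4ubuntu0.5]
vim/focal-updates 2:8.1.2269-1ubuntu5.14 amd64 [upgradable from: 2:8.1.2269-1ubuntu5.11]
"""

# One upgradable package per line: "<pkg>/<suite> <new-version> <arch> [upgradable from: <old>]"
LINE_RE = re.compile(
    r"^(?P<pkg>[^/\s]+)/(?P<suite>\S+)\s+(?P<new>\S+)\s+\S+\s+\[upgradable from: (?P<old>[^\]]+)\]$"
)


def parse_upgradable(text: str) -> List[Dict[str, str]]:
    """Turn apt's listing into dicts; header lines such as 'Listing... Done' are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def security_updates(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Packages whose update comes from a '*-security' suite (e.g. focal-security)."""
    return [r for r in rows if r["suite"].endswith("-security")]


def kernel_version_tuple(name: str) -> Tuple[int, ...]:
    """'5.4.0-150-generic' -> (5, 4, 0, 150); plain numeric compare is enough for one distro."""
    return tuple(int(n) for n in re.findall(r"\d+", name)[:4])


def reboot_needed(running_kernel: str, installed_kernels: List[str]) -> Tuple[bool, str]:
    """True when a newer kernel is installed than the one currently running."""
    newest = max(installed_kernels, key=kernel_version_tuple)
    return kernel_version_tuple(newest) > kernel_version_tuple(running_kernel), newest


def hygiene_report(apt_output: str, running_kernel: str, installed_kernels: List[str]) -> dict:
    """Single verdict a playbook can branch on: ok is False if anything needs action."""
    rows = parse_upgradable(apt_output)
    sec = security_updates(rows)
    needs_reboot, newest = reboot_needed(running_kernel, installed_kernels)
    return {
        "pending_total": len(rows),
        "pending_security": [r["pkg"] for r in sec],
        "reboot_needed": needs_reboot,
        "newest_installed_kernel": newest,
        "ok": not sec and not needs_reboot,
    }


if __name__ == "__main__":
    # Constructed host state: the newer kernel is installed but the old one is still running.
    report = hygiene_report(
        SAMPLE_APT_OUTPUT,
        running_kernel="5.4.0-144-generic",
        installed_kernels=["5.4.0-144-generic", "5.4.0-150-generic"],
    )
    for key, value in report.items():
        print(f"{key:24} {value}")
```

On a live host the same functions would be fed the output of `apt list --upgradable` and `uname -r` (plus the installed `linux-image-*` package names) collected by the playbook; a non-`ok` report is the signal to patch and reboot before the host is put into service, instead of shipping an image that was only current the day it was built.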
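Item 2 above (ring-fencing compliance environments, crown-jewel applications and vendor connections), the earlier point that containers sharing a kernel make lateral movement from one compromised workload especially cheap, and the breach checklist in the previous post all come down to the same mechanism: a default-deny, label-based allow list between workloads. The following added example models that mechanism; it is not Guardicore Centra's policy engine or data model, and the workloads, labels, rules and flows are constructed. It evaluates a handful of flows under a segmented policy and under a flat "allow any" baseline, and computes the blast radius (set of reachable workloads) of a compromised web tier under each.

```python
"""Toy label-based micro-segmentation policy evaluator (added example, not Guardicore Centra).

Workloads carry labels; rules are (source selector, destination selector, ports); anything
not explicitly allowed is denied. Inventory, rules and flows below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Labels = Dict[str, str]


@dataclass
class Workload:
    name: str
    labels: Labels


@dataclass
class Rule:
    src: Labels                # label selector; {} matches every workload
    dst: Labels
    ports: Optional[Set[int]]  # None means any port
    note: str = ""


def selector_matches(selector: Labels, labels: Labels) -> bool:
    """A selector matches when every key/value it names is present on the workload."""
    return all(labels.get(k) == v for k, v in selector.items())


def rule_matches(rule: Rule, src: Workload, dst: Workload, port: Optional[int]) -> bool:
    if not (selector_matches(rule.src, src.labels) and selector_matches(rule.dst, dst.labels)):
        return False
    return port is None or rule.ports is None or port in rule.ports


def is_allowed(policy: List[Rule], src: Workload, dst: Workload, port: int) -> Tuple[bool, str]:
    """Default deny: a flow is permitted only if some rule explicitly allows it."""
    for rule in policy:
        if rule_matches(rule, src, dst, port):
            return True, rule.note
    return False, "default deny"


def reachable_from(policy: List[Rule], src: Workload, workloads: List[Workload]) -> Set[str]:
    """Blast radius: names of workloads the source can reach on at least one port."""
    return {w.name for w in workloads
            if w is not src and any(rule_matches(r, src, w, None) for r in policy)}


# Constructed inventory: a PCI-scoped shop, a facilities system, a vendor gateway, a jump host.
WORKLOADS = [
    Workload("web-frontend", {"app": "shop", "tier": "web", "env": "pci"}),
    Workload("shop-api", {"app": "shop", "tier": "app", "env": "pci"}),
    Workload("card-db", {"app": "shop", "tier": "db", "env": "pci", "crown-jewel": "yes"}),
    Workload("hvac-controller", {"app": "hvac", "env": "facilities"}),
    Workload("hvac-vendor-gw", {"owner": "vendor", "env": "partner"}),
    Workload("admin-jump", {"role": "admin", "env": "mgmt"}),
]
BY_NAME = {w.name: w for w in WORKLOADS}

# Segmented policy: only the flows the application actually needs.
POLICY = [
    Rule({"app": "shop", "tier": "web"}, {"app": "shop", "tier": "app"}, {8443}, "web tier -> API"),
    Rule({"app": "shop", "tier": "app"}, {"app": "shop", "tier": "db"}, {5432}, "API -> card DB"),
    Rule({"owner": "vendor"}, {"app": "hvac"}, {443}, "vendor confined to HVAC"),
    Rule({"role": "admin"}, {"env": "pci"}, {22}, "admin access via jump host"),
]

# Flat network baseline: the "no segmentation" case.
FLAT = [Rule({}, {}, None, "allow any")]

# Constructed observed flows: (source, destination, port).
FLOWS = [
    ("web-frontend", "shop-api", 8443),
    ("shop-api", "card-db", 5432),
    ("web-frontend", "card-db", 5432),      # compromised web container going straight for the DB
    ("hvac-vendor-gw", "card-db", 5432),    # third-party connection reaching into PCI scope
    ("hvac-vendor-gw", "hvac-controller", 443),
    ("admin-jump", "card-db", 22),
]


def evaluate(policy: List[Rule], flows=FLOWS) -> Dict[Tuple[str, str, int], bool]:
    """Verdict per flow under the given policy."""
    return {f: is_allowed(policy, BY_NAME[f[0]], BY_NAME[f[1]], f[2])[0] for f in flows}


if __name__ == "__main__":
    for flow, ok in evaluate(POLICY).items():
        print("ALLOW" if ok else "DENY ", *flow)
    web = BY_NAME["web-frontend"]
    print("blast radius, flat:     ", sorted(reachable_from(FLAT, web, WORKLOADS)))
    print("blast radius, segmented:", sorted(reachable_from(POLICY, web, WORKLOADS)))
```

The two blast-radius lines are the point: on the flat network a compromised web container (or a vendor gateway) can reach every other workload, while under the segmented policy the same container reaches only the API it was built to talk to. The denied flows are also exactly the ones a defender wants logged, since a web tier or a vendor host trying to open a database port is the kind of "suspicious network traffic" worth an incident response rather than a silent drop.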

Don’t believe everything you hear. Many of today’s biggest breaches are entirely preventable. In my next blog, I’ll take a look at four of the most devastating data center breaches from the last five years, and see how the checklist above could have made all the difference.

Interested in learning more about how to secure modern data centers and hybrid cloud environments?

Check out our White Paper on re-evaluating your security architecture

Determining security posture, and how micro-segmentation can improve it

As the recent Quora breach that compromised 100 million user accounts demonstrates, the threat of a cyber attack is ever present in the modern IT environment. Cybercrime and data breaches continue to plague small businesses and enterprises alike, and network security teams are constantly working to stay one step ahead of an attack. This is no easy task since intrusion attempts occur daily and are constantly evolving to find the smallest weakness to exploit.

Attackers can launch direct attacks on data centers and clouds, run crypto-jacking campaigns to mine cryptocurrency, mount advanced persistent threat (APT) attacks to extract data while remaining hidden within a network, or deploy fileless malware that exploits in-memory vulnerabilities to access sensitive system resources.

For these reasons, it’s more important than ever for IT teams to evaluate their current security posture to ensure the safety of their sensitive information and assets. This is particularly true in hybrid cloud environments where discrete platforms take siloed approaches to security that can make infrastructure-wide visibility and a holistic approach to security policies extremely difficult. In this piece, we’ll dive into the basics of security posture and explain how Guardicore Centra can help you improve yours.

Security posture defined

Security posture is the overall defensive capability a business has over its computing infrastructure. Also referred to as cybersecurity posture, the term covers not only hardware and software resources, but also the people, policies, and processes in place to maintain security. It is then necessary to prioritize the areas that require the most protection and carry the greatest risk, identify weaknesses, and have incident response and disaster recovery plans in place in the event a breach does occur. All of these factors determine the effectiveness, or lack thereof, of an organization’s security posture.

Identifying the areas that deserve attention

In order to determine an organization’s security posture, it is first the responsibility of the security team to have a complete and thorough understanding of the risks associated with operating its computing systems. Research must be conducted to quantify attack surfaces, determine risk tolerance, and identify areas within the infrastructure that require more focus.

This planning stage is particularly difficult when attempting to account for the complexities that come with a hybrid cloud infrastructure, as the dynamics of a hybrid cloud make it difficult to get a holistic view of enterprise information systems. Often different policies and controls are in place for different endpoints that exist in different clouds or on-premises.

All of this internal assessment and process scrutiny is essential to develop a foundation for a robust security posture. However, the right tools are required to enforce policies that support it. Modern integrated security techniques such as micro-segmentation and process-level visibility, which are enabled by solutions like Guardicore Centra, help enterprises ensure that they are effectively implementing their strategy and capable of meeting the security challenges of the modern hybrid cloud.

The impact of enhanced visibility on security posture

The heterogeneous nature of a hybrid cloud environment makes it difficult to scale security policies, since there usually is not an effective way to account for the entire infrastructure. Further, because you are dealing with multiple platforms and varying security controls, the possibility of blind spots and oversights increases.

The visualization features of Guardicore Centra were created with these challenges in mind. Using Centra, enterprises can drill down and rapidly discover specific applications and flows within a network, regardless of the particular platform a given node may be running on. Since Guardicore can provide visibility to the process level and enable inspection of systems down to the TCP/UDP port level, blind spots that may otherwise become exploit targets can be eliminated. In a hybrid cloud environment this means you are able to automatically and rapidly learn how applications behave within your network to build a baseline of expected behavior, and better understand how to harden your infrastructure.

The value of micro-segmentation

The greater the potential for lateral movement an attacker has after a breach, the more damage they can do, so the value of micro-segmentation is easy to see. We’re all familiar with the benefits of network segmentation using techniques such as access control lists, firewalls and VLANs, and micro-segmentation brings these down to the most granular levels and applies them across the entire hybrid cloud infrastructure. For users of Centra, this means least-access policies can be implemented that limit access to specific groups of users (e.g. database admins), restrict access to certain applications (e.g. a MySQL database server), and restrict access to specific ports (e.g. TCP 3306), with the flexibility of process-level context and cross-platform coverage.

As an added benefit, Centra suggests rules based on analysis of historical data, and development of robust policies becomes significantly easier. By removing complexity, enabling micro-segmentation, and providing process-level visibility, Centra reduces blind spots and limits exposed attack surfaces, two key components of improving security posture.
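
As an added illustration of such a least-access policy (not Centra code; the rule format, labels, process names and sample flows are constructed assumptions), this Python example applies label-based allow rules with process-level context to sample flows and denies everything else:

```python
"""Default-deny, label-based micro-segmentation policy with process-level context.

Added illustration only: the Flow/Rule classes, labels, process names and
sample flows are constructed assumptions, not Guardicore Centra's format.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_labels: frozenset   # labels on the source workload or user group
    dst_labels: frozenset   # labels on the destination workload
    proto: str              # "tcp" or "udp"
    dport: int              # destination port
    dst_process: str        # process listening on the destination (process-level context)


@dataclass(frozen=True)
class Rule:
    name: str
    src_label: str
    dst_label: str
    proto: str
    dport: int
    dst_process: Optional[str] = None   # None: any listening process is acceptable

    def matches(self, f: Flow) -> bool:
        return (self.src_label in f.src_labels
                and self.dst_label in f.dst_labels
                and self.proto == f.proto
                and self.dport == f.dport
                and self.dst_process in (None, f.dst_process))


# Least-access policy: only these flows are authorised; anything else is denied.
POLICY = [
    Rule("dba-to-mysql", "role:dba", "app:mysql", "tcp", 3306, "mysqld"),
    Rule("web-to-mysql", "tier:web", "app:mysql", "tcp", 3306, "mysqld"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, Optional[str]]:
    """Return ("allow", rule name) for the first matching rule, else ("deny", None)."""
    for rule in policy:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", None


def flow(src, dst, proto, dport, proc) -> Flow:
    return Flow(frozenset(src), frozenset(dst), proto, dport, proc)


# Constructed sample flows: two authorised flows, two lateral-movement attempts,
# and one case where an unexpected process has bound the database port.
SAMPLE_FLOWS = [
    flow({"role:dba"}, {"app:mysql", "tier:db"}, "tcp", 3306, "mysqld"),  # allow
    flow({"tier:web"}, {"app:mysql"}, "tcp", 3306, "mysqld"),             # allow
    flow({"tier:web"}, {"app:mysql"}, "tcp", 22, "sshd"),                 # deny: SSH from web tier
    flow({"app:mysql"}, {"app:mysql"}, "tcp", 3306, "mysqld"),            # deny: db-to-db not authorised
    flow({"role:dba"}, {"app:mysql"}, "tcp", 3306, "python3"),            # deny: wrong process on 3306
]


def audit_flows(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, Optional[str]]]:
    return [evaluate(f) for f in flows]


if __name__ == "__main__":
    for f, verdict in zip(SAMPLE_FLOWS, audit_flows()):
        print(sorted(f.src_labels), "->", sorted(f.dst_labels),
              f"{f.proto}/{f.dport}", f.dst_process, verdict)
```

The last sample flow shows why process context matters: the port and labels match the rule, but because something other than mysqld answers on 3306 the flow is still denied.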

The importance of threat detection and proactive responses

In addition to enhanced visibility and micro-segmentation, identifying unrecognized and malicious intrusions and reducing dwell-time is an important part of improving security posture. A pragmatic, modern organization understands that despite the best laid plans, breaches may occur and if and when they do, they must be rapidly detected, contained, and remediated.

To this end, Centra is uniquely capable of meeting the breach detection and incident response challenges enterprises with hybrid cloud infrastructures face. Centra uses three different detection methods (Dynamic Deception, Reputation Analysis, and Policy-Based Detection) to rapidly identify and react to attacks. By doing so, Centra helps ensure that in the event a security breach does occur, you are able to reduce the damage and minimize dwell time. This proactive approach to threat detection and response rounds out the Centra offering and helps you ensure your hybrid cloud infrastructure is secure and flexible enough to meet the challenges of modern IT security without sacrificing the performance of your infrastructure or adding unnecessary complexity.

Interested in learning more?

Guardicore Centra can help you significantly enhance your security posture, particularly in complex, difficult-to-manage, hybrid cloud environments. The benefits of hybrid cloud infrastructure are clear from a capex and scalability standpoint, but the tech is not without inherent risk. Hybrid cloud suffers from a myriad of siloed approaches to security policies and controls for reducing attack surfaces in an environment.

Adopting a proactive approach to security and leveraging security solutions that enable micro-segmentation are important steps towards enhancing your security posture and protecting your systems from falling victim to the next data breach.

To learn more about how micro-segmentation can benefit your enterprise, check out the micro-segmentation hub, or set up a demo to see Guardicore Centra in action.

Want to learn more about securing your hybrid cloud environment and strengthening your security posture? Get our white paper on best practices for the technical champion.


You don’t have to be mature in order to be more secure – cloud, maturity, and micro-segmentation

Whether you’ve transitioned to the cloud, are still using on-prem servers, or are operating on a hybrid system, you need security services that are up to the task of protecting all your assets. Naturally, you want the best protection for your business assets. In the cybersecurity world, it’s generally agreed that micro-segmentation is the foundation for truly powerful, flexible, and complete cloud network security. The trouble is that conventional wisdom might tell you that you aren’t yet ready for it.

If you are using a public cloud or VMware NSX-V, you already have a limited set of basic micro-segmentation capabilities built into your cloud infrastructure, using security groups and the DFW (NSX-V). But your security requirements, the way you have built your network, or your use of multiple vendors may require more than a limited set of basic capabilities.

The greatest security benefits can be accessed by enterprises that can unleash the full potential of micro-segmentation beyond layers 3 and 4 of the OSI model, and use application-aware micro-segmentation. Generally, your cloud security choices will be based on the cloud maturity level of your organization. It’s assumed that enterprises that aren’t yet fully mature, according to typical cloud maturity models, won’t have the resources to implement the most advanced cloud security solutions.

But what if that’s not the case? Perhaps a different way of thinking about organizational maturity would show that you can enjoy at least some of the benefits of advanced cloud security systems. Take a closer look at a different way to assess your enterprise’s maturity.

A different way to think about your organizational maturity

Larger organizations already have a solid understanding of their maturity. They constantly monitor and reevaluate their maturity profile, so as to make the best decisions about cloud services and cloud security options. We like to compare an organization learning about the best cloud security services to people who are learning to ski.

When an adult learns how to ski, they’ll begin by buying ski equipment and signing up for ski lessons. Then they’ll spend some time learning how to use their skis and getting used to the feeling of wearing them, before they’re taught to actually ski. It could take a few lessons until an adult skis downhill. If they don’t have strong core muscles and a good sense of balance, they are likely to be sent away to improve their general fitness before trying something new. But when a child learns how to ski, they usually learn much faster than an adult, without taking as long to adjust to the new movements.

Just like an adult needs to be strong enough to learn to ski, an organization needs to be strong enough to implement cloud security services. While adults check their fitness with exercises and tests, organizations check their fitness using cloud maturity models. But typical cloud maturity models might not give an accurate picture of your maturity profile. They usually use 4, 5, or 6 levels of maturity to evaluate your organization in a number of different areas. If your enterprise hasn’t reached a particular level in enough areas, you’ll have to build up your maturity before you can implement an advanced cloud security solution.

At Guardicore, we take a different approach. We developed a solution that yields high security dividends, even if the security capabilities of your organization are not fully mature.

Assessing the maturity of ‘immature’ organizations

Most cloud security providers assume that a newer enterprise doesn’t have the maturity to use advanced cloud security systems. But we view newer enterprises like children who learn to ski. Children have less fear and more flexibility than an adult. They don’t worry about falling, and when they do fall, they simply get up and carry on. The consequences of falling can be a lot more serious for adults. In the same way, newer enterprises can be more agile, less risk-averse, and more able to try something new than an older enterprise that appears to be more mature.

Newer organizations often have these advantages:

  • Fewer silos between departments
  • Better visibility into a less complex environment
  • A much higher tolerance for risk that enables them to test new cloud services and structures, due to a lower investment in existing architecture and processes
  • A more agile and streamlined environment
  • A lighter burden of inherited infrastructure
  • A more unified environment that isn’t weakened by a patchwork of legacy items

While a newer enterprise might not be ready to run a full package of advanced cloud security solutions, it could be agile enough to implement many or most of the security features while it continues to mature. Guardicore allows young organizations to leapfrog the functions that they aren’t yet ready for, while still taking advantage of the superior protection offered by micro-segmentation. Like a child learning to ski, we’ll help you enjoy the blue runs sooner, even if you can’t yet head off-piste.

Organizational maturity in ‘mature’ organizations

Although an older, longer-established organization might seem more cloud mature, it may not be ready for advanced cloud security systems. Many older enterprises aren’t even sure what is within their own ecosystem. They face data silos, duplicate workflows, and cumbersome business processes. Factors holding them back can include:

  • Inefficient workflows
  • Long-winded work processes
  • Disparate, fragmented infrastructure
  • Awkward legacy environments
  • Business information that is siloed in various departments
  • Complex architectures

Here, Guardicore Centra will be instrumental in bridging the immaturity gap: It provides deep visibility through clear visualization of the entire environment, even those parts that are siloed. Guardicore Centra delivers benefits for multiple teams, and its policy engine supports (almost) any kind of organizational security policy.

What’s more, Guardicore supports phased deployment. It is not an all-or-nothing solution. An organization that can’t yet run a full set of advanced cloud security services still needs the best protection it can get for its business environment. In these situations, Guardicore helps implement only those features that your organization is ready for, while making alternative security arrangements for the rest of your enterprise. By taking it slowly, you can grow into your cloud capabilities and gradually implement the full functionality of micro-segmentation.

Flexible cloud security solutions for every organization

Guardicore’s advanced cloud security solutions provide the highest level of protection for your critical business assets. They are flexible enough to handle legacy infrastructure and complex environments, while allowing for varying levels of cloud maturity.

Whether you are a ‘young’ organization that’s not seen as cloud-mature, or an older enterprise struggling with organizational immaturity, Guardicore can help you to get your skis on. As long as you have a realistic understanding of your organization’s requirements and capabilities, you can apply the right Guardicore security solution to your business and enjoy superior protection without breaking a leg.

Lessons Learned from One of the Largest Bank Heists in Mexico

News report: $20M was stolen from Mexican banks, with the initial intention to steal $150M. Automatically, we are drawn to think of a “Casa de Papel” style heist: bank robbers wearing masks hijacking a bank and stealing money from an underground vault. This time the bank robbers were hackers, the vault was the SPEI application and, well, no mask was needed. The hackers were able to figuratively “walk right in” and take the money. Nothing was stopping them from entering through the back door and moving laterally until they reached the SPEI application.

Central bank Banco de México, also known as Banxico, has published an official report detailing the attack, the techniques used by the attackers and how they were able to compromise several banks in Mexico to steal $20M. The report clearly emphasizes how easy it was for the attackers to reach their goal, due to insecure network architecture and lack of controls.

The bank heist was directed at the Mexican financial system called SPEI, Mexico’s domestic money transfer platform, managed by Banxico. Once the attackers found their initial entrance into the network, they started moving laterally to find the “crown jewels”, the SPEI application servers. The report states that the lack of network segmentation enabled the intruders to use that initial access to go deeper in the network with little to no interference and reach the SPEI transaction servers easily. Moreover, the SPEI app itself and its different components had bugs and lacked adequate validation checks of communication between the application servers. This meant that within the application the attackers could create an infrastructure of control that eventually enabled them to create bogus transactions and extract the money they were after.

Questions arise: what can be learned from this heist? How do we prevent the next one? Attackers will always find their way into the network, so how do you prevent them from getting the gold?

Follow Advice to Remain Compliant

When it comes to protecting valuable customer information and achieving regulatory compliance, standards and organizations such as PCI-DSS and SWIFT recommend the following basic steps: system integrity monitoring, vulnerability management, and segmentation and application control. For financial information, PCI-DSS regulations enforce file integrity monitoring on your Cardholder Data Environment itself, to examine the way that files change, establish the origin of such changes, and determine if they are suspicious in nature. SWIFT regulations require customers to “Restrict internet access and protect critical systems from the general IT environment” and encourage companies to implement internal segmentation within each secure zone to further reduce the attack surface.

Let’s look at a few guidelines as detailed by SWIFT, while incorporating our general advice on remaining compliant in a hybrid environment.

  • Inbound and outbound connectivity for the secure zone is fully limited.
  • Transport layer stateful firewalls are used to create logical separation at the boundary of the secure zone.
  • No “allow any” firewall rules are implemented, and all network flows are explicitly authorized.
  • Operators connect from dedicated operator PCs located within the secure zone (that is, PCs located within the secure zone, and used only for secure zone purposes).
  • SWIFT systems within the secure zone restrict administrative access to only expected ports, protocols, and originating IPs.
  • Internal segmentation is implemented between components in the secure zone to further reduce the risk.
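
As an added example, not part of SWIFT’s guidance or Guardicore’s product, the Python check below audits a constructed secure-zone ruleset against three of these guidelines (no allow-any rules, administrative access only from the dedicated operator PCs, an explicit deny at the zone boundary); the zone address space, operator subnet and administrative ports are assumptions:

```python
"""Static audit of a secure-zone firewall ruleset against SWIFT-style guidelines.

Added example: the rule schema, addresses and port set below are constructed
assumptions, not a SWIFT or Guardicore format.
"""
from ipaddress import ip_network
from typing import Dict, List

ANY = "any"
SECURE_ZONE = ip_network("10.10.0.0/16")    # assumed address space of the secure zone
OPERATOR_PCS = ip_network("10.10.50.0/24")  # assumed dedicated operator PCs inside that zone
ADMIN_PORTS = {22, 3389}                    # assumed administrative ports (SSH, RDP)


def _net(value):
    """Parse an address or prefix; None stands for the wildcard "any"."""
    return None if value == ANY else ip_network(value, strict=False)


def audit(rules: List[Dict]) -> List[str]:
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        src, dst = _net(r["src"]), _net(r["dst"])
        # Guideline: no "allow any" rules; every flow must be explicitly authorised.
        if src is None or dst is None or r["dport"] == ANY:
            findings.append(f'{r["id"]}: allow-any rule {r["src"]} -> {r["dst"]} port {r["dport"]}')
            continue
        # Guideline: administrative access to secure-zone systems only from
        # the expected originating addresses, here the operator PCs.
        if (r["dport"] in ADMIN_PORTS and dst.subnet_of(SECURE_ZONE)
                and not src.subnet_of(OPERATOR_PCS)):
            findings.append(f'{r["id"]}: admin port {r["dport"]} on {r["dst"]} '
                            f'reachable from {r["src"]}, outside the operator PCs')
    # Guideline: connectivity at the boundary is fully limited, so the ruleset
    # must close with an explicit deny-any rather than an implicit default.
    last = rules[-1] if rules else None
    if not last or last["action"] != "deny" or last["src"] != ANY or last["dst"] != ANY:
        findings.append("ruleset does not end with an explicit deny-any at the secure-zone boundary")
    return findings


# Constructed ruleset with two violations planted in R2 and R4.
RULES = [
    {"id": "R1", "action": "allow", "src": "10.10.50.0/24", "dst": "10.10.1.0/24", "dport": 22},
    {"id": "R2", "action": "allow", "src": "any",           "dst": "10.10.1.5",    "dport": 22},
    {"id": "R3", "action": "allow", "src": "10.10.50.0/24", "dst": "10.10.1.0/24", "dport": 443},
    {"id": "R4", "action": "allow", "src": "10.20.0.0/16",  "dst": "10.10.1.5",    "dport": 3389},
    {"id": "R5", "action": "deny",  "src": "any",           "dst": "any",          "dport": "any"},
]

if __name__ == "__main__":
    for finding in audit(RULES):
        print(finding)
```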

SPEI servers, which serve a similar function to SWIFT application servers, should adhere to similar regulatory requirements, and, as elaborated by Banxico in the official analysis report, such regulations are forming for this critical application.

Don’t Rely on Traditional Security Controls

The controls detailed above are recommended by security experts and compliance regulations worldwide, so it’s safe to assume the Mexican bank teams were aware of their benefits. Many of them have even been open about their attempts to implement these kinds of controls with traditionally available tools such as VLANs and endpoint firewalls. This has proven to be a long, costly and tiresome process, sometimes requiring 9 months of work to segment a single SWIFT application! Would you take 9 months to install a metal gate around your vault and between your vault compartments? I didn’t think so…

Guardicore Centra is set on resolving this challenge. By moving away from traditional segmentation methods to micro-segmentation built on foundational, actionable data center visibility, this technology shows quick time to value, with controls down to the process level. Our customers, including Santander Brasil and BancoDelBajio in Mexico, benefit from early wins like protecting critical assets or achieving regulatory compliance, avoiding the trap of “all or nothing segmentation” that can happen when competitors do not implement a phased approach.

Guardicore provides the whole package to secure the data center, including real-time and historical visibility down to the process level, segmentation and micro-segmentation supporting various segmentation use cases, and breach detection and response, to thoroughly strengthen our clients’ overall security posture.

Micro-segmentation is more achievable than ever before. Let’s upgrade your company’s security practices to prevent attackers from gaining access to sensitive information and crown jewels in your hybrid data center. Request a demo now or read more about smart segmentation.


Micro-Segmentation: Getting Done Faster With Machine Learning

Building micro-segmentation policies around workloads to address compliance, reduce attack surfaces and prevent threat propagation between machines is on every organization’s security agenda and has made it onto the CISO’s 2019 shortlist. Many times, deploying segmentation policies in hybrid data centers proves harder than it looks. At Guardicore, we are very proud of our ability to help customers segment and micro-segment their clouds and data centers quickly, protecting their workloads across any environment and achieving a fast return on security investments.

But we always think there is room for improvement. Analyzing the different tasks involved in micro-segmentation, we have identified several steps that can be accelerated with more sophisticated code. Using data that was collected from our customers and studied by Guardicore Labs, we added machine learning capabilities that accelerate micro-segmentation.

In order to properly micro-segment a large environment, one should discover all the workloads, create application dependency mappings, classify the workloads, and label them accordingly. Next, one needs to understand how the application is tiered and how it behaves in order to set micro-segmentation policies, both for its internal components and for the other entities it serves.

This is where our machine learning capabilities can assist.

We take advantage of the fact that in Guardicore deployments we collect information about every flow in the network. Discovery is automatic, creating a visualization of all application communications and dependencies. The visualized map shows how workloads are communicating. The algorithms use this data to model the network as an annotated graph and apply our customized unsupervised machine learning technique to cluster similar workloads into groups based on communication patterns. Then, Centra can perform the following tasks:

  • Automatic classification of workloads
  • Automatic label creation for applications and their tiers
  • Automatic rule suggestion for flow level-segmentation and process level micro-segmentation
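
To make the clustering step concrete, the following added example (my construction, not Guardicore Labs’ algorithm) models a constructed flow sample as an annotated graph, groups hosts whose edge sets are similar under a Jaccard threshold, and collapses the host-level flows into tier-level rule suggestions; the tier names are placeholders an analyst would rename:

```python
"""Cluster workloads by communication pattern, then derive segmentation rules.

Added illustration: the flow sample, the Jaccard/union-find clustering and the
rule format are constructed here and are not Guardicore's implementation.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed flow records: (source host, destination host, destination TCP port)
FLOWS: List[Tuple[str, str, int]] = [
    ("lb1", "web1", 8080), ("lb1", "web2", 8080),
    ("web1", "db1", 3306), ("web1", "db2", 3306),
    ("web2", "db1", 3306), ("web2", "db2", 3306),
    ("web1", "cache1", 6379), ("web2", "cache1", 6379),
]


def signatures(flows):
    """Annotated graph: each host's set of (direction, peer, port) edges."""
    sig = defaultdict(set)
    for s, d, p in flows:
        sig[s].add(("out", d, p))
        sig[d].add(("in", s, p))
    return sig


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster(flows, threshold=0.5) -> Dict[str, List[str]]:
    """Single-linkage grouping of hosts whose edge sets overlap by at least `threshold`."""
    sig = signatures(flows)
    nodes = sorted(sig)
    parent = {n: n for n in nodes}

    def find(n):
        while parent[n] != n:
            parent[n] = parent[parent[n]]
            n = parent[n]
        return n

    for a, b in combinations(nodes, 2):
        if jaccard(sig[a], sig[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for n in nodes:
        groups[find(n)].append(n)
    # Placeholder tier labels, assigned deterministically by member order.
    return {f"tier-{i}": members for i, members in enumerate(sorted(groups.values()))}


def suggest_rules(flows, labels) -> List[str]:
    """Collapse host-level flows into one allow rule per (source tier, destination tier, port)."""
    host_label = {h: tier for tier, hosts in labels.items() for h in hosts}
    rules = sorted({(host_label[s], host_label[d], p) for s, d, p in flows})
    return [f"allow {s} -> {d} tcp/{p}" for s, d, p in rules]


if __name__ == "__main__":
    tiers = cluster(FLOWS)
    for tier, hosts in tiers.items():
        print(tier, hosts)
    for rule in suggest_rules(FLOWS, tiers):
        print(rule)
```

Because the web hosts share identical edge sets they collapse into one tier, so eight host-level flows become three tier-level rules, which is the reduction that makes the suggested policy reviewable.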

Here is an example of running classification from Reveal’s data center map:

[Image: running classification from Reveal with ML]

Below is a visualization of the results of automatic workload classification:

[Image: results of automatic workload classification with machine learning]

And this is how it looks in Reveal, at the application tier:

[Image: Reveal view with ML]

Want to learn more about our solution? Contact us.