Guardicore at RSA: AI-Powered Segmentation, Cloud Native Security

Guardicore’s mission has always been about helping our users protect their critical assets everywhere. This week we’re announcing two new capabilities in our Centra Security Platform that further deliver on that mission: Support for cloud-native resources and AI-powered segmentation. Both capabilities are designed to help security architects segment their assets faster and protect their PaaS resources.

AI-Powered Segmentation

Centra’s AI-powered segmentation reduces the time it takes to create a segmentation policy for a new or existing application by making it easier to label assets and create the matching rules for them. While we have always provided an intuitive and simplified segmentation workflow, with our upcoming Centra 5.0 release we’re leveraging AI to automate and further simplify this process.

Powered by Real Data

Our AI-based algorithm is capable of ‘learning’ tens of thousands of applications and millions of flows, allowing us to provide: 1) tailored policy templates based on the customer’s assets and 2) automatic labels tailored to the customer’s environment. Automatic labeling is done by an analysis of an asset’s network flows. The fact that our network flows have context up to the process level allows us to provide accurate suggestions.

Introducing Guardicore Centra Policy Store

Guardicore Centra Policy Store

Our Policy Store offers out-of-the-box segmentation policy templates for known ‘household’ applications along with templates for common segmentation use cases. A partial list of household apps includes Active Directory, Exchange, Splunk and even Windows operating systems. Common use cases currently include ringfencing, environment segmentation and whitelisting outbound flows.

To make it even simpler, we provide recommendations on which applications to segment first, based on our ability to ‘learn’ your environment. Our vision is to create a community around our Policy Store. By providing a flexible policy mechanism we’re hoping customers will upload their own templates to extend the power of the collective cloud. We’ve heard some great ideas for this community at RSA from people who are eager to start building and sharing their own templates. We’re looking forward to seeing the creative stuff our users come up with!

Automatic Labeling Suggestions

Guardicore Centra automatically discovers, scopes and provides recommendations for how to label an application, which is typically the trickiest part of any segmentation project. Our auto-labeling is based on network flow analysis down to the process level.

Guardicore Centra Auto-Labeling

Automatic Policy Recommendations

Recommendations for segmentation rules are provided based on known application behavior and a predefined set of policy templates for common applications. For example, for Active Directory users, Guardicore Centra will detect your Active Directory servers and then provide a predefined set of rules for securing them, requiring minimal intervention on your side.

Guardicore Centra Policy Rules Dashboard

Security for Cloud-Native Applications

Building on our broad security coverage across hybrid data center environments, we’re adding protection for cloud-native applications, including serverless computing and Platform as a Service (PaaS). This enables security teams to remove major blind spots in their environments and achieve the same deep level of visibility into, and control over, their cloud-native applications with the Guardicore Centra Security Platform.

The Ever-Changing Datacenter Landscape Requires Security to Adapt

Cloud-native is rapidly becoming the new standard for quickly building and scaling new business applications and optimizing existing ones. Until now, providing adequate protection of PaaS services such as AWS S3, Azure SQL, and GCP Cloud Run has required standalone security tools to gain visibility into these resources and understand access patterns. Guardicore has greatly simplified this by integrating cloud-native support into its Centra Security Platform, eliminating the need to process data from multiple disparate sources.

Superior Cloud-Native Visibility & Access Control

The Guardicore Centra Security Platform enables IT security teams to visualize access to PaaS services, providing a visual map of all interactions between those services, including end-to-end application flows.

Visualizing Session Flow across Cloud Native Resources

Under the Hood

We use multiple data collection methods for cloud-native applications, including cloud APIs, Guardicore agents, and code instrumentation mechanisms for serverless functions. This allows us to turn a collection of disparate logs into a single comprehensible map. We provide a single pane of glass to visualize all cloud resources in use, providing a way to apply a single access policy.

From Cloud Logs to Guardicore Centra Map

From Network Flows to Application Flows

We are able to provide our Centra customers the ability to map their cloud-native resources from the same console they’re using to manage other environments. Instead of trying to make sense of multiple cloud logs, our customers get a single map of their cloud application flows that is easy to understand and manage.

Connect with Us

We’ve gotten some great feedback from RSA visitors and are extremely excited to add these groundbreaking capabilities to make segmentation even easier and relevant to everyone. These features are in early availability for select customers today. If you have thoughts or feedback or if you want to see a demo, talk to us. 

Monkey See, Centra Do: How to Assess Your Zero Trust Status and Mitigate

Monkey emulates malicious user activity; Centra blocks with user identity policies

Zero Trust is a top concern for many companies in recent years but how do you get started with Zero Trust? How do you know what your Zero Trust status is and then act upon it? At Guardicore we wanted to help you assess your Zero Trust status and allow you to easily mitigate gaps. We do this by combining our Breach and Attack Simulation tool – the Guardicore Infection Monkey – with our flagship product Guardicore Centra that provides advanced firewall and segmentation capabilities.

With its newly added Zero Trust assessment capabilities, the Infection Monkey now tests networks against the Forrester ZTX (Zero Trust eXtended) framework and provides a Zero Trust Status Report with actionable data and recommendations to help you make Zero Trust decisions. Centra is then able to address some of the main issues raised by the Monkey’s report, mostly around the data, networks, people and visibility components. In this post, we’ll walk you through the testing and mitigation of the ZTX People component.

How do the Guardicore Infection Monkey and Centra Work Together?

The idea is simple: we let the Infection Monkey scan your network and generate a Zero Trust Status Report indicating the areas that leave your company exposed to risk. Using Centra’s policy engine we suggest segmentation rules that mitigate the problems the Monkey has alerted on in its report. We then run the Infection Monkey again to verify that Centra has addressed the gaps indicated in the Monkey’s previous report.

Here’s the flow with the People component:

Monkey Centra ZT Workflow

“Monkey See” – and generates a report

Here is the Infection Monkey Zero Trust Status Report after it has scanned a sample network. To test the People component, the Monkey tried and successfully managed to create a new user that communicated with the internet. This means that the network’s policies were too permissive. Looks like everyone was able to go out to the Internet uninterruptedly here 😈

Zero Trust Venn diagram with the People pillar marked in red

The failed test is indicated in red: 

Zero Trust report with a People test marked as Fail

Clicking the Events section in the Report provides more details:

Detailed Event log about the People test

“Centra Do” – and creates security policy

Using Guardicore Centra’s user-based policies it is possible to control user access to datacenter and cloud resources. We do this by integrating with Active Directory security groups. Based on user memberships in those security groups, we grant users different access to different resources. This way users only access what they are entitled to. For example, this can help allow just the Billing users in your environment to access Billing resources and just the HR users to access their HR resources. See this video to learn more about Centra’s user-based rules.

To mitigate the issue raised by the Monkey, we created two user-based rules in Centra: one that allows only the Developers user group to access the Internet and one that blocks all other users. Naturally, this can be applied to any other group of users.

Centra segmentation rules that alert on unauthorized communication

Replaying the Scenario 

We ran the Monkey again after applying Centra’s user-based rules and this time the Monkey’s Zero Trust Status Report showed no security issues in the People component:

Zero Trust Venn diagram with all pillars coloured green

Guardicore Centra Reveal map shows the unsanctioned user is now blocked when trying to access the Internet:

Centra’s Reveal map showing the blocked communication attempt

The log shows how the new user that previously managed to access the Internet is now blocked. 

How to Get Guardicore Infection Monkey and Centra Working Together In Your Environment

If you’d like to see how the Infection Monkey and Centra work together, contact us to get a demo. To download the Infection Monkey for Zero Trust, click here. If you would like to learn more about Centra and/or the Infection Monkey capabilities, contact us.

Guardicore Earns Multiple Industry Awards at RSA Demonstrating Continued Innovation in Cloud Security

Cyber Defense Magazine, Info Security Products Guide and CRN Award Guardicore with Top Honors

Boston, Mass. and Tel Aviv, Israel – February 24, 2020 – Guardicore, a leader in internal data center and cloud security, received multiple awards for innovation in cybersecurity from industry media at the 2020 RSA Conference. Cyber Defense Magazine named Guardicore the Market Leader in Cloud Security. The 16th Annual 2020 Info Security PG’s Global Excellence Awards also named Guardicore as the Gold award winner for the Most Innovative Security Software of the Year and the Bronze award for the Most Innovative Cloud Security. These awards follow Guardicore’s recent recognition by CRN® as one of the 100 Coolest Cloud Companies for 2020, acknowledging the executive leadership team and the innovative Guardicore Centra Security Platform, and Guardicore’s subsequent recognition by Forbes as the Best Cloud Computing Company to work for in 2020 based on an analysis of CRN and Glassdoor rankings. 

“Modern businesses want to utilize the benefits of cloud services, and understandably are concerned about how to maintain security for their IT assets in native cloud, hybrid cloud and multi-cloud environments. Our distributed, software-defined segmentation solution is the simplest way to secure these assets and makes it possible to oversee the security of all data center and cloud workloads. This recognition by Cyber Defense Magazine, Info Security Products Guide, and CRN validates our team’s dedication to keeping up with the pace of IT innovation and success with our channel partners by providing security simply wherever the enterprise needs it,” stated Pavel Gurvich, CEO and co-founder at Guardicore.

Guardicore Centra is a comprehensive data center and cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce attack surface and detect and control breaches within east-west traffic. It provides deep visibility into application dependencies and flows and enforcement of network and individual process level policies to isolate and segment critical applications and infrastructure. Guardicore Centra’s AI-powered segmentation makes asset classification even easier and reduces the time and effort needed to apply a segmentation policy to new or existing applications.

About Cyber Defense InfoSec Awards

This is Cyber Defense Magazine’s eighth year of honoring InfoSec innovators from around the globe. Our submission requirements are for any startup, early-stage, later stage or public companies in the INFORMATION SECURITY (INFOSEC) space who believe they have a unique and compelling value proposition for their product or service.  In this program, we are particularly interested in highlighting cybersecurity companies who have a presence outside of the USA and/or a more global focus. Learn more at www.cyberdefenseawards.com

About Info Security PG’s Global Excellence Awards

The Channel Company enables breakthrough IT channel performance with our dominant media, engaging events, expert consulting and education and innovative marketing services and platforms. As the channel catalyst, we connect and empower technology suppliers, solution providers and end users. Backed by more than 30 years of unequalled channel experience, we draw from our deep knowledge to envision innovative new solutions for ever-evolving challenges in the technology marketplace. www.thechannelco.com

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Welcome to San Francisco. RSA 2020, Here We Come!

Since the early 1990s, RSA Conference has established itself as the destination where the world talks security.

I’ve attended RSA Conference for more than 15 years with roles at various companies: large and small, newly created and already established, public and private, stealthy or well-known. And even though the city I liked a lot is changing its face, I still like to attend this event in San Francisco: I enjoy watching how our industry is growing and changing. RSAC, as we like to call it, feels like a big, warm, sometimes cheesy, overcrowded wedding. RSAC is where the global security “community” participates in our annual networking events.

The “action” takes place on the expo floor, in the surrounding restaurants where one can meet teammates they haven’t seen for a while, and in the hotel bars and suites. The weather is expected to be sunny, so I expect a lot of casual meetings in the surroundings of the Moscone Center.

For me, the real value is the networking opportunity and our (read:my) ability to learn new things from anyone that is willing to talk with me: job seekers, tire-kickers, prospects, ecosystem partners, colleagues and customers. The collective intelligence that is surrounding us is amazing and invaluable.

Obviously I was quite disappointed to learn about IBM Security’s decision not to attend the conference. I am sure that it was not an easy decision and yet, in my opinion it is a mistake and I’m happy to explain my reasons to anyone that will DM me.

And of course, we will be demonstrating our newest innovations. In my opinion, we have made some product advances that will really blow your mind. I’m looking forward to meeting you all at the conference! See us at the Guardicore Booth #4319, North Hall, Moscone Center.

Hybrid Cloud Security on Your Terms

Mellanox and Guardicore Deliver Agentless and High-Performance Micro-segmentation for Securing Hybrid Cloud Environments

This article was created and published in partnership with Itay Ozery, Director of Product Marketing at Mellanox Technologies

The face of the enterprise datacenter has changed dramatically in recent years. Business-critical applications, data confidentiality and the advent of digital products and services are among the driving forces behind today’s emerging data-center architectures. Sometimes it is easy to think about this change as transformation from 10G to 25G, 40G and 100G but actually it is more than that.


Although public cloud adoption is progressing rapidly, public offerings have not taken over a big piece of the enterprise pie. A recent Gartner research report indicates that less than 20% of total IT expenditure was allocated to public clouds in 2019. Bank of America’s CEO stated in late 2019 that the financial services corporation had saved $2 Billion per year by building its own cloud infrastructure. Aside from the dominant cost factors, some workloads must remain on-premises due to regulatory and/or compliance reasons, while other legacy applications cannot be migrated to the cloud due to their nature or design. Breaking it all down, the prevailing approach of most enterprise leaders today, and most likely in the years to come, is a hybrid-cloud strategy that typically involves a multi-tiered IT environment comprising both on-premises datacenter(s) and cloud service provider(s).

While hybrid clouds provide a cost-effective and agile solution, they also expose organizations to a cyber threat landscape that is broad and continuously changing, faster than defenders can respond with traditional security tools. Thus, a holistic approach is needed for enterprises to enhance their security posture and achieve robust and complete protection. Only solutions that protect all types of workloads, at any speed and against both current and future threats, can deliver the highest levels of security, integrity and reliability in the hybrid cloud era.

Micro-segmentation Emerges to Secure Hybrid Clouds

Micro-segmentation is an emerging datacenter and cloud security best practice that enables enforcement of fine-grained security policies for any network in a multi-cloud or hybrid cloud environment. It provides many advantages over the traditional approaches of using VLANs for network segmentation and firewalls for application separation. Micro-segmentation uses software-defined controls, running on each node, to provide individual workload isolation and protection, reducing risk and simplifying security management. These advantages are key as enterprises adopt a hybrid cloud approach consisting of cloud services from one or multiple vendors while maintaining their own datacenters. The rise of cloud-native applications, where microservices architectures and containers create new communication frameworks, reinforces the need for an elastic micro-segmentation implementation. Guardicore, a leader in the internal datacenter and cloud security realm, offers Centra, a comprehensive hybrid cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce the attack surface and detect and control breaches within east-west traffic.

Our network visualization, providing flow and application-level monitoring, is both the basis for resilient micro-segmentation and achievable through a variety of agent- and network-based techniques. However, there are use cases where deploying agents is neither possible nor desired due to the nature of the application, the identity of the workload owner and even intercompany organizational challenges. Some application environments, like high-frequency trading, are optimized for high-performance, low-latency transactions. In such use cases, even a minimal 3% impact renders the use of agents inefficient and thus cannot be tolerated. Other businesses with a track record of failed agent deployments may be reluctant to try a different one. The result is a lack of visibility, which leaves enterprises with infrastructure silos where security policy enforcement cannot be applied.

So, here’s an idea: what if we could leverage the intelligent I/O processing units (IPU) from Mellanox to gain visibility into every workload and enforce micro-segmentation without installing agents, impacting performance or increasing network latency?

Software-Defined Micro-segmentation Meets Hardware-Defined Isolation and Acceleration

The combination of Mellanox’s BlueField IPU-based SmartNICs with the Guardicore Centra Security Platform creates a unique value proposition: no need to install agents on servers, no impact on server/application performance, and software-defined, hardware-native security policy enforcement at wire speed, fully isolated from the workload itself. The joint solution is ideally positioned for those environments in which deploying agents is not permitted:

  • HFT, latency-sensitive applications
  • Bare-metal clouds
  • Mainframe
  • Network-attached storage

Summary

We are excited to partner with Mellanox to deliver an agentless and high-performance micro-segmentation solution for hybrid cloud environments. This solution offering is the result of best-of-breed silicon capabilities, software IP and amazing engineering teams at our companies and is the first out of many innovative cyber security solutions we bring to market – stay tuned for more in 2020 and beyond!

Mellanox will be presenting our joint solution at the upcoming RSA Conference, February 24-27 in San Francisco, CA (North Hall #4525)

Guardicore’s booth is located few meters away – North Hall #4324

Learn more about agentless, high-performance micro-segmentation for securing hybrid cloud environments:

Guardicore Expands Its Centra Security Platform to Protect Cloud Native Applications and Simplify Segmentation Policy

Guardicore Centra Version 5 Introduces Expanded Coverage for Cloud-Native Applications and PaaS and AI-Powered Segmentation

Boston, Mass. and Tel Aviv, Israel – February 21, 2020 – Guardicore, a leader in internal data center and cloud security, today announced several new capabilities in its Guardicore Centra Security Platform designed to help security architects visualize, segment, and protect cloud-native applications while further simplifying the process for reducing risk to mission-critical business applications through segmentation. 

Building on its broad security coverage across hybrid data center environments, Guardicore protects cloud-native applications, including serverless computing and Platform as a Service (PaaS). This enables security teams to visualize and control access to cloud-native applications from the same Guardicore Centra Security Platform where they secure applications running on bare metal systems, virtual servers, Infrastructure as a Service (IaaS) and containers. This provides security professionals with a single platform, giving them a single view of all applications and flows, and a single, consistent dashboard to create, update and enforce policies, dramatically simplifying security policy management in hybrid data center and cloud environments.

“Cloud-native application development is rapidly becoming the new standard for quickly building and scaling new business applications and optimizing existing ones,” said Pavel Gurvich, Co-founder and CEO, Guardicore. “Until now, providing adequate protection of PaaS services such as AWS S3, Azure SQL, and GCP Cloud Run has required standalone security tools to properly visualize access to these services and apply access control policies, resulting in inefficient security policy management across hybrid environments. Guardicore has simplified this by integrating cloud-native support into the Guardicore Centra Security Platform. This allows security to keep up with the pace of DevOps while maintaining the appropriate levels of security to protect sensitive data and applications.”

Security for Cloud-Native Applications

The Guardicore Centra Security Platform secures the production and operational elements of cloud-native applications by enabling IT security teams to visualize access to PaaS services, by user, system or cloud service, providing a visual map of all interactions between those services, including application flows. Guardicore segmentation policies then control access to cloud resources to ensure only sanctioned users and systems are allowed, blocking any unauthorized access, and reducing the attack surface of cloud-native applications.

Guardicore Centra uses multiple methods for data collection and policy enforcement for cloud-native applications, including cloud-native access control policies, cloud APIs, Guardicore agents, and utilizing code instrumentation mechanisms for serverless functions. This provides the ultimate flexibility in how to apply least privilege and reduce the attack surface of cloud-native services.

AI-Powered Segmentation

Whether deployed in existing on-premises data centers or in the cloud, segmenting applications often requires IT to manually classify assets and write segmentation rules to achieve the proper level of security. Guardicore already provides an intuitive, integrated workflow to minimize manual effort, but by leveraging AI, Guardicore Centra version 5 further accelerates and simplifies segmentation and ongoing policy management. Guardicore Centra’s AI-powered segmentation makes asset classification even easier and reduces the time and effort needed to apply a segmentation policy to new or existing applications.

Based on intelligence collected from tens of thousands of applications and millions of flows from Guardicore customers, and combined with AI-based algorithms, Guardicore Centra provides asset classification and policy assistance in three main areas:

  1. Automatic prioritization recommendations for application segmentation. Guardicore Centra automatically provides recommendations on which applications to segment first, based on Guardicore’s continuous analysis of the applications that represent the greatest risk reduction opportunities.
  2. Scoping and classifying applications.  To help reduce or even eliminate manual processes for labeling assets and components of a particular application, Guardicore Centra automatically discovers, scopes and provides recommendations for how to label an application for easy and seamless classification.
  3. Automatic segmentation policy recommendations. Guardicore Centra provides segmentation rule recommendations based on known application behavior and a pre-defined set of policy templates for common applications. For example, for Splunk users, Guardicore Centra will provide a pre-defined set of rules for securing this application with minimal to no human intervention. This provides a quick and easy way to reduce the risk without having to write new rules or rewrite rules for another application. 

Guardicore will preview new features at the RSA Conference in San Francisco, CA, February 24, 2020 – February 27 in Guardicore Booth #4319.

About Guardicore Centra

Guardicore Centra is a comprehensive data center and cloud security solution that delivers the simplest way to apply micro-segmentation controls to reduce the attack surface and detect and control breaches within east-west traffic. It provides deep visibility into application dependencies and enforces network and process-level policies to protect critical applications, in any environment.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Guardicore Threat Intelligence Firewall Hardens Security Policies in Modern Data Centers

Integrated with Guardicore Centra, Smart Firewall Continually Updated with Global and Local Source Data

Boston, Mass. and Tel Aviv, Israel – February 20, 2020 – Guardicore, a leader in internal data center and cloud security, today announced the availability of its Guardicore Threat Intelligence Firewall feature, integrated into its Guardicore Centra Security Platform. The Threat Intelligence Firewall goes beyond traditional firewall measures to help harden security profiles in complex cloud environments. Managed through Guardicore Centra’s segmentation rules dashboard, it identifies and blocks incoming and outgoing connections to known malicious IPs, limiting the network attack surface and eliminating attacker activity before it reaches critical assets in the data center.

“With our Threat Intelligence Firewall, we eliminate suspicious activity before it even reaches our customers’ data centers,” said Ofri Ziv, Guardicore Vice President of Research and head of Guardicore Labs. “Automatically configured in Guardicore Centra, our Threat Intelligence Firewall is a smart firewall that is continually updated with new data about malicious IP addresses and domains, collected by threat intelligence sensors deployed in live production data centers and cloud deployments across the globe. By identifying, flagging and/or blocking the latest attack, scan, and command and control (C&C) threats, it gives customers the ability to easily and confidently reduce risk by preventing bad actors from gaining access to the data center environment.”

With this new feature, Guardicore Centra is the only host-based segmentation platform to block traffic from malicious IP addresses identified through both its global network and local customer sources. Guardicore Threat Intelligence Firewall adds another layer of defense for security teams using the Guardicore Centra Security Platform to deploy simple and intuitive micro-segmentation controls that reduce the attack surface and detect and respond to breaches within east-west traffic. Guardicore customers benefit from:

  • Early warning about a compromised environment through instant block or alert:
    Instant notifications provide accurate and real-time information that a customer environment has been compromised, allowing faster response.
  • Up-to-date intelligence about the newest threats:
    Lists of malicious IPs are updated daily with the latest attack, scan, and C&C IPs.
  • Reduced exposure to malicious actors:
    Drastically reduce your attack surface to malicious actors that attempt to attack, scan, or make a C&C connection with your organization.

The Guardicore Threat Intelligence Firewall leverages data consumed from Guardicore’s Cyber Threat Intelligence feed, a publicly available resource tracking potential threats specific to data center and cloud infrastructure, eliminating false positives. For more details, visit Guardicore’s blog.

About Guardicore

Guardicore is a data center and cloud security company that protects your organization’s core assets using flexible, quickly deployed, and easy to understand micro-segmentation controls. Our solutions provide a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment. For more information, visit www.guardicore.com.

Introducing Guardicore Threat Intelligence Firewall

The Threat Intelligence Firewall is a new Guardicore Centra feature that blocks incoming and outgoing connections to known malicious IPs, eliminating malicious activity before it reaches your data center. To stay up to date with the most recent threats, the list of known malicious IPs is updated once a day.

Guardicore’s Threat Intelligence Firewall is based on our recently launched CyberThreat Intelligence (CTI), a service that offers unique information on malicious IP addresses and domains. The data is collected by Guardicore’s threat intelligence sensors installed in multiple data centers, organizations and cloud providers worldwide. More.

What Types of IP Addresses We Block

Guardicore’s Threat Intelligence Firewall blocks three types of IP addresses:

Attacker IPs
An Attacker IP is a machine that has managed to breach Guardicore’s threat intelligence sensors and executes attacks on them, such as dropping malware, scanning internal subnets or modifying system files.

Scanner IPs
A Scanner IP is a machine that accesses one or more services across one or more subnets monitored by the Threat Intelligence Sensors. This way we prevent the mere possibility of scanning your network, which is normally one of the first steps an attacker takes while looking for easy targets.

C&C IPs
A C&C IP is a machine that attackers connect to after breaching our Threat Intelligence Sensors. This way we prevent the attacker from communicating with its C&C servers, which ultimately cuts the chain of attack.

These three types of IP addresses are grouped into three labels – Top Attackers, Top Scanners and Top C&C:

The Guardicore Threat Intelligence labels

Keeping Attackers at Bay

Updated daily, these IP blacklists are automatically fed into Centra to create rules that alert on and block communications. We block incoming and outgoing connections to and from any port and process.

Threat Intelligence Firewall Block Policy Rules

Example of the TI FW block policy rules

The Threat Intelligence Firewall rules take precedence over standard Allow, Alert, and Block rules, so they don’t conflict with any other security policies you may have in place.

How do I know if a connection was blocked by the Threat Intelligence Firewall?

An incident is created for every connection the firewall blocks. The Threat Intelligence Firewall incidents are located under Centra’s Policy Violations section and are tagged with the Threat Intelligence Firewall tag. But what does a Threat Intelligence Firewall incident mean? Well, it depends. Let’s distinguish between policy violation incidents generated by an inbound connection and those generated by an outbound connection.

Inbound Connection Incident

If an inbound connection has been blocked, you shouldn’t be worried: you’ve been scanned by a compromised server. Check Guardicore Cyber Threat Intelligence to find out more about the attack you’ve just avoided.

A policy violation incident generated by an inbound connection.

Outbound Connection Incident

An outbound connection to a malicious destination means that you’ve probably been hacked. In that case, you should find the source of the attack. Consult with Guardicore Labs security experts at labs@guardicore.com.
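To make the evaluation order concrete, here is a small Python model of the behaviour this post and the earlier “Centra Do” section describe: Threat Intelligence rules are checked before the standard user-based Allow/Alert/Block rules, match any port and process, and produce an incident whose meaning depends on whether the listed address is the source (inbound scan) or the destination (outbound call-out). This is an added example, not Guardicore’s code; the feed entries are constructed from RFC 5737 documentation ranges, and the ordered first-match evaluation and default-permissive fallback are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed sample feed using the three label names from the post. Addresses are
# RFC 5737 documentation ranges chosen for this example, not real indicators.
TI_FEED = {
    "Top Attackers": ["203.0.113.10/32"],
    "Top Scanners": ["198.51.100.0/24"],
    "Top C&C": ["192.0.2.77/32"],
}
TI_NETS = [(label, ip_network(cidr)) for label, cidrs in TI_FEED.items() for cidr in cidrs]

# RFC 1918 ranges count as "inside the data center"; everything else is "the Internet".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Connection:
    src_ip: str
    dst_ip: str
    dst_port: int
    process: str
    user: str
    groups: frozenset  # AD security groups of the user, assumed already resolved


@dataclass(frozen=True)
class UserRule:
    name: str
    action: str                  # "allow", "alert" or "block"
    groups: Optional[frozenset]  # None matches any user
    dst_internet: bool           # True: destination outside INTERNAL_NETS


@dataclass(frozen=True)
class Incident:
    rule: str
    direction: str        # "inbound", "outbound" or "internal"
    label: Optional[str]  # TI label, or None for a user-rule violation
    severity: str
    guidance: str


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def ti_label(ip: str) -> Optional[str]:
    """Return the feed label for an address, or None if it is not on the daily list."""
    addr = ip_address(ip)
    for label, net in TI_NETS:
        if addr in net:
            return label
    return None


def evaluate(conn: Connection, user_rules: List[UserRule]) -> Tuple[str, Optional[Incident]]:
    """Return (action, incident) for one connection.

    TI rules are checked first because the post says they take precedence over the
    standard Allow/Alert/Block rules; they match any port and any process.
    """
    # A listed source means an inbound scan or attack; a listed destination means an
    # internal host is calling out, which the post treats as a sign of compromise.
    for direction, ip in (("inbound", conn.src_ip), ("outbound", conn.dst_ip)):
        label = ti_label(ip)
        if label is None:
            continue
        if direction == "inbound":
            severity, guidance = "low", "scanned by a known-bad host; blocked, look up the source in CTI"
        else:
            severity, guidance = "high", f"process {conn.process} reached out to a known-bad address; find the source"
        return "block", Incident(f"TI FW {label}", direction, label, severity, guidance)

    # Standard user-based rules, evaluated in order, first match wins (assumption).
    for rule in user_rules:
        if rule.dst_internet == is_internal(conn.dst_ip):
            continue  # rule scope (Internet vs internal) does not match this destination
        if rule.groups is not None and not (rule.groups & conn.groups):
            continue  # user is not in any group the rule names
        if rule.action == "allow":
            return "allow", None
        direction = "outbound" if rule.dst_internet else "internal"
        return rule.action, Incident(rule.name, direction, None, "medium",
                                     f"user {conn.user} is not entitled to this destination")

    # No rule matched: default-permissive, like the sample network before mitigation.
    return "allow", None


# The two rules the "Centra Do" section created to mitigate the Monkey's People finding.
USER_RULES = [
    UserRule("Allow Developers to Internet", "allow", frozenset({"Developers"}), True),
    UserRule("Block all users to Internet", "block", None, True),
]


if __name__ == "__main__":
    sample = Connection("10.0.0.7", "203.0.113.50", 443, "curl", "m0nk3y", frozenset())
    print(evaluate(sample, USER_RULES))
```

Note that a Developer reaching a Top C&C address is still blocked: the TI rule wins before the group-based allow rule is ever consulted.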

How to Get Guardicore Threat Intelligence Firewall

This feature is an enhancement offered to Guardicore customers upon request. If you are interested in this solution, contact our customer success team at support@guardicore.com. If you’re not yet a customer and interested in more information, contact us at labs@guardicore.com.