Monkey emulates malicious user activity; Centra blocks with user identity policies
Zero Trust has been a top concern for many companies in recent years, but how do you get started with it? How do you know what your Zero Trust status is, and how do you then act on it? At Guardicore we wanted to help you assess your Zero Trust status and easily mitigate the gaps you find. We do this by combining our Breach and Attack Simulation tool, the Guardicore Infection Monkey, with our flagship product, Guardicore Centra, which provides advanced firewall and segmentation capabilities.
With its newly added Zero Trust assessment capabilities, the Infection Monkey now tests networks against the Forrester ZTX (Zero Trust eXtended) framework and produces a Zero Trust Status Report with actionable data and recommendations to support your Zero Trust decisions. Centra can then address some of the main issues raised in the Monkey’s report, mostly in the data, networks, people and visibility components. In this post, we walk you through testing and mitigating the ZTX People component.
How do the Guardicore Infection Monkey and Centra Work Together?
The idea is simple: we let the Infection Monkey scan your network and generate a Zero Trust Status Report that shows the areas leaving your company exposed to risk. Using Centra’s policy engine, we suggest segmentation rules that mitigate the problems the Monkey raised in its report. We then run the Infection Monkey again to verify that Centra has closed the gaps identified in the Monkey’s previous report.
Here’s the flow with the People component:
“Monkey See” – and generates a report
Here is the Infection Monkey Zero Trust Status Report after it has scanned a sample network. To test the People component, the Monkey tried to create a new user and have it communicate with the Internet, and it succeeded. This means that the network’s policies were too permissive: everyone was able to reach the Internet without restriction 😈
The failed test is indicated in red:
Clicking the Events section in the Report provides more details:
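The People finding above boils down to one observable pattern: an account is created and, shortly afterwards, that account opens a connection to a public address. The following script is an added example (not Infection Monkey or Centra code) showing how a defender could spot that pattern in their own telemetry. It runs over a small set of constructed, simplified events (the field names, hosts, users and addresses are all made up for the example) and flags any freshly created account that reaches a non-private destination within a configurable window.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified shape (not real Monkey or Centra
# output). "user_created" mirrors an account-creation audit event; "outbound"
# mirrors a connection record attributed to the user that opened it.
SAMPLE_EVENTS = [
    {"ts": "2021-03-01T10:00:00", "kind": "user_created", "user": "svc-tmp",
     "by": "Administrator", "host": "ws01"},
    {"ts": "2021-03-01T10:00:20", "kind": "outbound", "user": "svc-tmp",
     "host": "ws01", "dst": "93.184.216.34", "port": 443},
    {"ts": "2021-03-01T10:05:00", "kind": "outbound", "user": "alice",
     "host": "ws02", "dst": "10.0.0.5", "port": 445},
    {"ts": "2021-03-01T11:00:00", "kind": "user_created", "user": "newhire",
     "by": "hr-admin", "host": "dc01"},
    {"ts": "2021-03-02T09:00:00", "kind": "outbound", "user": "newhire",
     "host": "ws03", "dst": "151.101.1.69", "port": 443},
]


def is_internet_destination(ip: str) -> bool:
    """True for routable public addresses; RFC 1918 / loopback / link-local are not."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def find_new_user_egress(events, window=timedelta(hours=1)):
    """Correlate account creation with the first Internet-bound connection.

    Returns one finding per (user, connection) where the connection happened
    within `window` of the account being created and targeted a public address.
    """
    created = {}   # user -> creation timestamp
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "user_created":
            created[ev["user"]] = ts
        elif ev["kind"] == "outbound":
            born = created.get(ev["user"])
            if born is None or ts - born > window:
                continue
            if not is_internet_destination(ev["dst"]):
                continue
            findings.append({
                "user": ev["user"],
                "host": ev["host"],
                "dst": ev["dst"],
                "port": ev["port"],
                "seconds_after_creation": int((ts - born).total_seconds()),
            })
    return findings


if __name__ == "__main__":
    for f in find_new_user_egress(SAMPLE_EVENTS):
        print("new account reached the Internet:", f)
```

The window is the tunable part: the Monkey's test connects almost immediately after creating the account, so a short window catches it without flagging a genuine new hire whose first web session happens the next day (the `newhire` record above is deliberately outside the window).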
“Centra Do” – and creates security policy
Using Guardicore Centra’s user-based policies, it is possible to control user access to datacenter and cloud resources. We do this by integrating with Active Directory security groups: based on a user’s membership in those groups, we grant access to different resources, so users only reach what they are entitled to. For example, this can restrict access to Billing resources to the Billing users in your environment and access to HR resources to the HR users. See this video to learn more about Centra’s user-based rules.
To mitigate the issue raised by the Monkey, we created two user-based rules in Centra: one that allows only the Developers user group to access the Internet, and one that blocks all other users. Naturally, the same approach can be applied to any other group of users.
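To make the effect of those two rules concrete, here is an added example (not Centra’s own policy engine or API) of a minimal identity-based egress policy evaluator. It models the permissive state the Monkey found (any user may reach the Internet) beside the two user-based rules described above, evaluates them first-match-wins, and shows why an account the Monkey creates on the fly, which belongs to no sanctioned group, is blocked. Group names, addresses and the log line format are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "block"
    groups: Optional[FrozenSet[str]] # None means "any user"
    destination: str                 # "internet" or "internal"


def classify_destination(ip: str) -> str:
    """Public addresses count as Internet; everything else as internal."""
    addr = ipaddress.ip_address(ip)
    return "internal" if (addr.is_private or addr.is_loopback) else "internet"


def evaluate(rules: List[Rule], user_groups: FrozenSet[str], dst_ip: str,
             default: str = "block") -> Tuple[str, str]:
    """First matching rule wins; with no match, fall back to the default action.

    A Zero Trust posture makes that default "block", which is why an account
    that matches no allow rule is denied even if no explicit block rule exists.
    """
    dst = classify_destination(dst_ip)
    for rule in rules:
        if rule.destination != dst:
            continue
        if rule.groups is not None and not (rule.groups & user_groups):
            continue
        return rule.action, rule.name
    return default, "default"


# The state the Monkey found: everyone may go out to the Internet.
PERMISSIVE_POLICY = [
    Rule("any-user-to-internet", "allow", None, "internet"),
]

# The two user-based rules from the post: Developers allowed, everyone else blocked.
USER_BASED_POLICY = [
    Rule("developers-to-internet", "allow", frozenset({"Developers"}), "internet"),
    Rule("block-other-users-to-internet", "block", None, "internet"),
]

# Constructed access attempts: (username, AD groups, destination address).
ATTEMPTS = [
    ("dev-bob", frozenset({"Developers", "Domain Users"}), "93.184.216.34"),
    ("hr-carol", frozenset({"HR", "Domain Users"}), "93.184.216.34"),
    ("svc-tmp", frozenset(), "93.184.216.34"),   # account created during the Monkey's test
]


def replay(rules: List[Rule]) -> List[str]:
    """Return one constructed log line per attempt, in the spirit of Centra's Reveal log."""
    lines = []
    for user, groups, dst in rules and ATTEMPTS:
        action, rule = evaluate(rules, groups, dst)
        lines.append(f"user={user} dst={dst} action={action.upper()} rule={rule}")
    return lines


if __name__ == "__main__":
    print("before:")
    print("\n".join(replay(PERMISSIVE_POLICY)))
    print("after:")
    print("\n".join(replay(USER_BASED_POLICY)))
```

Rule order matters: if the block rule were listed first, it would match every user (including Developers) before the allow rule was consulted, so the allow-specific-group rule must precede the catch-all block.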
Replaying the Scenario
We ran the Monkey again after applying Centra’s user-based rules, and this time the Monkey’s Zero Trust Status Report showed no security issues in the People component:
Guardicore Centra’s Reveal map shows that the unsanctioned user is now blocked when it tries to access the Internet:
The log shows how the new user that previously managed to access the Internet is now blocked.
How to Get Guardicore Infection Monkey and Centra Working Together In Your Environment
If you’d like to see how the Infection Monkey and Centra work together, contact us to Get a Demo. To download the Infection Monkey for Zero Trust, click here. If you would like to learn more about Centra and/or the Infection Monkey capabilities, Contact Us.