Guardicore Insight: Adding Best-in-Class Osquery Visibility to Secure Your Workloads

What if you had a single solution that was able to detect non-compliant and high-risk endpoints and servers, assess their level of exposure, and then immediately secure these servers and endpoints with laser-sharp segmentation policies?

Guardicore Insight enables you to do just that. 

We are excited to announce Guardicore Insight, a powerful agent add-on integrated into Guardicore Centra. As its name suggests, Guardicore Insight gives security teams enhanced insight into endpoints and servers across all operating systems and environments, allowing them to detect non-compliant and high-risk assets. Insight collects current, real-time context from all endpoints and servers, such as OS patch levels, network connections, running processes and more.

But, unlike similar asset management solutions, Guardicore Insight doesn’t stop there. 

Security teams can then set policies and permissions to restrict access to these vulnerable assets and strengthen compliance across the organization. For example, users can be granted access only if their workstations meet the security standards of the organization, or all endpoints that access corporate resources can be required to have up-to-date EDR installed. This level of policy granularity is impossible to achieve with traditional network firewalls.

Additional compliance tasks that can be supported with Guardicore Insight include producing hardening status reports, policy compliance audits and other reporting needs.

Why Guardicore Insight is unique

The power of Guardicore Insight lies in its unique integration with Guardicore Centra, a software-based segmentation solution.
Powered by Osquery, Guardicore Insight allows security teams to create segmentation policies based on sophisticated queries across all endpoints and servers, assess the level of risk by visualizing network connections, and then based on the results, assign a current state policy to mitigate the risk. This ability is unmatched by any network firewall or segmentation solution in the market today.


How can Guardicore Insight help you secure your endpoints and servers?

Guardicore Insight detects security and compliance gaps and mitigates them using Centra’s segmentation policy. Main use cases include compliance, asset management, incident response including ransomware mitigation and more.

Eliminate security compliance gaps

As a security administrator, you want to ensure that all your assets meet the security and compliance standards of your organization. You also want the ability to set a stricter access policy for those assets that do not meet these standards. For example, you want to ensure that all assets operate in compliance with cyber security best practices, such as those published by the Center for Internet Security (CIS).

One of the CIS standards calls for preventing the use of SMBv1, the old version of the Server Message Block protocol that Windows uses for file sharing on a local network, which is known to be abused in ransomware attacks. With Guardicore Insight, you can quickly detect all systems that accept SMBv1 connections and group them under a dedicated label. Once you have defined the label, you can apply policy rules to block all SMBv1 connections to these assets to reduce the attack surface, allowing your IT team the time they need to fix the violation at scale.

Guardicore Insight provides you with 3 unique capabilities no other solution provides:

Detect – Using Insight you can query all your Windows assets to identify which ones accept SMBv1 connections. Use the following query:

SELECT *
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
AND data == 1;
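The query above matches only hosts where the SMB1 value is explicitly set to 1; on Windows releases that still ship the SMBv1 server, a missing value also means SMBv1 is enabled. The broader check below is an added example written for this post, not part of Guardicore's material: it assumes osquery's registry, system_info and windows_optional_features tables (feature state codes 1 = enabled, 2 = disabled, 3 = absent) and flags hosts where the registry value is absent or non-zero and the SMB1Protocol feature has not been disabled or removed.

```sql
-- Added example: hosts where SMBv1 server support is still available.
-- Assumed osquery tables: system_info, registry, windows_optional_features.
-- registry.data is returned as text, so the DWORD is compared as '0'.
SELECT
  si.hostname,
  COALESCE(r.data, 'absent (default: enabled)') AS smb1_registry_value,
  COALESCE(f.statename, 'not an optional feature') AS smb1_feature_state
FROM system_info si
LEFT JOIN registry r
  ON r.path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
LEFT JOIN windows_optional_features f
  ON f.name = 'SMB1Protocol'
WHERE
  -- registry value missing, or set to anything other than 0
  (r.data IS NULL OR r.data != '0')
  -- and the feature is either not tracked (older servers) or still enabled (1);
  -- disabled (2) or absent (3) means the SMBv1 server is not available
  AND (f.state IS NULL OR f.state = 1);
```

Hosts returned by this query are candidates for the same label and blocking rule as in the original workflow; those that disappear after remediation have either set SMB1 to 0 or removed the feature.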


Assess – Using Guardicore Reveal, you can gain visibility and assess the level of risk of these assets by investigating all SMBv1 connections made to them.  

Secure – Finally, using the label you have created, you can create a policy rule to completely block all SMB connections to the vulnerable assets.

Shorten the vulnerability exposure window

Security patch deployment is one of the hardest tasks for an IT organization of any size, but at the same time it is one of the most important ones for keeping systems and applications secure against recent vulnerabilities and attacks.

When a zero-day vulnerability such as the SolarWinds vulnerability is discovered, the long-term solution is naturally to apply the hotfix, but sometimes it takes time to obtain the security patch or to test it in your production environment. With Guardicore Insight you can provide a workaround and immediately limit SolarWinds servers’ communication to and from the internet using a simple Block rule.

You can use the following query to identify the vulnerable SolarWinds assets:

SELECT *
FROM hash
WHERE path = 'C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'
AND sha256 in
('32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
'019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed');

Reduce endpoint security risk

As a security admin you’re faced with the challenging task of ensuring that all the endpoints in your organization – often amounting to thousands – are secure. One way to do this is to install antivirus software on each of your endpoints.

The following query may help you ensure that all your endpoints have antivirus software installed and active:

SELECT hostname
FROM system_info
WHERE (SELECT COUNT(*)
       FROM windows_security_products
       WHERE type='Antivirus' AND state='On') == 0;
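The query above reports hosts with no active antivirus at all. The extended version below is an added example, not from the post: it also reports hosts whose active product has stale signatures, and names the product so the result can be labelled by vendor. It assumes osquery's windows_security_products columns name, state and signatures_up_to_date.

```sql
-- Added example: hosts with no active antivirus, or whose active antivirus
-- has out-of-date signatures. Assumed osquery tables: system_info,
-- windows_security_products (state is 'On'/'Off', signatures_up_to_date is 1/0).
SELECT
  si.hostname,
  COALESCE(sp.name, 'none')  AS antivirus_product,
  COALESCE(sp.state, 'Off')  AS antivirus_state,
  sp.signatures_up_to_date   AS signatures_current
FROM system_info si
-- keep only products that are switched on; hosts with none get a NULL row
LEFT JOIN windows_security_products sp
  ON sp.type = 'Antivirus' AND sp.state = 'On'
-- a host is compliant only if at least one active product is also up to date
WHERE NOT EXISTS (
  SELECT 1
  FROM windows_security_products
  WHERE type = 'Antivirus'
    AND state = 'On'
    AND signatures_up_to_date = 1
);
```

A host with one current and one stale active product is not returned, because one compliant product is enough; a host with only stale products returns one row per product.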

What’s next

We invite you to try this new capability on your network to see the power of this feature. Please contact our Customer Success team or your Sales director for further details. 

5 Things You Didn’t Know You Could Do with Guardicore Centra

In this post we’re providing a list of useful tips that our customers love and can make working with Guardicore Centra even simpler: how to quarantine assets with one simple segmentation rule, auto-complete rule labels, integrate external threat feeds and more. 

1. Quarantine assets

To allow your SOC team quick quarantine capabilities, create a new label called “Quarantine” and use it to build a quarantine policy. For example, you can block all outgoing traffic from machines belonging to that label. Then, create a SIEM automation which automatically populates this label with assets when quarantine is needed.

The corresponding segmentation rule blocks all outgoing traffic from machines carrying the Quarantine label.

2. Auto-complete labels

When manually creating segmentation rules whose source and/or destination consists of multiple intersecting labels (e.g. Product & Billing), Centra provides a quick way to work with these labels. Instead of writing full label names like Env:Production&App:Billing, you can start typing values such as Prod&Bill and Centra will auto-complete your input and suggest the full label names.

3. Select multiple objects in Guardicore Reveal

To quickly select a portion of any Reveal map (including multiple labels, assets and flows) use the “S” key to switch between the hand & selection functionality. For example, you can use this to drag and drop multiple objects to a different location, or to suggest segmentation rules for multiple flows. To use this, make sure you’re in Policy mode. More keyboard shortcuts can be found by clicking the “hand” icon on the lower right part of the Reveal Explore screen.

4. Fast forward maps

Using the Fast Forward button in Reveal lets you recreate the same map with the most recent data, based on an existing filter, instead of creating multiple maps.

5. Integrate external threat feeds

If your organization owns proprietary or 3rd-party threat feeds, these can be easily integrated into the Centra threat engine to expand the threat list. Please reach out to support@guardicore.com if you are interested in exploring this option.

For more information about Guardicore Centra visit the Guardicore Centra Product page. 

Preventing and Responding to Supply Chain Attacks with Effective Segmentation

The recent SolarWinds incident is a stark reminder that we all should re-evaluate the blind trust we put into third-party components inside our networks. 

While the SolarWinds incident is fresh in many of our minds, it’s far from the first successful supply chain attack in the annals of cybersecurity. In 2011, another incident occurred which led to the blacklisting and bankruptcy of Dutch certificate authority DigiNotar after a security breach enabled a malicious actor to issue more than 500 certificates fraudulently. 

Modern supply chain attacks are among the most intricate and effective cybersecurity threats enterprises face today – what can organizations do to improve their defenses?

Wikipedia describes this type of threat as follows, “a supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector.”

To properly assess our ability to handle an incident like the recent SolarWinds attack, it’s important to be aware of our preventative and responsive security capabilities. Unfortunately, we know the odds of preventing complex zero-day and supply chain attacks with perimeter security alone are slim. Instead, we should also focus our attention on how far and wide attackers can reach once they breach the walls of our digital fortresses.

Prevention Best Practices

To ensure prevention, you should leverage micro-segmentation and the Zero Trust framework in your security strategy. If we look at the SolarWinds incident as a case study, we can identify how applying these concepts to application behavior could prevent or disrupt the attack flow.

In the recent supply chain attack, the SolarWinds client was deployed across various systems inside the network (as intended) and had no restrictions on what it could access inside or outside the network, regardless of host.

Two simple actions could have potentially helped organizations:

  1. The first stage of the attack involved pulling the secondary binary from the attack server. If the SolarWinds binary had only been able to access known SolarWinds addresses instead of the ones leveraged by the malicious actors, organizations could have broken the attack chain earlier.
  2. Even if prevention at the first stage failed and the Sunburst malware successfully deployed the binary, it would still need to communicate with its command-and-control server and run commands on the targeted network. If an organization had effective segmentation policies applied to its SolarWinds application, this activity could have been blocked, or a non-compliance alert generated for security teams to investigate.

Response Best Practices

From a response perspective, it’s not only about the speed of the response to a given incident. It’s also about having the right tools to surgically stop the attack without disrupting the business and to have data in place to actually assess the breadth and depth of the attack. Dwell time can be days or months, which can mean a far deeper attack footprint than originally assumed.

In ‘simpler’ cybersecurity incidents, such as ransomware attacks, attackers may encrypt files, making their impact and presence on a network obvious. However, in more advanced scenarios, such as supply chain attacks, it may be some time before a previously unknown breach is discovered. Since time will have passed, it’s essential to have the proper tools to mitigate the attack and chronologically investigate the attacker’s actions around your network.

How can Guardicore help?

Preventing the Attack

  • Realize a Zero Trust network – When onboarding a new application or reviewing an existing one, Guardicore segmentation policies can be configured to allow only the required access to a predefined or learned list of assets, domains and ports.
  • Crown jewel protection – Reduce risk by protecting your critical assets with granular segmentation policies instead of focusing on each potential third-party application.
  • Guardicore dynamic deception technology – Guardicore’s dynamic deception technology allows organizations to detect unknown malicious behavior by simulating a live system on the network to detect lateral movement of malicious actors.
  • Guardicore Threat Intelligence Feed – Apply a built-in list of rules as protection against a curated, constantly updating list of threats.

Responding to the attack

  • Guardicore Reveal – The Reveal map is a powerful tool that allows you to filter and view specific assets (Windows, Linux) and process behavior across time. For example, you can use it to explore the past behavior of a newly discovered malicious binary.
  • Rapid policy enforcement – Apply segmentation policies on both Windows and Linux within minutes of discovering a threat, as opposed to days and sometimes weeks due to infrastructure and routing limitations.
  • Guardicore Insight – Proactively query each system (Windows or Linux) on your network for any property about it and respond based on the result. For example:
    • Query for specific software installed, or the presence of specific files at a given path.
    • Quarantine systems with forbidden or vulnerable software.
    • Detect and block known indicators of compromise (IoC).


Want to improve your security posture against supply chain attacks? Request a demo today to learn more about effective prevention and response with Guardicore Centra.