Guardicore Insight: Adding Best-in-Class Osquery Visibility to Secure Your Workloads

What if you had a single solution that was able to detect non-compliant and high-risk endpoints and servers, assess their level of exposure, and then immediately secure these servers and endpoints with laser-sharp segmentation policies?

Guardicore Insight enables you to do just that. 

We are excited to announce Guardicore Insight, a powerful agent add-on integrated into Guardicore Centra. As its name suggests, Guardicore Insight gives security teams enhanced insight into endpoints and servers across all operating systems and environments, allowing them to detect non-compliant and high-risk assets. Insight collects current, real-time context from all endpoints and servers, such as OS patch levels, network connections, running processes and more.

But, unlike similar asset management solutions, Guardicore Insight doesn’t stop there. 

Security teams can then set policies and permissions to restrict access to these vulnerable assets and strengthen compliance across the organization. For example, users can be granted access only if their workstations meet the organization's security standards, or all endpoints that access corporate resources can be required to have up-to-date EDR installed. This level of policy granularity is impossible to achieve with traditional network firewalls.

Additional compliance tasks that can be supported with Guardicore Insight include producing hardening status reports, policy compliance audits and other reporting needs.

Why Guardicore Insight is unique

The power of Guardicore Insight lies in its unique integration with Guardicore Centra, a software-based segmentation solution.
Powered by Osquery, Guardicore Insight allows security teams to create segmentation policies based on sophisticated queries across all endpoints and servers, assess the level of risk by visualizing network connections, and then based on the results, assign a current state policy to mitigate the risk. This ability is unmatched by any network firewall or segmentation solution in the market today.

How Can Guardicore Insight help you secure your endpoints and servers?

Guardicore Insight detects security and compliance gaps and mitigates them using Centra’s segmentation policy. Main use cases include compliance, asset management, incident response including ransomware mitigation and more.

Eliminate security compliance gaps

As a security administrator, you want to ensure that all your assets meet the security and compliance standards of your organization. You also want the ability to set a stricter access policy for those assets that do not meet these standards. For example, you want to ensure that all assets operate in compliance with cyber security best practices, such as those published by the Center for Internet Security (CIS).

One of the CIS standards calls for preventing the use of SMBv1, the old version of the Server Message Block protocol that Windows uses for file sharing on a local network, which is known to be abused in ransomware attacks. With Guardicore Insight, you can quickly detect all systems that accept SMBv1 connections and group them under a dedicated label. Once you have defined the label, you can apply policy rules to block all SMBv1 connections to these assets to reduce the attack surface, giving your IT team the time they need to fix the violation at scale.

Guardicore Insight provides you with 3 unique capabilities no other solution provides:

Detect – Using Insight you can query all your Windows assets to identify which ones receive SMBv1 connections. Use the following query:

SELECT *
FROM registry
WHERE path = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1'
AND data == 1;

Guardicore Reveal to gain visibility and assess risk exposure

Assess – Using Guardicore Reveal, you can gain visibility into these assets and assess their level of risk by investigating all SMBv1 connections made to them.

Policy rule to block SMBv1 connections to vulnerable assets

Secure – Finally, using the label you have created, you can create a policy rule to completely block all SMB connections to the vulnerable assets.

Shorten the vulnerability exposure window

Security patch deployment is one of the hardest tasks for an IT organization of any size, and at the same time one of the most important for keeping systems and applications secure against recent vulnerabilities and attacks.

When a zero-day vulnerability such as the SolarWinds vulnerability is discovered, the long-term solution is naturally to apply the hotfix, but it can take time to obtain the security patch or to test it in your production environment. With Guardicore Insight you can provide a workaround and immediately limit SolarWinds servers' communication to and from the internet using a simple Block rule.

You can use the following query to identify the vulnerable SolarWinds assets:

SELECT *
FROM hash
WHERE path = 'C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'
AND sha256 IN
('32519b85c0b422e4656de6e6c41878e95fd95026267daab4215ee59c107d6c77',
'ce77d116a074dab7a22a0fd4f2c1ab475f16eec42e1ded3c0b0aa8211fe858d6',
'019085a76ba7126fff22770d71bd901c325fc68ac55aa743327984e89f4b0134',
'ac1b2b89e60707a20e9eb1ca480bc3410ead40643b386d624c5d21b47c02917c',
'c09040d35630d75dfef0f804f320f8b3d16a481071076918e9b236a321c1ea77',
'dab758bf98d9b36fa057a66cd0284737abf89857b73ca89280267ee7caf62f3b',
'eb6fab5a2964c5817fb239a7a5079cabca0a00464fb3e07155f28b0a57a2c0ed');

Reduce endpoint security risk

As a security admin, you're faced with the challenging task of ensuring that all the endpoints in your organization, often amounting to thousands, are secure. One way to do this is to install antivirus software on each of your endpoints.

The following query can help you verify that every endpoint has antivirus software installed and turned on:

SELECT hostname
FROM system_info
WHERE (SELECT COUNT(*)
       FROM windows_security_products
       WHERE type='Antivirus' AND state='On') == 0;

What’s next

We invite you to try this new capability on your network to see the power of this feature. Please contact our Customer Success team or your Sales director for further details.
