Preventing and Responding to Supply Chain Attacks with Effective Segmentation

The recent SolarWinds incident is a stark reminder that we all should re-evaluate the blind trust we put into third-party components inside our networks. 

While the SolarWinds incident is fresh in many of our minds, it’s far from the first successful supply chain attack in the annals of cybersecurity. In 2011, another incident occurred which led to the blacklisting and bankruptcy of Dutch certificate authority DigiNotar after a security breach enabled a malicious actor to issue more than 500 certificates fraudulently. 

Modern supply chain attacks are among the most intricate and effective cybersecurity threats enterprises face today – what can organizations do to improve their defenses?

Wikipedia describes this type of threat as follows: “a supply chain attack is a cyber-attack that seeks to damage an organization by targeting less-secure elements in the supply chain. A supply chain attack can occur in any industry, from the financial sector, oil industry or government sector.”

To properly assess our ability to handle an incident like the recent SolarWinds attack, it’s important to be aware of our preventative and responsive security capabilities. Unfortunately, we know the odds of preventing complex zero-day and supply chain attacks with perimeter security alone are slim. Instead, we should also focus our attention on how far and wide attackers can reach once they breach the walls of our digital fortresses.

Prevention Best Practices

To strengthen prevention, you should leverage micro-segmentation and the Zero Trust framework in your security strategy. If we look at the SolarWinds incident as a case study, we can identify how applying these concepts to application behavior could have prevented or disrupted the attack flow.

In the recent supply chain attack, the SolarWinds client was deployed across various systems inside the network (as intended) and had no restrictions on what it could access inside or outside the network, regardless of host.

Two simple actions could have potentially helped organizations:

  1. The first stage of the attack involved pulling the secondary binary from the attack server. If the SolarWinds binary had only been able to access known SolarWinds addresses instead of the ones leveraged by the malicious actors, organizations could have broken the attack chain earlier.
  2. Even if prevention at the first stage failed and the Sunburst malware successfully deployed the binary, it would still need to communicate with its command-and-control server and run commands on the targeted network. If an organization had effective segmentation policies applied to its SolarWinds application, this activity could have been blocked, or a non-compliance alert generated for security teams to investigate.
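The two controls described above, an egress allow list for the third-party agent and a non-compliance alert for anything outside it, can be modelled with a small policy evaluator. The following is an added example, not Guardicore code and not the behaviour of any real SolarWinds component; the process name, domains, subnet, ports and connection records are all constructed placeholders. It shows how both attack stages (the second-stage download and the later command-and-control beacon) fall outside a narrow policy and surface as alerts.

```python
"""Egress allow-list check for a third-party agent (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    host: str        # asset the connection was observed on
    process: str     # executable that opened the connection
    dest: str        # destination as an IP address or a hostname
    port: int


# Hypothetical policy: the vendor agent may only reach the vendor's own
# update endpoint and the internal management subnet on two ports.
POLICY = {
    "vendor-agent.exe": {                                   # constructed name
        "domains": {"updates.vendor.example"},              # constructed
        "cidrs": {ipaddress.ip_network("10.20.0.0/24")},    # constructed mgmt subnet
        "ports": {443, 17778},                              # constructed
    }
}


def _dest_allowed(dest, rule):
    """IP destinations must fall in an approved CIDR; hostnames must match an approved domain."""
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        # Hostname: exact match or a subdomain of an approved domain.
        return any(dest == d or dest.endswith("." + d) for d in rule["domains"])
    return any(addr in net for net in rule["cidrs"])


def evaluate(conn):
    """Return ('allow' | 'block', reason) for one observed connection."""
    rule = POLICY.get(conn.process)
    if rule is None:
        return ("block", f"no policy for process {conn.process}")
    if conn.port not in rule["ports"]:
        return ("block", f"port {conn.port} not approved for {conn.process}")
    if not _dest_allowed(conn.dest, rule):
        return ("block", f"destination {conn.dest} not on allow list")
    return ("allow", "matches policy")


def enforce(connections):
    """Evaluate a batch; return (allowed, alerts), where alerts are non-compliance events."""
    allowed, alerts = [], []
    for c in connections:
        verdict, reason = evaluate(c)
        if verdict == "allow":
            allowed.append(c)
        else:
            alerts.append({"host": c.host, "process": c.process,
                           "dest": f"{c.dest}:{c.port}", "reason": reason})
    return allowed, alerts


# Constructed connection records: two legitimate, two matching the attack stages above.
SAMPLE = [
    Connection("srv-01", "vendor-agent.exe", "updates.vendor.example", 443),
    Connection("srv-01", "vendor-agent.exe", "10.20.0.15", 17778),
    # Stage one: second-stage download from a host that is not on the allow list.
    Connection("srv-01", "vendor-agent.exe", "cdn.example.invalid", 443),
    # Stage two: beaconing to a command-and-control address on a non-approved port.
    Connection("srv-02", "vendor-agent.exe", "203.0.113.7", 8443),
]

if __name__ == "__main__":
    ok, alerts = enforce(SAMPLE)
    print(f"{len(ok)} allowed, {len(alerts)} blocked")
    for a in alerts:
        print("ALERT", a)
```

The policy is deliberately default-deny: a process with no entry is blocked outright, and port and destination are checked separately so the alert reason tells the investigator which part of the policy was violated.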

Response Best Practices

From a response perspective, it’s not only about the speed of the response to a given incident. It’s also about having the right tools to surgically stop the attack without disrupting the business, and having data in place to actually assess the breadth and depth of the attack. Dwell time can be days or months, which can mean a far deeper attack footprint than originally assumed.

In ‘simpler’ cybersecurity incidents, such as ransomware attacks, attackers may encrypt files, making their impact and presence on a network obvious. However, in more advanced scenarios, such as supply chain attacks, it may be some time before a previously unknown breach is discovered. Since time will have passed, it’s essential to have the proper tools to mitigate the attack and chronologically investigate the attacker’s actions around your network.

How can Guardicore help?

Preventing the Attack

  • Realize a Zero Trust network – When onboarding a new application or reviewing an existing one, Guardicore segmentation policies can be configured to allow only the required access to a predefined or learned list of assets, domains and ports.
  • Crown jewel protection – Reduce risk by protecting your critical assets with granular segmentation policies instead of focusing on each potential third-party application.
  • Guardicore dynamic deception technology – Guardicore’s dynamic deception technology allows organizations to detect unknown malicious behavior by simulating a live system on the network, exposing the lateral movement of malicious actors.
  • Guardicore Threat Intelligence Feed – Apply a built-in list of rules as protection against a curated, constantly updated list of threats.

Responding to the attack

  • Guardicore Reveal – The Reveal map is a powerful tool that allows you to filter and view specific assets (Windows, Linux) and process behavior across time. For example, you can use it to explore the past behavior of a newly discovered malicious binary.
  • Rapid policy enforcement – Apply segmentation policies on both Windows and Linux within minutes of discovering a threat, as opposed to days and sometimes weeks due to infrastructure and routing limitations.
  • Guardicore Insight – Proactively query each system (Windows or Linux) on your network for any property about it and respond based on the result. For example:
    • Query for specific software installed or the presence of specific files in a given path.
    • Quarantine systems with forbidden or vulnerable software.
    • Detect and block known indicators of compromise (IoCs).


Want to improve your security posture against supply chain attacks? Request a demo today to learn more about effective prevention and response with Guardicore Centra.

Ransomware, Critical Infrastructure and COVID-19: Confronting the New Reality of Nation-State Threats

Over the past decade, we have seen just how destructive cyberattacks have become. It seems every time we turn around, there are new methods surfacing that can often make us question our decisions and actions, and how we can continue to improve. But while we have seen nation-state attacks become more advanced, especially attacks using lateral movement such as unsanctioned east-west traffic and increased dwell time, there is also a silver lining. We can often learn more from the organizations that have been successful in circumventing even the most sophisticated cyberattacks. This is true even in cases of ransomware, critical infrastructure and the latest attacks – biotech research and COVID-19 vaccines.

Ransomware is consistently a huge challenge for many industries from financial services to healthcare and others, and the data shows a disturbing trend. A recent survey, The State of Ransomware, by the cybersecurity company, Sophos, reveals that 51% of organizations were hit by ransomware in the last year, and hackers succeeded in encrypting the data in 73% of those attacks. However, only 26% of ransomware victims whose data was encrypted got their data back by paying the ransom. And according to Verizon’s Data Breach studies into industrial espionage attacks against the private sector, the volume of nation-state actors increased from being 12% of the perpetrators of such attacks in 2018, to 23% in the 2019 study and to 38% in the 2020 study. There is no escaping the fact that nation-states are increasingly engaged in hacking.

From what I’ve witnessed as a cybersecurity consultant, nation-states are better at hiding than ever before. State hackers use various sophisticated techniques such as acting through proxy layers, avoiding attribution by manipulating data, and using clever toolkits and other means to mislead forensics. One of the best examples of this is the Wannacry ransomware that wreaked havoc across the world in 2017 and throughout 2018. It used EternalBlue, a cyberattack exploit developed by the United States National Security Agency (NSA). It was leaked by the hacker group Shadow Brokers in April 2017, just one month after Microsoft released patches for the vulnerability. Wannacry was especially nasty due to its self-propagating nature, meaning it could move itself from machine to machine, or network to network, spreading the infection entirely on its own.

When Consequences Turn Deadly

Nation-state actors have become brazen in their attacks, and we see evidence of this in the use of many different methods to carry out attacks that have even resulted in fatalities.

In the past, ransomware-focused criminal organizations would avoid targets where human lives would be at risk. But now, even hospitals are seen as acceptable. In September 2020, a ransomware attack on the German Düsseldorf University Clinic led to the death of a patient. German law enforcement is seeking prosecution of the Russian attackers involved in that attack. The same criminal gang was also responsible for attacking and taking down all 250 facilities of US-based UHS healthcare.

Nation-state actors have also targeted critical infrastructure in attacks that aim to hurt or even kill citizens of the target countries. From April to July of 2020, Israel’s water supplies were threatened three separate times by nation-state hackers (suspected to be Iran). The industrial controls of Israeli water processing facilities were attacked in an attempt to alter the injection of treatment chemicals to unsafe levels. The attack was so disconcerting that a cyber counterattack was levied against Iran (allegedly initiated by Israel) that disrupted port traffic at the Port of Shahid Rajaee.

These examples are a far cry from the typical nation-state attacks of the past – intelligence, influence, disinformation, propaganda and espionage. If we were once under the impression that investing in cybersecurity was strictly a decision based on the risk of data and financial loss, it’s time to reevaluate. We have entered an age where attacks could truly lead to devastating consequences, certainly to enterprise survival and now even to the safety and lives of people.

The Latest Biotech Hit: COVID-19 Vaccine

In the throes of the COVID-19 epidemic the US, Canada and the United Kingdom all reported attempts by Russian and Chinese state actors to steal, manipulate and even obstruct the development of the COVID-19 vaccine. First warnings of such activity came from a joint CISA/FBI PSA to the vaccine research community in May 2020. By July, the US Department of Justice issued an indictment for two Chinese nationals working for the People’s Republic of China. They were not only charged with attempted theft but attempted destruction of vaccine research held in the United States, Australia, Belgium, Germany, Japan, Lithuania, the Netherlands, South Korea, Spain, Sweden, and the United Kingdom.

How We Can Win the War With Segmentation

In cybersecurity, we are constantly inundated with stories of failures. Reports of data breaches seem to be much more popular with the media, while safe, secure organizations that are successfully protecting themselves and blocking attacks aren’t considered headline news. However, this is doing the industry and companies across the world a huge disservice. In a way, we are victims of reverse-survivor bias. While it’s important that we continue to stay vigilant and recognize these threats as real, there are many tangible things that companies and government organizations are currently doing to mitigate threats, minimize damages and recover gracefully.

Here are seven ways you can protect your organization from nation-state threats:

  1. Better Vulnerability and Patching Regimen:
    Add vulnerability and patching checks to end-user, public-facing and data center environments, and automate them wherever possible. They should also be incorporated into DevOps playbooks as new instances are spun up and/or modified. They should be incorporated into switch/route and other infrastructure devices as well, since we’ve seen a rise in focus here among attackers.
  2. Incorporate Multi-factor Authentication:
    Brute force password cracking is one of the easiest direct assaults seen on end user and application environments, yet it’s easy to enforce the use of strong passwords and to implement two factor authentication.
  3. Privileged Accounts and Expiration Controls:
    These can be easily added to overall enterprise security. New attacks often take advantage of the user they ride in on. Or, they can take advantage of an account that should have been used for a specific, scheduled purpose and subsequently deleted. Even with administrative accounts, one could easily work with reduced privileges – only invoking a higher “sudo” when needed.
  4. Certificate Management and Control:
    Many attackers take advantage of poor certificate management to propagate across an enterprise. By taking better control of certificate management you take away the ability of hackers to fool your workloads into trusting them.
  5. Core Service Controls:
    By better securing DNS, Remote Access, Active Directory and other critical enterprise services you prevent attacks from doing major damage.
  6. Micro-segmentation Practices:
    As Zero Trust discusses, the end of the enterprise edge is nigh. We need to move away from the reliance on perimeter firewalls and edge security and instead shore up our software-based segmentation throughout our enterprise workflow. With software-based segmentation, you replace the complexity of VLANs, firewalls and cloud security groups with a platform agnostic, simplified, fast and granular method to segment across your entire environment. Even when applied sparingly you decrease an attacker’s ability to land and even more to move laterally across the environment.
  7. Better and Redundant Backup and Restore Procedures:
    This is especially important today when ransomware and nation-state attacks are concerned. The ability to restore systems means you avoid costly downtime and restore without paying a ransom.

Setting Expectations: Plan, Practice and Survive

Adding to the seven focus areas, by far the most important indicator of whether you’ll succeed or fail, comes down to whether you’ve set expectations within your enterprise. Staff and executives need to accept that at some point you will be breached. They need to understand that it’s not a matter of if but when. With that in mind, you must also have a well thought out and practiced incident response plan that includes non-technical and executive staff. By doing such, you maximize your ability to respond, remediate and to recover gracefully.

While attackers seem so troublesome, we have everything in our grasp to defend against them. With just a little effort we will indeed survive and flourish.

To learn more about how Guardicore can help, get a free attack surface reduction analysis for your organization.

SUNBURST Backdoor: Unfolding Information on the SolarWinds Attack Campaign

On December 13th, major news outlets began reporting that a highly-sophisticated supply chain attack had targeted and successfully breached two major U.S. agencies, gaining access to internal email traffic.

Emerging details reveal that the threat actors behind this attack campaign gained access to these agencies and other organizations across different verticals and geographies by executing a supply chain attack: trojanizing SolarWinds Orion business software updates and using them to distribute malware. The SolarWinds attack campaign’s post-breach activity has included lateral movement within networks and instances of successful data exfiltration.

FireEye, currently tracking the campaign closely, summarized details about the malware, SUNBURST, in a recent, comprehensive post:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

Who is impacted by the SolarWinds attack campaign?

While the threat actors have only targeted a portion of the customer base so far, this backdoor gives them potential access to every organization using the vulnerable SolarWinds products. Organizations using any product from the list below should assume network compromise and activate their incident response plans promptly if they have not already.

A known list of affected versions:

  • Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1, including:
    • Application Centric Monitor (ACM)
    • Database Performance Analyzer Integration Module (DPAIM)
    • Enterprise Operations Console (EOC)
    • High Availability (HA)
    • IP Address Manager (IPAM)
    • Log Analyzer (LA)
    • Network Automation Manager (NAM)
    • Network Configuration Manager (NCM)
    • Network Operations Manager (NOM)
    • Network Performance Monitor (NPM)
    • NetFlow Traffic Analyzer (NTA)
    • Server & Application Monitor (SAM)
    • Server Configuration Monitor (SCM)
    • Storage Resource Monitor (SRM)
    • User Device Tracker (UDT)
    • Virtualization Manager (VMAN)
    • VoIP & Network Quality Manager (VNQM)
    • Web Performance Monitor (WPM)

SolarWinds continues to update the list of affected products. It’s recommended that you verify as soon as possible what software versions you have installed (instructions can be found on the SolarWinds website).

Mitigation Recommendations

New threat and mitigation information continues to emerge. However, we have notified all customers with known instances of SolarWinds Orion software installed on network areas with Guardicore Centra coverage, giving them the following recommendations:

  1. Update your affected software based on the latest SolarWinds recommendations
  2. Until a hotfix is installed, we recommend you immediately limit SolarWinds servers’ communication to and from the internet using a Centra policy Override block rule.
  3. Ring-fence all servers running SolarWinds.
  4. Search your network for the indicators of compromise provided by FireEye to identify possible threat activity. This can be done with Guardicore Insight (available from the Guardicore Centra v35 release).
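Step 4 above, searching hosts for published indicators, amounts to two routine checks: hashing files under a path and comparing them with a list of file hashes, and matching DNS query logs against a list of domains (including their subdomains, since the indicator is usually the parent domain). The block below is an added example, not Guardicore Insight or any FireEye tooling. It is self-contained and offline: the indicator values, the DNS log line format and the file tree are constructed placeholders; replace them with the published FireEye indicators and your own resolver log format.

```python
"""IoC sweep over a file tree and DNS log lines (added example, constructed data)."""
import hashlib
import os
import re
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep_files(root, ioc_hashes):
    """Return [(path, sha256)] for files under root whose hash is in ioc_hashes."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:      # unreadable or vanished file: skip, do not abort the sweep
                continue
            if digest in ioc_hashes:
                hits.append((p, digest))
    return hits


# Constructed log format: "<timestamp> <client-ip> query <qname>".
DNS_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def sweep_dns(lines, ioc_domains):
    """Return [(ts, client, qname)] where qname is an IoC domain or one of its subdomains."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if not m:                # malformed line: skip rather than crash
            continue
        q = m["qname"].rstrip(".").lower()
        if any(q == d or q.endswith("." + d) for d in ioc_domains):
            hits.append((m["ts"], m["client"], q))
    return hits


# Constructed indicators and sample DNS lines (not real SUNBURST indicators).
IOC_DOMAINS = {"c2.example.invalid"}
SAMPLE_DNS = [
    "2020-12-14T09:01:00Z 10.20.0.15 query updates.vendor.example.",
    "2020-12-14T09:02:10Z 10.20.0.15 query abc123.c2.example.invalid.",
    "2020-12-14T09:02:11Z 10.20.0.16 query www.example.com.",
    "garbage line",
]


def demo():
    """Build a temporary tree with one file matching a constructed hash IoC and run both sweeps."""
    with tempfile.TemporaryDirectory() as root:
        bad = os.path.join(root, "plugins", "x.dll")      # constructed path
        os.makedirs(os.path.dirname(bad))
        with open(bad, "wb") as f:
            f.write(b"constructed malicious payload")
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"benign")
        ioc_hashes = {hashlib.sha256(b"constructed malicious payload").hexdigest()}
        file_hits = sweep_files(root, ioc_hashes)
        return len(file_hits), sweep_dns(SAMPLE_DNS, IOC_DOMAINS)


if __name__ == "__main__":
    n_files, dns_hits = demo()
    print(f"file hash hits: {n_files}")
    for hit in dns_hits:
        print("dns hit:", hit)
```

Both sweeps skip unreadable files and malformed log lines instead of aborting, which matters when the sweep runs across many hosts unattended; a hit on either list is a reason to ring-fence the host and pull its recent process and connection history, not proof by itself.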

Reducing attack surface and preventing unauthorized lateral movement can significantly reduce the impact of similar attack campaigns on your organization in the future. To learn more about your risk reduction potential, request an attack surface analysis today.

How Technological Innovation Has Changed Security As We Know It

Technological innovation has changed security as we know it. We live in a fast-paced, digital world, and agile enterprises have embraced the rapid delivery of new technology and digital services as a means to stay competitive. At the center of this transformation is a DevOps model and the move to cloud computing for faster and more efficient delivery of digital services. This transformation has made the pace at which security was delivered in the last 20 years irrelevant. As a result, organizations feel forced to choose between agility and security.

I see many organizations whose pace of innovation is significantly hurt by the legacy firewalls they rely upon for security and compliance. Their DevOps race cars are shackled to old-school network security appliances. Sadly, the legacy firewalls are also not very effective in stopping modern threats. So organizations are often both exposed and slow as a result of relying on legacy firewall appliances for security.

Technological innovation and firewall facts

To gain a deeper understanding of our observations, Guardicore sponsored a research project with the Ponemon institute. We surveyed over 600 security professionals in the United States about how they use legacy firewalls in their organizations. One of the most obvious trends we saw was that legacy firewalls are ineffective in protecting applications and data in the cloud. Another big finding was that legacy firewalls kill flexibility and speed. Both of these are clearly detrimental to businesses.

Allow me to explain further. As organizations flock to cloud and hybrid infrastructures, applications often migrate among different environments, increasing inter-segment traffic. The rapid proliferation of applications is creating an ever-larger attack surface for hackers to target. These services bypass the stateful firewalls on the perimeter, delivering information and files directly to the end user.

As for why this is happening, the answer is that legacy firewalls simply haven’t kept up with today’s world. In fact, the last true innovation in firewall appliances was a good 15 years ago, and the IT landscape has profoundly changed since then.

Legacy firewalls are out; software-based segmentation is in

Digital transformation has presented the world of business with many exciting opportunities. At the same time, it has pushed legacy firewalls way past their originally intended purpose.

As the first line of defense against outside intrusion, legacy firewalls have been, without question, a boon to the evolution of the internet. However, as data breaches proliferated, organizations quickly realized they couldn’t just protect against outside threats. After all, what would happen once someone got past perimeter defences? Clearly they had to do something to mitigate threats inside their networks and data centers as well. 

This led to the concept of segmentation — the creation of restricted “zones” for groups of applications in the network environment. Network and data center segmentation has typically taken the form of virtual local area networks or VLANs, partitioned and secured by the same firewall technology that enforces north-south traffic at the perimeter. However, as technologies continue to evolve, these methods have become lengthy, costly, and complex. 

Here’s how VLANs work (or don’t)

If you’ve been using VLANs up until now, you’ll know how ineffective they are when it comes to protecting legacy systems. VLANs usually place all legacy systems into one segment. What does that mean? A single breach puts all of them in the line of fire. Yeah – it’s not good.

VLANs rely on firewall rules that are difficult to maintain and do not leverage sufficient automation. This often results in organizations accepting loose policy that leaves your environment open to risk. Without visibility, your security teams can’t enforce tight policy and flows, not only among the legacy systems themselves, but also between the legacy systems and the rest of a modern infrastructure.

It’s time to rethink firewalls

I’m excited to share that here at Guardicore, we are revolutionizing the segmentation field by delivering distributed firewall controls that are completely decoupled from the underlying infrastructure. This modern-day approach removes the most significant obstacles to security efficiency: slow implementation and severe operational impact.

As Buckminster Fuller once said, “We are called to be architects of the future, not its victims.” 

The industry changes we have witnessed over the past three decades are precisely why we founded Guardicore. We ourselves come from a background where we have experienced the same challenges you are experiencing, and we are thrilled to embrace and share the innovations of the future. We continue to hold the vision and the goal of reinventing enterprise security to place greater emphasis on security beyond the traditional network perimeter. This makes our organizations and ultimately, all of us, safer. 

Now is the time to embrace better alternatives to legacy firewalls. Together, let’s enable rapid innovation and digital transformation while also protecting those digital assets that matter most. 

To learn more about the findings in this report and our solution, please download our free ebook, “Rethink Your Firewalls to Meet the Needs of Digital Transformation”. We look forward to sharing this journey to success together. Here’s to technological innovation – and the successful security that supports it!


The dangers of firewall misconfigurations – and how to avoid them

According to Gartner, “through 2023, at least 99% of cloud security failures will be the customer’s fault.” Firewall issues are one of the top reasons why this is the case.

The extreme pace of change and increasingly swift adoption of hybrid cloud has network security struggling to keep up. Many enterprises are attempting to protect themselves with network firewalls, putting themselves at increasing risk of configuration errors and policy gaps. In fact, Gartner says:

“Through 2023, 99% of firewall breaches will be caused by firewall misconfigurations, not firewall flaws.”

What are the most common causes of firewall misconfigurations?

Network firewalls are not easy to update. Keeping rules up to date when environments and applications are dynamic and complex is almost impossible.

Because of this challenge, firewall policy is often behind the current status of your applications and data. This means you are increasing risk in your data center until you manage to manually set the rules. Moreover, those rules may well become obsolete again almost immediately, so you can never truly stem the issue of growing risk.

At the same time, companies have to deal with compliance mandates and governance, which are just as strict on the cloud environments as on-premises environments. While the increased agility of a hybrid cloud ecosystem is helpful for streamlining business processes, the speed of change has caused many organizations to fall badly short of compliance requirements.

It’s especially difficult to get full visibility into hybrid cloud environments – and without visibility, you can easily fall prey to blind spots resulting from misconfigurations. Take the Capital One breach, for example, where hackers could exfiltrate “data through a ‘misconfiguration’ of a firewall on a web application. That allowed the hacker to communicate with the server where Capital One was storing its information and, eventually, obtain customer files.” The result was the loss of the personal data of more than 100 million people, including tens of millions of credit card applications.

What are the most common firewall misconfigurations?

Wondering what some of the most common firewall misconfigurations are? Here are the ones that we see time and again:

  • EC2 instances: Configuring security groups incorrectly can lead to unnecessary risk. AWS itself reports that “Among the most egregious were AWS Security Groups configured to leave SSH wide open to the Internet in 73 percent of the companies analysed.” Any approach that relies on IP addresses that constantly change is going to be error-prone.
  • VPC access: Of course, your business doesn’t want anyone on the internet to be able to access your VPCs. That said, this is a common mistake. Many businesses use ACLs to manage the problem, but it can be time-consuming and leave blind spots.
  • Services permissions: It often happens that unnecessary services are left running on the firewall, opening up enterprises to risk and broadening the attack surface. When devices are configured from the start with the principle of zero-trust and least privilege, this removes that risk. It also ensures that devices can only do the specific function you need them for.
  • Inconsistent authentication: Enterprises often have networks that work across multiple geographies and locations, as well as different environments. Consistent authentication across these different places is a cornerstone of good firewall hygiene. If some requirements are weaker than others, the misalignment creates vulnerable areas of the enterprise that can be leveraged like an unlocked door. The result is that your business will be open to attacks.
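The first bullet above, security groups that leave SSH open to the whole internet, is the kind of misconfiguration that is easy to check mechanically once you have the rules in hand. The block below is an added example, not Guardicore code or an AWS tool. Its input mirrors the shape of the IpPermissions entries returned by the EC2 DescribeSecurityGroups API (IpProtocol, FromPort, ToPort, IpRanges, Ipv6Ranges); the group IDs and rules are constructed, and the set of administrative ports it flags is my own choice, generalized beyond SSH to the other remote-administration ports an attacker would look for.

```python
"""Flag security groups that expose administrative ports to the internet (added example, constructed data)."""

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Assumed set of ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 5985: "WinRM", 5986: "WinRM"}


def _ranges(perm):
    """Yield every IPv4 and IPv6 CIDR a permission entry grants access from."""
    for r in perm.get("IpRanges", []):
        yield r.get("CidrIp")
    for r in perm.get("Ipv6Ranges", []):
        yield r.get("CidrIpv6")


def _ports(perm):
    """Ports a permission covers; None means every port (protocol -1 or no port bounds)."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return None
    return range(lo, hi + 1)


def find_exposures(groups):
    """Return one finding per (group, admin port) reachable from 0.0.0.0/0 or ::/0."""
    findings = []
    for g in groups:
        for perm in g.get("IpPermissions", []):
            open_ranges = [c for c in _ranges(perm) if c in ANYWHERE]
            if not open_ranges:
                continue                      # restricted source: not an internet exposure
            ports = _ports(perm)
            exposed = sorted(ADMIN_PORTS) if ports is None else [p for p in ADMIN_PORTS if p in ports]
            for p in exposed:
                findings.append({"group": g["GroupId"], "port": p,
                                 "service": ADMIN_PORTS[p], "source": open_ranges})
    return findings


# Constructed security groups in the DescribeSecurityGroups IpPermissions shape.
SAMPLE_GROUPS = [
    {"GroupId": "sg-1", "IpPermissions": [                      # SSH open to the world: finding
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-2", "IpPermissions": [                      # SSH from a private range: fine
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupId": "sg-3", "IpPermissions": [                      # all traffic from any IPv6: every admin port
        {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-4", "IpPermissions": [                      # HTTPS to the world: not an admin port
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]

if __name__ == "__main__":
    for f in find_exposures(SAMPLE_GROUPS):
        print(f"{f['group']}: {f['service']} (port {f['port']}) open from {f['source']}")
```

Wide port ranges and the catch-all protocol "-1" are handled explicitly because they are the common way SSH ends up exposed without a rule that literally says port 22; the fix in every case is to narrow the source to a bastion or VPN range rather than to delete the finding.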

What’s the best firewall alternative?

Because of all the issues mentioned above, many businesses have decided that it’s time to look for a firewall alternative. Modern organizations need a security solution that is faster, easier to manage, less error-prone, and more conducive to today’s hybrid cloud and complex environments. That’s where a software-defined micro-segmentation solution like Guardicore Centra comes in.

“With Guardicore, we were not only able to secure 45 applications without interruption in just 6 weeks, we also got a more agile, cost-effective, and secure solution than our legacy firewall provider.”

— David E. Stennett, Sr. Infrastructure Engineer, The HoneyBaked Ham Company


Whereas network firewalls can be a hurdle to speed and agility, software-defined segmentation is an enabler. The overlay approach to micro-segmentation does not rely on IP addresses, and is therefore completely decoupled from the underlying infrastructure. This structure allows policies to follow the workload, no matter what environment you are using. Therefore, security can move at the speed of innovation – and lower costs at the same time.

This fast pace is bolstered by automation. And, of course, automation slashes the rate of manual changes and updates – and therefore misconfigurations and errors. Automation supports real-time risk mitigation, even across multi-vendor security environments.

How can you gain visibility into firewall misconfigurations?

Understanding firewall misconfigurations starts with mapping connections, because you can’t protect what you can’t see (or don’t even know exists). In addition to providing stronger, faster security, using a solution like Guardicore Centra enables you to gain granular insights into your communications and connections. That way you can see misconfigurations at a glance, identify unusual behavior, solve open ports or broad permissions, and tackle issues such as inconsistent authentication procedures.

Moreover, Guardicore Centra goes beyond visibility to provide the security that you need to support a Zero Trust-based framework. Specifically, Guardicore covers the main pillars of Zero Trust by securing:

  • People with user-based policies.
  • Endpoints through security policies and enforcing compliance using OSQuery.
  • Workloads in any environment by providing policies that follow the workload and are not tethered to a specific infrastructure.
  • Networks and devices by securing device access to the data center.

Why do you need software-based segmentation vs native cloud controls?

For those of you who rely on the built-in firewall capabilities of cloud providers – hopefully by now you know that software-based segmentation does much more to secure business environments than can be achieved by native cloud controls alone.

Native cloud controls are outside of the visibility and control of network security teams. Those teams need visibility in order to manage connectivity for business-critical applications or micro-segmentation projects. Perhaps this is why Gartner acknowledges that, “Agent-based micro-segmentation has become the standard for micro-segmentation platforms.”

How do you dynamically scale security while avoiding misconfigurations?

Once you’ve mapped out connections, you’re well placed to create consistent policies that follow the workload. You can then avoid playing continuous catchup with network firewalls that simply weren’t built for dynamic, auto-scaling environments or DevOps pipelines and agility. If, by chance, you should miss a misconfiguration, a strong micro-segmentation approach enables you to isolate critical assets and data so that a potential breach can be contained and mitigated, fast.

Leave legacy firewalls behind and lower risk in your own environment

Chances are good that you already have firewall misconfigurations that are opening you up to unnecessary risk. Hybrid cloud environments have added another layer of complexity to today’s data centers, creating even more opportunities for firewall misconfigurations.

Guardicore Centra is one tool that covers any environment and provides superior security capabilities, offering the flexible, fast, and cost-effective protection today’s businesses require. Guardicore enables you to take the challenges of a hybrid data center head on, providing visibility and control where you need it the most.

Ready to find out more about how to reduce risk in your own environment? Sign up today for a free personalized Risk Reduction Assessment Report to find out how much you can shrink your attack surface using Guardicore’s software-based segmentation solution.


Migrating to the Cloud Fast and Securely

There are numerous different ways to make your move to the cloud. According to Gartner, the five most common techniques are rehosting, refactoring, revising, rebuilding, or replacing. Yet every one of those options has a few commonalities: you will always need to understand what assets will be involved, how they communicate, and the ways they interact with your broader IT environment.

After helping organizations of all sizes and complexity levels simplify and accelerate their cloud migration projects, Guardicore has identified five simple steps that can streamline those common points. Following these steps helps assure a fast migration while also enabling you to ensure that security and compliance policies extend to the new infrastructure.

5 simple steps to a fast and secure cloud migration

Ready for a sneak preview? Check out this short video for the quick overview before diving into the detailed instructions for how to achieve a fast and secure cloud migration.

1. Map application workloads

Typically, 73% of cloud migrations take more than a year to complete[1]. Even migrating a single application can take as long as four months[2]. However, with Guardicore, you can drastically speed up the timeline of your project from step one.

Once installed, Guardicore Centra automatically generates a detailed map of activity across all your environments. Process-level activity is correlated with network events, giving you a visual view of all workloads.
You can then drill down for more detail, including granular information on specific assets and processes. This helps you determine what elements you need to consider during your migration, so you can accurately scope your project.

2. Identify service dependencies

Many applications have service dependencies that they rely on to operate, such as DNS, Active Directory, or update services. These need to be documented and correctly configured as a part of the migration process.

For instance, you may not want your newly migrated cloud application to have access to the on-premises Active Directory for security or compliance reasons. Therefore, rehosting it or setting up another instance may be a better option for your business.

Guardicore can help you determine what dependencies exist today. Once those dependencies are identified, you can make a proactive and informed decision on how you would like to set up these services before you migrate. In this way you can avoid unplanned delays.

Guardicore provides detailed insights into service and business dependencies

3. Identify business dependencies

In addition to ensuring service dependencies are taken care of, other elements in your environment likely require access to the newly migrated asset to keep your business running as usual. One common use case for financial services organizations, for instance, is the need for billing, accounting, and SWIFT applications to communicate with a banking application migrated to the cloud.

In order to ensure that everything continues operating as expected post-migration, Guardicore provides you with the granular visibility you need to understand communication between each relevant element. This includes insights into connections between protocols, ports, and processes.

This visibility lets you plan how to configure for today’s dependencies. It also helps you decide whether or not to make a change moving forward (like creating a cloud instance of an accounting application in order to avoid an on-premises-to-cloud dependency). Moreover, it allows you to avoid potential outages that can occur when you decommission on-premises versions of applications after a migration.

4. Migrate your assets to the cloud

Once you’ve gone through the process of mapping assets and thoroughly understanding dependencies, you can confidently begin your cloud migration. During this time, you can also define any segmentation policies needed to further reduce risk and ensure compliance.


Because Guardicore presents real-time and historical network data in a centralized platform, it’s easy to spot communication flows that might increase risk or result in non-compliance. You can then limit exchanges between assets as needed.

There is an additional bonus to defining policies before undergoing a cloud migration. Since Guardicore operates independently of the underlying infrastructure, policies follow the workloads. Thus, existing security controls carry over to the cloud. There, they can be fine-tuned for an asset’s new environment, saving even more time.

“The entire segmenting of the Somos infrastructure, applications, and data had been completed when we entered the new environment.”

Alex Amorim – Information Security Manager

5. Check and validate your cloud migration

After you’ve completed your cloud migration, it’s important to do one last thorough check. Now is the time to validate that you have accounted for all dependencies and that the correct security policies are in place.

Once you’ve confirmed everything is as it should be, you can securely shut down any on-premises assets you want to decommission. All that’s left is to toast to a successful migration!
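The five steps above, worked through in code as an added example (not Guardicore's own logic): it classifies a connection map into service, business and internal dependencies (steps 2 and 3), lists the flows that will cross the on-premises/cloud boundary after the move (step 4), and checks the post-migration flows against the planned policy (step 5). Hostnames, ports, environments and the planned policy are all constructed assumptions.

```python
"""Classify an application's dependencies ahead of a cloud migration and
validate the result afterwards.

Added example, not Guardicore's code. Flow records are constructed
(client, server, port) tuples standing in for the connection map the
text describes; hostnames and environments are assumptions.
"""

# Constructed: which environment each host lives in before the migration.
HOST_ENV = {
    "bank-app-1": "onprem", "bank-db-1": "onprem",
    "dns-1": "onprem", "ad-dc-1": "onprem", "wsus-1": "onprem",
    "billing-1": "onprem", "swift-gw-1": "onprem", "acct-1": "onprem",
}

# Constructed: observed flows (client, server, port) from the pre-migration map.
OBSERVED_FLOWS = [
    ("bank-app-1", "bank-db-1", 1433),   # app tier -> database (moves together)
    ("bank-app-1", "dns-1", 53),         # service dependency: DNS
    ("bank-app-1", "ad-dc-1", 389),      # service dependency: Active Directory
    ("bank-app-1", "wsus-1", 8530),      # service dependency: update service
    ("billing-1", "bank-app-1", 8443),   # business dependency: billing
    ("swift-gw-1", "bank-app-1", 8443),  # business dependency: SWIFT gateway
    ("acct-1", "bank-db-1", 1433),       # business dependency: accounting reports
    ("billing-1", "acct-1", 9000),       # unrelated to the migrated assets
]

MIGRATING = frozenset({"bank-app-1", "bank-db-1"})


def classify_dependencies(flows, migrating):
    """Steps 2 and 3: split flows by the migrated assets' role in them.

    service  - the migrated asset is the client (DNS, AD, updates...)
    business - the migrated asset is the server (billing, accounting...)
    internal - both ends move together, so no cross-environment link results
    """
    groups = {"service": [], "business": [], "internal": []}
    for client, server, port in flows:
        c_moves, s_moves = client in migrating, server in migrating
        if c_moves and s_moves:
            groups["internal"].append((client, server, port))
        elif c_moves:
            groups["service"].append((client, server, port))
        elif s_moves:
            groups["business"].append((client, server, port))
        # flows touching no migrated asset are out of scope for this project
    return groups


def cross_env_after_migration(flows, migrating, host_env, target_env="cloud"):
    """Step 4 planning: flows that will cross an environment boundary once
    the migrated assets live in target_env. Each needs an explicit decision:
    keep the link under policy, or stand up a replacement in the cloud."""
    env_after = {h: (target_env if h in migrating else e) for h, e in host_env.items()}
    return [
        (client, env_after[client], server, env_after[server], port)
        for client, server, port in flows
        if env_after[client] != env_after[server]
    ]


def validate_post_migration(planned_policy, observed_after):
    """Step 5: compare what the policy allows with what is actually seen.

    Returns (unaccounted, unused): observed flows the policy never planned
    for (missed dependencies), and planned flows never observed (rules that
    may be unnecessary, or replacements that nothing switched over to)."""
    observed = set(observed_after)
    return observed - planned_policy, planned_policy - observed


# Constructed plan: DNS and AD get cloud instances (names are assumptions),
# WSUS stays reachable on-prem, business clients keep their access.
PLANNED_POLICY = frozenset({
    ("bank-app-1", "bank-db-1", 1433),
    ("bank-app-1", "cloud-dns-1", 53),
    ("bank-app-1", "cloud-ad-1", 389),
    ("bank-app-1", "wsus-1", 8530),
    ("billing-1", "bank-app-1", 8443),
    ("swift-gw-1", "bank-app-1", 8443),
    ("acct-1", "bank-db-1", 1433),
})

# Constructed: flows seen after cut-over. The app still talks to the on-prem
# domain controller, and nothing has used the cloud AD instance or WSUS yet.
OBSERVED_AFTER = [
    ("bank-app-1", "bank-db-1", 1433),
    ("bank-app-1", "cloud-dns-1", 53),
    ("bank-app-1", "ad-dc-1", 389),
    ("billing-1", "bank-app-1", 8443),
    ("swift-gw-1", "bank-app-1", 8443),
    ("acct-1", "bank-db-1", 1433),
]

if __name__ == "__main__":
    for kind, flows in classify_dependencies(OBSERVED_FLOWS, MIGRATING).items():
        print(f"{kind}: {len(flows)} flow(s)")
    for c, ce, s, se, p in cross_env_after_migration(OBSERVED_FLOWS, MIGRATING, HOST_ENV):
        print(f"cross-env: {c} ({ce}) -> {s}:{p} ({se})")
    missed, unused = validate_post_migration(PLANNED_POLICY, OBSERVED_AFTER)
    print("unaccounted:", sorted(missed))
    print("unused:", sorted(unused))
```

The unaccounted flow to ad-dc-1 is exactly the on-premises-to-cloud dependency step 2 warns about; the unused rules point at the cloud AD instance nothing has switched to yet.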

Congratulations on completing your fast and secure cloud migration!

Going through these five steps with Guardicore Centra can drastically simplify and speed up your migration to the cloud. Ready to see that kind of success in action for yourself? Check out this five-minute walkthrough of moving an e-commerce application to the cloud:

Can you reduce your attack surface to zero?

As network changes take place faster and faster, attack surfaces grow at a corresponding pace, increasing business vulnerability.

It’s critical to:

  • Articulate the risks brought on by a large attack surface.
  • Visualize how radically software-based segmentation can reduce your attack surface.
  • Quantify the risk reduction so others across the business can understand the value of taking action.

But can you reduce your attack surface to zero? And what exactly are we talking about here when we reference the attack surface?

What is an application attack surface?

An application’s attack surface is the set of unrestricted communication paths between endpoints in the network and open ports on the servers of the application under review. The bigger the attack surface, the more vulnerable your environment is. For example, a successful ransomware attack starts from an attacker leveraging the ability to (a) penetrate the network through non-monitored communication paths[1] and (b) move laterally, targeting critical data or highly privileged services and propagating ransomware across the entire network, before encrypting everything they can reach (including your backups).

Reducing the attack surface by exposing only the needed services/ports to the smallest group of clients is essential to stopping this type of attack from penetrating your network. A well micro-segmented network prevents attackers from moving laterally within the network and gaining control over ever more assets. Unfortunately, this is just one possible attack vector – there are others.

So, can you reduce your attack surface to zero?

Given all the issues that can be brought on by having a broad attack surface, it seems like the answer would be to shut the attack surface down.

Unfortunately, you can’t really reduce your attack surface to zero – unless you can:

  • Disconnect all communication paths between the internet and all of the servers in your network (including IoT devices).
  • Prevent anyone with access to your organization’s IT infrastructure (including network systems, laptops, virtual environments, databases, business applications, etc.) from uploading, downloading, opening emails, clicking on links, connecting their own devices, or making any changes to set configurations.
  • Hire only people who make zero mistakes, 100% of the time.

Assuming connectivity with the outside world is required and human errors are here to stay, how can you realistically protect your critical applications to ensure business continuity and growth? The answer is to reduce the attack surface to a minimum using software-based segmentation. Make sure that the only open communication paths between an application’s servers/processes and other applications, users, or internet sources are those your policy explicitly allows and monitors.


How do I prove the value of attack surface reduction to management?

Even if you know the benefits of using software-based segmentation to reduce your attack surface, demonstrating the risk reduction value of segmentation to management can be a challenge. That’s where Guardicore’s Risk Reduction Assessment Report comes in.

The report enables security teams to visualize and understand their applications’ attack surface by seeing which other assets can communicate with the application’s servers. The report then provides a view of what the attack surface looks like once unnecessary communication paths are closed and the attack surface has been minimized.

The personalized report is based on a zero-impact process that enables Guardicore to analyze your own applications. There is no required software installation and we are at no point connected to your environment. The report is based on netstat-type data we receive from the organization we work with on the report. The business requesting the report chooses which application and servers to collect data from.

There are a few ways to provide us with the data:

  • Open-source data collector script
  • A Netflow file
  • A PCAP file containing packet network data
  • Guardicore agents (as part of a PoC process)

The result is a document that visually demonstrates:

  • The way software-based segmentation reduces the risks of a flat network.
  • The quantified value of segmentation in your own business environment.
  • The logic behind the generation of the graphs and numbers in the report.
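One way to compute the figures such a report presents, using the page's definition of an application attack surface (unrestricted paths from endpoints to open ports): an added example that is not Guardicore's report logic. It compares a flat network, where every endpoint can reach every open port, with an allow-list built from the flows the application actually uses, and lists open ports no flow needs. Hostnames, ports and the netstat-style flow records are constructed assumptions.

```python
"""Quantify an application's attack surface from netstat-style data.

Added example, not Guardicore's code. Inputs are constructed: the listening
ports per application server (what netstat -lnt would show) and observed
established connections (client, server, port) from netstat -nt.
"""
from collections import defaultdict

# Constructed: open listening ports on each server of the application under review.
LISTENING = {
    "bank-web-1": {443, 22, 3389},
    "bank-app-1": {8443, 22, 3389},
    "bank-db-1": {1433, 22, 3389},
}

# Constructed: observed connections into and around the application.
OBSERVED_FLOWS = [
    ("lb-1", "bank-web-1", 443),
    ("bank-web-1", "bank-app-1", 8443),
    ("bank-app-1", "bank-db-1", 1433),
    ("billing-1", "bank-app-1", 8443),
    ("swift-gw-1", "bank-app-1", 8443),
    ("jump-1", "bank-db-1", 22),
    ("ws-7", "file-share-1", 445),   # not an application server: ignored
    ("ws-3", "bank-web-1", 8080),    # port is not open on that server: ignored
]

# Constructed: every endpoint that can reach the application on a flat network,
# including hosts with no business relationship to it.
ALL_ENDPOINTS = frozenset({
    "lb-1", "bank-web-1", "bank-app-1", "bank-db-1", "billing-1",
    "swift-gw-1", "jump-1", "ws-3", "ws-7", "iot-cam-1",
})


def flat_attack_surface(listening, endpoints):
    """Paths on a flat network: every other endpoint reaches every open port."""
    paths = set()
    for server, ports in listening.items():
        for client in endpoints - {server}:
            for port in ports:
                paths.add((client, server, port))
    return paths


def allowed_paths(observed, listening):
    """Allow-list derived from observed business flows into the application.
    Flows to hosts outside the application, or to ports the server does not
    actually expose, are dropped."""
    return {
        (client, server, port)
        for client, server, port in observed
        if server in listening and port in listening[server]
    }


def unused_open_ports(observed, listening):
    """Open ports on application servers that no observed flow uses:
    candidates to close before the policy is even written."""
    used = defaultdict(set)
    for _, server, port in allowed_paths(observed, listening):
        used[server].add(port)
    return {s: ports - used[s] for s, ports in listening.items() if ports - used[s]}


def risk_reduction(before, after):
    """Percentage of attack-surface paths removed by the allow-list policy."""
    if not before:
        return 0.0
    return round(100.0 * (len(before) - len(after)) / len(before), 1)


def report(listening=LISTENING, observed=OBSERVED_FLOWS, endpoints=ALL_ENDPOINTS):
    """Summary figures for the application: flat vs segmented path counts."""
    before = flat_attack_surface(listening, endpoints)
    after = allowed_paths(observed, listening)
    return {
        "flat_paths": len(before),
        "segmented_paths": len(after),
        "reduction_pct": risk_reduction(before, after),
        "unused_open_ports": unused_open_ports(observed, listening),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```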

How do I get a personalized report analyzing my business applications’ risk reduction potential?

Ready to try the Risk Reduction Assessment Report out for yourself? Sign up today to find out how much you can reduce your attack surface using Guardicore’s software-based segmentation solution.

How does Guardicore Centra help reduce the accessibility of the attack surface?

Guardicore Centra’s software-based segmentation enables enterprises to reap the benefits of risk reduction while supporting agile DevOps and rapid application deployment. The solution delivers optimal security at a faster speed with greater security efficacy.

Guardicore’s micro-segmentation is performed at the workload level rather than at the infrastructure level. Therefore, it can be implemented consistently throughout a hybrid cloud infrastructure and it adapts seamlessly as environments change or workloads relocate.

Micro-segmentation lets security teams create granular policies that segment applications from one another and/or segment tiers within an application. As a result, companies can accomplish such goals as:

  • Slow or block attackers’ efforts to move laterally.
  • Create a security boundary around assets with compliance or regulatory requirements.
  • Enforce corporate security policies and best practices throughout the infrastructure.
  • Apply Zero Trust principles throughout the infrastructure, even as the business extends from the data center to one or more cloud platforms.

This focus on preventing lateral movement through in-depth governance of applications and flows reduces the available attack surface even as IT infrastructure grows and diversifies.

What can I do to kickstart my program?

Now that you understand the importance of reducing the accessibility of the attack surface, here are a few things you can do to get started:

  1. Read more about attack surface reduction: Download the paper about how to demonstrate the importance of minimizing the attack surface.
  2. Get the attack surface reduction report: Sign up for your personalized report today.
  3. Receive a Guardicore demo: See how Guardicore’s software-based segmentation solution, Guardicore Centra, can help you today.

[1] For example, by using weak points such as internet-facing servers and remote-desktop logins, or people unintentionally downloading malicious payloads.

Guardicore Supports The New Data Center Architecture with NVIDIA BlueField-2 DPUs

We saw the early signs about two years ago: while everyone was talking about cloud migration and moving faster to the cloud, there were enterprises that increased their investments in the on-premises data center, and they continue to do so even in this current era.

In the months since the COVID-19 pandemic first entered our lives and working from home went from a tentative reality to a necessity, organizations have been moving to the cloud faster, but many applications and workloads must still remain on premises. We write a lot about critical applications that still run on legacy Unix, old Windows operating systems, ancient Linux and other veteran operating systems that cannot be migrated to the cloud. Many may have assumed that enterprises would soon manage to migrate all workloads to the cloud, but that is not the case.

As enterprises are embracing new technologies and cloud computing microservices architectures, there’s a shift inside the data center. Not every application can be migrated, and some applications explicitly should not be moved to the cloud. Some of the reasons are clear: there’s more need for speed, higher throughput, and lower latency. Some aspects are less visible: like how containers and container operating systems are installed and deployed, and overall cost of running highly complicated applications in the cloud. As an example, there are a growing number of instances of Kubernetes being deployed on bare-metal servers due to better performance and lower latency and reliance on hardware accelerators.

Coupled with growing requirements for AI and other machine learning workloads, these developments are leading to faster adoption of new hardware and software infrastructure like NVIDIA GPU-accelerated computing at the edge, faster connectivity, bigger pipes and, overall, faster, simpler and more agile computing.

The modern application runs inside the data center and within the edge. It has extensions to the cloud and must operate as a well-defined single unit under new architecture.

While networking architects were busy redesigning the data center, the security architects realized that the firewall as we know it is no longer adequate to protect the modern data center, and new technologies are necessary to enable the required level of security and risk mitigation. There are many limitations that prevent traditional firewalls and even newer firewall-as-a-service solutions from addressing their needs.

First and most obvious, firewalls can only protect traffic that they can inspect, which mostly means North-South traffic. Now imagine that you have hundreds or more servers running at 10, 40, 100 and even 200 Gbps. How can your firewall support that amount of traffic? A top-of-rack (ToR) architecture that steers and redirects traffic is not relevant to this new design and can’t be used. Moreover, the existing policy management paradigms built for static designs are not suitable for this new architecture, which supports a dynamic and fast-changing application environment.

There are many other limitations, each of which frankly deserves a blog of its own. But in the interim, we all should accept the fact that some aspects of the firewall market and some of its current deployment scenarios are about to change dramatically. The winds of change have begun to blow.

In contrast, software-defined segmentation allows companies to apply workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. It is extremely effective at detecting and blocking lateral movement in data center, cloud, and hybrid-cloud environments.

And then DPUs and SmartNICs were invented.

Data processing units (or DPUs) are changing how and where data center security is performed. DPU-based SmartNICs fuel the new architectural redesign. It started with hyperscalers, large service providers and tier-1 cloud service providers (CSPs) that discovered the benefits of having a managed device that can free up expensive CPU cycles. They all like how SmartNICs provide added-value services beyond core networking functionality. As a reminder, here are some of their capabilities:

  • Offloading network functions
  • Providing security-related processing
  • TCP offloading to dedicated engines that free up CPU cores
  • Improving networking performance
  • Providing cryptography capabilities like faster encryption

And there are even more security services like workload isolation, secure boot and protecting customers’ workloads from other tenants.

Partnering with NVIDIA, Guardicore pioneered the concept of using SmartNICs for micro-segmentation to enable the best of both worlds: accelerating performance and functionality while providing secure segmentation capabilities for the new data center.

Using Guardicore with NVIDIA BlueField-2 DPU will allow enterprise customers to embrace the new and cover the old with software-defined segmentation for hardware, providing a faster, more granular way for enterprises to protect their critical assets. Projects that in the past may have spanned many years can now be done in a matter of a few weeks with this new approach, quickly reducing risk and validating compliance.

Guardicore is working with NVIDIA to provide a solution that, just like your DevOps practices, is decoupled from any particular infrastructure, and is both automatable and auto-scalable. On top of this, it provides equal visibility and control across the board in a granular way, so that speed and innovation can thrive, with security an equal partner in the triangle of success.

We are also working with NVIDIA on new BlueField-2 DPU integrations to support the new data center architecture. With this integration, we enable enterprise customers to accelerate their applications, innovate faster and deliver competitive solutions to the market.

NSPM and Simplified Security and Governance for Hybrid Clouds – What does the Guardicore and AlgoSec Integration Mean for You?

Getting the most out of your network firewalls has never been a simple task for enterprise environments. As organizations increasingly move to the cloud and operations become more dynamic and complex, the requirements, and the stakes, are rising.

Over the years, I’ve seen improper management of firewalls open organizations up to various types of risk as a result of employee error and oversight. This can have varying consequences, from large-scale data breaches, to fines and penalties due to non-compliance. What do Network Security Policy Management (NSPM) vendors do to help, and is this technology enough on its own?


Why do Companies Need Network Security Policy Management (NSPM)?

Inconsistent or inaccurate firewall policies impact the functionality of business applications, cause compliance gaps, and make an organization vulnerable to cyber attacks.

In response to these fears, Network Security Policy Management companies such as AlgoSec, one of the early pioneers of this category, were born. I have had many chances to work with AlgoSec and their team over the last 15 years and it is amazing to see how the product, and actually the market that they have created, is adapting as the IT landscape changes. More recently however, the rise in internal traffic moving East-West inside the data center has created a need for something more. Let’s look at what this means in practice.

Amplifying Firewall Complexity in the Hybrid Cloud, Data Center and Edge

When implemented well, NSPM provides visibility over complex traffic and communication, adds sophisticated automation capabilities for network firewall policies that are spread over multiple devices or locations, and eases compliance with various regulatory requirements for specific industry needs. Tight governance over your perimeter firewall keeps North-South attacks that move in and out of the data center at bay. But in a hybrid data center, traditional perimeter firewalls do nothing to address the risk from East-West traffic inside it.

In a hybrid cloud data center, visibility and control become more of a struggle than ever. Some of the reasons include:

  • Different environments to consider, from on-premises to public or private clouds, each with evolving requirements.
  • The majority of traffic moving East-West, because of third-party vendors, employee devices, and increased exposure via the public cloud.
  • DevOps teams pushing for faster innovation and the deployment of new features via rapid application development.

The more complexity, the more risk, so the hybrid cloud ecosystem needs to be secure from the earliest possible stages.

Dedicated micro-segmentation solutions like Guardicore have risen to this challenge. With a smart segmentation solution, your organization can create access policies inside hybrid enterprise environments that leverage a zero-trust model. Enterprises tend to start with projects that bring quick time to value, such as ring fencing critical applications that hold the most sensitive data or systems.

As a smart, software-based segmentation vendor, we provide new and essential firewall capabilities, dynamic and flexible enough to meet any use case or scale. Of course, the perimeter firewall is still necessary, and needs concurrent and tight governance and control. Therefore, the best segmentation solutions that address hybrid cloud complexity will integrate seamlessly with best-of-breed NSPM solutions.

Simplifying Complexity with a Two-step Integration

According to Gartner, “Despite there being multiple network security vendors with centralized managers, network security teams are struggling to manage these multiple and multi-vendor policies and to have complete visibility across different environments. Maintaining continuous compliance is becoming a bigger challenge.”

A challenge that, here at Guardicore, we’re happy to meet. Guardicore Centra integrates easily with AlgoSec to make it simpler to manage governance and firewall rulesets across a hybrid enterprise environment. Guardicore customers can continue to use their existing perimeter firewalls for North-South traffic alongside Centra’s precise labeling and segmentation policies for managing and controlling all communications that move East-West.

The AlgoSec Policy Exporter integration with Guardicore can be used to export all labels and files from Guardicore Centra, converting them into two easy to manage CSV files, one for endpoint machines and another for rules. The security team now has these policies and labeling rules to forward to any other managed devices within the data center, consolidating existing policies and governance. This integration also provides your enterprise with full visibility of dynamic policies across the data center, even in hybrid environments.

No Firewall Left Behind: Adding Visibility and Control Across a Hybrid Ecosystem

Internal firewall management and control are essential in today’s hybrid cloud data centers, but they don’t negate the need for existing traditional perimeter firewalls. Managing this complex arrangement are NSPM industry leaders such as AlgoSec that can seamlessly visualize, automate and organize policies from multiple firewall vendors across the data center.

By using AlgoSec with Guardicore Centra, our customers have access to the simplest and strongest segmentation choice when managing East-West traffic without adding complexity to firewall management overall.


How to Prove the Savings of Software-Based Segmentation vs Legacy Firewalls

Many companies have discovered to their dismay that using firewalls to segment their networks is a complex, ineffective, and expensive process – especially when it comes to a hybrid cloud environment. In addition to the burdensome upfront cost of firewalls and hardware, there are the heavy downstream costs of project management, labor, maintenance, and prolonged asset exposure due to lengthy implementation times.

Guardicore Centra’s software-based segmentation enables enterprises to avoid those issues. Instead, organizations can reap the benefits of agile DevOps, rapid application deployment, and the cloud, delivering optimal security at a far lower total cost of ownership than traditional methods. Yet how can you prove the savings of software-based segmentation – before you make the switch?

Evaluating the full cost of technology and people is essential when making important, effective decisions. This is particularly true with impactful projects like segmentation, which have long-lasting impact. That’s why we developed the Guardicore Firewall Cost Savings Calculator. The calculator lets you compare legacy firewall segmentation with software-based segmentation and gain a comprehensive understanding of where the time and cost savings come from, using data that’s relevant to your own environment.

Why is segmentation so hard with legacy firewalls?

Let’s take a moment to understand why segmentation is difficult and pricey with traditional firewalls. Among the reasons for the high costs and challenges are the facts that:

  • There is little visibility with traditional firewalls. As a result, segment boundary identification can take many months.
  • Segmentation with legacy firewall appliances requires network changes (VLANs) and application changes that involve tremendous effort and costly downtime.
  • Applications are dynamic and change fast, and traditional firewalls simply do not have the flexibility to accommodate those kinds of agile changes.

Luckily, software-based segmentation provides a significantly more cost-effective and efficient alternative.

HoneyBaked Ham simplifies segmentation and controls access to critical applications

With Guardicore Centra, the HoneyBaked Ham company:
– Reduced upfront costs by 50%
– Secured 45 applications in six weeks
– Reduced total project cost by 85%

Guardicore makes segmentation more efficient

Guardicore’s software-based segmentation solution is independent of the underlying infrastructure. It allows simple policy management with a single pane of glass, without relying on cumbersome network appliances.

Guardicore empowers customers to accelerate segmentation projects with:

  • Full visibility for fast segment identification
  • One solution across hybrid environments
  • No networking or application changes required
  • No application downtime required
  • Smooth integration into DevOps lifecycle with REST API

Wondering how that translates into hard data? That’s where the Firewall Cost Savings Calculator comes into play.

The Guardicore Firewall Cost Savings Calculator

The Guardicore Firewall Cost Savings Calculator was developed to quickly and easily demonstrate the extent of the savings businesses can get from using Guardicore’s software-based segmentation compared with a legacy firewall solution.

To use it, all you need to do is answer four simple questions:

  • How many unique segments are required in your environment?
  • On average, how many physical servers or virtual machines will be included in each segment?
  • To how many different locations do you expect to deploy your application?
  • Who is your firewall vendor?

Once the fields for these questions have been filled out, the calculator will automatically display the resulting savings. For a detailed breakdown of how the results were calculated, you can also read the white paper or, for a more personalized breakdown of savings you can gain in your business’ unique environment, request an individual analysis.

As one customer discovered:

“With Guardicore, we were not only able to secure 45 applications without interruption in just six weeks, we also got a more agile, cost-effective, and secure solution than our legacy firewall provider.”

~ David E. Stennett, Sr. Infrastructure Engineer, the HoneyBaked Ham Company

With Guardicore Centra, segmentation takes a mere 16 days, as opposed to 14-22 weeks with legacy firewalls.

See the savings from software-based segmentation

Ready to be amazed? Try the Guardicore Firewall Cost Savings Calculator for yourself and discover the time and cost savings your company could be getting by switching from traditional firewalls to software-based segmentation.