How to Apply User Identity Access Management with Zero Trust

According to the 2019 State of the Internet report, hackers made 30 billion attempts to attack businesses via successfully stolen credentials in 2018. Up to 2% of these attempts were successful. From just one entry point, the attackers were then able to make movements across an enterprise network, achieve fraudulent transactions, or take advantage of the business with malicious intent.

Learn More About User Identity Access Management

Once your organization has shored up its outer walls, and segmented the core applications that are business-critical, your people are your last line of defense. However, this doesn’t make this part of your security arsenal any less essential. As the Zero Trust eXtended framework says, “Most breaches are ultimately an inside job.” You don’t need an angry employee with an axe to grind, all you need is one instance of credential theft, and a flat network that’s easy to leverage for lateral movement within your data center.

Preventing Inside and Outside Attacks with the Zero Trust Model

A strong Zero Trust security strategy will include strict enforcement of user access, as well as authentication and monitoring of user behavior and movements, both within the data center and as users connect to the web. Governance of each user’s access and their privileges means that even if the worst happens and their credentials are successfully stolen, there is no way for an attacker to escalate this breach, or to make movements outside of what that specific user is entitled to access.

Think about an HR employee for example. An individual working in the HR team will need access to all the data and applications that are relevant to their role, and might also need permissions to certain financial systems for payroll, or applications that handle candidate information for on-boarding. However, they do not need extended access to anything outside of this, including other financial applications outside of their own purview, or further sensitive data connected to current employees such as medical information. In the same way as your workloads are isolated using micro-perimeters, your user access can follow suit, allowing each employee to access just what they need, and nothing further.

Here are 6 Features of a Strong User Identity Solution Based on Zero Trust

Following the Forrester guidelines for a Zero Trust model, here’s how your security solution can check all the boxes for identity and access management, and achieve this high level of granularity and control. Whichever features you opt for, make sure that your solution can work seamlessly across any platform or infrastructure, and takes immediate effect on both active and new sessions of user activity. Without these two cornerstones, you’re starting from a place of blind spots and security gaps. With them, you’re well placed for success from the start.

  • Isolate user interactions: Using an Active Directory User Group, intelligent micro-segmentation can isolate user access exactly the way we described above, giving specific users access to certain servers and applications via specific ports and processes. This access control can be enforced between workloads in the same segment of the network, and even allows for simultaneous connections from the same server/Jumpbox.
  • Third party access management: User groups can support enforcing specific policies for each third-party connection, strengthening security where it’s weakest, while allowing the benefits of third-party integrations and partnerships. Define policies for the data center at large, as well as individual applications and workloads, providing access to just what each user needs – and no more.
  • Privileged identity management: Especially when it comes to administrative usage, this is an essential area for credential security. Admin/root access passwords are often left unchanged, and can be an open door for attackers to gain a foothold. When testing your network for weaknesses, it’s important to look at propagating using root passwords, as well as where attackers could move laterally from the initial breach.
  • Two-factor authentication: 2FA has become a baseline, heavily reducing the risk of credential compromise. If it isn’t already in place in your organization – it should be. If your managers worry that people will feel slowed down by this essential security tool, remind them of ordinary 2FA tasks that we all consider the norm, such as taking money out of an ATM with a bank card and a pin number. Soon, 2FA will be this equivalent for the workplace.
  • Web security: Phishing scams are becoming increasingly sophisticated and manipulative, and you can’t always rely on employee education to help users spot attacks ahead of time. Strong security solutions will include web security gateways that block user access ahead of time to any malicious websites.
  • User behavior analytics: You can learn a lot about the way your employees act from monitoring ‘business as usual,’ which can then help to build policy that learns from your real employees, and can alert you to anomalous actions. This could be anything from a login at an unusual time of day, to credential use when an employee should be on vacation.

Following the Zero Trust eXtended pillars is best-practice for protecting your network and its users from external and internal threats. This includes a Zero Trust model for more than just networks, applications and data alone. User Identity Access Management is a key part of your Zero Trust strategy, managing individual user access, simultaneous connections, and third-party access management. When done right, this can all be achieved from the same core technology that handles your application segmentation. This lessens the learning curve and streamlines your overall security posture with a truly holistic approach to Zero Trust.

Learn More About User Identity Access Management

Are You up to Date with the Latest Guardicore Cyber Security Ecosystem News?

2019 was an incredible year of growth and innovation for Guardicore and the world-class technology ecosystem that passionately supports it. The future for software-defined cloud and data center security transformation looks more attainable than ever. A growing number of technology vendors, both large and small, now work with us to deliver joint solutions to solve some of the biggest cyber security pain points of today’s enterprise customers.

We are honored to have some of the world’s most well-known companies as our customers, and to work together with them to secure their most critical assets as part of their digital transformation strategy. These customers build, run and manage an integrated set of applications and services to deliver a unique experience for their own internal and external customers in turn. Guardicore, alongside our technology alliance partners provides a pragmatic enterprise-ready solution that allows our customers to embrace a complex and innovative hybrid cloud environment, both culturally and through technology. As we continue to evolve in this new year, I wanted to mention and highlight a few updates.

Cloud Updates:

Guardicore is now available on the Microsoft Azure marketplace as a preferred solution after earning an IP co-sell status. Customers worldwide can now gain access to the Guardicore Centra security platform directly from the Azure marketplace.

Guardicore was selected to join the AWS’ Outpost announcement. Outposts are developed, installed and deployed by AWS on customer premises and managed as if they are part of the cloud. Read more about it in our recent blog.

Don’t miss the recent AWS and Guardicore Webinar featuring our own Dave Klein and Moe Alhassan, Partner Solutions Architect at AWS, on securing and monitoring critical assets and applications on AWS.

Native Cloud Orchestration Updates:

Guardicore now provides out-of-the-box native integration with all large Cloud Service Providers: Amazon Web Services, Microsoft Azure, Google Cloud Platform and Oracle Cloud Infrastructure. This is in addition to VMware and OpenStack integration and support for other orchestration services via built-in RESTful API. This allows our customers to truly embrace and use a hybrid cloud infrastructure, allowing them to migrate from on-premises data centers to any cloud or clouds choosing the right technology that meet their needs, whether that’s hosted servers, IaaS, PaaS or hybrid.

New Eco-system Product Certifications:

We are happy to announce that the Splunk application for Guardicore has passed the Splunk certification process. The application and the add on are now available directly from Splunkbase. Guardicore integration is available for version 7.3 and above, including the newly released Splunk version 8.x

Guardicore Centra is now listed in the SUSE catalogue which you can find here, and is a proud member of the SolidDriver program. It is also available in the IBM Global Solution Directory.

Identity Management Updates

Guardicore completed an integration as well as product certifications with Privileged Access Management solution provider CyberArk (Centra Privileged Session Management plugin available from the CyberArk marketplace) and identity providers Okta, Duo, Ping Identity, Ilex International, and Redhat SSO using SAML and Active Directory Integration. To learn more about using Guardicore Centra with CyberArk read our blog on the integration.

On-premises Virtual Desktops and Desktop-as-a-Service

Guardicore Centra is validated as Citrix ready for Citrix Virtual Apps and Desktops and is listed in the Citrix Ready Marketplace. You can read more about it in this blog. In addition, we have shared information on how Centra can be used to segment users on Amazon Workspaces (DaaS).

We’re also excited about the future innovation that will be announced and demonstrated later this year. As our technology partners continue to work with us to deliver integrated solutions, you can expect more exciting announcements. Stay tuned and keep up with our blog for the most up-to-date information.

Want to learn more about how Guardicore micro-segmentation can help you protect AWS workloads? Download our white paper on supplementing cloud security and going beyond the shared security model.

Read More

When Firewalls & Traditional Segmentation Fail, What’s the Next Big Thing?

Ask many of today’s enterprise businesses what the most important factors are to remain competitive in their industry, and you’re likely to get an answer that includes both speed and innovation. There’s always another competitor snapping at your heels, and there aren’t enough hours in the day to get down your to-do lists. The faster you can go live with new features and updates, the better.

For many, this comes at a severely high price – security. If speed and innovation are the top items on the agenda, how can you balance this with keeping your sensitive information or critical assets safe? Of course, pushing security onto the back burner is never a solution, as increased risk, compliance and internal governance mandates will continually remind us.

A fellow cybersecurity evangelist Tricia Howard and I discussed this conundrum a while back. She came up with a terrific visual representation of this dilemma which can be seen in the Penrose Triangle, below. This diagram, also known as the ‘impossible triangle’ is an optical illusion. In this drawing, the two bottom points, speed and innovation, make the top point, security, seem like it’s further away – but it’s not.

penrose triangle

Penrose “Impossible” Triangle. Used in an analogy to modern IT challenges as proposed by cyber evangelist Tricia Howard.

First, let’s look at how organizations are achieving the speed and innovation corners of this triangle, and then we can see why securing our IT environments has become more of a challenge while still an ACHIEVABLE one.

Understanding the Cloud and DevOps Best Practices

There are two key elements to the DevOps process as we know it today. The first one is simplifying management by decoupling it from underlying platforms. Instead of managing each system/platform separately, DevOps and Cloud best practices seek solutions that provide an abstraction layer. Using this layer, enterprises can work across all systems, from legacy to future-focused, without impediment. It’s streamlining that has become essential in today’s enterprises which have everything from legacy, end of life operating systems and platforms, to modern virtualized environments, clouds and containers.

Secondly, DevOps and Cloud best practices utilize automated provisioning, management and autoscaling of workloads, allowing them to work faster and smarter. These are implemented through playbooks, scripts like Chef, Puppet and Ansible to name a few.

Sounds Great, but not for Traditional Segmentation Tools

These new best practices allow enterprises to push out new features quickly, remain competitive, and act at the speed of today’s fast-paced world. However, securing these by traditional security methods is all but impossible.

Historically, organizations would use firewalls, VLANs and ACLs for on-premises systems, and then virtualized firewalls and Security Groups in their cloud environments. Without an established external perimeter, with so many advanced cyberattacks, and with dynamic change happening all the time, these have now become yesterday’s solution. Here are just some of the problems:

  • Complex to manage: Having multiple systems just isn’t realistic. Using Firewalls, VLANs and ACLs on-premises and security groups in the cloud for example means that you have multiple systems to manage, which add to management complexity, are resource intensive and do not provide the seamless visibility required. The rule-sets vary, and can even contradict one another, and you don’t know if you have gaps that could leave you open to unnecessary risk.
  • Increased maintenance: Changes for these systems need to be carried out manually, and nothing less than automation is enough for today’s complex IT environments. You may have tens of thousands of servers or communication flows to handle, and it’s impossible to do this with the human touch.
  • Low visibility: For strong security, your business needs to be able to see down to process level, include user/identity and domain name information across all systems and assets. With a lack of basic visibility, your IT teams cannot understand application and user workflows or behavior. Any simple change could cause an outage or a problem that slows down business as usual.
  • Platform-specific: For example, VLANs do not work on the cloud, or Security Groups won’t help on-premises. To ensure you have wide coverage, you need a security solution that can visualize and control everything, from the most legacy infrastructure or bare metal servers all the way through to clouds, containers and serverless computing.
  • Coarse controls: The most common traditional segmentation tools are port and IP-based, despite today’s attackers going after processes, users or workloads for their attacks. Firewalls are innately perimeter controls, so cannot be placed between most traffic points. While companies attempt to fix this by re-engineering traffic flows, this is a huge effort that can become a serious bottleneck.

Introducing Software-Defined Segmentation: An Approach That Works with DevOps From the Start

With these challenges in mind, there are security solutions that take advantage of DevOps and cloud best practices, and allow us to build an abstraction layer that simplifies visibility and control across our environment in a seamless, streamlined fashion. One that allows us to take advantage of DevOps and cloud automation to gain speed as well.

Software-defined segmentation is built to address the challenges of traditional tools for the hybrid cloud and modern data center from the start. Just like with cloud or DevOps processes, the visibility and policy management is decoupled from the underlying platforms, working on an abstraction layer across all environments and operating systems. On one unique platform, organizations can gain deep visibility and control over their entire IT ecosystem, from legacy systems through to the most future-focused technology. The insight you receive is far more granular than with any traditional segmentation tools, allowing you to see at a glance the dependencies among applications, users, and workloads, making it simple to define and enforce the right policy for your business needs. These policies can be enforced by process, user identity, and FQDN, rather than relying on port and IP that will do little to thwart today’s advanced threats.

Software-defined segmentation follows the DevOps mindset in more ways than one. It incorporates the same techniques for efficiency, innovation and speed, such as automated provisioning, management, and autoscaling. Developers can continue to embrace a ‘done once, done right’ attitude, using playbooks and scripts such as Chef, Puppet and Ansible to speed up the process from end to end, and automate faster, rather than rely on manual moves, changes, adds or deletes.

Embrace the New, but Cover the Old

Software-defined segmentation is a new age for cybersecurity, providing a faster, more granular way for enterprises to protect their critical assets. Projects that in the past may have spanned many years can now be done in a matter of a few weeks with this new approach, quickly reducing risk and validating compliance.

If your segmentation solution is stuck in the past, you’re leaving yourself open to risk, making it far easier for hackers to launch an attack, and you’re unlikely to be living up to the necessary compliance mandates for your industry.

Instead, think about a new approach that, just like your DevOps practices, is decoupled from any particular infrastructure, and is both automatable and auto-scalable. On top of this, make sure that it provides equal visibility and control across the board in a granular way, so that speed and innovation can thrive, with security an equal partner in the triangle of success.

Securing modern data centers and clouds needs a whole new approach to segmentation. To learn more about it, check out our white paper.

Download now

What’s New in Guardicore Centra Release 31

With release 31 we’re continuing to expand our firewall capabilities while making it even simpler for you to build and enforce a segmentation policy.

We’re doing this with features such as identity and FQDN policies. With Identity-based policies, security administrators can set granular, per-user access policies to applications. Domain name (FQDN) rules allow you to set policies based on the target domain name and save time and hassle on typing lists of ever-changing IP addresses. We’ve also integrated a first of its kind Threat Intelligence Firewall that automatically feeds into Centra daily updated blacklists of known bad actors to create rules that alert and block these communications.

In this release we are also shipping many customer requested features that were evaluated on the merit of improving operational efficiency, reducing policy creation time and taking Guardicore usability to higher levels.

Here are some of the highlights of the version:

User-based Rules

One key feature introduced in v31 is user-based rules. With this new firewall capability, customers can create rules based on Active Directory user groups to provide granular per-user access to applications. This allows you to control user access to data center and cloud resources. By linking your Active Directory to Centra, Centra is able to retrieve user information. Based on user membership in those Active Directory security groups, we allow users different access to different resources. This way you can make sure that users only access what they are entitled to. For example, this can help allow just the Billing users in your environment to access Billing resources and just the HR users to access their HR resources. No additional infrastructure is required.

FQDN Rules

You can now create policies that allow access to a specific domain by its domain name rather than its IP addresses. For example, when you want to allow a server to access windowsupdate.com, instead of typing its IP or its IP lists, you can simply refer to it by its domain name. For example, when you want to allow a server to only access github.com, instead of typing its IP or its IP derivatives (dev.github.com, community.github.com, etc.) you can simply refer to it by its domain name – github.com or *.github.com. Select *.github.com to support wildcards. The ability to type a domain name saves the time and hassle of collecting all the possible IPs and keeping track of their validity.

Threat Intelligence Firewall

Guardicore is offering a threat intelligence-based firewall to Centra SaaS users. This feature uses Guardicore’s threat intelligence sensors, distributed across major cloud providers worldwide, to create blacklists of verified malicious IP addresses. Updated daily, these IP blacklists are automatically fed into Centra to create rules to alert and block communications via malicious IP labels: top attackers, top scanners, and top CnC. To get this feature, contact Guardicore Customer Success at support@guardicore.com.

Extended support for legacy systems

Since most of our customer environments include end of life Unix, Windows and Linux that can no longer be patched and therefore pose a risk to the organization, Guardicore has expanded its operating system coverage for those legacy systems and applications. With version 31, the Guardicore Agent supports more legacy operating systems such as Redhat, Oracle and Centos 5, and has also extended its support to AIX which is a proprietary UNIX operating system commonly used by enterprise customers. Now we have the ability to extend our policy coverage to these OSes and reduce the risk they may pose.

While we listed the features that seem to be the most important, there are many more enhancements. Fthe full list of enhancements and capabilities, see the release notes that can be accessed from our customer portal.

Virtual Desktop Infrastructure (VDI) Can be Used Safely

Show me an industry that isn’t increasing its usage of Desktop Virtualization (DV) and I’ll show you an industry that doesn’t exist. While different DV technologies are available, Virtual Desktop Infrastructure and Desktop-as-a-service are the clear choice, DaaS is essentially VDI hosted in the cloud. With VDI one deploys virtual desktops in her own on-premises data centers while DaaS takes the In-house IT burden and responsibilities to the cloud.

Learn More About User Identity Access Management

From Education and Healthcare, to Financial institutions and Governmental agencies, Remote application and DaaS is growing year on year. In fact, industry experts Gartner predict that by 2023 the combined number of on premises VDI users and cloud DaaS will grow by more than 50%.

Organizations are using different types of remote desktop technologies and solutions for a number of key reasons, including operational efficiency, improving their end-point compliance and remote access opportunities, enjoying the centralized management and security backups, as well as the end-user support supplied by market leaders such as Citrix. Newer deployment models provide a popular way to streamline costs, with no need to purchase software licenses, or individual workstations, items that can quickly add up. But what about keeping your data and applications secure? How does security measure up in a VDI environment?

What is the Risk of Using a Shared Infrastructure?

Traditional data centers allow for servers to be monitored for signs of threat, and isolated where necessary. However, in a VDI environment, you’ll often find that all servers and applications are on the same infrastructure, even end-user applications and those which need more security and control. Desktops are likely to be shared among a large number of users, perhaps only a step away from critical assets, applications, and data. As all of this takes place inside the data center, you’re not covered by traditional security solutions such as perimeter firewalls that only protect the entrance to your network.

An added element to consider is traffic inspection. Most end-user application traffic is encrypted using SSL or TLS, and compliance mandates require a high level of data privacy. At the same time, for security you need to have insight into traffic and communications.

For many organizations, these risks of VDI are too great. If just one VDI machine is compromised, the attacker can make movements elsewhere within the data center, and may well go undetected because of the complex environment.

Step 1: Apply User Identity Access Management

Two powerful technologies can be used together to allow enterprise organizations to leverage VDI without worrying about security concerns. First, let’s look at User Identity Access Management.

This solution often comes hand in hand with a Zero Trust model, as the idea is that any user can only access what they need for their role or activity, and no more. Rather than simply rely on initial authentication, smart User Identity Access Management allows you to create policy based on the identity of the user that is logged in, even when multiple users are connected to the same system at the same time.

Identities can be pulled from the Active Directory, and policy will control both new sessions, and ones that are currently active. Even before a user has logged into an application, protection is in place.

active directory app protection

Step 2: Combine with Application Segmentation

A micro-segmentation solution with granularity can create control over even the most complex environment, helping you to build out your infrastructure in a secure way that gives you peace of mind when using VDI, even defining policy based on a process, label, or other asset information.

For example, using application segmentation, you can ensure that all applications and users within the VDI environment are segmented away from specific business-critical or sensitive applications in the wider data center. You can also ring-fence the VDI environment so that no attackers can achieve lateral movement elsewhere, even in case of a breach.

application segmentation and VDI

Together, you now have a powerful, unbeatable solution. First, your user is limited to only the applications and servers they are allowed to access as mandated by your User Identity Access Management policy. Secondly, each user cannot move outside of their relevant environment, an added layer of defense, without added reliance on any specific network or location.

Reducing Complexity with Visibility

Still in fear of attacker dwell time? Make sure that your security solution comes with real-time visibility into all of your active VDI sessions and their connections. You should be able to see:

    • What specific users are doing, with identification
    • Which processes are currently running and for what purposes
    • How and where the processes are communicating
    • The exact flows that are being generated
    • Which specific applications are being used, and by whom

Another Zero Trust model mandate is to ‘Assume Access’. In this situation, when the assumed breach occurs, your IT team has accurate visibility into the source of the attack, and can see in seconds, (and without any physical or virtual taps) any lateral movement attempts from the original VDI environment to the main data center.

Lose the Fear of a VDI Environment

First, restrict the access from your VDI environment. Secondly, block access by user identity. In two steps, you’re done.

Guardicore Centra makes it simple to say yes to the benefits of a VDI environment. It integrates with Citrix Virtual Apps and Desktops, and Active Directory to reduce the attack surface and improve visibility, even when considering the complex security reality of Virtual Desktop Infrastructure.

Learn More About User Identity Access Management

3 Reasons to Deploy User Identity Access Management

Segmenting critical applications is nothing new. We’ve long since established the benefits of isolating sensitive data or essential assets in the enterprise data center, preventing potential breaches from escalating, and stopping lateral movement in its tracks. User Identity Access Management is the next essential layer of control, establishing with fine-grained policy exactly which users can access various applications in the first place, and how.

Learn More About User Identity Access Management

Here are Our Top 3 Use Cases for User Identity Access Management

1. The Need to Control User Access Anywhere

Many enterprises networks currently have broad permissions to business-critical systems, dangerously coarse controls that can be taken advantage of by attackers, or even manipulated with the help of human error. Not only is this bad practice for any enterprise security posture, but it also makes it increasingly difficult for organizations to remain compliant with the latest regulatory mandates.

In contrast, strong user access management policies allow specific users to be either given access or denied entry, with granular options such as permissions over specific servers, ports and processes.

Even in cases where your organization started out with a network design that allowed all users equal access, user access can be segmented to only the applications, servers and processes to which each individual user or group is entitled. Not only will your organization keep the infrastructure of a single data center, there will be no physical changes, downtime, or additional overhead as there would be with network segmentation projects, and you will be massively simplifying the road to compliance. Take PCI-DSS for example. With strong access management, you can ensure that only those users who are allowed to view cardholder data can physically access your CDE (Cardholder Data Environment).

Just as Guardicore Centra’s segmentation follows the workload rather than any particular underlying infrastructure, our User Identity Access Management follows the individual user, enforcing user governance across any environment, from legacy and bare-metal, physical desktops and laptops, to VDI, desktop as a service (DaaS) and hybrid cloud platforms.

follow the user with identity access management

2. The Need to Manage Multiple Users Simultaneously

Think about users who are connected to the same servers at the same time, but who have different access requirements. Perhaps one employee works for HR, and needs access to sensitive personnel files stored in HR management servers, while another works for the Finance team, and is working on an accounting application. They are both administrators, and are working within the same data center.

Without User Identity Access Management policies, the traditional way to secure their access would be with multiple jumpboxes, setting up one for each, with its own network connectivity. This gets expensive and complicated, fast.

A smart access management tool removes the complexity, and streamlines the route to secure user access, even for simultaneous logins to the same server. Each admin can connect from the same jumpbox, at the same time, and yet only have access to their own application, and be blocked from any applications outside of their purview.

user identity access management ame jumpbox no problem

3. The Need to Handle Third Party Admin Access

It’s more important than ever to manage access for third-party vendors and partners, who may be connected to your network through SaaS, IoT devices, or as contractors working on your own systems. Third-party access management needs to be able to seamlessly handle and define user groups based on these examples and more. Traditional solutions that are based on IP addresses are complex to manage, especially when multiple users are logging on simultaneously to the same server. By using policy creation based on user-identity rather than IP, each user group can have its own policies defined for entry, giving specific access to every group or even individual user, and blocking them from moving any further. 

As there is no centralized firewall needed, and access is controlled at the endpoint, your organization can enforce control of users between workloads, even within the same segmented section on the network. Policies take effect immediately, for both new and active sessions, allowing you to act quickly and incisively in case of a security gap. 

Solving Three Problems with One Tool

In conjunction with the benefits of application segmentation, User Identity Access is an obvious step to enhance your data center security. Not only can you keep critical assets away from an attack, you can now enforce exactly who should be accessing these applications in the first place, wherever they reside. 

Learn More About User Identity Access Management

How to Identify Accounts and Prioritize Risk for Privileged Access Management

Privileged Access Management (PAM) is understandably a high priority for today’s enterprises. The misuse of privileged accounts can allow attackers to escalate credentials and permissions across complex IT networks, finding open paths to access critical assets or steal sensitive data. This can have a dangerous impact on an enterprise’s ability to remain compliant with third-party regulations as well as internal governance mandates.

Let’s look in more detail at deploying Privileged Access Management, and how to prioritize risk for your own business needs.

Identifying your privileged accounts and credentials

In some cases, you might have hundreds of thousands of privileged credentials in your IT ecosystem, and in an increasingly connected world, this information might exist in an attack surface that’s larger than you’ve considered before.

Your first step is visibility, ensuring that you can uncover all credentials, from passwords and SSH keys to password hashes, access keys and more, and that you can do so across your entire environment, on premises, on the cloud, and across DevOps processes.

According to CyberArk, there are 7 types of accounts you need to consider, as poor hygiene or practices with any of them makes your enterprise a target for APTs and other dangerous cybercrime.

  • Emergency accounts: Access to these accounts requires IT management approval, and is only given in case of an emergency. As a manual task, it usually does not have any security measures in place.
  • Local Administrative accounts: These accounts are shared to provide admin access to the local host or session. Whenever IT staff need to perform workstation or server maintenance, or work on network devices, mainframes and other systems, these are the accounts they will use. Password hygiene may well be poor across these accounts, as IT professionals sometimes share passwords across an organization to make access easier. This is an open door for attackers.
  • Application accounts: Privileged accounts usually have access to critical applications or databases, used to access databases, run scripts, or provide access to other applications. Passwords might be embedded and stored in plain text files, copied across multiple channels and servers.
  • Active Directory or Windows domain service: Password changes for these accounts are complex, as your business will need to sync any updates across applications and infrastructure. Because of this, many businesses fail to regularly update application account passwords. If this happens in a critical system such as your Active Directory, you have created a single point of failure.
  • Service accounts: These local or domain accounts will interact directly with the operating system using an application or service. These may even have administrative privileges depending on their roles and requirements.
  • Domain Administrative accounts: These accounts have complete control over all domain controllers, and can access and make changes to all administrative accounts within the domain. The access they have extends to all workstations and servers within the organization network, and so therefore, these credentials are under regular attack from hackers, no matter the environment involved.
  • Privileged User accounts: One of the most common forms of account access granted on an enterprise domain, with these accounts users can have admin rights for their local desktops, or across a particular system. Users might choose complex or strong passwords, but this is often the only security control in place.

Identifying the risk of each kind of account will differ from enterprise to enterprise, and depend on your own digital crown jewels and most critical assets, as well as how you store and manage data, what systems hold intellectual property or other sensitive information, and where you’ve uncovered vulnerabilities in your own unique ecosystem. It’s common to start with your highest risk accounts, and then use a phased approach to build out your PAM.

What does protecting these accounts mean in practice?

Once you’ve established the accounts and credentials you want to protect, this should be approached in a number of ways. Credentials can and should be placed in a digital vault which uses multi-factor authentication for access. The best solutions will provide encrypted video monitoring of all privileged sessions, with alerts set up against suspicious activity and an easy playback option. In case of an audit or escalation,

IT admin should be able to access granular information about each session, down to single keystrokes, escalating this to the SOC or the next level where necessary. In case of a breach, automated behavior could include suspending or terminating sessions, or automatically rotating credentials to protect from further harm.

It’s also important to think about the local administrative access, even those these might seem less dangerous at a glance. Protecting these accounts is essential if you are working towards the principle of ‘least privilege’ or a Zero Trust security model. Every endpoint could be an entry point for hackers, allowing them to make lateral moves until they hit what they’re looking for, and many users have far more permissions and access than they need to do their job each day. Look for a solution with least-privilege server protection for both Windows and *NIX, allowing you to tightly manage permissions and gain insight into activity on each user. This can go a long way to remove the coarse controls and anonymity which often exists in today’s data centers. For *NIX, it also removes the risk of unmanaged SSH keys, a known exploit that can be taken advantage of to log in with root access control.

The same mentality needs to be front and center when you’re considering third-party applications and services, many of which require access to your network. These can be hard to keep track of, so a strong monitoring solution is essential. Think about best-practice hygiene for commercial off the shelf apps, such as removing hard-coded credentials and managing and rotating these privileged accounts in your digital vault.

Protect from on-premises to cloud deployments

The vast majority of today’s enterprises are working in a hybrid reality, with a network that spans on-premises and bare metal servers all the way to cloud and container systems. Any PAM solution that you deploy needs to be able to handle both, seamlessly. Managing DevOps secrets and credentials is an important part of your strategy, and that your code can retrieve the information it needs on the fly, rather than having them hardcoded into the application. This will allow you to rotate and secure these secrets and credentials the same way that you can on premises.

Another large area to consider is SaaS. These often have wide permissions, such as CRM software like Salesforce that is used by multiple teams. Privileged business users who access these applications are one click away from sensitive customer data, and the ability to move around a network far more freely than other stakeholders. Multi-factor authentication can help here, as well as isolating access to shared IDs.

Compliance and Privileged Access Management

Many of the benefits of Privileged Access Management support compliance and internal governance strategies. Firstly, you have one centralized repository for all of your audit data, reducing costs and making reporting fat easier. By enforcing privileged access automatically and monitoring this in real-time, many audit requirements are met, protecting all systems that handle information processing across a heterogeneous environment, and enforcing visibility and control over account usage.

In case of a breach, you have immediate insight into the incident, including where the breach occurred, when it happened, exactly what took place, and how to shore up defenses in the future. It’s easy to see how the right PAM solution can support compliance with a wide range of regulatory authorities, from SWIFT, and MAS-TRM, to SOX, GDPR and ISO 27001 certification.

Partnering with the best in the business

Guardicore has recently formed a partnership with market leader CyberArk, providing customers with a Privileged Session Management solution free of charge, ensuring that all Guardicore deployments meet the high security standards held by its customers. Joint customers will be able to leverage centralized control of all their privileged accounts and credentials, without duplication or sharing.

To download the Guardicore Privileged Session Management tool, head to the CyberArk Marketplace.

No System Left Behind: Why Legacy Systems Should be Part of Your Zero Trust Strategy

The rise of digital transformation dictates that businesses move faster, innovate harder and adopt new technologies to remain competitive in their industries. Many times, it means implementation of systems using the latest IT innovation and methods. While the Zero Trust model of security has risen to the challenge for the latest technologies such as cloud, microservices or container systems, it’s essential to ensure that legacy infrastructure has not been forgotten.

Identifying the legacy systems you rely on

Moving to deploy a Zero Trust model is often triggered by digital transformation, understanding that the attack surface is increasing beyond what traditional security controls can maintain and secure. While it used to be sufficient to look at traffic as it entered and exited your environment (North-South), today’s attackers can be assumed to reside inside your network already, and so control over internal traffic East-West is essential. Practically speaking, the Zero Trust model was created for the most modern and dynamic environments, where organizations come up against phishing scams, connections with IoT devices, partnerships with third-party networks and more on a daily basis. Built to secure a digitally transformed network, it’s easy for enterprises to forget about legacy systems and let business-critical applications fall by the wayside. However, unpatched (sometimes there are simply no patches for a current vulnerability for old systems) or decades-old legacy systems are exactly where gaps in security and flaws may occur, making it far easier for attackers to make that first step into your data center.

This is where visibility for Zero Trust is so important. Starting with an accurate, real-time map of your whole infrastructure will uncover the legacy systems that you need to include in your Zero Trust journey, some of which you might not even have been aware existed in the first place. In some cases, this could spur you on to modernize the system, such as updating a machine that is using an old operating system. In other cases, it’s more complex to make changes, such as legacy AIX machines that process financial transactions, or Oracle DBs that run on Solaris servers. These systems can be business-critical, and it can be years before they can be updated or modernized, if ever.

Identifying the legacy technology that you rely on is step one. The more difficult these are to update, the more likely they are to be essential to how your business runs. In which case, these are exactly the areas you need to be sure to secure in today’s high-risk cyber landscape.

Including legacy in your Zero Trust model

Make sure that you have coverage for your legacy servers with micro-segmentation policy enforcement modules. The best micro-segmentation technology can then use a flexible policy engine to help you create policy that includes legacy systems in your Zero Trust model. As a starting point, you should be able to use your map to ascertain the servers and endpoints that are running legacy applications, and how these workloads communicate and interact with other applications and business environments. Ideally, this should be granular enough to look at the process level as well as ports and IPs. This insight can help you to recognize how an attacker could use lateral movement to hurt your business the most, or access your most sensitive data and applications.

With this information in real-time, you can avoid the challenges of traditional security solutions for legacy systems in the same way that you would for the rest of your data center. After all, if you’ve acknowledged the limitations of VLANs and other insufficient security controls for your modernized systems, why would you rely on them for legacy infrastructure that is even more business-critical, or tough to secure? Network segmentation via VLANs often results in all legacy infrastructure being placed into one segment that can be easily accessed by a single well-placed attack, and firewall rules are tough to maintain between legacy VLANs and more dynamic parts of your network.

In contrast to this traditional method, a micro-segmentation vendor that is built for a heterogeneous environment takes legacy systems into consideration from the start. Rather than dropping support for legacy operating systems, hardware, servers and applications, intelligent micro-segmentation technology provides equal visibility and control across the whole stack.

Zero Trust means zero blind spots

Your legacy systems might be quietly running in the background, but the noise of the fallout in case of a breach could silence your business for good. Don’t let your pursuit of modernization allow you to forget to include legacy infrastructure in your Zero Trust model, where sensitive data and critical applications reside, and where you might well need it the most.

Want to read more about how Guardicore micro-segmentation can take you closer to adopting a Zero Trust framework? Download our white paper on getting there faster.

Read More

Guardicore Centra Integration now available on CyberArk Marketplace

We had our first integration with CyberArk in 2016. One of our very early adopters, a CISO for a large telecommunications company, realized that Guardicore Centra was becoming a critical part of his security infrastructure and decided to integrate the two products.

The CISO understood that one of the biggest security threats for his organization was the misuse of privileged accounts with elevated permissions on IT systems. He decided to use CyberArk with Guardicore in order to manage privileged accounts and protect his critical assets. Guardicore secured access to critical assets via micro-segmentation and detection capabilities, and CyberArk managed the privileged access on these systems.

Since then, we have added additional features such as identity-based policies to provide a stronger overall solution, and many other customers have benefited from these integrated capabilities.

I am happy to update you that this integration of Guardicore Centra security platform and the CyberArk Privileged Access Security Solution has recently been made available on the CyberArk Marketplace, helping our joint customers accelerate their ability to meet compliance requirements and reduce security risk without introducing additional operational complexity.

By providing the Guardicore plug-in via the CyberArk Marketplace, customers can now more easily evolve their privileged access management programs. Our integration enables CyberArk customers to protect their hybrid cloud and data center while maintaining strong privileged access controls.

As a CyberArk C3 Alliance member, Guardicore will continue to work alongside CyberArk to deliver value to shared customers through an integrated plug-in, as part of their security stack.

Privileged access is pervasive and provides attackers the “keys to the IT kingdom.”

It is widely recognized that nearly all damaging cyber-attacks involve privileged account compromise. Attackers are then able to exploit this legitimate privileged access to establish a foothold and make lateral moves across enterprise IT infrastructure. Additionally, without least privilege, internal users might abuse their access rights. By integrating the capabilities of Guardicore Centra with the CyberArk solution, customers can be better positioned to detect and stop lateral movement using both software-defined segmentation and privileged access management.

Thinking about zero trust implementation? CyberArk combines with Guardicore to take you that much closer to the adoption of the zero trust model of security.

Want to read more about how Guardicore micro-segmentation can take you closer to adopting a zero trust framework? Download our white paper on getting there faster.

Read More

Guardicore vs. VLANs. No Contest. All That’s Left is Deciding What to Do with Your Free Time

A fast-paced business world deserves security solutions that can keep up. Speed isn’t everything, but reducing complexity and time when deploying a new strategy can be the difference between success and failure. Let’s look at the process of segmenting just one business critical application via VLANs, and then compare how it works with Guardicore Centra micro-segmentation. Then you can decide how to use all that spare time wisely.

VLANs – How Long Does it Take?

If you decide to go down the VLAN route, you will need to spend around 4-6 months preparing your network and application changes. On the networking side, teams will configure switches, connect servers, and generally get the network ready for the new VLANs. On the application side, teams will build a migration strategy, starting with discovering all the relevant infrastructure, making changes to application code where necessary and preparing any pre-existing dependent applications for the change ahead of time.

After this 6-month period, you can start to build policy. It can take anywhere from 2-4 months to submit firewall change requests and have fixes and changes signed off and approved by the firewall governance teams. Meanwhile, your critical applications remain vulnerable.

Once you’re ready to move on to policy enforcement, you’ll need to spend a weekend migrating the application to the new VLAN. This includes manually reconfiguring IP addresses, applications and integration points. Don’t forget to warn your users, as there will be some application downtime that you can’t avoid. Altogether, you’ve spent up to 10 months performing this one segmentation task.

VLANs vs Guardicore

Guardicore Centra – How Long Does it Take?

Now let’s take a look at how it works when you choose smart segmentation for hybrid cloud and modern data center security with Guardicore. The preparation time is just a few days, as opposed to half a year, while Guardicore agents are deployed onto your application. This installation is simple and painless, and works with any platform. Labeling is also done during this time, integrating with your organizational inventory such as CMDB or cloud tags. Guardicore’s Reveal platform automatically discovers all traffic and flows, giving you an accurate map of your IT ecosystem, in real time, and continues to give you historical views as you proceed as well.

As policy creation is automatic, your policy suggestions can be tested immediately, and then run in ‘alert mode’ for two weeks while you tweak your policy to make sure it’s optimized to its full potential. When you’re ready to go – pick a day and switch from alert to enforce mode, with no impact on performance, and no downtime.

You’ve Just Saved 9 Months – Let’s Use It!

With security handled, and 9 months of time to kill, here are just some of the things you could achieve in your organization.

Start a Language Lunch Club

quick segmentation - start a language lunch club

90% of employees say that taking a regular lunch break helps them to feel more productive in the afternoon. Despite this, most of us often grab a quick sandwich, or don’t even manage to get up from our desks. Why not use some of your newfound company “free time” to encourage teams to eat lunch together, socializing and enjoying some much needed down-time? This time ‘off’can give colleagues a chance to get to know one another, forming new friendships, social bonds and levels of trust between your staff. If you want to try to combine this with learning a new skill and further enriching your staff (expanding their minds and improving memory and brain function), you could start a language club where your team members can learn basic skills that can support them in reaching global customers. With 180 hours to kill – that’s a whole lot of lazy, or super-productive, lunches!

Play with Lego!

quick segmentation - play with lego

Many organizations struggle with how to make team meetings more productive, especially when everyone is always so short on time. If you’re known for sharing memes like “I survived another meeting that should have been an email,” then isn’t it time you did something about it?

Lego Serious Play is one great methodology that can get staff thinking and working outside of the box. As 80% of our brain cells are connected to our hands, building and creating can unlock hidden thoughts and ideas. It’s also a fantastic way to get input from quieter team members, as it works for both introverts and extroverts, and uses visual, kinaesthetic and auditory communication. If you have some free time left over, why not try beating the world record for the tallest Lego tower, built in Tel Aviv in 2017. You’ll have to make it to 36 meters to stand a chance though!

Put more Time into Health and Wellness

quick segmentation - put time into health and wellness

With more time in the day, there’s no need to take shortcuts that adversely affect your health. Tell your employees to skip the elevator and take the stairs, or to come in slightly later and cycle instead of jumping on available public transport. If your staff take the stairs twice a day for the whole nine months of saved time – that’s 12,600 calories, or the equivalent of 50 pieces of cheesecake!

Research has shown that employees who have work wellness programs report taking 56% fewer sick days than those without. Use some of the free time you’re saving to set up 8:30am or 5:00pm wellness classes, such as yoga, mindfulness, aerobics or Zumba and give your employees more reasons to love coming to work! Activity also encourages greater focus and productivity while on the job, so consider it a triumph to flex the muscles of your body and your mind.

Do More with Your Day Job

quick segmentation - do more with your day job

Spend some time getting to know other departments in the company, sitting down with Procurement to understand recent contracts, or heading over to R&D and having that conversation you’ve been meaning to have about Intellectual Property. Nine months makes 1440 hour-long coffee meetings! Better yet, why not plan a stint to an at least semi-exotic location to visit your offshore development teams on site? Allow yourself a bit of time out of the office while getting some all-important face-time with other members of your team.

You could also use some of your extra time to visit some customers or other stakeholders in the supply chain, identifying the risks that they pose to your organization and the mitigation you could put in place. Interested in some more informal professional development? It’s the perfect time to start a training to develop or expand a new skill, or mentoring some junior employees, or think about your own career enrichment. After all, you’ve just saved nine months!

Encourage Innovation

quick segmentation - encourage innovation

Most people have heard of Google’s 20% rule, where employees are encouraged to work on side projects, new hustles, or research for 20% of their working day. But for many companies this is a huge privilege – only possible if you have enough time in the day to get all the urgent work off your desk- which we know is never the case. But now with more time to play with, literally, you can implement some enforced innovation time. With 9 months of extra time to use up, it will take four and a half years of an hour a day before your staff have used up the surplus.

Now It’s your Turn to Innovate: What Will Your Teams Do With Their Free Time?

Why not draw up a bucket list of what you could do with an extra nine months, and how it could benefit your company?

Take a look at the seven steps to operationalize micro-segmentation so you can see just how simple it would be to get started.

Read More