Posts

From On-Prem to Cloud: The Complete AWS Security Checklist

Cloud computing has redefined how organizations handle “business as usual.” In the past, organizations were responsible for deploying, maintaining, and securing all of their own systems. However, doing this properly requires resources, and some organizations simply don’t have the necessary in-house talent to accomplish it. With the cloud, it’s now possible to rent resources from a cloud service providers (CSPs) and offload the maintenance and some of the security workload to them.

Just as the cloud is different from an on-premises deployment, security in the cloud can differ from traditional best practices as well. Below, we provide an AWS security checklist that includes the most crucial steps for implementing network security best practices within a cloud environment.

AWS Security Checklist: Step-by-Step Guide

  • Get the Whole Picture. Before you can secure the cloud, you need to know what’s in the cloud. Cloud computing is designed to be easy to use, which means that even non-technical employees can create accounts and upload sensitive data to it. Amazon does what it can to help, but poorly secured cloud storage is still a major cause of data breaches. Before your security team can secure your organization’s footprint in the cloud, they first need to do the research necessary to find any unauthorized (and potentially insecure) cloud accounts containing company data.
  • Define an AWS Audit Checklist. After you have an understanding of the scope of your organization’s cloud security deployments, it’s time to apply an AWS audit checklist to them. The purpose of this checklist is to ensure that every deployment containing your organization’s sensitive data meets the minimum standards for a secure cloud deployment. There are a variety of resources available for development of your organization’s AWS audit checklist. Amazon has provided a security checklist for cloud computing, and our piece on AWS Security Best Practices provides the information that you need for a solid foundation in cloud security. Use these resources to define a baseline for a secure AWS and then apply it to all cloud resources in your organization.
  • Improve Visibility. A CSP’s “as a Service” offerings sacrifice visibility for convenience. When using a cloud service, you lose visibility into and control over the underlying infrastructure, a situation that is very different from an on-premises deployment. Your applications may be deployed over multiple cloud instances and on servers in different sites and even different regions, making it more difficult to define clear security boundaries. Guardicore Centra’s built-in dashboard can be a major asset when trying to understand the scope and layout of your cloud resources. The tool automatically discovers applications on your cloud deployment and maps the data flows between them. This data is then presented in an intuitive user interface, making it easy to understand applications that you have running in the cloud and how they interact with one another.
  • Manage Your Attack Surface. Once you have a solid understanding of your cloud deployment, the next step is working to secure it. The concept of network segmentation to minimize the impact of a breach is nothing new, but many organizations are at a loss on how to do it in the cloud.While securing all of your application’s traffic within a particular cloud infrastructure (like AWS) or securing traffic between applications and external networks is a good start, it’s simply not enough. In the cloud, it’s necessary to implement micro-segmentation, defining policies at the application level. By defining which applications are allowed to interact and the types of interactions that are permitted, it’s possible to provide the level of security necessary for applications operating in the cloud.In an attempt to ensure the security of their applications, many organizations go too far in defining security policies. In fact, according to Gartner, 70% of segmentation projects originally suffer from over-segmentation. With Guardicore Centra, the burden of defining effective policy rules no longer rests on the members of the security team. Centra’s micro-segmentation solution provides automatic policy recommendations that can be effectively applied on any cloud infrastructure, streamlining your organization’s security policy for AWS and all other cloud deployments.
  • Empower Security Through Visualization. The success of Security Information and Event Management (SIEM) solutions demonstrates the effectiveness and importance of collating security data into an easy-to-use format for the security team. Many data breaches are enabled by a lack of understanding of the protected system or an inability to effectively analyze and cross-reference alert data.Humans operate most effectively when dealing with visual data, and Centra is designed to provide your security team with the information that they need to secure your cloud deployment. Centra’s threat detection and response technology uses dynamic detection, reputation analysis, and policy-based detection to draw analysts’ attention to where it is needed most. The Guardicore incident response dashboard aggregates all necessary details regarding the attack, empowering defenders to respond rapidly and minimize the organizational impact of an attack.

Applying the AWS Security Checklist

Protecting your organization’s sensitive data and intellectual property requires going beyond the minimum when securing your organization’s cloud deployment. Built for the cloud, Guardicore Centra is designed to provide your organization with the tools it needs to secure your AWS deployment.

To find out more, contact us today or sign up for a demo of the Centra Security Platform and see its impact on your cloud security for yourself.

Rethinking Segmentation for Better Security

Cloud services and their related security challenges will continue to grow

One of the biggest shifts in the enterprise computing industry in the past decade is the migration to the cloud. As more and more organizations discover the benefits of moving their data centers to private and public cloud environments, this trend is expected to continue dominating the enterprise landscape. Gartner projects cloud services will grow exponentially from 2019 through 2022, with Infrastructure-as-a-Service (IaaS) being the fastest growing segment of the market, already showing an increase of 27.5% in 2019 compared to 2018.

So what’s the big challenge?

The added agility of cloud infrastructure comes with a trade-off, in the form of increased complexity of cyber security. Traditional security tools were designed for on premise servers and endpoints, focusing on perimeter defense to block the attacks at the entry point. But the dynamic nature of hybrid cloud services meant that perimeter defense became insufficient. When the perimeter itself is constantly shifting, as data and workloads move back and forth among public and private clouds and on premise data centers, the attack surfaces became much larger and required network segmentation to control lateral movement within the perimeter.

From the early days of clouds, segmentation became a popular concept. Traditionally, businesses were looking to divide the network into segments and enforce some sort of access control between the segments. In practice, the way it worked was that relevant servers were put into a dedicated VLAN and routed through a firewall. The higher level of segmentation meant smaller segment size, which reduced the attack surface and limited the impact of any potential breach.

Then – the rules of the game changed! Moving from one static cloud to dynamic, hybrid cloud-based data centers

Simple segmentation by firewalls used to work in the past, when the networks were comprised of relatively large static segments. However, the “rules of the game” have changed significantly in recent years. Dynamic data centers and hybrid cloud adoption have created problems that cannot be solved with legacy firewalls, and yet achieving segmentation is now more vital than ever before. The cadence of change to the infrastructure and application services is very high, accentuating the need for granular segments with an understanding of their dependencies and impacting their security policy.

Take, for example, the 2017 Equifax breach. The US House of Representatives report on this incident pointed directly to the lack of internal segmentation as one of the key gaps that allowed the breach impact to be so big, affecting 143 million consumers.

Regulation is another driver of segmentation. One of Guardicore’s customers, a global investment bank, needed to comply with a new regulation of SWIFT – which requires all SWIFT servers to be put into a separate segment and whitelist all connection allowed in and out of this segment. Using traditional methods, it took the bank 10 months and a costly labor-intensive process to complete this change, spurring them on to find smarter segmentation methods moving forward.

The examples above demonstrate how although segmentation is a known and well understood security measure, in practice organizations struggle to implement it properly in a cost-effective way.

Adapt easily to these changes and start micro-segmentation

To deal with these challenges, micro-segmentation was born. Micro-segmentation takes enterprise security to a new level and is a step further than existing network segmentation and application segmentation methods, adding visibility and policy granularity. It typically works by establishing security policies around individual or groups of applications, regardless of where they reside in the hybrid data center. These policies dictate which applications can and cannot communicate with each other.

Micro-segmentation includes the ability to fully visualize the environment and define security policies with Layer 7 process-level precision, making it highly effective at preventing lateral movement in a hybrid cloud environment.

Take the first step in preparing your enterprise for a better data security

Want to learn more? Listen to Guardicore’s CTO and Co-founder, Ariel Zeitlin, as he walks through the challenges and the solutions to better secure your data in his latest interview with the CIO Talk Network. In this podcast, Ariel discusses the new approaches to implementing segmentation, the key aspects you need to consider when comparing different vendors and technologies, and what comes ahead of the curve for security leaders in this space.

 

Want to learn more about how to first think through, then properly implement micro-segmentation? Read our white paper on operationalizing your segmentation project.

Read More

What is AWS re:Inforce?

AWS re:Inforce is a spin-off of AWS re:Invent. Why the need for a spinoff? Legend has it that the security tracks during re:Invent got so crowded that AWS decided that the security track should have a conference of its own.

AWS re:Inforce is a different kind of conference, a highly-technical conference of curated content meant for security professionals. This is a conference where knowledge runs deep and conversations go deeper, with few marketing overtures and high-level musings. Even the vendor-sponsored presentation were very technical with interesting takeaways. If your organization is invested in AWS at any level, it’s a great conference to attend. You get two condensed days of dedicated security content for the different services, architectures, and platforms offered by AWS. The content is available for multiple levels of expertise. You also get access to the top-tier AWS experts, with whom you can consult with on your different architecture dilemmas. Being that this conference turned out to be very popular, one tip I’d give next year’s attendees is to book your desired sessions as far ahead of time as you can (at least a few weeks, if possible). In conversations with colleagues, I learned that there were many who couldn’t get into all the sessions they had wanted. So I suggest you plan well for next year.

Here are some of the takeaways from the conference that I’d like to share with you:

  1. Humans don’t scale – This is not a revolutionary new thought, it’s common knowledge in the DevOps world. However the same understanding is becoming prevalent in the security industry as well. Organizations are starting to understand that as they move to the cloud, managing security for multiple dynamic environments just doesn’t scale- both from the configuration and IR perspectives. Organizations are moving away from complaining about security personnel shortage, and instead are looking to converge their multiple security platforms into 2-3 systems that provide a wide coverage of use cases and allow a high level of automation and compatibility with common DevOps practices.
  2. Security platforms converge – Organizations are transforming their IT operations to be efficient and automated. Security has to follow suit and be an enabler instead of a road block. The end goal from a CISO perspective is to achieve governance of the whole network, not just the cloud deployments or just the on-prem ones. Vendors can no longer have separate solutions for on-prem and cloud. A single unified solution is the only viable, sustainable option.
  3. Migration is hard – Migrating your workloads to the cloud is hard, migrating your security policy is even harder. Organizations moving all or some of their workloads to AWS find it very hard to keep the same level of security posture. Running a successful migration project while not compromising on security requires changing controls that do not exist any in the cloud. The existing security tools these organizations are using are not suitable or sufficient for enforcing the same security posture in the cloud.
  4. Hit F5 on your threat model – One of the main takeaways for security practitioners on AWS is to have a fresh approach to what actually needs to be secured. Make sure that as new cloud constructs and services are adopted by the organization, you actually have the right tools or policies in place to secure them. For example, solutions like AWS Control Tower (announced GA at the time of the conference), which helps you govern your AWS environment and accounts policy. When looking at the hybrid or cloud-only topologies that require a complex network model, you realize that you would need a hybrid solution to provide an overlay policy for both your cloud and on-prem assets.
  5. API is king – As our architectures and networks become more complex the ability of a human to monitor or maintain a network is becoming unrealistic. A great example is the SOAR (security automation and remediation) space. Organizations are moving away from shiny SOCs (security operation centers) with big TVs and hordes of operators. Human operators are not an effective solution over time and especially at scale. The move to automated playbooks solves both the staffing issue and the variable quality of incident handling. Each incident is handled according to a premeditated script for that scenario, with no need to reinvent the wheel. Sometimes it’s smart to allow automation to be our friend, and make our lives easier.

As CISOs need to be able to secure their entire network, and not just the cloud elements, the same concepts should apply more widely to network security. These have been the cornerstones of building Guardicore Centra, a micro-segmentation solution that works across all environments, and can complement and secure your AWS strategy. Modern infrastructures are dynamic and can change thousands of times over a span of a day. Security policies should be just as dynamic and be applied just as fast and be able to adhere to the same cadence. Guardicore enables security practitioners to integrate with APIs and move at the speed of the organization. Tools that require your security and network engineers to define security policy only through the UI and do not provide a way to script and automate policy creation are not transitioning to the cloud.

We believe that security shouldn’t be an obstacle or a cause for delay, and so one single, unified solution is a must-have. This obviously needs to work in a hybrid and multi cloud reality, without interfering with AWS best practices for it to be beneficial and not slow you down.

Want to learn more about hybrid-cloud security? Watch this video about micro-segmentation and breach detection in an increasingly complex environment.

 

Interested in cloud security for hybrid environments? Get our white paper about protecting cloud workloads with shared security models.

Read More

Guardicore Raises $60 Million; Funding Fuels Company Growth and Continued Disruption

Today I am excited to share that we have secured a Series C funding round of $60 million, bringing our total funding to more than $110 million. The latest round was led by Qumra Capital and was joined by other new investors DTCP, Partech, and ClalTech. Existing investors Battery Ventures, 83North, TPG Growth, and Greenfield Partners also participated in the round.

Since we launched the company in 2015, Guardicore has been focused on a single vision for providing a new, innovative way to protect critical assets in the cloud and data center. Our focus, and our incredible team, has earned the trust of some of the world’s most respected brands by helping them protect what matters most to their business. As the confidence our customers have in us has grown, so has our business, which has demonstrated consistent year-over-year growth for the past three years.

Our growth is due to our ability to deliver on a new approach to secure data centers and clouds using distributed, software-defined segmentation. This approach aligns with the transformation of the modern data center, driven by cloud, hybrid cloud, and PaaS adoption. As a result, we have delivered a solution that redefines the role of firewalls and implementing Zero Trust security frameworks. More dynamic, agile, and practical security techniques are required to complement or even replace the next-generation firewall technologies. We are delivering this and give our customers the ability to innovate rapidly with the confidence their security posture can keep up with the pace of change.

Continued Innovation

The movement of critical workloads into virtualized, hybrid cloud environments, industry compliance requirements and the increase of data center breaches demands a new approach to security that moves away from legacy firewalls and other perimeter-based security products to a new, software-defined approach. This movement continues to inspire our innovations and ensure that our customers have a simpler, faster way to guarantee persistent and consistent security — for any application, in any IT environment.

Our innovation is evident in several areas of the company. First, we have been able to quickly add new innovative technology into our Centra solution, working in close partnership with our customers. For example, we deliver expansive coverage of data center, cloud infrastructure and operating environments, and simpler and more intuitive ways to define application dependencies and segmentation policies. This gives our customers the right level of protection for critical applications and workloads in virtually any environment.

Second, our Guardicore Labs global research team continues to provide deep insights into the latest exploits and vulnerabilities that matter to the data center. They also equip industry with access to open source tools like Infection Monkey, and Cyber Threat Intelligence (CTI) that allows security teams to keep track of potential threats that are happening in real time.

We have also continued to build out other areas of our business, such as our partner ecosystem, which earned the five-star partner program rating from CRN since its inception two years ago, as well as our technology alliances, which include relationships with leading cloud / IaaS infrastructure players such as AWS, Azure, and Nutanix.

Looking Ahead

We are proud of our past, but even more excited about our future. While there is always more work to do, we are in a unique position to lead the market with not only great technology, but a strong roster of customers, partners and, most importantly, a team of Guardicorians that challenge the status quo every single day to deliver the most innovative solutions to meet the new requirements of a cloud-centric era. I truly believe that we have the best team in the business.

Finally, as we celebrate this important milestone, I want to say thanks to our customers who have made Guardicore their trusted security partner. It is our mission to continue to earn your trust by
ensuring you maximize the value of your security investments beyond your goals and expectations.

Determining security posture, and how micro-segmentation can improve it

As the recent Quora breach that compromised 100 million user accounts demonstrates, the threat of a cyber attack is ever present in the modern IT environment. Cybercrime and data breaches continue to plague small businesses and enterprises alike, and network security teams are constantly working to stay one step ahead of an attack. This is no easy task since intrusion attempts occur daily and are constantly evolving to find the smallest weakness to exploit.

Attackers can employ direct attacks on data centers and clouds, enact crypto-jacking threats to mine cryptocurrency, devise advanced persistent threat (APT) attacks to extract data while remaining hidden within a network, or even add fileless malware to manipulate in-memory vulnerabilities and access sensitive system resources.

For these reasons, it’s more important than ever for IT teams to evaluate their current security posture to ensure the safety of their sensitive information and assets. This is particularly true in hybrid cloud environments where discrete platforms take siloed approaches to security that can make infrastructure-wide visibility and a holistic approach to security policies extremely difficult. In this piece, we’ll dive into the basics of security posture and explain how Guardicore Centra can help you improve yours.

Security posture defined

Security posture is the overall defensive capability a business has over its computing system infrastructure. Also referred to as cybersecurity posture, the term focuses not only on hardware and software resources, but also the people, policies, and processes in place to maintain security. It is then necessary to prioritize what areas require the most protection, managing the greatest risk, identify weaknesses, and have incident response and disaster recovery plans in place in the event a breach does occur. All of these factors determine the effectiveness, or lack thereof, of an organization’s security posture.

Identifying the areas that deserve attention

In order to determine an organization’s security posture, first it’s the responsibility of a security team to have complete and thorough understanding of the risks associated with the operation of their computing systems. Research must be conducted to quantify attack surfaces, determine risk tolerance, and identify areas within the infrastructure that require more focus.

This planning stage is particularly difficult when attempting to account for the complexities that come with a hybrid cloud infrastructure, as the dynamics of a hybrid cloud make it difficult to get a holistic view of enterprise information systems. Often different policies and controls are in place for different endpoints that exist in different clouds or on-premises.

All of this internal assessment and process scrutiny is essential to develop a foundation for a robust security posture. However, the right tools are required to enforce policies that support it. Modern integrated security techniques such as micro-segmentation and process-level visibility, which are enabled by solutions like Guardicore Centra, help enterprises ensure that they are effectively implementing their strategy and capable of meeting the security challenges of the modern hybrid cloud.

The impact of enhanced visibility on security posture

The heterogeneous nature of a hybrid cloud environment makes it difficult to scale security policies, since there usually is not an effective way to account for the entire infrastructure. Further, because you are dealing with multiple platforms and varying security controls, the possibility of blind spots and oversights increases.

The visualization features of Guardicore Centra were created with these challenges in mind. Using Centra, enterprises can drill down and rapidly discover specific applications and flows within a network, regardless of the particular platform a given node may be running on. Since Guardicore can provide visibility to the process level and enable inspection of systems down to the TCP/UDP port level, blind spots that may otherwise become exploit targets can be eliminated. In a hybrid cloud environment this means you are able to automatically and rapidly learn how applications behave within your network to build a baseline of expected behavior, and better understand how to harden your infrastructure.

The value of micro-segmentation

Given that the greater potential for lateral movement an attacker can perform after a breach, the more damage they can do, it is easy to conceptualize the value of micro-segmentation. We’re all familiar with the benefits of network segmentation using techniques such as access control lists, firewalls and VLANs, and micro-segmentation brings these down to the most granular levels and applies them across the entire hybrid cloud infrastructure. For users of Centra, this means least-access policies can be implemented that limit access to specific groups of users (e.g. database admins), restrict access to certain applications (e.g. a MySQL database server), and restrict access to specific ports (e.g. TCP 3306), with the flexibility of process-level context and cross-platform coverage.

As an added benefit, Centra suggests rules based on analysis of historical data, and development of robust policies becomes significantly easier. By removing complexity, enabling micro-segmentation, and providing process-level visibility, Centra reduces blind spots and limits exposed attack surfaces, two key components of improving security posture.

The importance of threat detection and proactive responses

In addition to enhanced visibility and micro-segmentation, identifying unrecognized and malicious intrusions and reducing dwell-time is an important part of improving security posture. A pragmatic, modern organization understands that despite the best laid plans, breaches may occur and if and when they do, they must be rapidly detected, contained, and remediated.

To this end, Centra is uniquely capable of meeting the breach detection and incident response challenges enterprises with hybrid cloud infrastructures face. Centra uses three different detection methods (Dynamic Deception, Reputation Analysis, and Policy-Based Detection) to rapidly identify and react to attacks. By doing so, Centra helps ensure that in the event a security breach does occur, you are able to reduce the damage and minimize dwell time. This proactive approach to threat detection and response rounds out the Centra offering and helps you ensure your hybrid cloud infrastructure is secure and flexible enough to meet the challenges of modern IT security without sacrificing the performance of your infrastructure or adding unnecessary complexity.

Interested in learning more?

Guardicore Centra can help you significantly enhance your security posture, particularly in complex, difficult-to-manage, hybrid cloud environments. The benefits of hybrid cloud infrastructure are clear from a capex and scalability standpoint, but the tech is not without inherent risk. Hybrid cloud suffers with a myriad of siloed approaches to security policies and controls for reducing attack surfaces in an environment.

Adopting a proactive approach to security and leveraging security solutions that enable micro-segmentation are important steps towards enhancing your security posture and protecting your systems from falling victim to the next data breach.

To learn more about how micro-segmentation can benefit your enterprise, check out the micro-segmentation hub, or set up a demo to see Guardicore Centra in action.

Want to learn more about securing your hybrid cloud environment and strengthening your security posture? Get our white paper on best practices for the technical champion.

Read More

You don’t have to be mature in order to be more secure – cloud, maturity, and micro-segmentation

Whether you’ve transitioned to the cloud, are still using on-prem servers, or are operating on a hybrid system, you need security services that are up to the task of protecting all your assets. Naturally, you want the best protection for your business assets. In the cybersecurity world, it’s generally agreed that micro-segmentation is the foundation for truly powerful, flexible, and complete cloud network security. The trouble is that conventional wisdom might tell you that you aren’t yet ready for it.

If you are using a public cloud or VMware NSX-V, you already have a limited set of basic micro-segmentation capabilities built-in with your cloud infrastructure, using security groups and DFW (NSX-V). But security requirements, the way that you have built your network, or your use of multiple vendors require more than a limited set of basic capabilities.

The greatest security benefits can be accessed by enterprises that can unleash the full potential of micro-segmentation beyond layers 3 and 4 of the OSI model, and use application-aware micro-segmentation. Generally, your cloud security choices will be based on the cloud maturity level of your organization. It’s assumed that enterprises that aren’t yet fully mature, according to typical cloud maturity models, won’t have the resources to implement the most advanced cloud security solutions.

But what if that’s not the case? Perhaps a different way of thinking about organizational maturity would show that you can enjoy at least some of the benefits of advanced cloud security systems. Take a closer look at a different way to assess your enterprise’s maturity.

A different way to think about your organizational maturity

Larger organizations already have a solid understanding of their maturity. They constantly monitor and reevaluate their maturity profile, so as to make the best decisions about cloud services and cloud security options. We like to compare an organization learning about the best cloud security services to people who are learning to ski.

When an adult learns how to ski, they’ll begin by buying ski equipment and signing up for ski lessons. Then they’ll spend some time learning how to use their skis and getting used to the feeling of wearing them, before they’re taught to actually ski. It could take a few lessons until an adult skis downhill. If they don’t have strong core muscles and a good sense of balance, they are likely to be sent away to improve their general fitness before trying something new. But when a child learns how to ski, they usually learn much faster than an adult, without taking as long to adjust to the new movements.

Just like an adult needs to be strong enough to learn to ski, an organization needs to be strong enough to implement cloud security services. While adults check their fitness with exercises and tests, organizations check their fitness using cloud maturity models. But typical cloud maturity models might not give an accurate picture of your maturity profile. They usually use 4, 5, or 6 levels of maturity to evaluate your organization in a number of different areas. If your enterprise hasn’t reached a particular level in enough areas, you’ll have to build up your maturity before you can implement an advanced cloud security solution.

At Guardicore, we take a different approach. We developed a solution that yields high security dividends, even if the security capabilities of your organization are not fully mature.

Assessing the maturity of ‘immature’ organizations

Most cloud security providers assume that a newer enterprise doesn’t have the maturity to use advanced cloud security systems. But we view newer enterprises like children who learn to ski. Children have less fear and more flexibility than an adult. They don’t worry about falling, and when they do fall, they simply get up and carry on. The consequences of falling can be a lot more serious for adults. In the same way, newer enterprises can be more agile, less risk-averse, and more able to try something new than an older enterprise that appears to be more mature.

Newer organizations often have these advantages:

  • Fewer silos between departments
  • Better visibility into a less complex environment
  • A much higher tolerance for risk that enables them to test new cloud services and structures, due to a lower investment in existing architecture and processes
  • A more agile and streamlined environment
  • A lighter burden of inherited infrastructure
  • A more unified environment that isn’t weakened by a patchwork of legacy items

While a newer enterprise might not be ready to run a full package of advanced cloud security solutions, it could be agile enough to implement many or most of the security features while it continues to mature. Guardicore allows young organizations to leapfrog the functions that they aren’t yet ready for, while still taking advantage of the superior protection offered by micro-segmentation. Like a child learning to ski, we’ll help you enjoy the blue runs sooner, even if you can’t yet head off-piste.

Organizational maturity in ‘mature’ organizations

Although an older, longer-established organization might seem more cloud mature, it may not be ready for advanced cloud security systems. Many older enterprises aren’t even sure what is within their own ecosystem. They face data silos, duplicate workflows, and cumbersome business processes. Factors holding them back can include:

  • Inefficient workflows
  • Long-winded work processes
  • Strange and divisive infrastructure
  • Awkward legacy environments
  • Business information that is siloed in various departments
  • Complex architectures

Here, Guardicore Centra will be instrumental in bridging the immaturity gap: It provides deep visibility through clear visualization of the entire environment, even those parts that are siloed. Guardicore Centra delivers benefits for multiple teams, and its policy engine supports (almost) any kind of organizational security policy.

What’s more, Guardicore supports phased deployment. It is not an all-or-nothing solution. An organization that can’t yet run a full set of advanced cloud security services still needs the best protection it can get for its business environment. In these situations, Guardicore helps implement only those features that your organization is ready for, while making alternative security arrangements for the rest of your enterprise. By taking it slowly, you can grow into your cloud capabilities and gradually implement the full functionality of micro-segmentation.

Flexible cloud security solutions for every organization

Guardicore’s advanced cloud security solutions provide the highest level of protection for your critical business assets. They are flexible enough to handle legacy infrastructure and complex environments, while allowing for varying levels of cloud maturity.

Whether you are a ‘young’ organization that’s not seen as cloud-mature, or an older enterprise struggling with organizational immaturity, Guardicore can help you to get your skis on. As long as you have a realistic understanding of your organization’s requirements and capabilities, you can apply the right Guardicore security solution to your business and enjoy superior protection without breaking a leg.

The Cloud Security Issues You Don’t Want to Ignore on AWS

According to Gartner, through 2022, 95% of cloud security failures will be the customer’s fault. Using the cloud securely on AWS means building a cloud security strategy that faces the challenges head on, with a full understanding of the shared responsibility model and its blind spots.

Securing Containers in AWS

One of the biggest issues when using AWS is securing the container network. This is due to the lack of context that the VPC has for any overlay network running on top. Amazon Security Groups can apply security policies to each cluster, but are unable to do this with individual pods, making this technology insufficient. When your business is attempting to troubleshoot or to gain better visibility into communications, insight will stop at the traffic between the hosts in the cluster rather than the pods resulting in security blind-spots.

As a result, you need two solutions to control your cloud hosted network. One handles your VM policies, while another governs your containers. As such, creating network policies for a single application that includes both containers and VMs requires using separate solutions.Your business now has two sets of controls to manage, with all the maintenance and administration that comes with it. This adds complexity and risk, when your move to the cloud was probably meant to make your infrastructure and security easier, not more complicated.

Lack of visibility in AWS

62% of IT decision makers at large enterprises believe that their on-premises security is stronger than their cloud security. On premises, these security experts feel that they have control over their IT environment and the data and communications within, and by moving to the cloud, they lose that control and visibility.

With smart micro-segmentation, this doesn’t have to be the case. Going further than AWS security groups, Guardicore Centra provides enhanced visibility, automatically discovering all applications and flows down to process level (Layer 7). It includes an AWS API that can pull orchestration data and labels to get valuable context for application mapping, and allows you to baseline your infrastructure in an intelligent and informed way, understanding how your applications behave and communicate, which in turn enables detecting and alerting on changes. As the Centra solution works across multiple cloud vendors, businesses can use it to gain visibility and apply policy controls across a heterogeneous environment without being tied to any one cloud vendor or infrastructure.

Application-Aware Policy Creation and Control

On premises, companies are used to being able to utilize NGFWs (Next-Gen Firewalls) to protect and segment applications. In the cloud, AWS doesn’t provide the same functionality. Segmenting applications can be done using AWS security groups in a restricted manner, only supporting controlling traffic down to Layer 4, ports and IPs. With Centra, you can benefit from application-aware security policies that work with dynamic AWS applications down to process level. Rather than manage two or more sets of controls, Centra works across any infrastructure, including multi-cloud and hybrid data centers or multiple IaaS providers, physical servers on premises, containers and microservices. As the policy follows the workload, enterprises can enjoy dynamic flexibility without compromising security.

One solution across all of these environments promotes an atmosphere of simplicity in your data centers, with smart labeling and grouping that provides one ‘single pane of glass’ view into the most complex of infrastructures. Your staff have easy navigation and insight into problems when they occur, and can define segmentation policy in a matter of minutes, rather than relying on trial and error.

Navigating the Blind Spots to Securely Benefit from AWS

Using AWS securely means understanding that it is your role as the customer to stay on top of securing customer data, as well as platform, application, identity and access management, and any OS, network or firewall configuration. Cloud users need to be prepared to go above and beyond to ensure that their workloads are safe, especially when working across multi or hybrid-cloud environments.

When implemented correctly, micro-segmentation offers a simple way to secure a hybrid environment, including solving the unique challenges of containers on AWS and providing the ability to create dynamic application policies down to process level. We believe the best solutions start with foundational visibility, automatically discovering all network flows and dependencies. This allows your business to take advantage of the latest technological advancements without increasing risk or complexity for your security teams.

AWS Security Best Practices

AWS is the biggest player in the public IaaS (Infrastructure as a Service) market and a critical component of the hybrid-cloud infrastructure in many enterprises. Understanding how to secure AWS resources and minimize the impact of any breaches that do occur has become more important than ever. For this reason, after closing 2018 with Infection Monkey & GuardiCore Centra’s integration into AWS Security Hub, we decided to open 2019 with a crash course on AWS security best practices.

In this piece, we’ll dive into some of the basics of AWS security, provide some tips to help you get started, and supply you with information on where you can learn more.

#1 AWS security best practice: Get familiar with the AWS shared responsibility model

Understanding the AWS security paradigm at a high level is an important part of getting started securing your AWS infrastructure. AWS uses the shared responsibility model to define who is responsible for securing what in the world of AWS. To help conceptualize the model, the public cloud infrastructure giant has come up with succinct verbiage to describe what they are responsible for and what you (the customer) are responsible for. In short:

AWS is responsible for “security of the cloud”- This means select software, hardware, and global infrastructure (think racks in physical data centers, hypervisors, switches, routers, storage, etc.) are AWS’s responsibility to secure.

Customers are responsible “for security in the cloud”- This means customers are responsible for ensuring things like customer data, applications, operating systems, firewalls, authentication, access management, etc.

Worded differently, AWS gives you the public cloud infrastructure to build upon, but it’s up to you to do so responsibly. It is expected that not everything you need will be baked into any given AWS solution. Third-party security tools like Centra can help fill those gaps. Understanding the shared responsibility model and what tools can help will allow you to ensure you’re doing your part to secure your infrastructure.

#2 AWS security best practice: Use IAM wisely

AWS Identity and Access Management (IAM) is a means of managing access to AWS resources and services, and is built-into AWS accounts. In a nutshell, IAM enables you to configure granular permissions and access rights for users, groups, and roles. Here are a few useful high-level recommendations to help you get started with IAM:

  • Grant least privilege – The principle of least privilege is a popular concept in the world of InfoSec and it is even more important to adhere to in the cloud. Only grant users and services the privileges necessary for the given set of tasks they should be legitimately responsible for, and nothing more.
  • Use IAM groups – Using groups to assign permissions to users significantly simplifies and streamlines access management.
  • Regularly rotate credentials – Enforcing expiration dates on credentials helps ensure that if a given set of credentials is compromised, there is a limited window for an attacker to access your infrastructure.
  • Limit use of root – Avoid using the Linux “root” user. Being conservative with your use of root access helps keep your infrastructure secure.
  • Use MFA – Multi-factor authentication (MFA) should be considered a must for users with high-level privileges.

#3 AWS security best practice: Disable SSH password authentication

If you’re familiar with Linux server administration in general, you’re likely familiar with the benefits of SSH keys over passwords. If you’re not, the short version is:

  • SSH keys are less susceptible to brute force attacks than passwords.
  • To compromise SSH public-key authentication used with a passphrase, an attacker would need to obtain the SSH private-key AND determine (or guess) the passphrase.
  • While SSH keys may require a little more work when it comes to key management, the pros far outweigh the cons from a security perspective.

#4 AWS security best practice: Use security groups

First, to clear up a common misconception: AWS security groups are NOT user groups or IAM groups. An AWS security group is effectively a virtual firewall. If you’re comfortable understanding the benefits of a firewall within a traditional network infrastructure, conceptualizing the benefits of AWS security groups will be intuitive.

AWS security group best practices

Now that we’ve clarified what a security group is, we’ll dive into a few AWS security group best practices to help you get started using them.

    • Minimize open ports – Unless there is a highly compelling argument to do so, only allow access to required ports on any given instance. For example, if you’re running a cluster of instances for a web-server, access to TCP ports 80 and 443 makes sense (and maybe 22 for SSH), but opening other ports is an unnecessary risk.
    • Don’t expose database ports to the Internet – In most cases, there is no need to expose the database to the Internet – doing so puts your infrastructure at risk. Use security group policies to restrict database port (e.g. TCP 3306 for MySQL) access to other specific AWS security groups.
    • Regularly audit your security group policies – Requirements change, rules that were once needed become liabilities, and people make mistakes. Regularly auditing your security rules for relevance and proper configuration help you minimize the likelihood that an outdated or misconfigured security group creates a network breach.

This is just the tip of the iceberg when it comes to AWS security group best practices. For more information, check out the AWS Security Groups User Guide and our Strategies for Protecting Cloud Workloads with Shared Security Models whitepaper.

#5 AWS security best practice: Leverage micro-segmentation

One of the most important components of securing public-cloud infrastructure, particularly in hybrid-cloud environments, is micro-segmentation. Micro-segmentation helps limit both north-south and east-west movement of breaches when they occur, which helps mitigate the spread of threats from one node to another. Further, Guardicore’s intelligent micro-segmentation solution can limit one of the biggest drivers of breach impact: dwell time. If you’re interested in learning more, check out this blog post for a crash course on micro-segmentation best practices.

How micro-segmentation complements AWS security groups

Security groups are an important part of AWS security, and micro-segmentation is excellent way to complement them and round out a hybrid-cloud security plan. A micro-segmentation solution like Guardicore Centra helps ensure you are able to implement micro-segmentation seamlessly both on-premises and in the cloud. Specific benefits of using Centra to complement AWS security groups include:

  • Enhanced visibility – Centra is able to automatically discover applications and flows, use its AWS API integration to pull labels and asset information, and provide granular visibility and baselining for your entire infrastructure.
  • Application aware policies- Next Generation Firewalls (NGFWs) are a big part of on-premises security, and Centra helps bring the same features to your AWS cloud. You wouldn’t compromise on application-aware security in a physical datacenter, and with Centra you don’t have to in the cloud either.
  • Protection across multiple cloud platforms & on-prem- It is common for the modern enterprise to have workloads scattered across multiple cloud service providers as well as physical servers on-premises. Centra is able to provide micro-segmentation for workloads running in AWS, other IaaS providers, and on physical servers in corporate offices and data centers. This helps enterprises ensure that their security is robust across the entirety of their infrastructure.

If you’re interested in learning more about the benefits of Centra for AWS, check out this solution brief (PDF).

Putting it all together: a holistic approach to AWS security

As we have seen, there is no single magic bullet when it comes to securing your AWS infrastructure. Understanding the AWS shared responsibility model enables you to know where to focus your attention, and leveraging built-in AWS features like security groups and IAM are a great start. However, there are still gaps left unaccounted for by AWS tools, and 3rd party solutions are needed to address them. Guardicore Centra provides users with micro-segmentation, breach detection & response, and application-level visibility that help round out a holistic approach to AWS security.

Want to learn more?

For more on how Guardicore Centra and micro-segmentation can help you keep your AWS resources secure,  contact us today or sign up for a demo of the Centra Security Platform.

Interested in cloud security for hybrid environments? Get our white paper about protecting cloud workloads with shared security models.

Read More

Guardicore Integrates with AWS Security Hub

Today at re:Invent, Amazon revealed the AWS Security Hub, a security service that provides AWS cloud customers with a comprehensive view of their security state within AWS. Guardicore has worked with AWS over the past weeks to provide support and integration to this service. While AWS provides some built-in security capabilities, customers require additional capabilities that can only be provided by third-party companies like Guardicore.

Both Guardicore Centra and Infection Monkey now integrate with the AWS Security Hub. This integration provides a lot of value to customers. Early feedback is extremely positive and AWS customers would find it interesting to test both integrations:

GuardiCore Centra Integration with AWS Security Hub

GuardiCore Centra, our flagship product, secures any cloud-private or public. Security Incidents will be forwarded to the AWS Security Hub and can be managed through the console or consumed by other security products.

Infection Monkey Integration with AWS Security Hub

The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. Its integration with the AWS Security Hub allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score.

Working on the integration was fun. Since both Centra and Infection Monkey have integration points and can run on AWS, adding reporting interfaces to the Security Hub was a straightforward task.

We believe that the AWS Security Hub represents a good approach, allowing for more shared security insights from more vendors in order to improve the overall security posture of your environment. It detects security findings and alerts generated by other AWS security services, other security solutions (like GuardiCore Centra and Infection Monkey) and aggregates those findings and alerts within each supported AWS region.

During the beta period the service provided integration with Amazon GuardDuty, Amazon Inspector, and Amazon Macie and added new capabilities by running CIS benchmark check for AWS workloads. We are looking forward to your feedback. Tell us- what do you think about the integration?

What is Micro-Segmentation?

Micro-segmentation is an emerging security best practice that offers a number of advantages over more established approaches like network segmentation and application segmentation. The added granularity that micro-segmentation offers is essential at a time when many organizations are adopting cloud services and new deployment options like containers that make traditional perimeter security less relevant.