The Vollgar Campaign: MS-SQL Servers Under Attack

Guardicore Labs uncovers an attack campaign that’s been under the radar for almost two years, breaching MS-SQL servers and infecting them with remote-access tools and cryptominers.

How to Stop Human and Computer Viruses In Their Tracks

Viruses of any type can spread frighteningly quickly. As we are seeing today with COVID-19, the impact that can have is both widespread and frightening. It’s especially difficult to stop the spread of viruses if you don’t already have the right structures and protocols in place.

While computer viruses don’t have life-changing effects, they can certainly have business-altering ones. Not only do they spread in similar ways to human viruses, but they also can be stopped by implementing similar measures to those we are using to halt the spread of coronavirus.

Test To Gain Visibility

Testing those people who evidence symptoms of a virus like COVID-19 gives you insight into the breadth, location, and volume of an outbreak. Similarly, gaining visibility into what is happening in your network environment enables you to manage your assets in general and to understand the what, where, and extent of issues when they occur.

Getting a clear view into what is happening on your network also empowers you to develop a fast and informed response. For instance, with NotPetya (targeted ransomware), those businesses that mapped all their SMB connections before they were compromised had a better chance of responding intelligently once they were under attack.

Quarantine / Segment

The more you can isolate infected people or applications, the faster you will be able to limit the spread of any virus, including COVID-19. In cybersecurity, the equivalent of quarantine is segmentation.

Without a tool like Guardicore Centra, segmentation can be quite complex. Moreover, it’s difficult to implement once your systems are already infected. That’s where people who have already implemented Centra have the advantage: the better prepared a business is ahead of time, the faster a compromise can be halted.

Protect Vulnerable and Critical Resources

There is no doubt that some resources/people are more vulnerable to viruses’ effects than others. Those who have compromised immunity and the elderly in particular need to be careful.

In the cybersecurity world, the parallel is legacy systems, which can hold unknown vulnerabilities. They therefore need to be carefully protected (for instance, by ringfencing them), and, if possible, removed from any virus exposure.

Moreover, it makes sense to secure your critical resources with better protections as well. In the case of humans, this may include those running a company, medical personnel, or government officials. In the cybersecurity world there are also critical resources protecting your most sensitive data. With the right protocols in place, you can ensure their survival even under the most aggressive attack.

Using Guardicore Centra, you can quickly enforce policies when you need them, for swift protection of vulnerable and critical resources.

Implement Controls

Biological and computer viruses both often use known propagation methods. For example, viruses that attack humans often propagate through person-to-person contact. Therefore, sanitizers, hand washing, and no handshake policies are effective at slowing the spread.

Similarly, for NotPetya attacks, for instance, SMBs were the propagation paths and restricting SMB access to a bare minimum helped a lot. That’s why it’s key to be able to speedily apply the right type of policy at the right time, anywhere it’s needed. This will provide strong protections against current vulnerabilities as well as future attacks.

Use Common Sense

There really is nothing shocking about any of this advice. Most of it is common sense. Yet not every business (or person) follows these steps, and that’s when we all pay a price.

That said, if you apply these basic steps even when a virus isn’t active, you will be prepared to handle issues when they arise. Even during critical events, you will be prepared to swiftly deploy policies anywhere and keep your business – and communities – safe and running smoothly.

How To Protect Your Systems Against Critical SMB Vulnerabilities (CVE-2020-0796)

Microsoft has issued its latest set of cumulative updates for Windows for the month of March. There are a total of 117 vulnerabilities, 25 of which are rated critical.

One particular vulnerability stands out from the crowd: CVE-2020-0796. This is a critical vulnerability in the Server Message Block (SMB) protocol in new versions of Windows operating systems. This SMB vulnerability could enable a wide range of wormable attacks and potentially a new EternalBlue. Without going into the gory details, a flaw in the new SMBv3 compression mechanism potentially allows an attacker to take down or take over a Windows system.

Potentially affected operating systems include:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Advisories on this CVE suggest patching your systems (which you should be doing regardless) as well as “Block TCP port 445 at the enterprise perimeter firewall,” which should be the case in any network. If you can’t patch your Windows system, you can manually disable the SMBv3 compression feature. That is the root of all evil in this case.

A PowerShell command to disable SMBv3 compression is:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force
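As an added example (not from the original post), the following PowerShell wraps that workaround in a small check-then-apply script: it tests whether the host runs one of the listed 1903/1909 releases, reports whether DisableCompression is already set, and applies or reverts the value. The build numbers 18362 (1903) and 18363 (1909) are an assumption taken from Microsoft's release numbering, not from the post.

```powershell
# Added example, not from the original post. Checks whether this host is on one of
# the affected 1903/1909 builds, reports the state of the SMBv3 compression
# workaround from the advisory, and applies (or reverts) it. Run from an elevated prompt.
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-AffectedBuild {
    # Assumption: 1903 = build 18362, 1909 = build 18363 (Windows 10 and Server Core share them).
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    return ($build -in 18362, 18363)
}

function Get-SmbCompressionWorkaround {
    # Returns 'Applied' when DisableCompression = 1, otherwise 'Missing'.
    $item = Get-ItemProperty -Path $RegPath -Name DisableCompression -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.DisableCompression -eq 1) { return 'Applied' }
    return 'Missing'
}

function Set-SmbCompressionWorkaround {
    param([switch]$Revert)
    # 1 disables SMBv3 compression (no reboot needed); 0 restores it once the
    # March update is installed. The value only protects the server side: an
    # unpatched SMB client connecting to a malicious server is not covered by it.
    $value = if ($Revert) { 0 } else { 1 }
    Set-ItemProperty -Path $RegPath -Name DisableCompression -Type DWORD -Value $value -Force
}

if (Test-AffectedBuild) {
    if ((Get-SmbCompressionWorkaround) -eq 'Missing') {
        Set-SmbCompressionWorkaround
    }
    Write-Output "Affected build; SMBv3 compression workaround: $(Get-SmbCompressionWorkaround)"
} else {
    Write-Output 'This build does not include SMBv3 compression; nothing to change.'
}
```

Run `Set-SmbCompressionWorkaround -Revert` after the cumulative update is installed if compression is needed again.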

Why Are SMB Vulnerabilities Problematic?

SMB vulnerabilities are not more common than any other Windows vulnerability. The SMB protocol is amazingly useful, but also one of the easiest ways to move laterally in an organization’s data center. All an attacker needs to do is gain access to one system in order to spread across the whole data center. In fact, the WannaCry campaign and EternalBlue vulnerability are great examples of how an SMB vulnerability can have a wide and crippling impact on organizations worldwide.

The question that many ask is, “How do SMB vulnerabilities still happen if we patch and deny all the SMB traffic from external networks?” Moving from theory to reality, we know that not 100% of hosts get patches. In fact, most companies are still struggling with this basic task today. In addition, networks are complex animals that can’t simply be wrangled by placing a box in an arbitrary location.

Moreover, the main reason for widespread damage in most SMB-related incidents we’ve encountered is the fact that hosts within the network can freely move laterally on any port (and specifically on 445 AKA SMB). There is no real justification for allowing this type of behavior inside the network. SMB inside the network should usually only be allowed to communicate with the DC and, in some cases, dedicated file share and backup services. In most cases, servers shouldn’t be communicating with one another over SMB.

So why not just deny the SMB traffic? The answer is that it’s hard for organizations that rely on legacy technologies like gateway firewalls. These tools only enforce traffic going between network zones, not what’s inside.

How Can SMB Vulnerabilities Be Stopped?

One of the first things we recommend to our customers is to improve their network hygiene by implementing basic best-practice policies. For example, you can allow SMB traffic only to domain controllers, backup servers, and file servers. The rest of the SMB traffic should be blocked, regardless of VLANs or network topology. More explicitly, you should deny lateral SMB traffic.
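As an added example (not from the original post, and not Centra's own mechanism), here is what that "SMB only to DC, file and backup servers" rule looks like when expressed on a single Windows host with the built-in Defender Firewall. The peer addresses are constructed placeholders; the point it demonstrates is the ordering caveat that a Block rule always wins over an Allow rule, so the allow-list has to be built by disabling the default SMB-In rules rather than adding a blanket block.

```powershell
# Added example, not from the original post. Host-based version of the
# "allow inbound SMB only from approved peers, deny the rest" policy.
# Addresses below are constructed placeholders for the DC, file and backup servers.
$ApprovedSmbPeers = @('10.0.0.10', '10.0.0.11', '10.0.1.20', '10.0.2.30')

function Set-LateralSmbPolicy {
    param([string[]]$AllowedRemote)

    # An allow-list only works if unmatched inbound traffic is dropped by default.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # The built-in File and Printer Sharing rules allow SMB-In from any address.
    # Disable them instead of adding a Block rule: in Windows Firewall a Block rule
    # overrides every Allow rule, so a blanket "block 445" would cut off the DC too.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SMB-In*' } |
        Disable-NetFirewallRule

    # Replace any earlier copy of our scoped rule, then allow TCP 445 only from approved peers.
    Remove-NetFirewallRule -DisplayName 'SMB-In (approved peers only)' -ErrorAction SilentlyContinue
    New-NetFirewallRule -DisplayName 'SMB-In (approved peers only)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null
}

function Get-LateralSmbExposure {
    # Audit: list every enabled Allow rule that still admits inbound TCP 445 and its remote scope.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '445' -or $port.LocalPort -eq 'Any')) {
            [pscustomobject]@{
                Rule   = $rule.DisplayName
                Remote = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
    }
}

Set-LateralSmbPolicy -AllowedRemote $ApprovedSmbPeers
Get-LateralSmbExposure | Format-Table -AutoSize
```

The audit output should list only the scoped rule with the approved addresses; any rule showing `Any` as its remote scope is a remaining lateral SMB path. Applying this per host (for example through Group Policy) is exactly the work a segmentation platform centralizes.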

Guardicore Centra helps prevent SMB vulnerabilities by providing a simple and fast way to create and apply policies across the network. These policies allow only legitimate SMB traffic, while blocking the rest of the lateral movement between the hosts.

For example, this screenshot shows how only legitimate SMB traffic is allowed within the network:

And here, Centra blocks the rest of the 445 traffic:

Conclusion

A simple, common protocol like SMB can pose a great risk to the datacenter. However, the risk of SMB vulnerabilities can be easily mitigated with three rules. Simply apply segmentation policies using a tool like Guardicore Centra to prevent lateral SMB traffic inside the datacenter.

Contact us to learn how to reduce your attack surface and prevent lateral movement with fast and simple segmentation that works everywhere.

Additional Resources

  1. Preventing SMB traffic from lateral connections and entering or leaving the network
  2. CVE-2020-0796

Secure and Cost-Efficient Work-From-Home at Scale

The outbreak of the coronavirus has created a new reality of work-from-home at scale. To cope with this, companies are required to quickly provide open access to a sizeable number of people holding varying roles and different access requirements. 

The result is an increased attack surface for the companies and greater risk to their business-critical applications. Protecting access to these applications can help reduce attack surface, prevent potential breaches from escalating and stop lateral movement early on.  And user identity access management can provide a fine-grained policy, identifying and enforcing exactly which users can access which applications. 

Remote Work – Security and Economic Challenges

Remote work introduces new identity assurance challenges. Companies need to make sure employees access only what they’re authorized to access. 

Aligned with the zero trust least privilege access principle, employees should only be able to access applications they need for their daily activities based on their role. This means, for example, ensuring that the SPLUNK teams connect to the SPLUNK servers only, while the Accounting teams connect only to their respective Accounting servers.

Cost is another key consideration. To handle the increased volume of remote workers, companies need to deploy more resources and increase the amount of servers used for VDI and Terminal Servers environments.

Strong User Identity Access Solution Leads to Cost Savings

To provide secure, least privilege access to users, security and network policies should be adapted to match user role and access permissions. 

Application segmentation is commonly used to make sure that users access only the applications they’re authorized to access and no more. Coupled with user identity access management, a solution of the type Guardicore offers, it allows setting user-specific segmentation policies for each user connecting through VDI, a terminal server or a jumpbox. This way, each user on these shared resources is only able to access applications specific to his/her role.

This allows organizations to consolidate the use of their VDI or terminal servers while gaining significant savings, requiring no change to the infrastructure or downtime.

To allow each group of users (HR team, Billing team, etc.) access to their own application, Guardicore enforces a different network policy for each user based on their Active Directory group memberships. For example, when connecting remotely, HR team members will only be able to access HR servers and Billing team members will only be able to access their Billing servers. 

One Terminal Server, Different Access Policies

Cost reduction is another key benefit of using this user-based segmentation. 

Instead of a dedicated terminal server or VDI cluster for each user group, often required with traditional segmentation solutions, companies can consolidate the use of these servers for several groups of users, each with their own access policy. This way HR teams can only access HR servers, Billing teams can only access Billing servers, etc., while sharing the same infrastructure.

Consolidated Use of Terminal Servers for Cost Reductions

“One of our Advisory Board customers told us that last year, they were able to cut costs on terminal servers by nearly 60 percent using Guardicore’s solution” said Lior Neudorfer, VP Product for Guardicore. “There was no longer a need for separate terminal servers for each client or contractor, which resulted in significant savings.”

Protect Your Critical Applications In Your Remote Workforce

If you would like to speak with one of our security experts about how to manage your application protection during times of change in your organization’s remote workforce, please contact us.

Guardicore at RSA: AI-Powered Segmentation, Cloud Native Security

Guardicore’s mission has always been about helping our users protect their critical assets everywhere. This week we’re announcing two new capabilities in our Centra Security Platform that further deliver on that mission: Support for cloud-native resources and AI-powered segmentation. Both capabilities are designed to help security architects segment their assets faster and protect their PaaS resources.

AI-Powered Segmentation 

Centra’s AI-powered segmentation reduces the time it takes to create a segmentation policy for a new or existing application by making it easier to label assets and create the matching rules for them. While we have always been providing an intuitive and simplified segmentation workflow, with our upcoming Centra 5.0 release we’re leveraging AI to automate and further simplify this process. 

Powered by Real Data 

Our AI-based algorithm is capable of ‘learning’ tens of thousands of applications and millions of flows, allowing us to provide: 1) tailored policy templates based on the customer’s assets and 2) automatic labels tailored to the customer’s environment. Automatic labeling is done by an analysis of an asset’s network flows. The fact that our network flows have context up to the process level allows us to provide accurate suggestions.

Introducing Guardicore Centra Policy Store

Guardicore Centra Policy Store

Our Policy Store offers out-of-the-box policy segmentation templates for known ‘household’ applications along with templates for common segmentation use cases. A partial list of household apps includes Active Directory, Exchange, Splunk and even Windows operating systems. Common use cases currently include ringfencing, environment segmentation, whitelisting outbound flows, etc.

To make it even simpler, we provide recommendations on which applications to segment first, based on our ability to ‘learn’ your environment. Our vision is to create a community around our Policy Store. By providing a flexible policy mechanism we’re hoping customers will upload their own templates to extend the power of the collective cloud. We’ve heard some great ideas for this community in RSA from people who are eager to start building and sharing their own templates. We’re looking forward to seeing the creative stuff our users come up with!

Automatic Labeling Suggestions

Guardicore Centra automatically discovers, scopes and provides recommendations for how to label an application which is typically the trickiest part of any segmentation project. Our auto labeling is based on network flows analysis down to the process level.

Guardicore Centra Auto-Labeling

Automatic Policy Recommendations

Recommendations for segmentation rules are provided based on known application behavior and a predefined set of policy templates for common applications. For example, for Active Directory users, Guardicore Centra will detect your Active Directory servers and then provide a predefined set of rules for securing them, requiring minimal intervention on your side.

Guardicore Centra Policy Rules Dashboard

Security for Cloud-Native Applications

Building on our broad security coverage across hybrid data center environments, we’re adding protection for cloud-native applications, including serverless computing and Platform as a Service (PaaS). This enables security teams to remove major blindspots in their environments and achieve the same deep level of visibility and control into their cloud-native applications with the Guardicore Centra Security Platform.

The Ever-Changing Datacenter Landscape Requires Security to Adapt

Cloud-native is rapidly becoming the new standard for quickly building and scaling new business applications and optimizing existing ones. Until now, providing adequate protection of PaaS services such as AWS S3, Azure SQL, and GCP Cloud Run has required standalone security tools to gain visibility into these resources and understand access patterns.  Guardicore has greatly simplified this by integrating cloud-native support into its Centra Security Platform, eliminating the need for processing data from multiple disparate resources. 

Superior Cloud-Native Visibility & Access Control

The Guardicore Centra Security Platform enables IT security teams to visualize access to PaaS services, providing a visual map of all interactions between those services, including end-to-end application flows.

Visualizing Session Flow across Cloud Native Resources

Under the Hood

We use multiple data collection methods for cloud-native applications, including cloud APIs, Guardicore agents, and code instrumentation mechanisms for serverless functions. This allows us to turn a collection of disparate logs into a single comprehensible map. We provide a single pane of glass to visualize all cloud resources in use, providing a way to apply a single access policy.

From Cloud Logs to Guardicore Centra Map

From Network Flows to Application Flows

We are able to provide our Centra customers the ability to map their cloud-native resources from the same console they’re using to manage other environments. Instead of trying to make sense of multiple cloud logs, our customers get a single map of their cloud application flows that is easy to understand and manage.

Connect with Us

We’ve gotten some great feedback from RSA visitors and are extremely excited to add these groundbreaking capabilities to make segmentation even easier and relevant to everyone. These features are in early availability for select customers today. If you have thoughts or feedback or if you want to see a demo, talk to us. 

How to Assess Your Zero Trust Status: Monkey See, Centra Do

Monkey emulates malicious user activity; Centra blocks with user identity policies

Zero Trust has been a top concern for many companies in recent years, but how do you get started with Zero Trust? How do you know what your Zero Trust status is and then act upon it? At Guardicore we wanted to help you assess your Zero Trust status and allow you to easily mitigate gaps. We do this by combining our Breach and Attack Simulation tool – the Guardicore Infection Monkey – with our flagship product Guardicore Centra, which provides advanced firewall and segmentation capabilities.

With its newly added Zero Trust assessment capabilities, the Infection Monkey now tests networks against the Forrester ZTX (Zero Trust eXtended) framework and provides a Zero Trust Status Report with actionable data and recommendations to help you make Zero Trust decisions. Centra is then able to address some of the main issues raised by the Monkey’s report, mostly around the data, networks, people and visibility components. In this post, we’ll walk you through the testing and mitigation of the ZTX People component.

How do the Guardicore Infection Monkey and Centra Work Together? 

The idea is simple: We let the Infection Monkey scan your network and generate a Zero Trust Status Report indicating the areas that leave your company vulnerable to risk. Using Centra’s policy engine we suggest segmentation rules that mitigate the problems the Monkey has alerted on in its report. We then run the Infection Monkey again to verify that Centra has addressed the gaps indicated in the Monkey’s previous report.

Here’s the flow with the People component:

Monkey Centra ZT Workflow

“Monkey See” – and generates a report

Here is the Infection Monkey Zero Trust Status Report after it has scanned a sample network. To test the People component, the Monkey tried and successfully managed to create a new user that communicated with the internet. This means that the network’s policies were too permissive. Looks like everyone was able to go out to the Internet uninterruptedly here 😈

Zero Trust Venn diagram with the People pillar marked in red

The failed test is indicated in red: 

Zero Trust report with a People test marked as Fail

Clicking the Events section in the Report provides more details:

Detailed Event log about the People test

“Centra Do” – and creates security policy 

Using Guardicore Centra’s user-based policies it is possible to control user access to datacenter and cloud resources. We do this by integrating with Active Directory security groups. Based on user memberships in those security groups, we allow users different access to different resources. This way users only access what they are entitled to. For example, this can help allow just the Billing users in your environment to access Billing resources and just the HR users to access their HR resources. See this video to learn more about Centra’s user-based rules. 

To mitigate the issue raised by the Monkey, we created 2 user-based rules in Centra. One that allows only the Developers user group to access the Internet and one that blocks all other users. Naturally, this can be applied to any other group of users.  

Centra segmentation rules that alert on unauthorized communication

Replaying the Scenario 

We ran the Monkey again after applying Centra’s user-based rules and this time the Monkey’s Zero Trust Status Report showed no security issues in the People component:  

Zero Trust Venn diagram with all pillars coloured green

Guardicore Centra Reveal map shows the unsanctioned user is now blocked when trying to access the Internet:

Centra’s Reveal map showing the blocked communication attempt

The log shows how the new user that previously managed to access the Internet is now blocked. 

How to Get Guardicore Infection Monkey and Centra Working Together In Your Environment

If you’d like to see how the Infection Monkey and Centra work together, contact us to get a demo. To download the Infection Monkey for Zero Trust, click here. If you would like to learn more about Centra and/or the Infection Monkey capabilities, contact us.

Welcome to San Francisco. RSA 2020, Here We Come!

Since the early 1990s, RSA Conference has established itself as the destination where the world talks security.

I’ve attended RSA Conference for more than 15 years with roles at various companies: large and small, newly created and already established, public and private, stealthy or well-known. And even though the city I liked a lot is changing its face, I still like to attend this event in San Francisco: I enjoy watching how our industry is growing and changing. The RSAC, as we like to name it, feels like a big, warm, sometimes cheesy, overcrowded wedding. RSAC is where the global security “community” participates in our annual networking events.

The “action” takes place on the expo floor, the surrounding restaurants where one can meet teammates he hasn’t seen for a while as well as the hotel bars and suites. The weather is expected to be sunny so I expect a lot of casual meetings on the surroundings of the Moscone Center.

For me, the real value is the networking opportunity and our (read: my) ability to learn new things from anyone that is willing to talk with me: job seekers, tire-kickers, prospects, ecosystem partners, colleagues and customers. The collective intelligence that is surrounding us is amazing and invaluable.

Obviously I was quite disappointed to learn about IBM Security’s decision not to attend the conference. I am sure that it was not an easy decision and yet, in my opinion it is a mistake and I’m happy to explain my reasons to anyone that will DM me.

And of course, we will be demonstrating our newest innovations. In my opinion, we have achieved some product achievements that will really blow your mind. I’m looking forward to meeting you all at the conference! See us at the Guardicore Booth #4319, North Hall, Moscone Center.

Hybrid Cloud Security on Your Terms

Mellanox and Guardicore Deliver Agentless and High-Performance Micro-segmentation for Securing Hybrid Cloud Environments

This article was created and published in partnership with Itay Ozery, Director of Product Marketing at Mellanox Technologies

The face of the enterprise datacenter has changed dramatically in recent years. Business-critical applications, data confidentiality and the advent of digital products and services are among the driving forces behind today’s emerging data-center architectures. Sometimes it is easy to think about this change as transformation from 10G to 25G, 40G and 100G but actually it is more than that.

Although public cloud adoption is progressing rapidly, public offerings have not taken over a big piece of the enterprise pie. A recent Gartner research report indicates that less than 20% of total IT expenditure was allocated to public clouds in 2019. Bank of America’s CEO stated in late 2019 that the financial services corporation had saved $2 Billion per year by building its own cloud infrastructure. Aside from the dominant cost factors, some workloads must remain on-premise, due to regulatory and/or compliance reasons, while other legacy applications cannot be migrated to the cloud due to their nature/design. Breaking it all down, the prevailing approach of most enterprise leaders today, and most likely in the years to come is a hybrid-cloud strategy that typically involves a multi-tiered IT environment comprising both on-premises datacenter(s) and cloud service provider(s).

While hybrid clouds provide a cost-effective and agile solution, they also expose organizations to a cyber threat landscape that is broad and continuously changing, faster than defenders can respond with traditional security tools. Thus, a holistic approach is needed for enterprises to enhance their security postures and achieve robust and complete protection. Only solutions that protect all types of workloads, at any speed and against both current and future threats, can deliver the highest levels of security, integrity and reliability in the hybrid cloud era.

Micro-segmentation Emerges to Secure Hybrid Clouds

Micro-segmentation is an emerging datacenter and cloud security best practice that enables enforcement of fine-grained security policies for any network in a multi-cloud or hybrid cloud environment. It provides many advantages over the traditional approaches of using VLANs for network segmentation and firewalls for application separation. Micro-segmentation uses software-defined controls, running on each node, to provide individual workload isolation and protection, reducing risks and simplifying security management. These advantages are key as enterprises adopt a hybrid cloud approach consisting of cloud services from one or multiple vendors while maintaining their own datacenters. The rise of cloud-native applications, where microservices architectures and containers create new communication frameworks, reinforces the need for elastic micro-segmentation implementation. Guardicore, a leader in the internal datacenter and cloud security realm, offers Centra, a comprehensive hybrid cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce the attack surface and detect and control breaches within east-west traffic.

Our network visualization, providing flow and application-level monitoring, is both the basis for resilient micro-segmentation and achievable through a variety of agent- and network-based techniques. However, there could be use cases when deploying agents is neither possible nor desired due to the nature of the application, the identity of the workload owner and even intercompany organizational challenges. Some application environments, like in high-frequency trading, are optimized for high-performance, low-latency transactions. In such use cases, even a minimal 3% impact renders the use of agents inefficient and thus cannot be tolerated. Other businesses with a track record of failed agent deployment may be reluctant to try a different one. The result is a lack of visibility, which leaves enterprises with infrastructure silos where security policy enforcement cannot be applied.

So, here’s an idea: what if we could leverage the intelligent I/O processing units (IPU) from Mellanox to gain visibility into every workload, and enforce micro-segmentation without installing agents, impacting performance or increasing network latency?

Software-Defined Micro-segmentation Meets Hardware-Defined Isolation and Acceleration

The combination of Mellanox’s BlueField IPU-based SmartNICs with the Guardicore Centra Security Platform creates a unique value proposition: No need to install agents on servers. No impact on server/application performance. A software-defined, hardware-native security policy enforcement at wire speed, fully isolated from the workload itself. The joint solution is ideally positioned for those environments in which deploying agents is not permitted:

  • HFT, latency-sensitive applications
  • Bare-metal clouds
  • Mainframe
  • Network-attached storage

Summary

We are excited to partner with Mellanox to deliver an agentless and high-performance micro-segmentation solution for hybrid cloud environments. This solution offering is the result of best-of-breed silicon capabilities, software IP and amazing engineering teams at our companies and is the first out of many innovative cyber security solutions we bring to market – stay tuned for more in 2020 and beyond!

Mellanox will be presenting our joint solution at the upcoming RSA Conference, February 24-27 in San Francisco, CA (North Hall #4525)

Guardicore’s booth is located a few meters away – North Hall #4324

Learn more about agentless, high-performance micro-segmentation for securing hybrid cloud environments:

Introducing Guardicore Threat Intelligence Firewall

The Threat Intelligence Firewall is a new Guardicore Centra feature that blocks incoming and outgoing connections to known malicious IPs, eliminating malicious activity before it reaches your data center. To be up-to-date with the most recent threats, the list of known malicious IPs is updated once a day. 

Guardicore’s Threat Intelligence Firewall is based on our recently launched Cyber Threat Intelligence (CTI), a service that offers unique information on malicious IP addresses and domains. The data is collected by Guardicore’s threat intelligence sensors installed in multiple data centers, organizations and cloud providers worldwide.

What Types of IP Addresses We Block

Guardicore’s Threat Intelligence Firewall blocks three types of IP addresses: 

Attackers IPs
An Attacker IP is a machine that has managed to breach Guardicore’s threat intelligence sensors and executes attacks on them, such as malware dropping, scanning internal subnets, modifying system files, etc.
Scanners IPs
A Scanner IP is a machine that accesses one or more services across one or more subnets monitored by Threat Intelligence Sensors. This way we prevent the mere possibility of scanning your network, which is normally one of the first steps of an attacker while looking for easy targets.
C&C IPs
A C&C IP is a machine that attackers connect to after breaching our Threat Intelligence Sensors. This way we prevent the attacker from communicating with its C&C servers which will ultimately cut the chain of attack.

These three types of IP addresses are grouped into three labels – Top Attackers, Top Scanners and Top C&C:

The Guardicore Threat Intelligence labels

Keeping Attackers at Bay

Updated daily, these IP blacklists are automatically fed into Centra, which creates rules that alert on and block communications with the listed addresses. Both incoming and outgoing connections are blocked, on any port and for any process.

Threat Intelligence Firewall Block Policy Rules

Example of the TI FW block policy rules

The Threat Intelligence Firewall rules take precedence over standard Allow, Alert, and Block rules, so they do not conflict with any other security policies you may have in place.

How do I know if a connection was blocked by the Threat Intelligence Firewall?

An incident is created for every connection the firewall blocks. Threat Intelligence Firewall incidents are located under Centra’s Policy Violations section and are tagged with the Threat Intelligence Firewall tag. But what does a Threat Intelligence Firewall incident mean? That depends on its direction, so let’s distinguish between policy violation incidents generated by an inbound connection and those generated by an outbound connection.

Inbound Connection Incident

If an inbound connection has been blocked, you shouldn’t be worried – you’ve been scanned by a compromised server and the connection was dropped. Check Guardicore Cyber Threat Intelligence to find out more about the attack you’ve just avoided.

A policy violation incident generated by an inbound connection.

Outbound Connection Incident

An outbound connection to a malicious destination means that you’ve probably been hacked. In that case, you should find the source of the attack. Consult with Guardicore Labs security experts at labs@guardicore.com.
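As an added illustration (not Centra’s own code), here is a small Python model of the behaviour described above: a TI match on either endpoint takes precedence over the standard Allow/Alert/Block rules, and the resulting incident records its direction so an inbound block reads as a scan while an outbound block reads as a possibly compromised source. The blocklist entries, rule table and addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed sample blocklist grouped into the three labels the post describes.
# Addresses are RFC 5737 documentation ranges, not real indicators.
TI_LABELS: Dict[str, List[str]] = {
    "Top Attackers": ["192.0.2.10"],
    "Top Scanners": ["198.51.100.0/24"],
    "Top C&C": ["203.0.113.7"],
}

# Assumed standard Allow/Alert rules, consulted only when no TI rule matched.
STANDARD_RULES = [{"dst_port": 443, "action": "Allow"},
                  {"dst_port": 22, "action": "Alert"}]

@dataclass
class Verdict:
    action: str                      # Allow, Alert or Block
    label: Optional[str] = None      # TI label that matched, if any
    incident: Optional[dict] = None  # policy-violation incident, if any

def ti_label(ip: str) -> Optional[str]:
    """Return the TI label covering ip, or None if it is not listed."""
    addr = ip_address(ip)
    for label, entries in TI_LABELS.items():
        if any(addr in ip_network(e, strict=False) for e in entries):
            return label
    return None

def evaluate(src: str, dst: str, dst_port: int) -> Verdict:
    """Apply TI rules first (any port, any process), then standard rules."""
    for endpoint, direction in ((src, "inbound"), (dst, "outbound")):
        label = ti_label(endpoint)
        if label:
            meaning = ("scanned by a known malicious host; connection dropped"
                       if direction == "inbound" else
                       "internal host contacted a malicious destination; "
                       "treat the source as possibly compromised")
            incident = {"tag": "Threat Intelligence Firewall",
                        "direction": direction, "peer": endpoint,
                        "label": label, "meaning": meaning}
            return Verdict("Block", label, incident)
    for rule in STANDARD_RULES:
        if rule["dst_port"] == dst_port:
            return Verdict(rule["action"])
    return Verdict("Block")  # default deny when nothing matched

if __name__ == "__main__":
    print(evaluate("198.51.100.23", "10.0.0.5", 443))  # Block despite Allow rule
    print(evaluate("10.0.0.5", "203.0.113.7", 8443))   # outbound C&C incident
```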

How to Get Guardicore Threat Intelligence Firewall

This feature is an enhancement offered to Guardicore customers upon request. If you are interested in this solution, contact our customer success team at support@guardicore.com. If you’re not yet a customer and interested in more information, contact us at labs@guardicore.com.

How to Apply User Identity Access Management with Zero Trust

According to the 2019 State of the Internet report, hackers made 30 billion attempts to attack businesses with stolen credentials in 2018. Up to 2% of these attempts were successful. From just one entry point, the attackers were then able to move across an enterprise network, carry out fraudulent transactions, or otherwise exploit the business with malicious intent.

Learn More About User Identity Access Management

Once your organization has shored up its outer walls and segmented the business-critical core applications, your people are your last line of defense. That doesn’t make this part of your security arsenal any less essential. As the Zero Trust eXtended framework says, “Most breaches are ultimately an inside job.” You don’t need an angry employee with an axe to grind; all you need is one instance of credential theft and a flat network that’s easy to leverage for lateral movement within your data center.

Preventing Inside and Outside Attacks with the Zero Trust Model

A strong Zero Trust security strategy will include strict enforcement of user access, as well as authentication and monitoring of user behavior and movements, both within the data center and as users connect to the web. Governance of each user’s access and their privileges means that even if the worst happens and their credentials are successfully stolen, there is no way for an attacker to escalate this breach, or to make movements outside of what that specific user is entitled to access.

Think about an HR employee for example. An individual working in the HR team will need access to all the data and applications that are relevant to their role, and might also need permissions to certain financial systems for payroll, or applications that handle candidate information for on-boarding. However, they do not need extended access to anything outside of this, including other financial applications outside of their own purview, or further sensitive data connected to current employees such as medical information. In the same way as your workloads are isolated using micro-perimeters, your user access can follow suit, allowing each employee to access just what they need, and nothing further.

Here are 6 Features of a Strong User Identity Solution Based on Zero Trust

Following the Forrester guidelines for a Zero Trust model, here’s how your security solution can check all the boxes for identity and access management, and achieve this high level of granularity and control. Whichever features you opt for, make sure that your solution can work seamlessly across any platform or infrastructure, and takes immediate effect on both active and new sessions of user activity. Without these two cornerstones, you’re starting from a place of blind spots and security gaps. With them, you’re well placed for success from the start.

  • Isolate user interactions: Using an Active Directory User Group, intelligent micro-segmentation can isolate user access exactly the way we described above, giving specific users access to certain servers and applications via specific ports and processes. This access control can be enforced between workloads in the same segment of the network, and even allows for simultaneous connections from the same server/Jumpbox.
  • Third party access management: User groups can support enforcing specific policies for each third-party connection, strengthening security where it’s weakest, while allowing the benefits of third-party integrations and partnerships. Define policies for the data center at large, as well as individual applications and workloads, providing access to just what each user needs – and no more.
  • Privileged identity management: Especially when it comes to administrative usage, this is an essential area for credential security. Admin/root passwords are often left unchanged, and can be an open door for attackers to gain a foothold. When testing your network for weaknesses, check whether an attacker could propagate using shared or unchanged root passwords, as well as where they could move laterally from the initial breach.
  • Two-factor authentication: 2FA has become a baseline, heavily reducing the risk of credential compromise. If it isn’t already in place in your organization – it should be. If your managers worry that people will feel slowed down by this essential security tool, remind them of ordinary 2FA tasks that we all consider the norm, such as taking money out of an ATM with a bank card and a PIN. Soon, 2FA will be the workplace equivalent.
  • Web security: Phishing scams are becoming increasingly sophisticated and manipulative, and you can’t always rely on employee education to help users spot attacks ahead of time. Strong security solutions will include web security gateways that block user access ahead of time to any malicious websites.
  • User behavior analytics: You can learn a lot about the way your employees act from monitoring ‘business as usual,’ which can then help to build policy that learns from your real employees, and can alert you to anomalous actions. This could be anything from a login at an unusual time of day, to credential use when an employee should be on vacation.

Following the Zero Trust eXtended pillars is best-practice for protecting your network and its users from external and internal threats. This includes a Zero Trust model for more than just networks, applications and data alone. User Identity Access Management is a key part of your Zero Trust strategy, managing individual user access, simultaneous connections, and third-party access management. When done right, this can all be achieved from the same core technology that handles your application segmentation. This lessens the learning curve and streamlines your overall security posture with a truly holistic approach to Zero Trust.
