Posts

Secure Critical Applications

Today’s information security teams face two major trends that make it more challenging than ever to secure critical applications. The first is that IT infrastructure is evolving rapidly and continuously. Hybrid cloud architectures with a combination of on-premises and cloud workloads are now the norm. There are also now a multitude of application workload deployment methods, including bare-metal servers, virtualization platforms, cloud instances, and containers. This growing heterogeneity, combined with increased automation, makes it more challenging for security teams to stay current with sanctioned application usage, much less malicious activity.

The second major challenge that makes it difficult to secure critical applications is that attackers are growing more targeted and sophisticated over time. As security technologies become more effective at detecting and stopping more generic, broad-scale attacks, attackers are shifting to more deliberate techniques focused on specific targets. These efforts are aided by the rapid growth of east-west traffic in enterprise environments as application architectures become more distributed and as cloud workloads introduce additional layers of abstraction. By analyzing this east-west traffic for clues about how applications function and interact with each other, attackers can identify potential attack vectors. The large quantity of east-west traffic also provides potential cover when attacks are advanced, as attackers often attempt to blend unauthorized lateral movement in with legitimate traffic.

Securing Critical Applications with Micro-Segmentation

Implementing a sound micro-segmentation approach is one of the best steps that security teams can take to gain greater infrastructure visibility and secure critical applications. While the concept of isolating applications and application components is not new, micro-segmentation solutions like GuardiCore Centra have improved on this concept in a number of ways that help security teams overcome the challenges described above.

It’s important for organizations considering micro-segmentation to avoid becoming overwhelmed by its broad range of applications. While the flexibility that micro-segmentation offers is one of its key advantages over alternative security approaches, attempting to address every possible micro-segmentation use case on day one is impractical. The best results are often achieved through a phased approach. Focusing on the most critical applications early in a micro-segmentation rollout process is an excellent way to deliver value to the organization quickly while developing a greater understanding of how micro-segmentation can be applied to additional use cases in subsequent phases.

Process-Level Granularity

The most significant benefit that micro-segmentation provides over more traditional segmentation approaches is that it can enables visibility and control at the process level. This gives security teams much greater ability to secure critical applications by making it possible to align segmentation policies with application logic. Application-aware micro-segmentation policies that allow known legitimate flows while blocking everything else significantly reduce attackers’ ability to move laterally and blend in with legitimate east-west traffic.

Unified Data Center and Cloud Workload Protection

Another important advantage that micro-segmentation offers is a consistent policy approach for both on-premises and cloud workloads. While traditional segmentation approaches are often tied to specific environments, such as network infrastructure, a specific virtualization technology, or a specific cloud provider, micro-segmentation solutions like GuardiCore Centra are implemented at the workload level and can migrate with workloads as they move between environments. This makes it possible to secure critical applications in hybrid cloud infrastructure and prevent new security risks from being introduced as the result of infrastructure changes.

Platform Independence

In addition to providing a unified security approach across disparate environments, micro-segmentation solutions like GuardiCore Centra also work consistently across various operating systems and deployment models. This is essential at a time when many organizations have a blend of bare-metal servers, virtualized servers, containers, and cloud instances. Implementing micro-segmentation at the application level ensures that policies can persist as underlying deployment platform technologies change.

Common Workload Protection Needs

There are several categories of critical applications that exist in most organizations and are particularly challenging – and particularly important – to secure.

Protecting High-Value Targets

Every organization has infrastructure components that play a central role in governing access to other systems throughout the environment. Examples may include domain controllers, privileged access management systems, and jump servers. It is essential to have a well-considered workflow protection strategy for these systems, as a compromise will give an attacker extensive ability to move laterally in the direction of systems containing sensitive or highly valuable data. Micro-segmentation policies with process-level granularity allow security teams to tightly manage how these systems are used, reducing the risk of unauthorized use.

Cloud Workload Protection

As more workloads migrate to the cloud, traditional security controls are often supplanted by security settings provided by a specific cloud provider. While the native capabilities that cloud providers offer are often valuable, they create situations in which security teams must segment their environment one way on-premises and another way in the cloud. This creates greater potential for new security issues as a result of confusion, mis-configuration, or lack of clarity about roles and responsibilities.

The challenge is compounded when organizations use more than one cloud provider, as each has its own set of security frameworks. Because micro-segmentation is platform-independent, the introduction of cloud workloads does not significantly increase the attack surface. Moreover, micro-segmentation can be performed consistently across multiple cloud platforms as a complement to any native cloud provider security features in use, avoiding confusion and providing greater flexibility to migrate workloads between cloud providers.

New Application Deployment Technologies

While bare-metal servers, virtualized servers, and cloud instances all preserve the traditional Windows or Linux operating system deployment model, new technologies such as containers represent a fundamentally different application deployment approach with a unique set of workload protection challenges. Implementing a micro-segmentation solution that includes support for containerized applications is another step organizations can take to secure critical applications in a manner that will persist as the underlying infrastructure evolves over time.

Critical Applications in Specific Industries

Along with the general steps that all organizations should take to secure critical applications, many industries have unique workload protection challenges based on the types of data they store or their specific regulatory requirements.

Examples include:

  • Healthcare applications that store or access protected health information (PHI) for patients that is both confidential and subject to HIPAA regulation.
  • Financial services applications that contain extensive personally identifiable information (PII) and other sensitive data that is subject to industry regulations like PCI DSS.
  • Law firm applications that store sensitive information that must be protected for client confidentiality reasons.

In these and other vertical-specific scenarios, micro-segmentation technologies can be used to both enforce required regulatory boundaries within the infrastructure and gain real-time and historical visibility to support regulatory audits.

Decoupling Security from Infrastructure

While there are a variety of factors that security teams must consider when securing critical applications in their organization, workload protection efforts do not need to be complicated by IT infrastructure evolution. By using micro-segmentation to align security policies with application functionality rather than underlying infrastructure, security teams can protect key applications effectively even as deployment approaches change or diversify. In addition, the added granularity of control that micro-segmentation provides makes it easier to address organization- or industry-specific security requirements effectively and consistently.

For more information on micro-segmentation, visit our Micro-Segmentation Hub.

GuardiCore Integrates with AWS Security Hub

Today at re:Invent, Amazon revealed the AWS Security Hub, a security service that provides AWS cloud customers with a comprehensive view of their security state within AWS. GuardiCore has worked with AWS over the past weeks to provide support and integration to this service. While AWS provides some built-in security capabilities, customers require additional capabilities that can only be provided by third-party companies like GuardiCore.

Both GuardiCore Centra and Infection Monkey now integrate with the AWS Security Hub. This integration provides a lot of value to customers. Early feedback is extremely positive and AWS customers would find it interesting to test both integrations:

GuardiCore Centra Integration with AWS Security Hub

GuardiCore Centra, our flagship product, secures any cloud-private or public. Security Incidents will be forwarded to the AWS Security Hub and can be managed through the console or consumed by other security products.

Infection Monkey Integration with AWS Security Hub

The Infection Monkey is an open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement. Its integration with the AWS Security Hub allows anyone to verify and test the resilience of their AWS environment and correlate this information with the native security solutions and benchmark score.

Working on the integration was fun. Since both Centra and Infection Monkey have integration points and can run on AWS, adding reporting interfaces to the Security Hub was a straightforward task.

We believe that the AWS Security Hub represents a good approach, allowing for more shared security insights from more vendors in order to improve the overall security posture of your environment. It detects security findings and alerts generated by other AWS security services, other security solutions (like GuardiCore Centra and Infection Monkey) and aggregates those findings and alerts within each supported AWS region.

During the beta period the service provided integration with Amazon GuardDuty, Amazon Inspector, and Amazon Macie and added new capabilities by running CIS benchmark check for AWS workloads. We are looking forward to your feedback. Tell us- what do you think about the integration?

GuardiCore’s Journey from Vision to Best-in-Class Micro-Segmentation

Micro-segmentation as we know it today has gone through several stages in the last few years, moving from a rising trend for securing software-defined data centers to a full-blown cyber security technology and a top priority on the agenda of nearly every CISO.

Built on the vision of securing the hybrid cloud and software defined data centers, we started our journey in 2013, thinking how to solve what in our opinion was a huge challenge for a market that did not exist at that time. In this post we’ll share how we created the micro-segmentation solution that is considered the best on the market – from vision to execution.

2015: First steps towards segmentation

Throughout the second half of 2015, we started delivering our micro-segmentation methodology after realizing that understanding how applications communicate inside the cloud was the key to success and as such – must be addressed first. “You can’t protect what you can’t see” wasn’t coined by GuardiCore but was immediately embraced by us when we started planning our micro-segmentation solution. We started developing our visibility solution Reveal, a visual map of all the applications running in the data center, all the way down to the process level. Reveal allows you to view applications and the flow they create in real time while also providing historic views. For the first time, admins and security teams were able to easily discover the running applications, one by one, and then review relations between the application tiers. Early releases supported general data center topologies as well as Docker containers.

2016: Gartner names micro-segmentation a top information security technology

We launched our segmentation solution at the RSA conference 2016 with a big splash. Reveal gained a lot of coverage and was well received by security teams who were lacking the proper tools to see the application flows in their data centers. It was one of the hottest security products at RSA 2016 and for a good reason!

Important to note that when micro-segmentation was introduced in Gartner’s Top 10 Technologies for Information Security in 2016 time in June 2016, many security professionals were unaware of the concept. In that report Gartner stated that to prevent attackers from moving “unimpeded laterally to other systems” there was “an emerging requirement for microsegmentation of east/west traffic in enterprise networks”. Enthusiasm was then at its peak, micro-segmentation was widely covered in the media and conferences dealing with the technology abound.

2017: Micro-segmentation for early adopters

Micro-segmentation was gaining traction as one of the most effective ways to secure data centers and clouds, but organizations learned the hard way that the path to meaningful micro-segmentation was full of challenges. Incomplete visibility into east-west traffic flows, inflexible policy engines and lack of multi-cloud support were among the most cited reasons. Throughout 2017 market penetration was around 5% of target audience and micro-segmentation was far from being mainstream. Andrew Lerner, Research Vice President at Gartner, noted in a blog post that “Micro-segmentation is the future of modern data center and cloud security; but not getting the micro-segmentation-supporting technology right can be analogous to building the wrong foundation for a building and trying to adapt afterward”.

That year GuardiCore tackled these challenges head on and based on the feedback we received from our growing customer base, we added flexible policy management and moved on from using only 3rd party integration to add native enforcement at the flow and process levels. Customers were able to move from zero-segmentation to native enforcement in 3 easy steps, based on revealing applications, building policies and natively enforcing policies.

2018: Our solution takes complexity out of micro-segmentation

Today, micro-segmentation serves as a foundational element of data center security in any data center. According to a Citi group’s report, cloud security is the number one priority among CISOs in 2018, with micro-segmentation the top priority in plans to purchase in this category. Concentrated effort on the part of organizations from different industries has resulted in better understanding of the technology. This year we were able to deploy micro-segmentation across all types of environments, from bare metal to virtualized machines, through public cloud instances and recently to containerized environments.

So if you are planning a micro-segmentation project let’s talk. We can show you how to do it in a way that is quick, affordable, secure, and provable across any environment.

Lateral Movement Security

Security teams often focus significant effort and resources on protecting the perimeter of their IT infrastructure and tightly controlling north-south traffic, or traffic that flows between clients and servers. However, several major transformations in enterprise computing are causing east-west traffic, or server-to-server communication within the data center, to outgrow north-south traffic in both volume and strategic importance.

For example:

  • Traditional on-premises data centers increasingly use horizontal scaling techniques that employ large sets of peer nodes to service the requests of clients, rather than a simple north-south flow.
  • The emergence of big data analytics as an essential competency is also driving substantial growth of east-west traffic, as processing of large data sets distributed across many nodes is generally required.
  • The growing adoption of public cloud infrastructure makes the traditional concept of a network perimeter obsolete, increasing the importance of securing east-west traffic among nodes.

While many organizations remain heavily invested in perimeter security, they are often extremely limited in their ability to detect and prevent lateral movement within their data center and cloud infrastructure.

What is Lateral Movement?

Lateral movement is the set of steps that attackers who have gained a foothold in a trusted environment take to identify the most vulnerable and/or valuable assets, expand their level of access, move to additional trusted assets, and further advance in the direction of high-value targets. Lateral movement typically starts with an infection or credential-based compromise of an initial data center or cloud node. From there, an attacker may employ various discovery techniques to learn more about the networks, nodes, and applications surrounding the compromised resource.

As attackers are learning about the environment, they often make parallel efforts to steal credentials, identify software vulnerabilities, or exploit misconfigurations that may allow them to move successfully to their next target node.

When an attacker executes an effective combination of lateral movement techniques, it can be extremely difficult for IT teams to detect, as these movements often blend in with the growing volume of legitimate east-west traffic. The more they learn about how legitimate traffic flows work, the easier it is for them to attempt to masquerade their attacks as a sanctioned activity. This, combined with many organizations’ insufficient investment in lateral movement security, can cause security breaches to escalate quickly.

Assessing Lateral Movement Security

One fast, simple, and inexpensive step that organizations concerned about lateral movement security can take is to test how vulnerable their environment is to unsanctioned east-west traffic. GuardiCore Labs offers a free, open-source breach and attack simulation tool called Infection Monkey that can be used for this purpose.

Infection Monkey scans the environment, identifies potential points of vulnerability, and attempts predetermined attack scenarios to attempt lateral movement. The output is a security report that identifies the security issues that were discovered and includes actionable remediation recommendations.

Infection Monkey Warns of Danger of Lateral Movement

Visualizing East-West Traffic

Organizations seeking more proactive lateral movement security can begin by visualizing the east-west traffic in their environment. Once a clear baseline of sanctioned east-west traffic is established and viewable on a real-time and historical basis, it becomes much easier to identify unsanctioned lateral movement attempts.

This is one of the flagship capabilities of GuardiCore Centra. Centra uses network and host-based sensors to collect detailed information about assets and flows in data center, cloud, and hybrid environments, combines this information with available labeling information from orchestration tools, and displays a visual representation of east-west traffic in the environment.

Visibility for Lateral Movement

This added visibility alone delivers immediate benefits to organizations seeking a greater understanding of potential lateral movement risks. It also provides the foundation for more sophisticated lateral movement security techniques.

Improving Lateral Movement Security

Once an organization has a clear view of both sanctioned and unsanctioned east-west traffic in its data center and cloud infrastructure, it can use this information to take active steps to stop lateral movement. An optimal approach includes a mix of both proactive and reactive lateral movement security techniques.

Micro-Segmentation Policies

Once an IT team has visualized its east-west traffic, the addition of micro-segmentation policies can significantly reduce attackers’ ability to move laterally. Micro-segmentation applies workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. When strong micro-segmentation policies are implemented, attempts at lateral movement that do not explicitly match sanctioned flows – down to the specific process level – can generate alerts to the security operations team or even be blocked proactively.

Detecting and Responding to Unauthorized East-West Traffic

While micro-segmentation policies significantly improve lateral movement security, it is important to complement policy measures with additional detection and response capabilities. In addition to providing information-risk alerts when policy violations occur, GuardiCore Centra can detect and respond to unauthorized east-west traffic by leveraging deception technology to monitor and investigate suspicious behavior within east-west traffic.

Deception

GuardiCore Centra applies deception technology to analyze all failed attempts at lateral movement and then redirect suspicious behavior to a high-interaction deception engine. The attacker is fed responses that suggest that their attack techniques are successful, but all their tools, techniques and exploits are being recorded and analyzed in a fully isolated environment.

Deception

This helps IT teams learn more about the lateral movement being attempted in the environment and assess how to best improve security policies over time.

A Growing Strategic Priority

While strong perimeter security remains essential, the transition from traditional on-premises infrastructure to hybrid-cloud and multi-cloud architectures is increasing the strategic importance of lateral movement security.

It’s essential for security teams to:

  • Gain ongoing visibility into their organization’s east-west traffic
  • Develop techniques for differentiating between sanctioned and unsanctioned east-west traffic
  • Implement controls like micro-segmentation to tightly govern infrastructure activity
  • Actively monitor for unauthorized lateral movement to both contain breaches quickly and continuously refine policies based on the latest attack techniques.

Organizations that move beyond perimeter-focused thinking and place greater emphasis on lateral movement security will ensure that their security measures remain in step as IT infrastructure becomes more dynamic and heterogeneous.

For more information about Micro-Segmentation, visit our Micro-Segmentation Hub

Something is brewing: A CPU bug risks virtual memory segmentation

At any given moment, attack and defense are in a cat and mouse game where each side gains a momentary advantage. What we’ve recently seen over the past few months is a situation where defense is playing catch-up with what appears to be a serious hardware bug.

Current speculations suggest that a serious CPU bug might allow code running in user space to read kernel space memory. Such capability will make it much easier for attackers to exploit other security bugs that exist in the system or read sensitive system data. Another speculative guess suggests that the bug allows one virtual machine an introspection into another virtual machine memory. This attack vector puts in danger virtual environments such as Amazon EC2 and Azure Hyper-V where multiple tenants can co-exist on a single physical machine.

Read more

GuardiCore Extends Series B Funding Round to $35 Million Adding TPG Growth as a New Investor

Funding to Accelerate Growth in Large Enterprise Accounts and Expand Further into Global Markets

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in internal data center and cloud security, today announced that the company has raised an additional $15 million as an extension to its Series B funding round. This brings the company’s total funding raised to date to $48 million. The additional investment was led by TPG Growth, the middle market growth equity platform of alternative asset firm TPG, and Greenfield Partners, a TPG-Growth backed company based in Israel that focuses on investing in early growth-stage global technology and tech-enabled businesses. Existing investors include Battery Ventures, 83North, Cisco Investments and Dell Technologies Capital.

Read more

GuardiCore Announces GuardiCore Labs

Global Research Team Focused on Critical Cyber Security Analysis and Investigation to Benefit the Community through Publications and Timely Disclosure of New Advanced Threats Targeting Data Centers and Clouds

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in internal data center and cloud security, today announced GuardiCore Labs, a global cyber security research team that conducts in-depth research and analysis, providing the security industry with actionable insights into the latest and most advanced threats facing data centers and clouds. GuardiCore Labs delivers cutting-edge breach detection and response methodologies to help GuardiCore customers continually enhance their security posture to protect critical business applications and infrastructure.

Read more

GuardiCore Named to the First Ever CNBC Upstart 25 List by CNBC

CNBC Names GuardiCore to List of Promising Young Startups on the Path to Becoming Tomorrow’s Household Names

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in data center and cloud security, today announced that it was named to the first ever CNBC Upstart 25 List. Emerging from Israel’s cybersecurity sector, GuardiCore provides its customers with more accurate and effective ways to stop advanced threats through granular visibility of network and application flows, coupled with real-time breach detection and response. CNBC Upstart 25 spotlights a diverse list of promising young startups that are building brands, breaking industry barriers, and scaling quickly on the path to becoming tomorrow’s household names..

Read more

GuardiCore Named Info Security Product Guide’s Gold Startup Of The Year, Silver Product Of The Year For Deception At 13th Annual Global Excellence Awards

Honored at Security Industry’s Premier Awards Gala at RSA Conference 2017

San Francisco, CA and Tel Aviv, Israel – GuardiCore, a leader in internal data center security and breach detection, today announced that Info Security Products Guide, the industry’s leading information security research and advisory guide, has named the company as a Gold Security Startup of the Year and Silver Product Excellence of the Year winner in the Deception category at the 13th Annual 2017 Info Security Products Guide Global Excellence Awards. Recipients of these prestigious global awards were honored last night by the security industry for their innovative, ground-breaking products and solutions that are advancing the state of security technologies and the industry as a whole.

Read more