Posts

Welcome to San Francisco. RSA 2020, Here We Come!

Since the early 1990s, RSA Conference has established itself as the destination where the world talks security.

I’ve attended RSA Conference for more than 15 years with roles at various companies: large and small, newly created and already established, public and private, stealthy or well-known. And even though the city I liked a lot is changing its face I still like to attend this event in San Francisco: I enjoy watching how our industry is growing and changing. The RSAC as we like to name it, feels like a big, warm, sometimes cheezy overcrowded wedding. RSAC is where the global security “community” participates in our annual networking events.

The “action” takes place on the expo floor, the surrounding restaurants where one can meet teammates he hasn’t seen for a while as well as the hotel bars and suites. The weather is expected to be sunny so I expect a lot of casual meetings on the surroundings of the Moscone Center.

For me, the real value is the networking opportunity and our (read:my) ability to learn new things from anyone that is willing to talk with me: job seekers, tire-kickers, prospects, ecosystem partners, colleagues and customers. The collective intelligence that is surrounding us is amazing and invaluable.

Obviously I was quite disappointed to learn about IBM Security’s decision not to attend the conference. I am sure that it was not an easy decision and yet, in my opinion it is a mistake and I’m happy to explain my reasons to anyone that will DM me.

And of course, we will be demonstrating our newest innovations. In my opinion, we have achieved some product achievements that will really blow your mind. I’m looking forward to meeting you all at the conference ! See us at the Guardicore Booth #4319, North Hall, Moscone Center.

Hybrid Cloud Security on Your Terms

Mellanox and Guardicore Deliver Agentless and High-Performance Micro-segmentation for Securing Hybrid Cloud Environments

This article was created and published in partnership with Itay Ozery, Director of Product Marketing at Mellanox Technologies

The face of the enterprise datacenter has changed dramatically in recent years. Business-critical applications, data confidentiality and the advent of digital products and services are among the driving forces behind today’s emerging data-center architectures. Sometimes it is easy to think about this change as transformation from 10G to 25G, 40G and 100G but actually it is more than that.

The face of the enterprise datacenter has changed dramatically in recent years. Business-critical applications, data confidentiality and the advent of digital products and services are among the driving forces behind today’s emerging data-center architectures. Sometimes it is easy to think about this change as transformation from 10G to 25G, 40G and 100G but actually it is more than that.

Although public cloud adoption is progressing rapidly, public offerings have not taken over a big piece of the enterprise pie. A recent Gartner research report indicates that less than 20% of total IT expenditure was allocated to public clouds in 2019. Bank of America’s CEO stated in late 2019 that the financial services corporation had saved $2 Billion per year by building its own cloud infrastructure. Aside from the dominant cost factors, some workloads must remain on-premise, due to regulatory and/or compliance reasons, while other legacy applications cannot be migrated to the cloud due to their nature/design. Breaking it all down, the prevailing approach of most enterprise leaders today, and most likely in the years to come is a hybrid-cloud strategy that typically involves a multi-tiered IT environment comprising both on-premises datacenter(s) and cloud service provider(s).

While hybrid clouds provide a cost-effective and agile solution, they also expose organizations to a cyber threat landscape that is broad and continuously changing, fast beyond what the guards can respond to with traditional security tools. Thus, a holistic approach is needed for enterprises to enhance their security postures and achieve robust and complete protection. Only solutions that protect all types of workloads, at any speed and against both current and future threats, can deliver the highest levels of security, integrity and reliability in the hybrid cloud era.

Micro-segmentation Emerges to Secure Hybrid Clouds

Micro-segmentation is an emerging datacenter and cloud security best practice that enables enforcement of fine-grained security policies for any network in a multi-, hybrid cloud environment. It provides many advantages over the traditional approaches of using VLANs for network segmentation and firewalls for application separation. Micro-segmentation uses software-defined controls, running on each node to provide individual workload isolation and protection reducing risks and simplifying security management. These advantages are key as enterprises adopt a hybrid cloud approach consisting of cloud services from one or multiple vendors while maintaining their own datacenters. The rise of cloud-native applications where microservices architectures and containers create new communication frameworks reinforce the need for elastic micro-segmentation implementation. Guardicore, a leader in the internal datacenter and cloud security realm , offers Centra, a comprehensive hybrid cloud security solution that delivers the simplest and most intuitive way to apply micro-segmentation controls to reduce the attack surface and detect and control breaches within east-west traffic.

Our network visualization providing flow and application-level monitoring, is both the basis for resilient micro-segmentation, and achievable through a variety of agent- and network-based techniques. However, there could be use cases when deploying agents is neither possible nor desired due to the nature of the application, identity of the workload owner and even intercompany organization challenges. Some application environments, like in high-frequency trading, are optimized for high-performance, low-latency transactions. In such use cases, even a minimal 3% impact renders the use of agents inefficient and thus, cannot be tolerated. Other businesses with a track record of failed agent deployment may be reluctant to try a different one. The result is a lack of visibility, which leaves enterprises with infrastructure silos where security policy enforcement cannot be applied.

So, here’s an idea: what if we could leverage the intelligent I/O processing units (IPU) from Mellanox to gain visibility into every workload, and enforce micro-segmentation without installing agents, impact performance or increase network latency?

Software-Defined Micro-segmentation Meets Hardware-Defined Isolation and Acceleration

The combination of Mellanox’s BlueField IPU-based SmartNICs with Guardicore Centra Security Platform creates a unique value proposition: No need to install agents on servers. No impact on server/application performance. A software-defined, hardware-native security policy enforcement at wire speed, fully isolated from the workload itself. The joint solution is ideally positioned to those environments in which deploying agents is not permitted:

  • HFT, latency-sensitive applications
  • Bare-metal clouds
  • Mainframe
  • Network-attached storage

Summary

We are excited to partner with Mellanox to deliver an agentless and high-performance micro-segmentation solution for hybrid cloud environments. This solution offering is the result of best-of-breed silicon capabilities, software IP and amazing engineering teams at our companies and is the first out of many innovative cyber security solutions we bring to market – stay tuned for more in 2020 and beyond!

Mellanox will be presenting our joint solution at the upcoming RSA Conference, February 24-27 in San Francisco, CA (North Hall #4525)

Guardicore’s booth is located few meters away – North Hall #4324

Learn more about agentless, high-performance micro-segmentation for securing hybrid cloud environments:

Introducing Guardicore Threat Intelligence Firewall

The Threat Intelligence Firewall is a new Guardicore Centra feature that blocks incoming and outgoing connections to known malicious IPs, eliminating malicious activity before it reaches your data center. To be up-to-date with the most recent threats, the list of known malicious IPs is updated once a day. 

Guardicore’s Threat Intelligence Firewall is based on our recently launched CyberThreat Intelligence (CTI), a service that offers unique information on malicious IP addresses and domains. The data is collected by Guardicore’s threat intelligence sensors installed in multiple data centers, organizations and cloud providers worldwide. More.

What Types of IP Addresses We Block

Guardicore’s Threat Intelligence Firewall blocks three types of IP addresses: 

Attackers IPs
An Attacker IP is a machine that has managed to breach Guardicore’s threat intelligence sensors and executes attacks on them such as malware dropping, scanning internal subnets, modifying system files etc.  


Scanners IPs
A Scanner IP is a machine that accesses one or more services across one or more subnets monitored by Threat Intelligence Sensors. This way we prevent the mere possibility of scanning your network which is normally one of the first steps of an attacker while looking for easy targets. 


C&C IPs
A C&C IP is a machine that attackers connect to after breaching our Threat Intelligence Sensors. This way we prevent the attacker from communicating with its C&C servers which will ultimately cut the chain of attack.

These three types of IP addresses are grouped into three labels – Top Attackers, Top Scanners and Top C&C:

The Guardicore Threat Intelligence labels

Stopping Attackers at Bay

Updated daily, these IP blacklists are automatically fed into Centra to create rules to alert and block communications. We block incoming and outgoing connections to and from any port and process.

Threat Intelligence Firewall Block Policy Rules

Example of the TI FW block policy rules

The Threat Intelligence Firewall rules take precedence over standard Allow, Alert, and Block rules so they don’t conflict with any other security policies you may have in place. 

How do I know if a connection was blocked by the Threat Intelligence Firewall?

For any firewall blocked connection an incident is created. The Threat Intelligence Firewall incidents are located under Centra’s Policy Violations section and are tagged with the Threat Intelligence Firewall tag. But what does a Threat Intelligence Firewall incident mean? Well, it depends. Let’s distinguish between policy violation incidents that are generated by an inbound connection as opposed to an outbound connection. 

Inbound Connection Incident

If an inbound connection has been blocked, you shouldn’t be worried – you’ve been scanned by a compromised server. Check Guardicore Cyber Threat Intelligence to find out more about the attack you’ve just avoided. 

A policy violation incident generated by an inbound connection.

Outbound Connection Incident

An outbound connection to a malicious destination means that you’ve probably been hacked. In that case, you should find the source of the attack. Consult with Guardicore Labs security experts at labs@guardicore.com.

How to Get Guardicore Threat Intelligence Firewall

This feature is an enhancement offered to Guardicore customers upon request. If you are interested in this solution, contact our customer success team at support@guardicore.com. If you’re not yet a customer and interested in more information, contact us at labs@guardicore.com.

If You’re Benefiting from a Zero Trust Mentality for your Applications and Workloads, it’s Time to Think About your Users

According to the 2019 State of the Internet report, hackers made 30 billion attempts to attack businesses via successfully stolen credentials in 2018. Up to 2% of these attempts were successful. From just one entry point, the attackers were then able to make movements across an enterprise network, achieve fraudulent transactions, or take advantage of the business with malicious intent.

Once your organization has shored up its outer walls, and segmented the core applications that are business-critical, your people are your last line of defense. However, this doesn’t make this part of your security arsenal any less essential. As the Zero Trust eXtended framework says, “Most breaches are ultimately an inside job.” You don’t need an angry employee with an axe to grind, all you need is one instance of credential theft, and a flat network that’s easy to leverage for lateral movement within your data center.

Attacking this Head-on with your Zero Trust Model

A strong Zero Trust security strategy will include strict enforcement of user access, as well as authentication and monitoring of user behavior and movements, both within the data center and as users connect to the web. Governance of each user’s access and their privileges means that even if the worst happens and their credentials are successfully stolen, there is no way for an attacker to escalate this breach, or to make movements outside of what that specific user is entitled to access.

Think about an HR employee for example. An individual working in the HR team will need access to all the data and applications that are relevant to their role, and might also need permissions to certain financial systems for payroll, or applications that handle candidate information for on-boarding. However, they do not need extended access to anything outside of this, including other financial applications outside of their own purview, or further sensitive data connected to current employees such as medical information. In the same way as your workloads are isolated using micro-perimeters, your user access can follow suit, allowing each employee to access just what they need, and nothing further.

Features of a Strong Solution for User Identity that Leverages Zero Trust

Following the Forrester guidelines for a Zero Trust model, here’s how your security solution can check all the boxes for identity and access management, and achieve this high level of granularity and control. Whichever features you opt for, make sure that your solution can work seamlessly across any platform or infrastructure, and takes immediate effect on both active and new sessions of user activity. Without these two cornerstones, you’re starting from a place of blind spots and security gaps. With them, you’re well placed for success from the start.

  • Isolate user interactions: Using an Active Directory User Group, intelligent micro-segmentation can isolate user access exactly the way we described above, giving specific users access to certain servers and applications via specific ports and processes. This access control can be enforced between workloads in the same segment of the network, and even allows for simultaneous connections from the same server/Jumpbox.
  • Third party access management: User groups can support enforcing specific policies for each third-party connection, strengthening security where it’s weakest, while allowing the benefits of third-party integrations and partnerships. Define policies for the data center at large, as well as individual applications and workloads, providing access to just what each user needs – and no more.
  • Privileged identity management: Especially when it comes to administrative usage, this is an essential area for credential security. Admin/root access passwords are often left unchanged, and can be an open door for attackers to gain a foothold. When testing your network for weaknesses, it’s important to look at propagating using root passwords, as well as where attackers could move laterally from the initial breach.
  • Two-factor authentication: 2FA has become a baseline, heavily reducing the risk of credential compromise. If it isn’t already in place in your organization – it should be. If your managers worry that people will feel slowed down by this essential security tool, remind them of ordinary 2FA tasks that we all consider the norm, such as taking money out of an ATM with a bank card and a pin number. Soon, 2FA will be this equivalent for the workplace.
  • Web security: Phishing scams are becoming increasingly sophisticated and manipulative, and you can’t always rely on employee education to help users spot attacks ahead of time. Strong security solutions will include web security gateways that block user access ahead of time to any malicious websites.
  • User behavior analytics: You can learn a lot about the way your employees act from monitoring ‘business as usual,’ which can then help to build policy that learns from your real employees, and can alert you to anomalous actions. This could be anything from a login at an unusual time of day, to credential use when an employee should be on vacation.

Following the Zero Trust eXtended pillars is best-practice for protecting your network and its users from external and internal threats. This includes a Zero Trust model for more than just networks, applications and data alone. User Identity Access Management is a key part of your Zero Trust strategy, managing individual user access, simultaneous connections, and third-party access management. When done right, this can all be achieved from the same core technology that handles your application segmentation. This lessens the learning curve and streamlines your overall security posture with a truly holistic approach to Zero Trust.

Want to find out where your network stands when it comes to achieving a Zero Trust security strategy? Check out Infection Monkey: Zero Trust Edition, an open-source tool that can get you quick answers and recommendations in line with Forrester’s best-practices. And download our paper on how to get to zero trust implementation faster.

Read More

What’s New in Guardicore Centra Release 31

With release 31 we’re continuing to expand our firewall capabilities while making it even simpler for you to build and enforce a segmentation policy.

We’re doing this with features such as identity and FQDN policies. With Identity-based policies, security administrators can set granular, per-user access policies to applications. Domain name (FQDN) rules allow you to set policies based on the target domain name and save time and hassle on typing lists of ever-changing IP addresses. We’ve also integrated a first of its kind Threat Intelligence Firewall that automatically feeds into Centra daily updated blacklists of known bad actors to create rules that alert and block these communications.

In this release we are also shipping many customer requested features that were evaluated on the merit of improving operational efficiency, reducing policy creation time and taking Guardicore usability to higher levels.

Here are some of the highlights of the version:

User-based Rules

One key feature introduced in v31 is user-based rules. With this new firewall capability, customers can create rules based on Active Directory user groups to provide granular per-user access to applications. This allows you to control user access to data center and cloud resources. By linking your Active Directory to Centra, Centra is able to retrieve user information. Based on user membership in those Active Directory security groups, we allow users different access to different resources. This way you can make sure that users only access what they are entitled to. For example, this can help allow just the Billing users in your environment to access Billing resources and just the HR users to access their HR resources. No additional infrastructure is required.

FQDN Rules

You can now create policies that allow access to a specific domain by its domain name rather than its IP addresses. For example, when you want to allow a server to access windowsupdate.com, instead of typing its IP or its IP lists, you can simply refer to it by its domain name. For example, when you want to allow a server to only access github.com, instead of typing its IP or its IP derivatives (dev.github.com, community.github.com, etc.) you can simply refer to it by its domain name – github.com or *.github.com. Select *.github.com to support wildcards. The ability to type a domain name saves the time and hassle of collecting all the possible IPs and keeping track of their validity.

Threat Intelligence Firewall

Guardicore is offering a threat intelligence-based firewall to Centra SaaS users. This feature uses Guardicore’s threat intelligence sensors, distributed across major cloud providers worldwide, to create blacklists of verified malicious IP addresses. Updated daily, these IP blacklists are automatically fed into Centra to create rules to alert and block communications via malicious IP labels: top attackers, top scanners, and top CnC. To get this feature, contact Guardicore Customer Success at support@guardicore.com.

Extended support for legacy systems

Since most of our customer environments include end of life Unix, Windows and Linux that can no longer be patched and therefore pose a risk to the organization, Guardicore has expanded its operating system coverage for those legacy systems and applications. With version 31, the Guardicore Agent supports more legacy operating systems such as Redhat, Oracle and Centos 5, and has also extended its support to AIX which is a proprietary UNIX operating system commonly used by enterprise customers. Now we have the ability to extend our policy coverage to these OSes and reduce the risk they may pose.

While we listed the features that seem to be the most important, there are many more enhancements. Fthe full list of enhancements and capabilities, see the release notes that can be accessed from our customer portal.

Desktop Virtualization Journey Can be Safe and Sound

Show me an industry that isn’t increasing its usage of Desktop Virtualization (DV) and I’ll show you an industry that doesn’t exist. While different DV technologies are available, Virtual Desktop Infrastructure and Desktop-as-a-service are the clear choice, DaaS is essentially VDI hosted in the cloud. With VDI one deploys virtual desktops in her own on-premises data centers while DaaS takes the In-house IT burden and responsibilities to the cloud.

From Education and Healthcare, to Financial institutions and Governmental agencies, Remote application and DaaS is growing year on year. In fact, industry experts Gartner predict that by 2023 the combined number of on premises VDI users and cloud DaaS will grow by more than 50%.

Organizations are using different types of remote desktop technologies and solutions for a number of key reasons, including operational efficiency, improving their end-point compliance and remote access opportunities, enjoying the centralized management and security backups, as well as the end-user support supplied by market leaders such as Citrix. Newer deployment models provide a popular way to streamline costs, with no need to purchase software licenses, or individual workstations, items that can quickly add up. But what about keeping your data and applications secure? How does security measure up in a VDI environment?

When Shared Infrastructure Raises Risk

Traditional data centers allow for servers to be monitored for signs of threat, and isolated where necessary. However, in a VDI environment, you’ll often find that all servers and applications are on the same infrastructure, even end-user applications and those which need more security and control. Desktops are likely to be shared among a large number of users, perhaps only a step away from critical assets, applications, and data. As all of this takes place inside the data center, you’re not covered by traditional security solutions such as perimeter firewalls that only protect the entrance to your network.

An added element to consider is traffic inspection. Most end-user application traffic is encrypted using SSL or TLS, and compliance mandates require a high level of data privacy. At the same time, for security you need to have insight into traffic and communications.

For many organizations, these risks of VDI are too great. If just one VDI machine is compromised, the attacker can make movements elsewhere within the data center, and may well go undetected because of the complex environment.

User Identity Access Management and Application Segmentation: Two Solutions that Work in Tandem to Mitigate this Risk

Two powerful technologies can be used together to allow enterprise organizations to leverage VDI without worrying about security concerns. First, let’s look at User Identity Access Management.

This solution often comes hand in hand with a Zero Trust model, as the idea is that any user can only access what they need for their role or activity, and no more. Rather than simply rely on initial authentication, smart User Identity Access Management allows you to create policy based on the identity of the user that is logged in, even when multiple users are connected to the same system at the same time.

Identities can be pulled from the Active Directory, and policy will control both new sessions, and ones that are currently active. Even before a user has logged into an application, protection is in place.

active directory app protection

Now Couple Access Management with Application Segmentation

A micro-segmentation solution with granularity can create control over even the most complex environment, helping you to build out your infrastructure in a secure way that gives you peace of mind when using VDI, even defining policy based on a process, label, or other asset information.

For example, using application segmentation, you can ensure that all applications and users within the VDI environment are segmented away from specific business-critical or sensitive applications in the wider data center. You can also ring-fence the VDI environment so that no attackers can achieve lateral movement elsewhere, even in case of a breach.

application segmentation and VDI

Together, you now have a powerful, unbeatable solution. First, your user is limited to only the applications and servers they are allowed to access as mandated by your User Identity Access Management policy. Secondly, each user cannot move outside of their relevant environment, an added layer of defense, without added reliance on any specific network or location.

Reducing Complexity with Visibility

Still in fear of attacker dwell time? Make sure that your security solution comes with real-time visibility into all of your active VDI sessions and their connections. You should be able to see:

    • What specific users are doing, with identification
    • Which processes are currently running and for what purposes
    • How and where the processes are communicating
    • The exact flows that are being generated
    • Which specific applications are being used, and by whom

Another Zero Trust model mandate is to ‘Assume Access’. In this situation, when the assumed breach occurs, your IT team has accurate visibility into the source of the attack, and can see in seconds, (and without any physical or virtual taps) any lateral movement attempts from the original VDI environment to the main data center.

Lose the Fear of a VDI Environment

First, restrict the access from your VDI environment. Secondly, block access by user identity. In two steps, you’re done.

Guardicore Centra makes it simple to say yes to the benefits of a VDI environment. It integrates with Citrix Virtual Apps and Desktops, and Active Directory to reduce the attack surface and improve visibility, even when considering the complex security reality of Virtual Desktop Infrastructure.

3 Game-Changing Reasons to Deploy User Identity Access Management

Segmenting critical applications is nothing new. We’ve long since established the benefits of isolating sensitive data or essential assets in the enterprise data center, preventing potential breaches from escalating, and stopping lateral movement in its tracks. User Identity Access Management is the next essential layer of control, establishing with fine-grained policy exactly which users can access various applications in the first place, and how.

Here are our top three use cases, all of which are revolutionary for today’s enterprise data center.

Control User Access Anywhere

Many enterprises networks currently have broad permissions to business-critical systems, dangerously coarse controls that can be taken advantage of by attackers, or even manipulated with the help of human error. Not only is this bad practice for any enterprise security posture, but it also makes it increasingly difficult for organizations to remain compliant with the latest regulatory mandates.

In contrast, strong user access management policies allow specific users to be either given access or denied entry, with granular options such as permissions over specific servers, ports and processes.

Even in cases where your organization started out with a network design that allowed all users equal access, user access can be segmented to only the applications, servers and processes to which each individual user or group is entitled. Not only will your organization keep the infrastructure of a single data center, there will be no physical changes, downtime, or additional overhead as there would be with network segmentation projects, and you will be massively simplifying the road to compliance. Take PCI-DSS for example. With strong access management, you can ensure that only those users who are allowed to view cardholder data can physically access your CDE (Cardholder Data Environment).

Just as Guardicore Centra’s segmentation follows the workload rather than any particular underlying infrastructure, our User Identity Access Management follows the individual user, enforcing user governance across any environment, from legacy and bare-metal, physical desktops and laptops, to VDI and hybrid cloud platforms.

follow the user with identity access management

Manage Multiple Users, Even When Logged in at the Same Time to the Same System

Think about users who are connected to the same servers at the same time, but who have different access requirements. Perhaps one employee works for HR, and needs access to sensitive personnel files stored in HR management servers, while another works for the Finance team, and is working on an accounting application. They are both administrators, and are working within the same data center.

Without User Identity Access Management policies, the traditional way to secure their access would be with multiple jumpboxes, setting up one for each, with its own network connectivity. This gets expensive and complicated, fast.

A smart access management tool removes the complexity, and streamlines the route to secure user access, even for simultaneous logins to the same server. Each admin can connect from the same jumpbox, at the same time, and yet only have access to their own application, and be blocked from any applications outside of their purview.

user identity access management ame jumpbox no problem

Handle Third Party or Administrators Access 

It’s more important than ever to manage access for third-party vendors and partners, who may be connected to your network through SaaS, IoT devices, or as contractors working on your own systems. Third-party access management needs to be able to seamlessly handle and define user groups based on these examples and more. Traditional solutions that are based on IP addresses are complex to manage, especially when multiple users are logging on simultaneously to the same server. By using policy creation based on user-identity rather than IP, each user group can have its own policies defined for entry, giving specific access to every group or even individual user, and blocking them from moving any further. 

As there is no centralized firewall needed, and access is controlled at the endpoint, your organization can enforce control of users between workloads, even within the same segmented section on the network. Policies take effect immediately, for both new and active sessions, allowing you to act quickly and incisively in case of a security gap. 

Solving Three Problems with One Tool

In conjunction with the benefits of application segmentation, User Identity Access is an obvious step to enhance your data center security. Not only can you keep critical assets away from an attack, you can now enforce exactly who should be accessing these applications in the first place, wherever they reside. 

Want to read more about how micro-segmentation can enhance your data center security? Download our white paper on how to choose the right segmentation solution.

Read More