Posts

NSPM and Simplified Security and Governance for Hybrid Clouds – What does the Guardicore and AlgoSec Integration Mean for You?

Getting the most out of your network firewalls has never been a simple task for enterprise environments. As organizations increasingly move to the cloud and operations become more dynamic and complex, the requirements, and the stakes, are rising.

Over the years, I’ve seen improper management of firewalls open organizations up to various types of risk as a result of employee error and oversight. This can have varying consequences, from large-scale data breaches, to fines and penalties due to non-compliance. What do Network Security Policy Management (NSPM) vendors do to help, and is this technology enough on its own?

Learn more about how micro-segmentation helps you reduce risk.

Why do Companies Need Network Security Policy Management (NSPM)?

Inconsistent or inaccurate firewall policies impact the functionality of business applications, cause compliance gaps, and make an organization vulnerable to cyber attacks.

In response to these fears, Network Security Policy Management companies such as AlgoSec, one of the early pioneers of this category, were born. I have had many chances to work with AlgoSec and their team over the last 15 years and it is amazing to see how the product, and actually the market that they have created, is adapting as the IT landscape changes. More recently however, the rise in internal traffic moving East-West inside the data center has created a need for something more. Let’s look at what this means in practice.

Amplifying Firewall Complexity in the Hybrid Cloud, Data Center and Edge

When implemented well, NSPM provides visibility over complex traffic and communication, adds sophisticated automation capabilities for network firewall policies that are spread over multiple devices or locations, and eases compliance with various regulatory requirements for specific industry needs. Tight governance over your perimeter firewall works to keep North-South attacks that move in and out of the data center at bay. But when it comes to a hybrid data center, traditional perimeter firewalls do nothing to address this risk.

In a hybrid cloud data center, visibility and control become more of a struggle than ever. Some of the reasons why, include:

  • Different environments to consider, from on-premises to public or private clouds, each with evolving requirements.
  • The majority of traffic moving East-West, because of third-party vendors, employee devices, and increased exposure via the public cloud.
  • DevOps teams pushing for faster innovation and the deployment of new features via rapid application development.

The more complexity, the more risk, so the hybrid cloud ecosystem needs to be secure from the earliest possible stages.

Dedicated micro-segmentation solutions like Guardicore have risen to this challenge. With a smart segmentation solution, your organization can create access policies inside hybrid enterprise environments that leverage a zero-trust model. Enterprises tend to start with projects that bring quick time to value, such as ring fencing critical applications that hold the most sensitive data or systems.

As a smart, software-based segmentation vendor, we provide new and essential firewall capabilities, dynamic and flexible enough to meet any use case or scale. Of course, the perimeter firewall is still necessary, and needs concurrent and tight governance and control. Therefore, the best segmentation solutions that address hybrid cloud complexity will integrate seamlessly with best-of-breed NSPM solutions.

Simplifying Complexity with a Two-step Integration

According to Gartner, “Despite there being multiple network security vendors with centralized managers, network security teams are struggling to manage these multiple and multi-vendor policies and to have complete visibility across different environments. Maintaining continuous compliance is becoming a bigger challenge.”

A challenge that, here at Guardicore, we’re happy to meet. Guardicore Centra integrates easily with AlgoSec to make it simpler to manage governance and firewall rulesets across a hybrid enterprise environment. Guardicore customers can continue to use their existing perimeter firewalls for North-South traffic alongside Centra’s precise labeling and segmentation policies for managing and controlling all communications that move East-West.

The AlgoSec Policy Exporter integration with Guardicore can be used to export all labels and files from Guardicore Centra, converting them into two easy to manage CSV files, one for endpoint machines and another for rules. The security team now has these policies and labeling rules to forward to any other managed devices within the data center, consolidating existing policies and governance. This integration also provides your enterprise with full visibility of dynamic policies across the data center, even in hybrid environments.

No Firewall Left Behind: Adding Visibility and Control Across a Hybrid Ecosystem

Internal firewall management and control are essential in today’s hybrid cloud data centers, but they don’t negate the need for existing traditional perimeter firewalls. Managing this complex arrangement are NSPM industry leaders such as AlgoSec that can seamlessly visualize, automate and organize policies from multiple firewall vendors across the data center.

By using AlgoSec with Guardicore Centra, our customers have access to the simplest and strongest segmentation choice when managing East-West traffic without adding complexity to firewall management overall.

Want to learn more about segmenting East-West traffic for your hybrid cloud data center?

Download the White Paper here

How to Prove the Savings of Software-Defined Segmentation vs Legacy Firewalls

Many companies have discovered to their dismay that using firewalls to segment their networks is a complex, ineffective, and expensive process – especially when it comes to a hybrid cloud environment. In addition to the burdensome upfront cost of firewalls and hardware, there are the heavy downstream costs of project management, labor, maintenance, and prolonged asset exposure due to lengthy implementation times.

Guardicore Centra’s software-based segmentation enables enterprises to avoid those issues. Instead, organizations can reap the benefits of agile DevOps, rapid application deployment, and the cloud, delivering optimal security at a far lower total cost of ownership than traditional methods. Yet how can you prove the savings of software-defined segmentation – before you make the switch?

Evaluating the full cost of technology and people is essential when making important, effective decisions. This is particularly true with impactful projects like segmentation, which have long-lasting impact. That’s why we developed the Guardicore Firewall Cost Savings Calculator. The calculator lets you compare legacy firewall segmentation with software-defined segmentation and gain a comprehensive understanding of where the time and cost savings come from, using data that’s relevant to your own environment.

Why is segmentation so hard with legacy firewalls?

Let’s take a moment to understand why segmentation is difficult and pricey with traditional firewalls. Among the reasons for the high costs and challenges are the facts that:

  • There is little visibility with traditional firewalls. As a result, segment boundary identification can take many months.
  • Segmentation with legacy firewall appliances requires network changes (VLANS) and application changes that involves tremendous effort and costly downtime.
  • Applications are dynamic and change fast, and traditional firewalls simply do not have the flexibility to accommodate those kinds of agile changes.

Luckily, software-defined segmentation provides a significantly more cost-effective and efficient alternative.

Food retailer simplifies segmentation and controls access to critical applications

With Guardicore Centra, the HoneyBaked Ham company:
– Reduced upfront costs by 50%
– Secured 45 applications in six weeks
– Reduced total project cost by 85%

Guardicore makes segmentation more efficient

Guardicore’s software-based segmentation solution is independent of underlying infrastructure. It allows simple policy management with a single pane of glass, without relying on cumbersome network appliances.

Guardicore empowers customers to accelerate segmentation projects with:

  • Full visibility for fast segment identification
  • One solution across hybrid environments
  • No networking or application changes required
  • No application downtime required
  • Smooth integration into DevOps lifecycle with REST API

Wondering how that translates into hard data? That’s where the Firewall Cost Savings Calculator comes into play.

The Guardicore Firewall Cost Savings Calculator

The Guardicore Firewall Cost Savings Calculator was developed to quickly and easily demonstrate the extent of the savings businesses can get from using Guardicore’s software-based segmentation compared with a legacy firewall solution.

To use it, all you need to do is answer four simple questions:

  • How many unique segments are required in your environment?
  • On average, how many physical servers or virtual machines will be included in each segment?
  • To how many different locations do you expect to deploy your application?
  • Who is your firewall vendor?

Once the fields for these questions have been filled out, the calculator will automatically display the resulting savings. For a detailed breakdown of how the results were calculated, you can also read the white paper or, for a more personalized breakdown of savings you can gain in your business’ unique environment, request an individual analysis.

As one customer discovered:

“With Guardicore, we were not only able to secure 45 applications without interruption in just six weeks, we also got a more agile, cost-effective, and secure solution than our legacy firewall provider.”

~ David E. Stennett, Sr. Infrastructure Engineer, the HoneyBaked Ham Company

With Guardicore Centra, segmentation takes a mere 16 days, as opposed to 14-22 days with legacy firewalls.
With Guardicore Centra, segmentation takes a mere 16 days, as opposed to 14-22 weeks with legacy firewalls.

See the savings from software-defined segmentation

Ready to be amazed? Try the Guardicore Firewall Cost Savings Calculator for yourself and discover the time and cost savings your company could be getting by switching from traditional firewalls to software-defined segmentation.

Guardicore is AWS Outposts Service-ready, Supporting our Customers that are Moving Closer to The Edge with Hybrid Cloud Environments

Several months ago we announced our plans to support AWS Outposts. Guardicore’s VP Business Development Sharon Besser wrote, “I am excited to share the news that we will support AWS outposts just like any other part of the hybrid cloud. Together with AWS and their hardware partners we are looking forward to expanding the Guardicore ecosystem to additional areas of the ever-expanding cloud, securing customers wherever they might be.”

Learn More about Guardicore’s Solution for AWS Customers

Well, we always keep our promises, and I’m excited to be able to update you about our progress on a whole new frontier and beyond- the edge. Guardicore was among the first vendors to achieve the AWS Outposts service ready partner status, following the tests and certification process performed by the AWS Outposts team. We are now fully enabled and ready to secure our customers’ journey to the new hybrid cloud, including even more environments.

Great! What Can I Use AWS Outposts for?

AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications effectively as an on-premise data center using the same programming interfaces as in AWS Regions, while using local compute and storage resources. This supports applications that require lower latency and have local data processing needs.
The result? Near real-time responses to end-user applications, and the ability to communicate with other on-premises systems, such as controlling on-site equipment. Enterprises can also now securely manage data on-premises in places without an AWS region, and process data locally where utilizing the cloud would be inefficient or use unnecessary resources. AWS Outposts is another environment some of the most sophisticated customers are adopting, raising a need for increased coverage from a solution that addresses hybrid cloud security.

Here are 4 Industries that can Benefit from AWS Outposts

Healthcare: Hospitals are often in places where connectivity is at a premium. With AWS outposts, workloads that handle real-time patient diagnosis or medical imaging can be run on-premises, offering the quickest possible response time.
Manufacturing: Automated operations on factory floors can be managed on-premises via Outpost environments, helping manufacturers to streamline processes, improve productivity and benefit from innovation such as IIoT and data analytics to power real-time decision making.
Media: The incredibly fast response time that organizations can achieve when using AWS Outposts makes it perfect for media streaming and processing companies, where users expect perfect performance without buffering or delay.
Telecommunications: Moving storage and compute resources closer to the end user and their devices at the edge is what will power software-defined networking and network virtualization for mobile networks. In turn, this will allow them to take advantage of the new 5G economy, and the world of IoT.

What Changes for Enterprise Security?

In the AWS Outposts model, a full appliance comprising both hardware and software is delivered to the customer. AWS takes responsibility for supporting and maintaining the hardware and software and the customer provides the physical facility in which the system is hosted. Otherwise, AWS effectively runs the appliance as an extension of its central cloud service. This set up may cause security challenges for some customers by its very design.

Just like AWS Regions, the AWS “Shared Security Responsibility Model” applies to Outposts as well. Even though they are deployed on-premises, AWS is responsible for the hardware, and the customer is responsible for applications, data and operational security. Despite the servers being on-premises, only AWS have access, including any scheduling decisions for patching, updates, and version upgrades.

One important element to consider is compliance. Security certifications like SOC2 will not automatically apply on-premises as they would in the cloud. Customers must work with AWS and, potentially, with other auditors to certify their deployments.

Securing AWS Outposts involves using the same levels of visibility and control that we bring to any existing hybrid cloud ecosystem, expanded to cover this new environment. “We know the importance of helping customers and organizations more easily identify potential security risks in order to take action,” said Joshua Burgin, General Manager, AWS Outposts, Amazon Web Services, Inc. “With Guardicore Centra Security Platform available to customers on AWS Outposts, we are able to provide a comprehensive view of (a customer’s) security posture on their infrastructure, on AWS Outposts, and in AWS Regions both on-premises and in the cloud for a truly consistent hybrid experience.”

Read more about our partnership in our press release here.

Securing the New Hybrid Cloud

The fact that Guardicore has a certified solution and is a service ready provider for Outposts is no small announcement for us. We can already see how AWS Outposts is the beginning of a new type of hybrid cloud, one which leverages on-premises systems to take customers closer to the edge, providing faster speeds and better performance and security for end-users. Think about new service models from AWS like Wavelength or Local Zones, that are already building on the Outposts technology.
By ensuring that we are first out of the gate with the service-ready certification and prepared to help secure the variety of modern hybrid cloud environments that include AWS Outposts, we are sending a message to our customers. We’re secure across your entire hybrid ecosystem, and we’re ready for whatever is coming next.

Looking to learn more about protecting your workloads across a hybrid enterprise environment? Check out our white paper.

Read now

Securing VDI with Micro-segmentation for the Education Sector: A Classroom in the Cloud

I have 4 kids, and 3 are still school age. Like everyone else, they are now spending most of their time online, including their school time. Naturally, the following topic is close to my heart.

Schools and educational institutions offer an ‘X marks the spot’ for hackers looking to leverage sensitive and personally identifiable information (PII). For extended periods of time during a student’s progress from K-12, schools will store and manage varied information for both minors and their guardians, that includes addresses, healthcare records, aptitude assessments, payment information, and social security numbers.

A number of issues make security even more complex for stakeholders in school districts. They work across multiple campuses, have large and complex IT networks, often depend on legacy systems to store and manage critical data, and experience regular turnover of both students and staff.

In 2013, Lahiri, M. & Moseley, J.L. published a research paper, called “Migrating educational data and services to cloud computing”. Inside, they listed the different challenges for educational institutions that were migrating to the cloud. Out of the five challenges (control, performance, security, privacy and reliability), the security challenge is yet to be solved effectively by either the cloud providers or the educational systems.

Whether school districts are moving to the cloud to modernize their environments, or to address the current online learning challenges, a hybrid environment increases their exposure and risk. It’s not surprising that cybersecurity incidents against public K-12 schools tripled in 2019.

Getting on the Syllabus: Where Does Virtual Desktop Infrastructure Fit into Remote Classrooms?

The benefits of VDI in education are clear. Firstly, the technology provides a simple way for students to learn remotely and gain the access they need to course materials and lessons. Devices such as Chromebooks are a low-cost way for schools to level the technology playing field and offer their student body a streamlined learning experience.

In addition, for teachers, VDI is a flexible way to create learning spaces and computer-based assessments that can be accessed in any location, for any student with an internet connection regardless of the age or type of machine. This is an essential part of democratizing learning, and making shared spaces that are accessible to anyone, from any background or of any means.

In fact, VDI in the classroom is nothing new, and has even supported schools in addressing some important security issues, such as lessening the reliance on legacy systems or end of life machines. Of course, it needs to be implemented with its own security controls at the start, such as segmentation over user access and smart protection of critical applications. School districts like Madison City in Atlanta for example have been using virtual machines for almost a decade as part of a program to securely save on high hardware costs and upgrades.

According to Katrina Bowling, Technology Coordinator in Madison City for 9,000+ students and 1,000+ staff,

“VDI lets us replace old machines as they die a natural death, as opposed to being forced to do it because they are inadequate. It takes us out of the endless process of refreshing PCs. Before we deployed VDI, we were four years behind on our refresh schedule, and 3,500 PCs — more than 75 percent of our inventory — were more than five years old and incapable of being upgraded to run anything beyond Windows XP”.

However, this year, as students head back to school during COVID-19, VDI adoption is being rolled out faster than ever before, which may lead to school districts skipping vital security steps.

Citrix has highlighted “the urgency with which higher education institutions need to transition quickly from a traditional campus-based model to a remote-ready model and put in place a long-term digital learning strategy”. Whether students are heading back to the classroom this semester, continuing to study from home, or somewhere in between, VDI can support schools in being ready for anything. However, when schools are being trusted with the confidential data of minors, this should only be considered when districts have the right segmentation controls in place.

The Required Reading: Understanding the Security Risk of Learning from Home with VDI

Being ready to make the leap to VDI in response to COVID-19 means understanding the heightened need for segmentation and access control when using virtual machines, as opposed to when relying on traditional data centers.

When using VDI, your critical applications and sensitive data are sharing the same server as your end users. In the case of education, those end users are any students that are studying remotely, diverse in age and experience, as well as teachers that may be utilizing this kind of technology for the first time in their careers. You’re opening an environment that is designed to be shared by many users, unencumbered by a perimeter firewall, and in which the traffic is likely to be encrypted using SSL or TLS.

As your VDI is largely open, it only takes a single infected machine for an attacker to launch a threat against an entire network, making lateral moves to other machines, accessing administrative controls or critical and sensitive information.

VDI has great security capabilities, but it is missing the ability to restrict lateral movements and reduce the risk of using the shared server environment.

A Quick Study: Handling this Threat with Micro-segmentation

The cheat sheet for securely seeing the benefits of VDI for your school environment is centered around access control. It goes without saying that students shouldn’t have the same ability to move freely through a network as is given to the IT team, or that school administrators or bursars who handle financial or aptitude data should have different permissions than are provided to the math department or the gym teacher.

Here’s how an intelligent micro-segmentation choice makes it happen:

  1. Application segmentation: Enhance governance across your school district by ring fencing critical data or systems at the VM, application, or even process level. Visualize applications by role, or interaction.
  2. User identity access policies: Tightly manage data access by creating process level policies for specific users or groups, based on information pulled automatically from the Active Directory.
  3. Baked-in compliance controls: Show that you’re taking FERPA compliance seriously, and in case of a data breach, protect financial or medical information held under your institutional roof.
  4. Strong visualization: Being able to see across a hybrid environment is essential when you have a large distributed network. Rather than segmenting based on trial and error, gain visibility from day one.
  5. Integration with breach detection: Gain immediate insight when suspicious activity is detected, alongside information-rich alerts that show exactly where and how the incident occured.

Do the Math: Citrix +Guardicore = Secure VDI Environments for your District

Virtual Desktop Infrastructure through industry leading solutions such as Citrix Virtual Apps and Desktop is an intelligent route to a safe school year for K-12 around the world. It sets up students with virtual spaces to learn from anywhere, and provides teachers with the technology they need to support remote learning, touchless lessons, or a mix of home and school study.

However, safe also needs to include secure.

The FBI has announced its own fears that malicious actors will use VDI to launch attacks against educational facilities, and without an A+ segmentation strategy for using VDI, your school district and the schools within are left unprotected.

Guardicore Centra is certified as Citrix-ready, and successfully validated with the latest versions of Citrix Virtual Apps and Desktops. It can run on your environment on premises, in the cloud as well as for a hybrid model. As technology partners, the combination offers extremely quick time to value for school districts that need a fast turnaround on providing a new technology to their staff and students.

If you need support in shoring up your defenses ahead of time with a micro-segmentation solution that leaves nothing to chance, find us in the Citrix-ready Marketplace, and get in touch to discuss your specific requirements.

Want to know more about securing VDI with micro-segmentation?

Read our recent white paper

Or find out how one school district improved their PCI-DSS compliance posture with Guardicore in our case study.

FritzFrog: A New Generation of
Peer-to-Peer Botnets

Guardicore Labs uncovers a sophisticated, multifunctional P2P botnet written in Golang and targeting SSH servers.

An Affordable Approach for Reducing the Attack Surface of the Evolving Telecommunications Infrastructure

Telecommunications service providers are constantly launching new service offerings that require new infrastructures and cloud technologies. This requires managing the security posture in hybrid and complex environments, many times having to use different tools for each.

Guardicore has taken an entirely new approach that simplifies the challenge and makes the process significantly more effective. With Guardicore Centra, telecommunications service providers can segment their most important assets by focusing on three steps:

  • Visualize
  • Build
  • Enforce

Let’s look at each of these in-depth.

Visualize Telecommunications Infrastructure

Adonias Filho, Senior Sales Manager at Italtel, a leading telecommunications provider and Guardicore strategic partner, notes, “Segmentation is a need that has long been felt – but unfortunately never [previously] been achieved in an effective way. The micro-segmentation projects have been catastrophic, because it was not possible to segregate something if you don’t know exactly what it is.”

In other words, you can’t design an effective segmentation program if you don’t have complete visibility into application interdependencies and communication flows. Guardicore Centra rectifies that issue, making it quick and easy to visualize and secure on-premise and cloud workloads.

Adonias adds, “The main point Guardicore brings to this context is visibility. Starting out from visibility, one can propose rules for separation, segmentation, micro-segmentation, and nano-segmentation. With Guardicore, I was able to implement micro-segmentation rapidly and with stability – that is to say, without any problems.”

Centra collects and maps detailed information about application functionality, communication flows, and dependencies. These maps make it simple for security teams to assess potential for exposure and identify when assets have been compromised. They can also define expected behavior and identify areas where additional controls can be applied to reduce the attack surface.

Build Rules With Ease

Telecommunications service providers feel constant pressure from regulations and industry standards. In addition, they operate complex infrastructures. The two issues combine to create a challenging situation, wherein managing/enforcing security controls and reporting on risk across a diverse set of technologies on multiple platforms is resource intensive. Moreover, frequent reconfiguration needs can result in production downtime.

Because of these security challenges, telecommunications communities often end up with security gaps and broad attack surfaces. This leaves them vulnerable to illicit activities.

With a single click, Guardicore Centra generates automated rule suggestions and enables organizations to quickly build strong security policies. Intuitive workflows and a flexible policy engine allows for continuous policy refinement and reduces costly errors.

Enforce Consistent Security Controls

Guardicore Centra helps Telecommunications companies maintain consistent security controls, regardless of their underlying infrastructure. Leveraging software-based overlay segmentation technology enables telecommunications companies to achieve network segmentation in record time, with significant risk reduction across all types of infrastructure.

What’s more, Guardicore provides integrated breach detection and response capabilities, enabling businesses to see policy violations in the context of an active breach. Data exfiltration in particular – a threat which telecommunications services are vulnerable to due to the new infrastructure and technologies they support – requires the kind of protection that Guardicore provides.

All an attacker needs is an opening to a single network-connected resource in order to be able to move laterally across the network. At that point, they can access the entire infrastructure and destroy, ransom, or steal any data they want.

As Adonias comments, “Protection in data centers and clouds defends, at the origin, the companies that subcontract provider services. Why try to invade directly a large company, with its defenses up to speed, if there is an open door to it through a provider from whom it outsourced – for example its financial department?”

With Guardicore, organizations can contain this type of attack before it spreads across the company, keeping it from becoming a true disaster. Using Guardicore Centra, telecommunications providers have been able to dramatically shrink their attack surfaces across thousands of critical servers without service disruptions, significantly reducing risk and impact of security breaches.

Learn More About Protecting Telecommunications Infrastructures Today

Ready to learn more? Listen to our on-demand webinar, Simple and Fast Segmentation for Telecommunication Service Providers, to hear about:

  • Real-world security challenges facing Telecommunications CISOs, including:
    • Maintaining full visibility across all environments
    • Enforcing third-party access controls
    • Protecting 5G technology, cloud infrastructure, and legacy assets
  • How security and cloud infrastructure professionals can accelerate and simplify segmentation projects
  • Deutsche Telekom’s approach to segmentation and its enable of hyperscale in data centers and clouds

View the webinar.

What SANS Thinks About Guardicore’s Micro-Segmentation Solution

Gone are the days when perimeter security or traditional segmentation were all you needed to keep your crown jewels safe. As the speed of work and cloud integration increases, traditional security models no longer suffice. Instant visualization of your security posture with context is key. A software-defined segmentation will get you where you need to be in a faster, easier and in a more cost-effective manner. Moreover, it replaces other disparate, time-intensive segmentation methodologies with a single method that works across all environments seamlessly.

That’s where Guardicore Centra comes in.

It’s a no-brainer that we think our micro-segmentation solution is pretty awesome. What has been more exciting to see, is the enthusiasm with which analysts and customers have embraced our solution as well. In fact, SANS analyst Dave Shackleford recently ran Guardicore Centra through its paces, testing the product across a wide variety of environments. After pummeling it with attack scenarios and trying out all its features, he uncovered some interesting insights.

Read the SANS evaluation report: Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra

Guardicore Centra is Comprehensive

Guardicore Centra replaces multiple, arduous security methods with a single agnostic approach. Attempting to find a separate solution for each new platform, infrastructure, operating system, etc. – and every legacy one as well – doesn’t work. Instead, Guardicore provides visibility and a single point of management across it all, supplying a context-rich, unified view from a single pane of glass.

“Guardicore provides assurances that we are locking down the environment properly while validating that Azure is doing its job in a very efficient and effective way.”

~Michael Lamberg, Vice President and Chief Information Security Officer with Openlink

INDUSTRY

  • Software company

MAIN USE CASES

  • Software-Defined Segmentation
  • Visualization of application dependencies and entire enterprise environment
  • Secure hybrid cloud adoption
  • Accelerate troubleshooting, threat detection and response

FEATURES USED

  • Visibility
  • Segmentation
  • Threat detection and response

Read the full story here.

Guardicore Centra is Simple and Easy to Use

Many companies using traditional security methods have found it difficult to implement zero trust, particularly because it is challenging to view and map assets, their behaviors, and their local components. And of course, if you can’t do that, you can’t create logical policies – and therefore, you can’t create effective segmentation rules.

Guardicore Centra makes micro-segmentation simple. With unparalleled flexibility and visibility – real-time and historical – you can quickly and easily visualize your entire environment. Centra offers a wide variety of unique views per use case/user role and intuitive policies so you can implement ring-fencing, internal micro-segmentation, and more.

INDUSTRY

  • Utility Company

MAIN USE CASES

  • Centralized policy management for SCADA and other assets
  • Updated outdated and inefficient third-party access controls
  • Streamlined compliance for regulations and consistent audit management

RESULTS

  • Required only ½ full-time equivalent to run the solution
  • Fully segmented within a few weeks

With Centra, You Can Work At the Speed of Business

Imagine if you could visualize your infrastructure, create policies, and update those policies as needed in weeks, not months or years. With Guardicore, you can! That’s the beauty of not requiring underlying network or infrastructure changes. It’s a real game-changer.
INDUSTRY

  • International bank

MAIN USE CASES

  • Superior visibility
  • Flexible, fast labeling – no IP address or VLAN changes needed
  • Mapping and segmenting more than 10,000 servers

RESULTS

  • 10x acceleration of compliance
  • Zero downtime
  • Significant cost and risk reduction

Beyond Segmentation: Breach Detection, Response Capabilities

Many businesses start using Guardicore Centra for its segmentation capabilities. That said, they often discover soon thereafter that we offer a variety of additional invaluable capabilities that enable them to discover the origin of breaches and respond in hours instead of weeks.

For example, we support such features as:

  • Dynamic detection and response capabilities
  • Reputation and monitoring services
  • Threat and intelligence data

“Guardicore enables us to enhance our overall data center security strategy and help our IT security team to avoid today’s advanced threats.”

~ Marino Aguiar, CIO, Santander Brasil

Learn More About SANS and Guardicore Micro-Segmentation Today
Ready to learn more? Watch the webinar featuring SANS’ analyst Dave Shackleton and our own Dave Klein to find out the detailed SANS analysis and review, or download the Guardicore Centra review paper today.

The Minimum Viable Controls (MVC) to Secure IaaS and PaaS

The mass move to the cloud over the last few months has been good for digital transformation, but challenging for security. While many companies have successfully transitioned to a more remote-friendly environment, there is still a lack of clarity around the minimum viable controls (MVC) needed to secure IaaS and PaaS.

Speeding the Move to the Cloud

In “ancient” days – as in a couple of months ago – it was obvious that the adoption of public clouds was inevitable. However, it seemed that it would take some time until every organization had a significant presence there. Then came COVID-19.

Even during a disaster, there are winners. Many organizations followed Winston Churchill’s famous quote “don’t waste a good crisis” and accelerated their journey to the cloud on a mission to transform their IT environment.

It was great that they could speed the migration process. It was not so great that many did so without paying enough attention to security requirements and risk mitigation.

Understanding Cloud Security Requirements

According to Gartner analyst Tom Croll, enterprises trying to implement on-premises data center security processes and tools for the cloud are actually inhibiting cloud adoption, slowing their own progress and increasing risk. Using yesterday’s tools to protect today’s cloud infrastructure is risky and creates more damage than benefits. It will not get you the desired results and may even risk your organization.

IaaS and PaaS are provided by the Cloud Service Providers, which have to assure and secure the infrastructure of the cloud itself. We wrote a lot about it in the past, for example here and here. This “shared responsibility model” still leaves your data and critical application exposed and unprotected.

Luckily, modern security solutions – such as Guardicore Centra – are capable of providing the necessary controls required to protect the cloud. Micro-segmentation and zero trust network access (ZTNA) should be implemented when configuring cloud infrastructure, combined with strong IAM, robust encryption, and constant posture management.

The Five Most Important Security Controls You Need to Implement Today

Wondering how to put together an actionable plan for securing your infrastructure? Together with our ecosystem partner SecuPi, Guardicore has created a webinar sharing the five most important security controls that organizations should take in order to ensure that the IaaS and PaaS infrastructure they are using is secure and solid.

View the webinar today and you’ll be on your way to lowering risk and tightening security across your entire environment.

How to Do Micro-Segmentation the Right Way

The evolution of network segmentation and application segmentation has brought about the movement to micro-segmentation. Micro-segmentation adds flexibility and granularity to access control processes. This detail-oriented viewpoint is key, especially as businesses adopt cloud services and new deployment options like containers that make firewalls and other traditional perimeter security less relevant.

Infrastructure visualization plays an essential role in the development of a sound micro-segmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.

In case you didn’t catch it, the key phrase there was, “when it’s done well.” That’s important, because many businesses don’t know where to start.

What we often hear is:

“We want to better secure our infrastructure by defining tight security policies  – but where do we even start? How can we build policies at the application level for thousands of existing machines, each one developed and deployed by a different person?”

This confusion is understandable in today’s complex environments! Let’s dive into the details and gain some clarity into how to do micro-segmentation the right way.

What is Micro-Segmentation?

Using legacy tools like VLANs for separation is no longer enough in today’s network environments. Every machine – virtual or physical – in every location – cloud or not – must have incoming and outgoing traffic limits. Otherwise, bad actors can easily take advantage of loose policies to move undetected between machines.

Micro-segmentation is the central IT security best practice response to overly-permissive policies. Software-defined segmentation allows companies to apply workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. It is extremely effective at detecting and blocking lateral movement in data center, cloud, and hybrid-cloud environments.

Some solutions facilitate segmentation across physical and virtual data centers by doing distributed enforcement on all east-west traffic. Public cloud offerings also provide limited abilities, and other products fully integrate with these frameworks, moving existing firewall technologies into the data center.

Then there are solutions like Guardicore Centra, which was purpose-built to simplify micro-segmentation and increase agility, while simultaneously increasing security. Centra creates human-readable views of your complete infrastructure – from the data center to the cloud – with fast and intuitive workflows for segmentation policy creation.

So the technology is there, but the question of how to set these policies up remains. How can administrators tell the role of thousands of machines in their data center and decide which specific ports to open to what other machines?

The Old-Fashioned Way to Build Policies

This is how the usual process for building application-specific policies works:

  1. Discover a specific application and the machines it’s running on.
  2. Build security groups for each of the different application tiers (i.e., web/application/logging/DB servers).
  3. Define a tight policy between the different security groups, so only the ports necessary for the application’s proper functioning are open.
  4. Rinse and repeat.

This can be a long and burdensome process, especially without deep visibility into data centers – all the way down to the process level. Administrators and security teams are required to browse endless logs or chase app developers. Obviously, not the ideal way to do things.

A (tiny bit of a) typical firewall log. How easy is it to build a security policy using these?

How to Do Micro-Segmentation Right

Guardicore decided that there had to be a better way to simplify segmentation. That’s why we built a wonderful feature into Centra: Reveal. This feature enables teams to avoid the above-mentioned pain.

Guardicore Reveal provides a full visual map of the entire data center, all the way down to the process level. By using Reveal to focus on specific parts of the data center and identify relations between different servers, admins and security teams can easily discover the running applications, one by one.

A typical 3-tiered application. Note the process information which shows the underlying Tomcat->MongoDB traffic.

Process-level visibility allows users to do a number of things, including:

  • Identify servers with similar roles (which belong to the same tier).
  • Group them together.
  • Push the resulting security groups to a micro-segmentation framework.

The same application — grouped.

Once the users create policy rules tying the discovered applications and security groups, they can see these policies overlaid on Reveal’s visual map. This allows users to test, monitor and optimize their created policies.

Watch the video below to see how it works.

The Easy Way to Achieve First-Class Protection

Micro-segmentation is an essential building block for data center security. By using Guardicore Reveal along with the real-time threat detection provided by the Guardicore Centra platform, data centers can now do micro-segmentation the right way. The result: first class protection, without the hassle.

Why Micro-Segmentation Needs to be a Priority for Banks

Micro-segmentation allows financial institutions to achieve a number of key goals while protecting their crown jewels through a single, straightforward approach.

Financial institutions have a strong requirement for cost-savings through automation, resources optimization, and agile technologies. They need a solution that can increase security while also promoting operational efficiency.

Moreover, financial institutions have always been prime targets for crime. According to Forbes, cyberattacks cost financial institutions more to address than firms in any other industries. Given that remote and indirect transactions are the norm these days, attackers have even more opportunities to break through perimeter security. This further increases the risk of breach and the remediation costs.

How can banks use micro-segmentation to solve these issues? Let’s take a look.

What are the cyber-security challenges banks face?

Managing cyber security controls in financial services is a complex task. There are numerous drivers that make the work time-consuming and resource-heavy, such as:

  • There are country- and state-level cyber security requirements that need to be followed, not to mention vendor security mandates and various privacy regulations. Altogether, they impose a vast number of reporting and risk-management challenges.
  • Modern banking heavily relies on a large number of third-party applications, partners, and outsourcing vendors accessing the data center via a variety of access routes.
  • The evolving network infrastructure leaves organizations with a cloud technology and legacy systems mix, in a tangled environment that is hard to visualize, audit, and protect.

All those factors combined with a multitude of tools, users, and outside pressures makes financial institutions especially vulnerable to cybercrime.

Enabling digital transformation for better customer service and availability leads to even more ways for banks to be vulnerable to fraud and unauthorized transactions. Customers are well aware of these growing issues and want reassurance that their privacy and finances are protected.

“Customers are becoming increasingly aware of cybersecurity threats and they expect their banks and credit unions to secure and protect their private financial information.”
~ Credit Union Council (CUC), FS-ISAC, 2019

“Banks have validated this trend by reporting that losses due to operational disruption and losses in customer trust are more financially damaging than losses due to regulatory fines.”
~ Deloitte and FS-ISAC Cybersecurity Benchmarking Analysis, 2019

Four ways banks can benefit from micro-segmentation

The best way to address these challenges is to create a single pane of glass for security, with complete network traffic visibility and full isolation of the digital crown jewels. Using flexible, quickly deployed, and easy-to-understand micro-segmentation controls, financial institutions can protect their core assets simply and effectively.

In order to get the most from a micro-segmentation solution, there are four critical steps to take:

1. Simplify and accelerate regulatory compliance

To achieve this goal, start by mapping everything and isolating all compliance-related applications and systems. Granular visualization will help you understand how best to reduce the risk of breaches quickly and easily.

2. Protect your essential systems

Separate critical applications such as money transfers, payments, and customer applications from the general IT infrastructure.

3. Prevent unauthorized lateral movement

Properly isolate IoT and third-party access. In addition, manage access routes and terminate access at the target applications, preventing further movement within the data center.

4. Adopt Cloud, PaaS, and other emerging technology cost-effectively and securely

Use a single pane of glass for visibility and setting security policy across all infrastructures. In addition, be sure you enforce security via a unified set of tools.

How micro-segmentation works in real life

Need proof that the micro-segmentation approach works? Here is an example of a Guardicore customer – a US regional bank – which was able to produce vast improvements utilizing Guardicore Centra’s visualization and micro-segmentation capabilities.

This bank had a few initiatives in place:

  • Comply with the Fedline mandate to isolate any Fedline Service-connected application from general IT.
  • Ring-fence ten of their most critical applications to significantly reduce cyber risks and ensure business continuity in case of breach.
  • Limit third-party access to enforce Zero Trust access controls.
  • Make it possible to migrate applications securely to the cloud.
  • Maintain a single set of security controls across the entire hybrid infrastructure.

With a single security architect, over the course of two months, the customer was able to meet all of their goals beyond original expectations. Ultimately, they were able to:

  • Achieve granular east-west traffic visibility.
  • Ring-fence their business critical applications.
  • Restrict and properly route third-party access.
  • Map applications’ dependencies for seamless cloud migration.
  • Achieve full process automation with the DevOps integration.

Looking for more? Here’s what some of our other customers have to say:

“Guardicore enables us to enhance our overall data center security strategy and help our IT security team to avoid today’s advanced threats.”
~ Marino Aguiar, CIO, Santander Brasil

“Deutsche Bank is committed to the highest standards of security, and a high priority for us is implementing tight network segmentation in our on-premises and cloud environments. Guardicore gives us an effective way to protect our critical assets through segmentation.”
~ Alan Meirzon, Director, Chief Information Security Officer

Use micro-segmentation to protect your crown jewels today

With simple and easy to manage micro-segmentation controls, financial institutions can reduce attack surface and quickly detect breaches within the data center. Deep visibility into applications’ dependencies and traffic flows helps to enforce precise network and process-level policies that isolate critical applications and systems.

Don’t forget to look for a tool that provides complete security coverage for applications, regardless where they reside. After all, most financial institutions need to protect workloads that span across platforms and environments: on-premise, legacy and bare metal, VMs, containers, and public and private clouds (including Amazon Web Services, Microsoft Azure, Google Cloud and Oracle Cloud Infrastructures).

Want to delve into more details? Watch the Regional Banking Webinar and learn more about how Guardicore can help you today!