Posts

What SANS Thinks About Guardicore’s Micro-Segmentation Solution

Gone are the days when perimeter security or traditional segmentation were all you needed to keep your crown jewels safe. As the speed of work and cloud integration increases, traditional security models no longer suffice. Instant visualization of your security posture with context is key. A software-defined segmentation will get you where you need to be in a faster, easier and in a more cost-effective manner. Moreover, it replaces other disparate, time-intensive segmentation methodologies with a single method that works across all environments seamlessly.

That’s where Guardicore Centra comes in.

It’s a no-brainer that we think our micro-segmentation solution is pretty awesome. What has been more exciting to see, is the enthusiasm with which analysts and customers have embraced our solution as well. In fact, SANS analyst Dave Shackleford recently ran Guardicore Centra through its paces, testing the product across a wide variety of environments. After pummeling it with attack scenarios and trying out all its features, he uncovered some interesting insights.

Read the SANS evaluation report: Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Centra

Guardicore Centra is Comprehensive

Guardicore Centra replaces multiple, arduous security methods with a single agnostic approach. Attempting to find a separate solution for each new platform, infrastructure, operating system, etc. – and every legacy one as well – doesn’t work. Instead, Guardicore provides visibility and a single point of management across it all, supplying a context-rich, unified view from a single pane of glass.

“Guardicore provides assurances that we are locking down the environment properly while validating that Azure is doing its job in a very efficient and effective way.”

~Michael Lamberg, Vice President and Chief Information Security Officer with Openlink

INDUSTRY

  • Software company

MAIN USE CASES

  • Software-Defined Segmentation
  • Visualization of application dependencies and entire enterprise environment
  • Secure hybrid cloud adoption
  • Accelerate troubleshooting, threat detection and response

FEATURES USED

  • Visibility
  • Segmentation
  • Threat detection and response

Read the full story here.

Guardicore Centra is Simple and Easy to Use

Many companies using traditional security methods have found it difficult to implement zero trust, particularly because it is challenging to view and map assets, their behaviors, and their local components. And of course, if you can’t do that, you can’t create logical policies – and therefore, you can’t create effective segmentation rules.

Guardicore Centra makes micro-segmentation simple. With unparalleled flexibility and visibility – real-time and historical – you can quickly and easily visualize your entire environment. Centra offers a wide variety of unique views per use case/user role and intuitive policies so you can implement ring-fencing, internal micro-segmentation, and more.

INDUSTRY

  • Utility Company

MAIN USE CASES

  • Centralized policy management for SCADA and other assets
  • Updated outdated and inefficient third-party access controls
  • Streamlined compliance for regulations and consistent audit management

RESULTS

  • Required only ½ full-time equivalent to run the solution
  • Fully segmented within a few weeks

With Centra, You Can Work At the Speed of Business

Imagine if you could visualize your infrastructure, create policies, and update those policies as needed in weeks, not months or years. With Guardicore, you can! That’s the beauty of not requiring underlying network or infrastructure changes. It’s a real game-changer.
INDUSTRY

  • International bank

MAIN USE CASES

  • Superior visibility
  • Flexible, fast labeling – no IP address or VLAN changes needed
  • Mapping and segmenting more than 10,000 servers

RESULTS

  • 10x acceleration of compliance
  • Zero downtime
  • Significant cost and risk reduction

Beyond Segmentation: Breach Detection, Response Capabilities

Many businesses start using Guardicore Centra for its segmentation capabilities. That said, they often discover soon thereafter that we offer a variety of additional invaluable capabilities that enable them to discover the origin of breaches and respond in hours instead of weeks.

For example, we support such features as:

  • Dynamic detection and response capabilities
  • Reputation and monitoring services
  • Threat and intelligence data

“Guardicore enables us to enhance our overall data center security strategy and help our IT security team to avoid today’s advanced threats.”

~ Marino Aguiar, CIO, Santander Brasil

Learn More About SANS and Guardicore Micro-Segmentation Today
Ready to learn more? Watch the webinar featuring SANS’ analyst Dave Shackleton and our own Dave Klein to find out the detailed SANS analysis and review, or download the Guardicore Centra review paper today.

The Minimum Viable Controls (MVC) to Secure IaaS and PaaS

The mass move to the cloud over the last few months has been good for digital transformation, but challenging for security. While many companies have successfully transitioned to a more remote-friendly environment, there is still a lack of clarity around the minimum viable controls (MVC) needed to secure IaaS and PaaS.

Speeding the Move to the Cloud

In “ancient” days – as in a couple of months ago – it was obvious that the adoption of public clouds was inevitable. However, it seemed that it would take some time until every organization had a significant presence there. Then came COVID-19.

Even during a disaster, there are winners. Many organizations followed Winston Churchill’s famous quote “don’t waste a good crisis” and accelerated their journey to the cloud on a mission to transform their IT environment.

It was great that they could speed the migration process. It was not so great that many did so without paying enough attention to security requirements and risk mitigation.

Understanding Cloud Security Requirements

According to Gartner analyst Tom Croll, enterprises trying to implement on-premises data center security processes and tools for the cloud are actually inhibiting cloud adoption, slowing their own progress and increasing risk. Using yesterday’s tools to protect today’s cloud infrastructure is risky and creates more damage than benefits. It will not get you the desired results and may even risk your organization.

IaaS and PaaS are provided by the Cloud Service Providers, which have to assure and secure the infrastructure of the cloud itself. We wrote a lot about it in the past, for example here and here. This “shared responsibility model” still leaves your data and critical application exposed and unprotected.

Luckily, modern security solutions – such as Guardicore Centra – are capable of providing the necessary controls required to protect the cloud. Micro-segmentation and zero trust network access (ZTNA) should be implemented when configuring cloud infrastructure, combined with strong IAM, robust encryption, and constant posture management.

The Five Most Important Security Controls You Need to Implement Today

Wondering how to put together an actionable plan for securing your infrastructure? Together with our ecosystem partner SecuPi, Guardicore has created a webinar sharing the five most important security controls that organizations should take in order to ensure that the IaaS and PaaS infrastructure they are using is secure and solid.

View the webinar today and you’ll be on your way to lowering risk and tightening security across your entire environment.

How to Do Micro-Segmentation the Right Way

The evolution of network segmentation and application segmentation has brought about the movement to micro-segmentation. Micro-segmentation adds flexibility and granularity to access control processes. This detail-oriented viewpoint is key, especially as businesses adopt cloud services and new deployment options like containers that make firewalls and other traditional perimeter security less relevant.

Infrastructure visualization plays an essential role in the development of a sound micro-segmentation strategy. When it’s done well, visualization makes both sanctioned and unsanctioned activity in the environment easier for IT teams to identify and understand.

In case you didn’t catch it, the key phrase there was, “when it’s done well.” That’s important, because many businesses don’t know where to start.

What we often hear is:

“We want to better secure our infrastructure by defining tight security policies  – but where do we even start? How can we build policies at the application level for thousands of existing machines, each one developed and deployed by a different person?”

This confusion is understandable in today’s complex environments! Let’s dive into the details and gain some clarity into how to do micro-segmentation the right way.

What is Micro-Segmentation?

Using legacy tools like VLANs for separation is no longer enough in today’s network environments. Every machine – virtual or physical – in every location – cloud or not – must have incoming and outgoing traffic limits. Otherwise, bad actors can easily take advantage of loose policies to move undetected between machines.

Micro-segmentation is the central IT security best practice response to overly-permissive policies. Software-defined segmentation allows companies to apply workload and process-level security controls to data center and cloud assets that have an explicit business purpose for communicating with each other. It is extremely effective at detecting and blocking lateral movement in data center, cloud, and hybrid-cloud environments.

Some solutions facilitate segmentation across physical and virtual data centers by doing distributed enforcement on all east-west traffic. Public cloud offerings also provide limited abilities, and other products fully integrate with these frameworks, moving existing firewall technologies into the data center.

Then there are solutions like Guardicore Centra, which was purpose-built to simplify micro-segmentation and increase agility, while simultaneously increasing security. Centra creates human-readable views of your complete infrastructure – from the data center to the cloud – with fast and intuitive workflows for segmentation policy creation.

So the technology is there, but the question of how to set these policies up remains. How can administrators tell the role of thousands of machines in their data center and decide which specific ports to open to what other machines?

The Old-Fashioned Way to Build Policies

This is how the usual process for building application-specific policies works:

  1. Discover a specific application and the machines it’s running on.
  2. Build security groups for each of the different application tiers (i.e., web/application/logging/DB servers).
  3. Define a tight policy between the different security groups, so only the ports necessary for the application’s proper functioning are open.
  4. Rinse and repeat.

This can be a long and burdensome process, especially without deep visibility into data centers – all the way down to the process level. Administrators and security teams are required to browse endless logs or chase app developers. Obviously, not the ideal way to do things.

A (tiny bit of a) typical firewall log. How easy is it to build a security policy using these?

How to Do Micro-Segmentation Right

Guardicore decided that there had to be a better way to simplify segmentation. That’s why we built a wonderful feature into Centra: Reveal. This feature enables teams to avoid the above-mentioned pain.

Guardicore Reveal provides a full visual map of the entire data center, all the way down to the process level. By using Reveal to focus on specific parts of the data center and identify relations between different servers, admins and security teams can easily discover the running applications, one by one.

A typical 3-tiered application. Note the process information which shows the underlying Tomcat->MongoDB traffic.

Process-level visibility allows users to do a number of things, including:

  • Identify servers with similar roles (which belong to the same tier).
  • Group them together.
  • Push the resulting security groups to a micro-segmentation framework.

The same application — grouped.

Once the users create policy rules tying the discovered applications and security groups, they can see these policies overlaid on Reveal’s visual map. This allows users to test, monitor and optimize their created policies.

Watch the video below to see how it works.

The Easy Way to Achieve First-Class Protection

Micro-segmentation is an essential building block for data center security. By using Guardicore Reveal along with the real-time threat detection provided by the Guardicore Centra platform, data centers can now do micro-segmentation the right way. The result: first class protection, without the hassle.

Why Micro-Segmentation Needs to be a Priority for Banks

Micro-segmentation allows financial institutions to achieve a number of key goals while protecting their crown jewels through a single, straightforward approach.

Financial institutions have a strong requirement for cost-savings through automation, resources optimization, and agile technologies. They need a solution that can increase security while also promoting operational efficiency.

Moreover, financial institutions have always been prime targets for crime. According to Forbes, cyberattacks cost financial institutions more to address than firms in any other industries. Given that remote and indirect transactions are the norm these days, attackers have even more opportunities to break through perimeter security. This further increases the risk of breach and the remediation costs.

How can banks use micro-segmentation to solve these issues? Let’s take a look.

What are the cyber-security challenges banks face?

Managing cyber security controls in financial services is a complex task. There are numerous drivers that make the work time-consuming and resource-heavy, such as:

  • There are country- and state-level cyber security requirements that need to be followed, not to mention vendor security mandates and various privacy regulations. Altogether, they impose a vast number of reporting and risk-management challenges.
  • Modern banking heavily relies on a large number of third-party applications, partners, and outsourcing vendors accessing the data center via a variety of access routes.
  • The evolving network infrastructure leaves organizations with a cloud technology and legacy systems mix, in a tangled environment that is hard to visualize, audit, and protect.

All those factors combined with a multitude of tools, users, and outside pressures makes financial institutions especially vulnerable to cybercrime.

Enabling digital transformation for better customer service and availability leads to even more ways for banks to be vulnerable to fraud and unauthorized transactions. Customers are well aware of these growing issues and want reassurance that their privacy and finances are protected.

“Customers are becoming increasingly aware of cybersecurity threats and they expect their banks and credit unions to secure and protect their private financial information.”
~ Credit Union Council (CUC), FS-ISAC, 2019

“Banks have validated this trend by reporting that losses due to operational disruption and losses in customer trust are more financially damaging than losses due to regulatory fines.”
~ Deloitte and FS-ISAC Cybersecurity Benchmarking Analysis, 2019

Four ways banks can benefit from micro-segmentation

The best way to address these challenges is to create a single pane of glass for security, with complete network traffic visibility and full isolation of the digital crown jewels. Using flexible, quickly deployed, and easy-to-understand micro-segmentation controls, financial institutions can protect their core assets simply and effectively.

In order to get the most from a micro-segmentation solution, there are four critical steps to take:

1. Simplify and accelerate regulatory compliance

To achieve this goal, start by mapping everything and isolating all compliance-related applications and systems. Granular visualization will help you understand how best to reduce the risk of breaches quickly and easily.

2. Protect your essential systems

Separate critical applications such as money transfers, payments, and customer applications from the general IT infrastructure.

3. Prevent unauthorized lateral movement

Properly isolate IoT and third-party access. In addition, manage access routes and terminate access at the target applications, preventing further movement within the data center.

4. Adopt Cloud, PaaS, and other emerging technology cost-effectively and securely

Use a single pane of glass for visibility and setting security policy across all infrastructures. In addition, be sure you enforce security via a unified set of tools.

How micro-segmentation works in real life

Need proof that the micro-segmentation approach works? Here is an example of a Guardicore customer – a US regional bank – which was able to produce vast improvements utilizing Guardicore Centra’s visualization and micro-segmentation capabilities.

This bank had a few initiatives in place:

  • Comply with the Fedline mandate to isolate any Fedline Service-connected application from general IT.
  • Ring-fence ten of their most critical applications to significantly reduce cyber risks and ensure business continuity in case of breach.
  • Limit third-party access to enforce Zero Trust access controls.
  • Make it possible to migrate applications securely to the cloud.
  • Maintain a single set of security controls across the entire hybrid infrastructure.

With a single security architect, over the course of two months, the customer was able to meet all of their goals beyond original expectations. Ultimately, they were able to:

  • Achieve granular east-west traffic visibility.
  • Ring-fence their business critical applications.
  • Restrict and properly route third-party access.
  • Map applications’ dependencies for seamless cloud migration.
  • Achieve full process automation with the DevOps integration.

Looking for more? Here’s what some of our other customers have to say:

“Guardicore enables us to enhance our overall data center security strategy and help our IT security team to avoid today’s advanced threats.”
~ Marino Aguiar, CIO, Santander Brasil

“Deutsche Bank is committed to the highest standards of security, and a high priority for us is implementing tight network segmentation in our on-premises and cloud environments. Guardicore gives us an effective way to protect our critical assets through segmentation.”
~ Alan Meirzon, Director, Chief Information Security Officer

Use micro-segmentation to protect your crown jewels today

With simple and easy to manage micro-segmentation controls, financial institutions can reduce attack surface and quickly detect breaches within the data center. Deep visibility into applications’ dependencies and traffic flows helps to enforce precise network and process-level policies that isolate critical applications and systems.

Don’t forget to look for a tool that provides complete security coverage for applications, regardless where they reside. After all, most financial institutions need to protect workloads that span across platforms and environments: on-premise, legacy and bare metal, VMs, containers, and public and private clouds (including Amazon Web Services, Microsoft Azure, Google Cloud and Oracle Cloud Infrastructures).

Want to delve into more details? Watch the Regional Banking Webinar and learn more about how Guardicore can help you today!


Securing the Edge with Micro-segmentation and NVIDIA EGX

In recent years, the “Edge” has taken on a vital role in cloud computing. The Edge represents the growing need to deliver a better cloud model that enables locations and methods to place workloads, compute, storage, applications and data closer to the point of action.

Cloud edge computing moves the processing closer to the user and IOT devices, where the data is generated and consumed. This solves the problem caused by these highly distributed edge sites, by minimizing latency, maximizing bandwidth, and performing computation and data compression right at the point of action. Edge computing even addresses compliance requirements which can vary between different states and countries.

The Edge is decentralizing the cloud itself and creating a better model to support emerging use cases like self-driving cars, augmented reality (AR) and virtual reality (VR), connected homes and offices, 5G and more.

Guardicore is excited to partner and work together with NVIDIA to leverage their high-performance, cloud-native NVIDIA EGX Edge AI platform to deliver AI, IoT and 5G-based services efficiently, powerfully, and securely.

  • There are many verticals that can benefit from Edge computing. Here are just two examples:
    Healthcare organizations can run machine learning and analytics models on their health management platforms, especially where low latency processing requirements dictate that they remain on-premises. When it’s time to retrieve data, this information is stored locally and therefore quick to retrieve.
  • Financial services are another vertical that can leverage edge computing to handle the real-time processing of data that must reside within the confines of local data requirements.

Decentralizing the cloud has many benefits, but it also creates and amplifies the security challenges that are already present in the cloud. The distributed cloud edge creates a larger attack surface, spread across diverse IOT technologies and multiple unprotected physical locations. This provides attackers more opportunities to penetrate the organization and achieve their malicious goals.

Edge-related security challenges are compounded by the accelerating pace of change of infrastructure and the more dynamic application deployment models required to support the Edge. (But this is a topic for a different blog post).

In other words, the security of the cloud, which has always been a top priority, is becoming even more important with Edge.

To address these unique challenges, security must be built into the edge to ensure quality and transparent operations across the entire extended organization: at the core data center, public cloud, and the Edge.

Ironing security into workloads, compute, storage, critical application, and data in any environment and any platform is considered a huge challenge.

Fortuitously micro-segmentation has recently become available, and when implemented correctly, addresses the security challenges inherent in the distributed and decentralized nature of the Edge. Gartner recently named micro-segmentation as one of their top 10 security initiatives. They cited micro-segmentation’s ability to reduce risk and protect the critical assets and information that matter most to the business.

Gartner also described micro-segmentation as being well suited for thwarting “the spread of data center attacks in both on-premises and cloud environments.”

Micro-segmentation is a granular way to create secure zones in data center and cloud deployments, allowing workload isolation and protection. Since legacy perimeter protection is painfully inadequate, micro-segmentation is an essential technology to implement a zero-trust security model. Furthermore, it provides both real-time and historical visibility to understand application dependencies and then easily create network and application security policies based on various business owner contexts.

The cloud killed the enterprise’s legacy perimeter and the Edge is killing the cloud’s perimeter, making micro-segmentation more important for securing the distributed, hybrid cloud that includes an Edge component.

Micro-segmentation, when well-executed, provides benefits at the earliest stages of deployment. Many enterprises start out with easily implemented and achievable projects that eliminate the most fundamental risks first. Whether separating development environments from production, isolating a compliance-driven infrastructure or series of applications from the non-compliant ones, or merely segmenting most critical applications first, these early-stage projects provide the enterprise with immediate value and measurable gains.

It’s important to select a micro-segmentation approach that works consistently across multiple cloud providers. By decoupling security from the cloud infrastructure provider, organizations can prevent vendor lock-in from driving costs up and avoid unnecessary complexity when mergers and acquisitions create mixed cloud environments.

Our solutions are able to address both the security and performance requirements by taking advantage of the advanced hardware capabilities of NVIDIA Mellanox BlueField and NVIDIA Mellanox ConnectX SmartNIC technology, which include dynamically reconfigurable firewall offloads in hardware, encryption offloads and the ASAP2 flow engine for virtual switching offloading. We are excited to see secure NVIDIA Mellanox ConnectX adapters being integrated into the new NVIDIA EGX Edge AI platform, and look forward to the benefits that secure, accelerated computing will bring to the edge.

Test Your ATT&CK Before the Attack With Guardicore Infection Monkey

Test Your ATT&CK Before the Attack With Guardicore Infection Monkey

What’s a 10? Pwning vCenter with
CVE-2020-3952

Guardicore Labs provides a full, detailed technical analysis of the latest vulnerability from VMware – CVE-2020-3952. The bug, which hit the maximal score of CVSS 10.0, allows a malicious actor to take over the complete vSphere infrastructure, with all its machines and servers.

The Vollgar Campaign: MS-SQL Servers Under Attack

Guardicore Labs uncovers an attack campaign that’s been under the radar for almost two years, breaching MS-SQL servers and infecting them with remote-access tools and cryptominers.

How to Stop Human and Computer Viruses In Their Tracks

Viruses of any type can spread frighteningly quickly. As we are seeing today with COVID-19, the impact that can have is both widespread and frightening. It’s especially difficult to stop the spread of viruses if you don’t already have the right structures and protocols in place.

While computer viruses don’t have life-changing effects, they can certainly have business-altering ones. Not only do they spread in similar ways to human viruses, but they also can be stopped by implementing similar measures to those we are using to halt the spread of coronavirus.

Test To Gain Visibility

Testing those people who evidence symptoms of a virus like COVID-19 gives you insight into the breadth, location, and volume of an outbreak. Similarly, gaining visibility into what is happening in your network environment enables you to manage your assets in general and to understand the what, where, and extent of issues when they occur.

Getting a clear view into what is happening on your network also empowers you to develop a fast and informed response. For instance, with NotPetya (targeted ransomware), those businesses that mapped all their SMB connections before they were compromised had a better chance of responding intelligently once they were under attack.

Quarantine / Segment

The more you can isolate infected people or applications, the faster you will be able to to limit the spread of any virus, including COVID-19. In cybersecurity, the equivalent of quarantine is segmentation.

Without a tool like Guardicore Centra, segmentation can be quite complex. Moreover, it’s difficult to implement once your systems are already infected. That’s where people who have already implemented Centra have the advantage: the better prepared a business is ahead of time, the faster a compromise can be halted.

Protect Vulnerable and Critical Resources

There is no doubt that some resources/people are more vulnerable to viruses’ effects than others. Those who have compromised immunity and the elderly in particular need to be careful.

In the cybersecurity world, the parallel is legacy systems, which can hold unknown vulnerabilities. They therefore need to be carefully protected (for instance, by ringfencing them), and, if possible, removed from any virus exposure.

Moreover, it makes sense to secure your critical resources with better protections as well. In the case of humans, this may include those running a company, medical personnel, or government officials. In the cybersecurity world there are also critical resources protecting your most sensitive data. With the right protocols in place, you can ensure their survival even under the most aggressive attack.

Using Guardicore Centra, you can quickly enforce policies when you need them, for swift protection of vulnerable and critical resources.

Implement Controls

Biological and computer viruses both often use known propagation methods. For example, viruses that attack humans often propagate through person-to-person contact. Therefore, sanitizers, hand washing, and no handshake policies are effective at slowing the spread.

Similarly, for NotPetya attacks, for instance, SMBs were the propagation paths and restricting SMB access to a bare minimum helped a lot. That’s why it’s key to be able to speedily apply the right type of policy at the right time, anywhere it’s needed. This will provide strong protections against current vulnerabilities as well as future attacks.

Use Common Sense

There really is nothing shocking about any of this advice. Most of it is common sense. Yet not every business (or person) follows these steps, and that’s when we all pay a price.

That said, if you apply these basic steps even when a virus isn’t active, you will be prepared to handle issues when they arise. Even during critical events, you will be prepared to swiftly deploy policies anywhere and keep your business – and communities – safe and running smoothly.

How To Protect Your Systems Against Critical SMB Vulnerabilities (CVE-2020-0796)

Microsoft has issued its latest set of cumulative updates for Windows for the month of March. There are a total of 117 vulnerabilities, 25 of which are rated critical.

One particular vulnerability stands out from the crowd: CVE-2020-0796. This is a critical vulnerability in the Server Message Block (SMB) protocol in new versions of Windows operating systems. This SMB vulnerability could cause a wide range of wormable attacks and potentially a new Eternal Blue. Without going into the gory details, a flaw in the new SMBv3 compression mechanism potentially allows an attacker to take down or take over a Windows system.

Potentially affected operating systems include:

  • Windows 10 Version 1903 for 32-bit Systems
  • Windows 10 Version 1903 for ARM64-based Systems
  • Windows 10 Version 1903 for x64-based Systems
  • Windows 10 Version 1909 for 32-bit Systems
  • Windows 10 Version 1909 for ARM64-based Systems
  • Windows 10 Version 1909 for x64-based Systems
  • Windows Server, version 1903 (Server Core installation)
  • Windows Server, version 1909 (Server Core installation)

Advisories on this CVE suggest patching your systems (which you should be doing regardless) as well as “Block TCP port 445 at the enterprise perimeter firewall,” which should be the case in any network. If you can’t patch your Windows system, you can manually disable the SMBv3 compression feature. That is the root of all evil in this case.

A powershell command to disable SMBv3 compression is:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

Why Are SMB Vulnerabilities Problematic?

SMB vulnerabilities are not more common than any other Windows vulnerability. The SMB protocol is amazingly useful, but also one of the easiest ways to move laterally in an organization’s data center. All an attacker needs to do is gain access to one system in order to spread across the whole data center. In fact, the WannaCry campaign and EternalBlue vulnerability are great examples of how an SMB vulnerability can have a wide and crippling impact on organizations worldwide.

The question that many ask is, “How do SMB vulnerabilities still happen if we patch and deny all the SMB traffic from external networks?” Moving from theory to reality, we know that not 100% of hosts get patches. In fact, most companies are still struggling with this basic task today. In addition, networks are complex animals that can’t simply be wrangled by placing a box in an arbitrary location.

Moreover, the main reason for widespread damage in most SMB-related incidents we’ve encountered is the fact that hosts within the network can freely move laterally on any port (and specifically on 445 AKA SMB). There is no real justification for allowing this type of behavior inside the network. SMB inside the network should usually only be allowed to communicate with the DC and, in some cases, dedicated file share and backup services. In most cases, servers shouldn’t be communicating with one another over SMB.

So why not just deny the SMB traffic? The answer is that it’s hard for organizations that rely on legacy technologies like gateway firewalls. These tools only enforce traffic going between network zones, not what’s inside.

How Can SMB Vulnerabilities Be Stopped?

One of the first things we recommend to our customers is to improve their network hygiene by implementing basic best practices policies. For example, you can allow only DC, backup, and files SMB traffic. The rest of the traffic should be blocked, regardless of VLANS or network topology. More explicitly, you should deny lateral SMB traffic.

Guardicore Centra helps prevent SMB vulnerabilities by providing a simple and fast way to create and apply policies across the network. These policies allow only legitimate SMB traffic, while blocking the rest of the lateral movement between the hosts.

For example, see how this screenshot demonstrates how only legitimate SMB traffic is allowed within the network:

And here, Centra blocks the rest of the 445 traffic:

Conclusion

A simple common protocol like SMB can pose a great risk to the datacenter. However the risk of SMB vulnerabilities can be easily mitigated with three rules. Simply apply segmentation policies using a tool like Guardicore Centra to prevent lateral SMB traffic inside the datacenter.

Contact us to learn how to reduce your attack surface and prevent lateral movement with fast and simple segmentation that works everywhere.

Additional Resources

  1. Preventing SMB traffic from lateral connections and entering or leaving the network
  2. CVE-2020-0796