In his talk at the USENIX Enigma conference last year, the nation’s top hacker, Rob Joyce, chief of the U.S. National Security Agency’s cyber-warfare department, the Tailored Access Operations (TAO) unit, said the key to getting into any system is understanding the network better than those who built and run it.
Apparently, hackers do, since they’re able to roam around undetected for more than six months on average, according to Verizon’s latest count, making it clear that enterprises have to better understand the stacks and applications they’re running.
The enterprise security model is moving beyond the “hard, crunchy shell, with a gooey interior” with few controls inside, as Redpoint Ventures’ Lenny Pruss described it to The New Stack, yet the focus remains largely on prevention.
A SANS Institute report found access and authentication, advanced malware prevention and endpoint security to be the top three security spending priorities. Respondents ranked application security, cyber threat intelligence services, and security intelligence platforms lower in terms of spending priority and perceived effectiveness.
Security firm GuardiCore takes the position that perimeter will be breached — it’s not a matter of if, but when. Yet most organizations haven’t invested much on security inside, so they find it difficult to determine if they’ve been breached, according to Dave Burton, marketing vice president at GuardiCore.
“As applications are getting more spread out, data center and cloud environments are highly virtualized, and it’s harder for customers to keep track and control that internal traffic. It used to be a trust zone and it’s really not anymore,” he said. “We’re enabling customers to put those controls, the monitoring and detection capability onto their internal traffic.”
GuardiCore provides controls to segment traffic and applications with extreme granularity, increases visibility down to the process level and helps organizations detect and respond to breaches more quickly.
GuardiCore Centra Security Platform boils down to five vital capabilities, Burton explained:
- Visualization of all traffic flows, not just at the network level, but at the application level, providing visibility into which processes are communicating with whom and how.
- Ability to set and monitor micro-segmentation policies. It enables customers to set fine-grained controls between processes, not just between VMs or containers, to get a better handle on east-west traffic.
- Detection using three different methods: deception, in which suspicious actors are lured into isolated honeypot environments where their actions are monitored and analyzed; deviation from policy; and reputation analysis of suspicious domain names, IP addresses and file hashes within traffic flows.
- Automated analysis that provides a clear, concise report summary of real-time activity with detailed forensics behind it to make prioritization easier.
- Automated response to help clients quickly quarantine a VM or server if, for example, a self-propagating worm is present. It also provides recommendations on automating steps such as removing known bad files as part of an incident.
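As an added illustration, not GuardiCore’s own code, the following runs two of the detection methods from the list above (deviation from a process-level micro-segmentation policy, and reputation lookup of destination addresses) over constructed flow records; the workload labels, allow rules, flow fields and the bad-address range are all assumptions made for the example:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Flow:
    """One process-level flow record as an agent might report it (fields are assumed)."""
    src_host: str
    src_proc: str
    dst_host: str
    dst_proc: str
    dst_ip: str
    dst_port: int

# Workload labels and allow rules are constructed for illustration: a rule is
# (src_label, src_process, dst_label, dst_process, dst_port); anything else deviates.
LABELS = {"web-01": "web", "web-02": "web", "app-01": "app", "db-01": "db"}
ALLOW = {
    ("web", "nginx", "app", "gunicorn", 8000),
    ("app", "gunicorn", "db", "postgres", 5432),
}
# Constructed reputation feed of known-bad destination ranges (TEST-NET-3, a placeholder).
BAD_RANGES = [ip_network("203.0.113.0/24")]

def policy_allows(f: Flow) -> bool:
    """Deviation-from-policy check: the flow must match an allow rule at the process level."""
    rule = (LABELS.get(f.src_host), f.src_proc, LABELS.get(f.dst_host), f.dst_proc, f.dst_port)
    return rule in ALLOW

def bad_reputation(f: Flow) -> bool:
    """Reputation check of the destination address against the feed."""
    return any(ip_address(f.dst_ip) in net for net in BAD_RANGES)

def classify(flows) -> list:
    """Return (flow, reason) findings; reputation hits outrank policy deviations for triage."""
    findings = []
    for f in flows:
        if bad_reputation(f):
            findings.append((f, "reputation"))
        elif not policy_allows(f):
            findings.append((f, "policy-deviation"))
    return findings

# Constructed sample flows: two allowed by policy, one shell-to-database flow that
# deviates from policy, and one outbound connection to a bad-reputation address.
SAMPLE_FLOWS = [
    Flow("web-01", "nginx", "app-01", "gunicorn", "10.0.1.5", 8000),
    Flow("app-01", "gunicorn", "db-01", "postgres", "10.0.2.5", 5432),
    Flow("web-02", "bash", "db-01", "postgres", "10.0.2.5", 5432),
    Flow("app-01", "gunicorn", "external", "unknown", "203.0.113.7", 443),
]
```

`classify(SAMPLE_FLOWS)` returns two findings: the bash-to-postgres flow as a policy deviation and the outbound flow to 203.0.113.7 as a reputation hit; the two flows matching allow rules produce nothing.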
The company was founded in 2013 and has raised $33 million, including $20 million last summer from 83 North, Battery Ventures and Cisco. It has offices in Tel Aviv and San Francisco. Its customers include Schuberg Philis, a business technology company based in the Netherlands; Israeli wireless communications company Cellcom; and OpenLink, a risk management, operations and finance software company based in Massachusetts.
GuardiCore uses a lightweight agent to scan process-level activity and network events, then correlates the information and builds the visual map. From there, clients can drill down into individual applications and workloads using data not only from guest operating systems and hypervisors but also from orchestration tools to define groups and set policy.
The technology was designed to have little effect on performance, Burton said, because both analysis and deception activity are done outside of production, either as a SaaS offering or as a virtual appliance on-premises. Multiple analysis engines can run simultaneously since it was designed to scale to handle massive IT environments, he said.
It integrates with other security management tools and ticketing systems. Event and analysis data can be exported via Syslog and STIX.
Both deception technology and micro-segmentation are fast-growing segments of the security market. VMware is positioning its NSX networking product as a micro-segmentation tool. GuardiCore’s closest competitors include vArmour and Illumio, though Burton maintains its automated analysis and response sets it apart from them.
Originally focused on VMs, GuardiCore is also a Docker partner. It works in multi-vendor environments with partners including Cisco, VMware, OpenStack, Check Point and Red Hat, and supports the Microsoft Azure and Amazon Web Services public clouds.