Detect, Protect, Collaborate

We team with partners to provide better data center security. Check Point is a case in point.

GuardiCore, Mar 22, 2016

By Ofri Ziv, Guardicore Detection Group Manager

With today’s threats, collaboration is mandatory. GuardiCore believes it is important to integrate multiple solutions: to provide protection and, at the same time, strengthen our customers’ other defenses.

Earlier this month we announced that GuardiCore Centra™, our flagship product, has been integrated with the Check Point vSec Gateway to deliver our joint customers a coordinated solution for responding effectively to active and future data center breaches. We want to take this opportunity to explain how this integration works and show how it fits into our broader vision of data center remediation.

“Integrating Check Point vSec Virtual Gateways with IOCs generated by GuardiCore enhances our comprehensive security platform. Now, our customers can quickly detect breaches and block future attacks by securing virtual machines (VMs) and applications.”

Alon Kantor, Vice President, Business Development, Check Point

Centra™ observes different security incidents across the data center, collected by its deception and visibility engines. The security intelligence generated from these incidents is transformed into indicators of compromise (IoCs) that are fed into other security components.

Centra™ exports over 10 types of IoCs tailored to the threats detected in your operating environment. Our IoCs are not generic by any means; they match the threats detected in your environment. For instance, network IoCs exported to Check Point helped starve a trojan found in a data center by blocking its specific C&C domains and IPs in real time at the perimeter.

The drawing below shows the IoC data flow for a specific incident analyzed by the Guardicore Semantic Analysis Engine. Based on the attacker’s operations (e.g. network activity, tools, persistence techniques, etc.), the engine generates customized IoCs in the STIX™ format and exports them to different consumers, including the Check Point vSec Gateway, a SIEM server and the Guardicore Mitigation Engine.

A schematic security intelligence flow

A partial list of IoC types includes:

  • Network — IP or domain name of an attacker, C&C server, log server, etc.
  • VM — Compromised VM names in the data center
  • File — Malicious file SHA-256 used in current attacks across the data center
  • Service — Malicious operating system services created by attackers
  • User — User accounts added by attackers

So how do we integrate? We export our network IoCs directly to Check Point’s security management server over a secure channel, keeping its policy up to date with relevant information about the threats affecting the customer’s data center. Once our latest IoCs are uploaded, the Check Point security gateway’s policy is updated automatically.
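To make the export-and-block flow concrete, here is an added example (not Guardicore’s or Check Point’s code) that maps a constructed incident, shaped after the IoC types listed above, onto STIX 2.x-style indicator patterns and then checks a few constructed perimeter log lines against the network IoCs. The pattern syntax, the field names and the log format are assumptions; the post only states that IoCs are exported in STIX™ format.

```python
import ipaddress
import re

# Constructed incident, following the IoC types the post lists; not real Centra output.
INCIDENT = {
    "network": ["198.51.100.23", "cnc.example.invalid"],  # attacker / C&C endpoints
    "file": ["e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"],
    "service": ["svchost_update"],                        # service created for persistence
    "user": ["backup_admin2"],                            # account added by the attacker
}

# Constructed key=value perimeter log lines, not from any real gateway.
LOG_LINES = [
    "ts=2016-03-22T10:00:01Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "ts=2016-03-22T10:00:02Z src=10.0.0.7 dst=203.0.113.9 dport=80 action=allow",
    "ts=2016-03-22T10:00:03Z src=10.0.0.5 dns=cnc.example.invalid action=allow",
]

def stix_pattern(ioc_type, value):
    """Map one IoC to a STIX 2.x-style indicator pattern (assumed syntax, not Centra's exporter)."""
    if ioc_type == "network":
        try:
            ipaddress.ip_address(value)          # raises ValueError for a domain name
            return f"[ipv4-addr:value = '{value}']"
        except ValueError:
            return f"[domain-name:value = '{value}']"
    if ioc_type == "file":
        return f"[file:hashes.'SHA-256' = '{value}']"
    if ioc_type == "service":
        return f"[process:extensions.'windows-service-ext'.service_name = '{value}']"
    return f"[user-account:account_login = '{value}']"

def build_indicators(incident):
    """One indicator per IoC; only network IoCs are routed to the perimeter gateway consumer."""
    return [
        {"type": "indicator", "ioc_type": t, "pattern": stix_pattern(t, v),
         "consumer": "gateway" if t == "network" else "mitigation-engine"}
        for t, values in incident.items() for v in values
    ]

KV = re.compile(r"(\w+)=(\S+)")

def match_perimeter_logs(incident, log_lines):
    """Return log lines whose dst or dns field hits a network IoC (a detection check, not a block)."""
    network = set(incident["network"])
    hits = []
    for line in log_lines:
        fields = dict(KV.findall(line))
        if fields.get("dst") in network or fields.get("dns") in network:
            hits.append(line)
    return hits
```

Running `match_perimeter_logs(INCIDENT, LOG_LINES)` flags the two lines that reach the constructed C&C endpoints; the other three indicator types stay with the mitigation engine, as the post describes.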

Guardicore IoCs in Check Point’s SmartDashboard

Providing data center remediation. Our advanced breach detection technology is an important first step in a much larger data center security vision. Our solution not only detects attackers but also responds to breaches and remediates the data center in real time. Along these lines, a dropper detected by Centra™ that installed malware will automatically be removed from the data center along with everything it brought with it, including every file and persistence method it used. Our mitigation engine searches for the specific attack IoCs across the data center and cleans them from any infected disk, service list, registry, etc.

Sharing GuardiCore’s intelligence with the security products around us is a natural step toward achieving this vision. Sounds interesting? If you think we can complement your security offering, email me at ofri@guardicore.com.
