Listen to our latest podcast episode on "Akamai Guardicore Segmentation (AGS) with Christian Samuel" to learn how to protect your business from cyber threats!
Hosted by Max Clark, Founder of ITBroker.com, and featuring Christian Samuel, the Channel Sales Engineering Manager for North America at Akamai, this episode provides valuable insights on how Akamai Guardicore Segmentation works. With a mix of agent-based sensors, network-based data collectors, and virtual private cloud flow logs, this security solution maps your network and helps you create policies to reduce your attack surface.
Don't miss out on this informative episode! Tune in now and take the first step in securing your business from cyber threats with Akamai Guardicore Segmentation.
Max:00:00
Hear all these crazy things. You look back and you go through these, like, root analysis and stuff. You're like, oh, we had a Wi Fi enabled light bulb that was compromised and was used as a source vector or, like, what was the other one that was crazy? It was, like, an espresso maker. The espresso maker was compromised.Max:00:16
And I think gone are the days of, like, the really easy ones where it's like, oh, our HVAC contractor was hacked, and they had network access into our stores. And they use that to get on to our POS terminals and collect 50,000,000 credit cards. Right? Like, they're like, okay. That was pretty bad.
Max:00:32
But then you're like, oh, our coffee machine was hacked and got access to our network. And then, you know, like, where's coffee machine in your threat vector analysis? Right? So, Christian, thank you for doing this with me today. We've had a couple of exciting things trying to get to the schedule between the 2 of us.
Max:01:00
You were actually with GardaCore before Akamai's acquisition. So you've been around this product and service for a long time, and now you have a fancy title of a manager of sales engineering for the Gardicore line. So it means that I can ask you all of the nonsensical technical questions I want, and you'll be able to tell me all everything I wanna know. Right? That's the goal, Max.
Max:01:20
Hopefully, you're able to ask me
Christian:01:21
the questions that I am well versed in.
Max:01:25
So starting off, what is GardaCore and and why? I mean, like, let's start at
Christian:01:30
the top. Sure. Garda Core is a data center and cloud security solution. That's really what it is. There's many different aspects to the one flagship software.
Christian:01:40
It's Garda Core Centra is the core. There's no other product. And this actually came about from Gardacore way back in 2015 because Gardacore initially started off as a deception company. If you're familiar with that, it's like honeypot technology. You've got an attacker that comes in.
Christian:01:56
They say, hey, I wanna be able to do some stuff. They're able to detect that and redirect them out of the environment and they had their honeypots. Right? So the attacker thinks they are attacking your environment when in reality they're not. And then when they realized that they could control that behavior, that's when they started getting into and they saw the need for segmentation.
Christian:02:16
So that's where they pivoted to and they went into segmentation, micro segmentation, and controlling that. So micro segmentation has become a one
Max:02:27
of my favorite marketing tech terms. Everybody now is microsegmentation. What is microsegmentation? Like, what is it actually doing when we talk about putting microsegmentation in place?
Christian:02:37
Yeah. I mean, segmentation is the logical division of workloads in the data center to prevent lateral movement in the event of a ransomware attack and also enforce least privilege for access
Max:02:49
to those workloads. Okay. So, normally, you would control access to an application with a firewall. And so we talk about firewall. We're talking about users here and then a firewall and then an application.
Max:03:00
So what you're talking about is really when you say lateral movement, we're talking about this east west Yeah.
Christian:03:05
There's 2 types of firewalls. Right? You'll typically have your perimeter firewalls. Right? That's gonna be the north south.
Christian:03:10
Right? That's the Internet ingress and egress. But where we sit in the data center and we control that east west traffic. K. So I'm gonna go to 2 places with this one, but let's do the first one.
Christian:03:20
Why would you wanna do this? Well, I mean, if you think about let's just use a shipbuilding analogy, the way back in the day when you used to build a ship. Right? The hulls were wide open. So when the hulls were wide open, if you got a breach in the hull, what would happen to the ship?
Christian:03:34
It would sink. Well, currently, today, how they build the ship, so that way, in case they do have a breach in the hull, they can kind of seal it off and then only the damage is basically gone in there. So that's really the easiest way I can throw, like, a parallel out there on on how and what segmentation really is. You do the same thing with your network. Right?
Christian:03:53
Typically, the only way that they had to do segmentation was VLANs. Right? VLANs were just the easiest thing to do. Right? Separate one area from another.
Christian:04:03
They tried doing it with firewalls, But the problem with that is there's many things that you're missing, such as visibility. Right? How do you know exactly which systems are talking to each other? So the challenge is that if you did that and you made a change to the firewall and it was wrong, you could disrupt a business system to the point where if that business system runs on a database or something like that,
Max:04:31
if that goes down and certain applications can't access that, then you have a problem. So let's go back 20 years. I'm going through a PCI audit with the company I'm working for, and one of the audio recommendations that they wanted us to do was put a firewall in between the web server and the application servers and then another firewall between the application servers and the database servers. And the intention behind this firewall was to prevent traffic flowing between these two things that was unrestricted. And the question I asked the auditor that I never had an answer on is somebody hacks my application servers out as a firewall protect our environment at that point?
Max:05:04
Because a firewall is gonna have a rule. This point, we're rerunning Oracle. Right? It's gonna have a rule that says allow Oracle access from the application server. And we ended up not deploying firewalls because it made no sense for application architecture.
Max:05:16
But we talk about least trusted application environments and segmentation. How does the I'll use a terminology like segmentation controller, like the brain behind this platform actually then detect what is supposed to be traffic flowing between different application servers and the data center and stuff that shouldn't be flowing. What's that heuristic? Sure. So what happens is when an agent is deployed, we have visibility all the way down to the process layer.
Max:05:46
Right? So layer 7, whereas your typical firewalls typically only see the layer 4. Right? Source, destination, port, protocol. When you get down to
Christian:05:55
the layer 7 and you get to the process level visibility using your example, if there was a piece of malware that spun up, right, that was going from your web server to your database server, that firewall is still gonna let that through because it's, again, it's layer 4. If you're able to use the process level visibility, you can detect which process is running and you can say only this process from the database server can access the web server over a specific port talking to another process over there. So, in the event of malware spinning up, that process, it can spin up. That's fine. But we've defined only the other process can go over that port and protocol over there.
Christian:06:43
And that's the true definition in my head of micro segmentation, really all the way down
Max:06:47
to that process layer. Linux introduced an extension to the kernel, I mean, again, probably 15, 20 years ago to do this on a process level within the Linux kernel itself. And you could get pretty granular and, like, what processes could run, what could open ports, what could access files, what directories could be accessed. And it's an absolute nightmare. Oops.
Max:07:06
Basically, if we have to encounter anybody, myself included, that doesn't, like, disable this as just a default. Like, the first thing you do, you deploy your Linux box and you say, don't disable this nonsense so I don't have to deal with this. Because when you forget, then inevitably, something doesn't work right.
Christian:07:19
Are you talking about the SE Linux? Are you talking about the SE Lex? Yeah. The dreaded SE Linux.
Max:07:23
My good old friend that's burned me more than once.
Christian:07:26
He is the one
Max:07:27
I'm in. So I mean, it's great conceptually. Right? But it's in practice, it's painful. And so if you're gonna install an agent on everything running inside of environment and then turn it on to, say, restrict traffic between point a and point b, I immediately go to SE Linux again of being, like, FSIS, not just, like, all of a sudden, whoops, we've just disabled all of our infrastructure for being able to talk to each other.
Max:07:51
So our agent actually works independently of the Linux IP tables. Right? So that's, first of all, that's a competitive advantage for us. Our competitors can only they leverage the native host firewall.
Christian:08:04
So they can only get down to layer 4 in Linux. So that's a competitive advantage for us. We can get down to layer 7. I actually have done POCs where we had to install the agent when SELinux was enabled. And because our agent also sits down in the kernel layer and we are a certified rel and suse module, we are a shim that goes into that and we work alongside of Linux.
Christian:08:29
So we're still able to control that network socket because that's what we're really doing at the end
Max:08:34
of the day. We're controlling that network socket either allowing or not allowing it to open up. Can you walk me through let's just start with, like, requirements and then go into prep and then deployment, implementation, initial training, you know, like, what this process really looks like for somebody from start to finish. Yeah. So even if we start
Christian:08:56
in the way back, typically, what'll happen is and it'll be are you talking about the whole entire sales cycle?
Max:09:00
Yeah. Let's go soup to nuts here.
Christian:09:02
Love it. So what typically will happen is either an inside call will make a customer cold call, whatnot, or you've got the regular salesperson. They're making calls, and they say, hey. Have you heard the news? Right?
Christian:09:14
Have you heard about, you know, what are you doing about segmentation? How are you protecting your environment? The salesperson will end up going ahead and having a 30 minute discovery call. A sales engineer typically is not on there, but they'll have a discovery call, kinda get an understanding of what is needed to be done. Typically, right after that, we will have a 1 hour demo based off of the requirements and the discovery that the salesperson didn't.
Christian:09:37
Maybe the sales engineer is on there. We have a demo, get in-depth, they understand, they're like, yep, this is exactly what we need, these are the conditions that we're trying to solve, these are the use cases. And so from that demo, then we will say, okay. Let's set up a POC. All of our POCs have been free at the time that I was there before I moved in.
Christian:09:54
Then what we would do is we'd set up a quick call. Right? A 30 minute call with the technical people that says, let's really truly understand the use cases, what you're trying to solve. And their homework is to go back and say, hey, we wanna have at least 2 or 3 tiered applications that we're gonna secure. That's really what we're gonna.
Christian:10:12
We're gonna secure these applications. And then we create a test plan. The test plan will get brought back. We said we customize it for that customer or the prospect. They go.
Christian:10:21
They sign off on it. They give us the names of their servers and then we start the PLC. Then that typically is a it's a 2 hour engagement to where we deploy the software, configure the software, get the agents deployed. Right? And then once that happens, then we just let the system sit for about, say, a week.
Christian:10:39
That collects the network traffic, the network flow. We understand that. And then we come back, and then we start executing the test plan. Right? And we typically try to keep these within, like, a 30 day window.
Christian:10:51
I will brag my fastest POC to closing is 8 days. Okay? This is fast moving. They had a ransomware attack, and we showed them exactly how easy it was to prevent lateral movement in there. And so yeah.
Christian:11:03
So typically, they will go ahead and if we close the deal, when we close the deal, our professional services team will have an engagement with them. They will lay out the agent deployment. We have this concept of labeling, which we can get into later. But, they will go through all of the preliminary things that the customer will do in order to prepare for the actual massive global deployment. Then our professional services team works with the customer in one of 2 ways, a joint operation or a turnkey operation.
Christian:11:36
A joint operation would be, hey, mister customer, or you have a you have 10 use cases and those use cases could be separate my prod from dev. I want you to ring fence or secure these 10 applications. And so those are use cases. So what the professional services team was, they will do one use case, then the customer will do one. Then they kinda go back and forth in their training and customer so they can be self sufficient.
Christian:11:59
Right? Teach that person to fish. Or it ends up becoming a turnkey operation where our professional services team deploys, does everything, all the use cases, and then once that's done, then it moves into our customer success team for care and feeding and whatnot.
Max:12:15
What's driving this with customers? I mean, is this a response to an event like ransomware? Is this a compliance driven thing? I mean, security, I asked that because security in most budgets is a line item expense. It's not necessarily like this isn't viewed as, like, a revenue enabler or growth engine.
Max:12:31
Right? It's, oh, we've gotta do this thing because something happened or somebody's forcing us to do it kinda response. So what drives micro segmentation with your customers and what are you seeing with that?
Christian:12:41
Yep. Typically, it's to reduce cost, right, because if you have systems that go down because of an attack, it's gonna cost them a lot more money to try to recover from that attack. Compliance is another big issue. They wanna be able to be either PCI or SWIFT or GDPR. They wanna be able to not fail that audit again.
Christian:13:00
And then the overused words are the 0 trust initiative. Right? So if you look at the 3 pillars of 0 trust, and this is Forrester's definition. Right? You wanna be able to remove the implicit trust.
Christian:13:12
Right? So all entities are untrusted until they're trusted. 2nd, you want to ensure least privilege. So that would mean, hey. Mary from finance can only access the finance application from her workload, her device, her workstation.
Christian:13:27
And then, finally, you need to have that comprehensive security monitoring. So those are the typical drivers, but more importantly, it's as you're well aware, the world is full of ransomware attacks. And before back in the day, the response that we used to get was, it's okay. We've got insurance. It'll cover that in the event of attack.
Christian:13:47
Well, these insurance companies saw Colonial Pipeline. They saw the meat suppliers that are getting just crushed, and it cost the insurance companies a boatload of money to fund the recovery. Well, they got wise and they figured it out and they said, okay. Well, in order for us to insure you, and these are the verbiage right now paraphrases, please don't a 100% quote me, but really what it states is you must have a solution in place to prevent lateral movement in the event of a ransomware attack or you must have segmentation in place in order to show control between segments in your environment. And so there was a couple of factors there, but at the end of the day, that the insurance has really started to drive business now.
Max:14:34
So CTNA, I mean, I compartmentalize this in my brain as you have ZTNA, which is a client focused architecture. Right? There's somebody running on the client device that's authenticating and providing access into the application behind it. And Akamai has a product specifically for this with the bundles usually with your secure Internet product, with your remote access product. And then you have segmentation, which is really about infrastructure in a data center or running your applications.
Max:15:00
Has Akamai married these 2 together? I mean, can you extend the segmentation and lateral access within GardaCore as well as remote access when you start talking about ZTNAities control planes
Christian:15:12
combined? So the ultimate forward thinking goal is to have one agent that supports all of the Akamai products when it comes to the ESG, which is Enterprise Security Group. Right? That will be the GardaCore or Akamai segmentation agent. They have enterprise application access, secure Internet access, and then they have web application firewall.
Christian:15:36
I think that's really the components that comprise that the ESG group. Right? So they're disconnected, but there's some overlap to each. Right? Because we leverage the enterprise access, the application access, to get into whatever application that they're using, and then we cascade that down and to say, oh, okay.
Christian:15:54
We know who you are. You've got into this application. But in order for you to get there, you have to have the right policy rules or the right access rules within Centra to get to that application. So it's kinda like
Max:16:04
a dual factor type of thing. So other segmentation products are extending to include support within the actual network itself. So segmentation running on the actual host with an application as well as then push it into the network stack and switch the routers to actually enforce policy. And what I'm hearing you say with GuardantCore is that's different where it's a network agnostic deployment and really an agent that's gonna run on the values host and on the actual application server itself to then make decisions of what's happening, what can and cannot transpire. So that makes you network agnostic, but then also deployment agnostic in a bigger sense.
Max:16:37
Am I understanding this correct? That's 100% correct. We are literally an overlay. Right? Just to kinda set
Christian:16:41
the record straight, it's if you have existing firewalls within your data center, they are transparent to us when we look at our map. We won't see the switches. We won't see the routers, but what we will be able to do is determine if there's a problem, we'll be able to determine who done it. Right? If we have an allow rule and your firewall or switch has a block rule for whatever reason, we're gonna see that.
Christian:17:06
We're gonna see, hey, we attempted to contact this server, but it failed. We allowed it. So now that allows them to go back and look at their network switches and routers for troubleshooting and whatnot.
Max:17:17
But I mean, this doesn't replace the fire I mean, you still there's no plans for segmentation to replace the firewall. I mean, you still need a firewall for your NATPAP roles. I mean, you're still providing, like, high level ACL access coming through north south through firewall. I mean, now WAF makes it a little more blurry, and we've got this idea of, like, cloud federated firewalls. It makes it a little more blurry.
Max:17:36
Right? But, like like, this isn't a talk about taking segmentation and replacing that firewall function. Or is that a discussion? So the answer is, in the future, we're hoping to be able to replace both the north south, but
Christian:17:48
the east west for sure. Right? Because if you think about and we can focus on the east west because that's where we sit. We sit inside the data center. We'll go back.
Christian:17:58
Your initial statement of, you're not gonna replace the inbound and outbound. You're correct. The perimeter firewalls, those will typically stay. Right? For now.
Christian:18:06
Where we were able to replace the east west firewalls is when they see just how easy it is to configure the software because the agents are, like you said, they're network agnostic, they're platform agnostic because they can be installed on bare metal, virtual, in the cloud. It doesn't matter. But more importantly, and this actually is a good segue, we are going to be beating up on and taking advantage of the supply chain issue. If you think about a firewall, a hardware firewall in your data center, you have to refresh it. Right?
Christian:18:38
So what's happening now is they're looking to replace their firewall. They have a refresh probe. Well, guess what? You're not gonna be able to get it for at least 12 to 18 months. Right?
Christian:18:46
So it's a long time for you to get that. So if you have the ability to replace your hardware firewalls in the data center control that east west traffic with a software based segmentation, it's just an easy switch.
Max:18:59
Let's talk about host deployment. And you mentioned different Linux distros. So what are supported from I don't know what the proper terminology here is with Guardicore, but I'll just use host OS. So what host OSs are supported? What environments are
Christian:19:11
you pushing us into? There's a list above this line. We have all of the Windows operating systems going all the way back to server 2,000 Windows 19. Okay. We go all the way back to RHEL 4 AS 400.
Christian:19:24
So we go all the way back, and hands down, we have the broadest operating system coverage out of any of the vendors that are out there.
Max:19:31
So what about the different virtualization and container platforms? I mean, are you is this something where, you know, if you're running VMware or Citrix or Hyper V, is it running an agent inside of the actual virtualized instance, or are you running this on the hypervisor itself and then controlling what's going on with the virtualization? It's on
Christian:19:50
the host OS only. Okay. We don't yeah. There are other competitors that get into the network traffic and get down into the virtualization instance. No.
Christian:19:58
We do only the host OS right now and support for Kubernetes. Okay.
Max:20:03
So Kubernetes is included. Yes. So that covers your containers. Are you doing I mean, there's a there's so many different container platforms coming out. Rancher has gotten really popular.
Max:20:10
I mean, Docker itself. I mean, we'll see more and more and more of that. How does this apply into large public cloud platforms If people are running AWS or GCP or Azure, and, of course, that's either gonna be I mean, we we could talk about, like, the actual cloud based managed services, but then you have cloud compute instances and then cloud container instances. I mean, is this something that will extend up into a public cloud
Christian:20:33
as well? That's absolutely correct. Yeah. We actually support the EC 2 or EC 3 nodes up in Azure and AWS. A lot of times we get the question, hey.
Christian:20:42
Do you guys replace security groups or those types of things? And that's actually no. We work alongside that same thing kinda like when you have an existing firewall. They have existing security groups up there that's managing access. We work alongside that.
Christian:20:55
And when they actually see how much easier it is to manage in one UI, they end up removing a lot of times the security groups because they already see how we can control it easier. And that's the thing, they end up doing a slow phase out of the native security controls within either the cloud or on prem within the firewall themselves. Right? Because we can pull the firewall rules out. We can evaluate that.
Christian:21:21
But they end up doing a little bit of a switch over because they're like, oh, this is easy. We don't need this. This is easy. This and then there's finally, like, that switch over that's purely just software based.
Max:21:29
Let's talk about management of this. I mean, so you've gotta deploy all the agents to all of your hosts. Those agents are talking to is this, Akamai's cloud, or is this software that's being installed on the premise or in the customer's environment?
Christian:21:43
Yep. So there's 3 components to the architecture. You've got the management server that sits up at the top and, as of right now, that resides in Google Cloud as a separate instance per customer. So security wise, it's gonna be there. Right?
Christian:21:57
The next component is what we call the aggregator slash orchestration server. 1 typically sits on prem in the customer's environment. Okay? And then, we have the agent. The agents themselves get deployed and all of the agents talk to the aggregator slash orchestration server.
Christian:22:15
This orchestration server, the aggregator, is got a couple of functions. It takes all of the network logs from all of the agents. It dedupes the information, compresses it, and then sends it up to the management server for post processing. It's also designed for when we create the policies, the management server pushes it down to the orchestration server and then down to the agents. That orchestration server is also designed to connect in with your active directory to pull in the security groups.
Christian:22:42
It's also designed to integrate with your SIEM. Right? Because we integrate with we have a Splunk app, ArcSight, LogRhythm, insert SIEM here. And then finally, we also integrate with your your vCenter, right, because we can pull in contextual information from vCenter, and that way that can be displayed on the screen.
Max:22:59
Is the aggregation server, is it a critical path? I mean, if it goes down, do the agents still work and apply rule set, or are they checking and touching the orchestration system saying, hey. How about this traffic? Is it allowed or denied? Like, what's that?
Christian:23:09
And that's a question that we get all the time. If the aggregator server goes down, I want you to think about group policy. If you take your computer and you disconnect from the network, your group policy and your computer is still gonna be enforced. Same exact thing. Aggregator goes down.
Christian:23:22
Agent still has the policy local encrypted. It's gonna look locally for us. It's gonna say, hey, I got this policy. They're gonna continue to enforce. All of the other agents are going to be aware of their rules.
Christian:23:33
So when the connection comes in, they'll see that. They're gonna say, okay. Once the aggregator comes up back online, store and forward goes in and then gets brought back up.
Max:23:41
So when you go through deployment, right, and you talk about it from, like, a technical standpoint of I mean, so you're gonna create your management instance. You're gonna create your orchestrator aggregator instance. You're going to deploy the actual agent on whatever host you're gonna deploy on. Is there, like, a learning period where you say you're gonna deploy these things out into an environment? You're gonna watch an application for a while and say, oh, this is what this application is actually doing.
Max:24:01
Maybe you you did or did not know, like, this was happening and, like, then you're gonna select and say, okay. This is good. This is good. I don't know what this is. Block it.
Max:24:09
This is good block. I mean, is that a deployment approach in this, or is it more like you just say, hey. We're gonna create, like, a firewall set, which is we know that only these ports from these places should be connected to and just only allow that and block everything else.
Christian:24:21
Yeah. And it's the previous one. Right? So if you remember back when I talked about the POC, we configure everything, deploy the aggregator, configure it, get the agents going, then we let that sit for a week. Well, that's for a POC.
Christian:24:32
But when it's deployed, it's the same thing. Right? Get your agents deployed. Let it start collecting the network traffic. We have a wizard based machine learning process of identifying, hey, I wanna secure this application.
Christian:24:47
And, again, that machine learning knows all of the inbound and outbound connections. Okay? And what it does is it puts everything in learning mode or alert mode. So there's gonna be 2 rules down the bottom that's in alert that says, hey. If I get a new connection in, alert me on it.
Christian:25:03
So what happens is these applications, they go through a learning process when it comes to a point and they keep refining the rule set. They say, yep. This is the backup server. We need that connection inbound, and we're gonna continue to refine the rule set to a point where all known inbound and outbound connections have been made, then you go from alert to block. And this is how we prevent disrupting these business systems.
Christian:25:29
We're gonna see the traffic, we're gonna see all the connections, and then once we have a full understanding we say, okay, Now we're gonna go into block mode, true enforcement mode. And that's really the measurement of our professional services team. It's when do we get to enforcement? That's really the measure for them to understand.
Max:25:47
So one of the use cases you gave was ransomware. Right? And let's go back to kind of my rude example of or crude example of, hey, the application server needs to talk to the database. I mean and in a business application, a corporate network, or a data center environment, I mean, it's there's a lot more than just that going on. Right?
Max:26:04
If something got into a box. Right? What was a big one that happened recently? I mean, Log 4 j is still happening. Right?
Max:26:11
Where, you know, you have an application running, the application's accessible, there is a vulnerability in the application, then you have access to the application server. So they get into the application server. At that point, that application server has rules allowing it to talk to different things. What is GardaCore doing or looking for to say this is valid and this is invalid traffic? We talk a little bit about process, but, like, let's here's the opportunity to really get into the weeds here.
Max:26:38
Like, what else is this doing for a customer environment?
Christian:26:41
Sure. So the first couple of things that we have within Sentra is what we call our threat intelligence firewall. This is built into the product, and what it does is it goes out and it searches for the top command and control, the top block list denies. There's 3 of them that have built into the threat intelligence firewall. And what that does is that list gets updated daily.
Christian:27:02
So we will be able to block specific known threats from ever even executing. That's something that we're gonna do with our built in firewall. Second thing that we have is we have reputation analysis that goes in that says, hey. A process just spun up. We can determine we can go out and determine whether or not the process is malware or not.
Christian:27:23
If it's malware, we're gonna give you an incident, then you can do some further investigation from there. Let's take the Log 4 j example. A lot of times, they had customers that were altered with version 1 dot 10 and version, whatever, 2 dot 10. The patched version for Log 4J, I think, is 2 dot 16. Built into our product, we have what we call Gardacore Insight.
Christian:27:45
Gardacore Insight is based off of the well known OS query, which is developed by Facebook. Right? And what it does is it's baked into our agent, which is competitive differentiator for us. No other competitor out there has OS query built into it. And what it does is it allows us to query the agent which is on the host operating system for anything.
Christian:28:07
So what we were able to do when Log 4 j came out, we had our GardaCore hunt team. They've determined that, hey, we have a problem here. We've got a vulnerability. You can write a SQL query because that's what OS query is. It's SQL based.
Christian:28:20
You go down and you can take a look and say find all of my affected systems that have Log 4J installed that's less than version 2 dot 16. When you do that, you can apply rules that quarantine them, those servers, from either inbound or outbound access. Then the server administrators come in on top of that, They're allowed to apply the patch and then return them to service very quickly.
Max:28:49
Log 4 j was a fascinating exercise in whack a mole where I mean, first off, it turns out that Log 4 j is just in everything. Like, everything runs Log 4 j. It was wild. Like, I had clients go out and, oh, we patched all of our applications running Log 4 j. And then, you go through and you do a a scan against it, you're like and they're like, oh my god.
Max:29:09
It just was everywhere. And the other thing that was crazy about Log 4 j was patches are being released. And as patches are being released, release patch is vulnerable as well. And so we saw, like I mean, I don't even remember the count of, like, just rolling, like, multiple times per day updates against environments just trying to patch Log 4 j as new exploits were coming out and being detected. Now you just said something that was very interesting to me, which is, effectively, you're telling me that in addition to doing segmentation, you've included vulnerability scanning into this application that just comes along with it.
Max:29:42
And that's really interesting because a lot of times, trying to have vulnerability scanning and some sort of agent analysis, I mean, that's separate software. Are you guys are you taking this and putting this against your threat intel and then and giving, like, a composite CVV scores? And can a security team or an IT team actually look at that and say, hey. We've got this software running that maybe isn't I mean, how deep into the MBS space does this actually go in functionality?
Christian:30:07
So I know you use the term to vulnerability scanner. I'd like to switch and say it's a multifaceted way that we can query the agent for anything. Do you have the latest patches installed? Is EDR installed? Because if EDR isn't installed, well, guess what?
Christian:30:21
You can have specific access to the network. Look for critical vulnerabilities such as SolarWinds, the Log 4j's. The big thing that's coming up now, there's 274 SQL tables that we can query the agent for based off of your operating system. Right? So you've got Apple that has 1, Linux has another, and you got your Mac, Apple, and then Linux.
Christian:30:40
So one of the things that's coming up lately is certificates that's installed on the host operating system. And when does it expire? So it's not I don't wanna pigeonhole that into a vulnerability scanner, but what it can do is it can look for vulnerabilities, whatever that is, the SMB v one or the print nightmare or bits or something like that. It can look for those things to identify, do I need to apply patches? And that's the strength of having the agent on all of your workloads.
Christian:31:08
That way, you don't have to play whack a mole with, hey. I thought I got all of them. Well, you didn't. Right? Because they're still, like you said, they're everywhere, so you have to go to way more places than just the apparent or the known applications that you think that you have at it.
Max:31:24
Would Guardicore be installed, I mean, in its current form on a client desk on a desktop? You know, you say Apple. I mean, not very many people running Apple servers anymore.
Christian:31:32
Like, we're It would be macOS. Right? I guess, I'll specify and clarify that it's just it's macOS only right now. Right? But yeah.
Christian:31:40
So to to answer your question, we complement your EDR solution. We do get the question, oh, so you're in EDR. No, we're not. The crowd strikes, they have their own space, they do their own thing and whatnot. We're working on integrations with these EDR companies.
Christian:31:55
Right? If you think about if all EDRs were perfect and equal on the workstation, if you think about where most breaches happen, starts off with a phishing email from a workstation desktop and whatnot, then it starts to go and it tries to move laterally. Right? Yep. Because we control that network socket on those workstations, we can write and this was a a a use case for a large, health care manufacturer.
Christian:32:20
They wanted to block all endpoint to endpoint communication. That was it. On top of their EDR. Right? So John should never have to talk to Max's computer ever.
Christian:32:32
Right? But then, we have the ability to say block it across all of the endpoints, but then allow the help desk and system administrators access from specific computers to endpoints over RDP and SSH.
Max:32:47
So we gotta come up with a new terminology here because microsegmentation doesn't answer what Guardicore is doing. And, also, I'm glad I'm having this conversation because my understanding was this was a server focused deployment, not an environment focused deployment. And what you've just told me is fascinating to me because it's server and workstation, so it's everything. Mhmm. And, yeah, it's not MVS.
Max:33:11
It's not vulnerability scanning. You're doing, like it's more like asset scanning and inventory tracking of what's actually running and then applying threat intelligence on top of that. Right? Correct. Like and again,
Christian:33:20
I don't know, like, how this is gonna work, but it's similar. It's Tanium ish. I don't like to bring out the competitors because they're really not a competitor because we're trying to work with them. But it's if you're familiar with Tanium, it's Tanium ish.
Max:33:31
So I think that's what you're kinda describing and but, yeah, that's exactly right. We have the ability to query the operating system for anything. Right? So we touched on this before, but I'm gonna go back to it. Does Guardicore include a remote access component today, or is that on a road map?
Max:33:48
Because thinking about the modern enterprise environment, right, everything at this point is basically remote access assumption. Right? So, like, ZTNA of the construct is nothing's trusted. Anything could be anywhere. And, of course, most ZTNA gets implemented with some sort of VPN technology to actually authenticate.
Max:34:02
And then, I mean, say you have a VPN technology, then you've got a policy rules engine, and then you end up with, based on whatever criteria, the ability to actually pass traffic up and down. So with a agent running on a workstation operating system talking to an application sitting on a server operating system, we'll just use those terms, the only piece that's missing if the workstation is not physically connected to the server, right, is just whatever that access layer is.
Christian:34:30
Yep. And so this is where the other Akamai products come in. Right? So first of all, if we look at Gardacore, the segmentation piece, we have roaming profiles that can detect whether or not we're on the corporate network or we are remote. Right?
Christian:34:42
But the other part of that is leveraging Akamai's multifactor authentication, their enterprise application access, that gives us the ability to secure when you're remote and that's part of that holistic approach that now that we're part of Akamai, it really helps us out and really completes that part. It's just the power
Max:35:03
of just having everything on one platform. Right? I mean, there's a lot of really good ZTNA platforms in the market. I mean, there's some really good ZTNA platforms in the market with phenomenal policy engines, with good ability to query host OS and look for criteria in order to build policy and entitlements out from that and to actually bridge and make that remote connection into whatever the application is. But they don't give you the ability to do operating system scanning or application scanning at scale.
Max:35:32
Like, you can't use them to say, is there a threat? And there's no segmentation going on within the actual server side or the application side either of what traffic is lateral. Just it's a it just gives you what it is. Zero trust network access. So remote connectivity into whatever your platform is.
Max:35:50
Interesting. Okay. So now you work with all the SIMs. Yep. So then let's talk about something weird happens.
Max:35:56
I'm gonna put weird into 2 categories. 1st category of weird is something's trying to do something that is hitting a block rule. I mean, this is just streaming, like, noise into a SIM saying because, I mean, you connect something to the Internet. What's the first thing that happens? Like, within a millisecond, it's being scanned by something.
Max:36:14
Right? Yep. So is there something that's aggregating and looking at this data and saying, this is just Internet noise or there's something going on here that is not just Internet noise? Like, how intelligent is that? And then the second part of that would be, I look at security and the evolution of security more into these things of, like, hey.
Max:36:33
We've got an application that normally needs to talk this direction. Like, this user normally needs to do something. But now for some reason, they're doing what they're allowed to do, but they're doing it in a way that's unusual. Yep. It doesn't fit a normal pattern that, like, what's going on with this thing?
Christian:36:49
Yes. So when we think about the blocked connection, again, that's typically within the data center. Why is all of a sudden if we are in enforcement, why are we continuing to get a alert that says, hey, this thing is it's going against the block connection block connection. So that the question becomes, is it nefarious or do we have to update the rule set to include this new block connection? So you're not gonna be hammering the SIM.
Christian:37:14
Right? It's not gonna be every single time, ouch quit it, ouch quit it. It's gonna be they're gonna aggregate all of those alerts into 1. Those will be sent over to, again, your Splunk and whatnot. They will do the post analysis of saying, this is the problem.
Christian:37:28
This is the incident. What's the next step? And the next step is, well, this is a backup server. We need to add that. Or, hey, we've got this process that's now trying to go out and trying to access something else.
Christian:37:43
And that's where we can leverage our threat intelligence firewall, our we also have threat analysis. And then that's where you're gonna have your SEC team come in and really just analyze these things. But the ability for them to be notified immediately that we have something that's blocking or trying to access something that's gonna be immediate. I talked about when we first started off that Gardacore started off as a deception company. Take your example, perfect example.
Christian:38:15
When deception is enabled, if you have x amount of blocked connections, we are going to treat that as nefarious, maybe unanswered connection requests or what malformed DNS requests. It will take that attacker and redirect them out and put them up into a secure Akamai hosted honeypot, where the attacker can continue to do that. And, again, we're getting all of that recording, all of the session recording, what processes they try to spin up, ports they try to open, credentials they use, screenshots of everything that they did. So yeah. So we have that stuff built in.
Christian:38:52
And then on top of that, we have our security services called Gardacore Hunt. It's a combination of human expertise, machine learning, and then we also have people that are literally looking for the latest and greatest APTs and whatnot. So we can determine a APT, Dan's persistent threat. Because a lot of times, we will see a server that's making a connection to another server 22 times a day. Then all of a sudden, this server is making a connection to another server 222 times a day.
Christian:39:27
That is absolutely upset the force. Right? It's something is wrong here, and that's where our Gardacore hunt team is analyzing, saying, hey. What's going on here? And we
Max:39:37
can do further investigation. Is Gardacore doing this evaluation against real time, like, all of its customers' environments? I mean, is this coming along with the service where you've got this overlay where, you know, we'll just use you use health care earlier. You know, if you've got a bunch of health care customers, is all this data being aggregated in some sense of Akamai's looking at it and saying, there's something going on in this health care, like, ecosystem against an Epic platform or against whatever else. And and we've seen it here, and we've seen it now in the second place, and it hasn't hit the third one yet, but let's put rules in place to protect this.
Christian:40:12
Yeah. So so to level set, Gardacord hunt is a paid for service by the end customer. So some customers have it, some customers don't. Another thing I wanna make clear, we drop the data packet. We do not do anything with the data packet at all, and that's by design.
Christian:40:27
Right? We don't wanna be part of it. It's the 5 tuples, the header information, but that's it. So we drop the data packet because we do not wanna have the responsibility to say, what are you doing with my data? So it's by design.
Christian:40:40
It also makes the network flows and traffics that much faster. So, yes, based off of if you have that paid service, then, yes, our GardaCore hunt team will look at holistically what's happening. And they've got alerts. Right? They've got alerts that get set up that's on the back end that can determine what has been a baseline, a normal activity, maybe a spike here or there, but nothing too egregious.
Christian:41:03
But when they start getting consistent ramp ups of activity or if they find the latest threat, they can scan that system to see if that critical vulnerability exists within their network.
Max:41:16
Okay. So Hunt is an add on. I am assuming, and correct me if I'm wrong, is this license based on a per agent installation basis? Yep. That's correct.
Max:41:25
Yep. So you have Makes sense.
Christian:41:26
Yep. You have a server license, server agent price, and you've got a workstation, right, or endpoint price. You get visibility and enforcement with those at the base, but the add ons would be InsightQuery, which, again, you can query the agent for, whatever. Deception is an also an add on, and then Gardecore Hunt sits kind of on top of everything.
Max:41:47
There's a lot of really cool stuff running for enterprise that it would be really cool to have in, like, the home and, like, SMB space. I mean, is this something that, you know, an SMB SME, like, how big of an environment like, who are your sweet spot for customers? Like, how big of an environment before people look at this? Is it, you know, going back to, like, is this some sort of external trigger? You know, they've had ransomware.
Max:42:10
They've had an event. Insurance supports them to do this as a compliance issue. GDPR, you mentioned. Like, really, you know, what's the environment size, and what's really the trigger point
Christian:42:19
for this? The smallest size that we've it's 200. It'll be 200 workstations. Right? Or 200 workloads.
Christian:42:24
That's the minimum that we sell to. But we also have massive customers such as Deutsche Bank that has 30,000 servers, right, and a 100,000 endpoints. Like, massive deal. The largest deal that I ever closed was 6,000 servers with 30,000 endpoints on 1, and then the other one was 4,000 servers and 10,000 endpoints on another. So a decent amount.
Christian:42:45
We are in every single vertical that you can think of. Right?
Max:42:48
Oil and gas. Every vertical that you can think of. Finance. Yep. So oil and gas kind of also connotates the difference between IT and OT, you know, environments and networks.
Max:42:56
Is GardaCore applicable to an OT environment? Yeah. And so one
Christian:43:00
of the other ones and they are a reference customer, Campbell Soup. Right? So a little bit of background on me. Before I got into cybersecurity in the IT world, I did a lot of robotics engineering and
Max:43:08
a lot of automation. So I
Christian:43:08
used to work for a company called Rockwell Automation. A ton of time in manufacturing. Right? All down on the manufacturing floor. So working with Campbell Soup, they are a manufacturer.
Christian:43:22
Right? And there's a ton of OT and IoT devices. Even though we are agent based, we do have an agentless solution. And what typically will happen is we will deploy that agentless solution whether it's integrating with your next gen switches or we have another device that's called a collector that we can see layer 4 visibility. Right?
Christian:43:41
So we'll understand and see what IoT devices that are out there. And I'll use these words typically, usually, most of the time, the IoT devices where we don't have the agent on, we can see it. It will, most of the time, end up talking to a server that has the agent on. So we get the visibility on the source, and we enforce on the destination. Right?
Christian:44:05
We are coming out with a super duper way easier way of doing this agentless solution, but that's all I'm gonna tell you.
Max:44:14
You hear all these crazy things. You look back and you go through these, like, root analysis and stuff. You're like, oh, we had a Wi Fi enabled light bulb that was compromised and was used as a source vector or, like, what was the other one was crazy? It was, like, an espresso maker. The espresso maker was compromised, and I think gone are the days of, like, the really easy ones where it's like, oh, our HVAC contractor was hacked, and they had network access into our stores, and they use that to get on to our POS terminals and collect 50,000,000 credit cards.
Max:44:43
Right? Like, they're like, okay. That was pretty bad. But then you're like, oh, our coffee machine was hacked and got access to our network. And then,
Christian:44:51
like, you know, like, where's coffee machine in your throat vector analysis? Right? It's funny that you mentioned HVAC because Penn State University, a few years ago, they had a problem with 3rd party contractors coming in off a jump box, and they would just be able to access any network that they wanted to. They brought Gardacore on, and they said, okay. You've got Otis Elevator.
Christian:45:14
Otis Elevator would get on a specific Otis Elevator jump box, and we gave them only access to the Otis Elevator application. So we were able to do HVAC, Otis Elevator, whatever system the building management systems. Each of the different vendors had their own jump box. So when they logged in, they were only allowed to be, you know, a sniper approach to very deliberate, least privileged access to their respective applications. So yeah.
Christian:45:39
I mean, it's a multitude of benefits. Right? And then because you've got the agent running on the
Max:45:44
other side of that jump box, you can say once you get into this other system, you can't take that system and go into it. It's not like you're in the environment. Because it was normal. Right? Like, the jump box would be restricted to say the jump box could only talk to this thing.
Max:45:54
But once you got to the other thing, maybe that thing was sitting on, you know, whatever. And unless you were VLAN ing and restricting the VLAN I mean, who wants to go through that nightmare?
Christian:46:03
Yeah. I mean, if you wanted to wrap up, I challenge any other solution out there to have process level visibility on both Windows and Linux, a machine learn wizard driven approach to creating policies that will not break applications or disrupt the business, the ability to query the agent for anything that's all baked into it and also have dynamic deception honeypot technology and coupling that with either SaaS or on prem global scalable configurations across the entire I challenge anyone. I challenge anything that to do that all in one UI. Right? That's looking at the visibility on Azure up here in AWS and you're on prem and you
Max:46:49
all of that stuff wrapped up into one UI. Okay. Challenge. The gauntlet has been thrown. Yeah.
Max:46:54
That's it. Christian, thank you so much. This is fascinating. Love this chat. Learned a lot of new things today, so that was great for me and hope this is valuable for other people as well.
Christian:47:04
Max has been my pleasure. Thank you so much.
