By Jonathan Maresky, CloudGuard Product Manager, published March 10, 2021
Cybersecurity is a cat-and-mouse game between threat actors and defenders. It is also a constant arms race with both sides constantly improving their arsenals based on the capabilities of the other.
Check Point has been an innovator and a global leader in cybersecurity over 27 years, and is continuously improving its technologies to protect its customers and keep them one step (or many steps) ahead of the attackers.
Cloud security is no exception, and may be more complex due to the incredible scalability and dynamic nature of the cloud. This is furthered by the speed of launching new cloud services and continuous integration/continuous deployment processes. Additionally, the coronavirus pandemic has contributed to the acceleration of companies’ digital transformation, moving more workloads to the cloud and at a faster pace.
Recognizing this complexity, Check Point is preparing to launch a new cloud security capability called CloudGuard Network Detection and Response (NDR), the latest addition to the CloudGuard cloud-native platform. CloudGuard NDR is a SaaS solution, which provides non-signature threat detection, visibility and investigation capabilities for your cloud traffic with no impact to the business traffic. More importantly, it provides an additional cloud security layer and uncovers hidden threats that may have evaded other cloud security solutions. This enables investigation into:
- Network reconnaissance and lateral movement attempts
- Anomalous traffic patterns
- Infected assets
- Suspicious users and applications
- Data exfiltration activities
CloudGuard NDR integrates with Amazon VPC Traffic Mirroring, which copies any or all instance traffic and sends it to CloudGuard Network Security gateways in passive mode.
AWS recently announced that Traffic Mirroring is now supported on select non-Nitro instance types, expanding customers’ ability to use Traffic Mirroring, which previously was only supported on Nitro-based EC2 instances. Check Point is a launch partner for this announcement.
What is Traffic Mirroring?
It is a feature of Amazon VPC, which is used to copy network traffic from an elastic network interface (ENI) of Amazon EC2 instances. This mirrored traffic can then be sent to other targets (like CloudGuard NDR) for various purposes including threat detection and content inspection. These targets utilize the traffic in out-of-band mode (also called tap mode) and thus do not impact business traffic, as opposed to inline services which inspect the traffic and thus have potential to impact application functionality. Traffic mirroring in AWS is similar to a SPAN port in traditional on-premises network equipment.
What is CloudGuard NDR?
CloudGuard NDR is a Check Point on-premises solution with over 100 customers globally since its launch in 2019, and now supports the same functionality on AWS because of the integration with AWS Traffic Mirroring. Customers can use the same single-pane-of-glass console to deploy the same NDR capabilities on AWS, on-premises and on VMware deployments.
CloudGuard NDR uses collaborative threat intelligence and behavioral AI engines to identify lateral movement of malware, command and control attacks, anomalous traffic patterns, user behavior, and applications activities.
CloudGuard NDR automatically deploys sensors, which are actually CloudGuard Network Security gateways in passive mode, into the customer’s cloud environment. The sensors provide real-time traffic visualization without degrading business applications or throughput and with zero configuration effort.
Deployment is quick and intuitive, and takes minutes. There is no need for network security expertise because the sensors do not require any configuration and do not influence traffic flow; there is also no need to create complicated policy rules. Policy is fully managed by CloudGuard NDR requiring no user input.
The diagram below shows the CloudGuard NDR architecture.
From its early days, Check Point has focused on threat prevention. Similarly, CloudGuard NDR focuses on creating an autonomous detection-to-prevention closed loop:
- Network logs from the sensors are aggregated and used to build visibility into the environment and establish a baseline of normal behavior.
- Anomalies are detected through a number of engines, including behavioral artificial intelligence. This is the first stage at which manual investigation can be performed.
- Data correlated from various sources helps assign a verdict.
- Threat intelligence in the form of indicators is created, managed and can be automatically distributed using threat intelligence feeds, where it is consumed by inline systems in prevention mode to block attacks.
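The four steps above (baseline, anomaly detection, verdict, indicator feed) as a small added example that is not Check Point's code: it runs over constructed flow-style records from a mirrored segment, flags a source whose fan-out to new peers and ports is out of line with its baseline (the reconnaissance/lateral-movement pattern the post mentions), and emits indicators in a feed format made up for this example. The thresholds and the feed format are assumptions, not CloudGuard's.

```python
# Added example (not Check Point's code): a toy baseline -> anomaly ->
# indicator loop over constructed flow records from a mirrored segment.
from collections import defaultdict

# Constructed sample records: (src, dst, dst_port). This batch is the
# learning window used to build the per-source baseline.
BASELINE = [
    ("10.0.1.10", "10.0.2.20", 443), ("10.0.1.10", "10.0.2.21", 443),
    ("10.0.1.11", "10.0.2.20", 443), ("10.0.1.12", "10.0.3.30", 5432),
    ("10.0.1.11", "10.0.2.21", 443), ("10.0.1.12", "10.0.3.30", 5432),
]
# Later batch (constructed): 10.0.1.10 behaves as before, while 10.0.1.13
# sweeps six peers on three admin ports, a recon / lateral-movement shape.
OBSERVED = [("10.0.1.10", "10.0.2.20", 443)] + [
    ("10.0.1.13", f"10.0.2.{i}", p) for i in range(20, 26) for p in (22, 445, 3389)
]

def build_baseline(records):
    """Per-source set of (dst, port) pairs seen during the learning window."""
    base = defaultdict(set)
    for src, dst, port in records:
        base[src].add((dst, port))
    return base

def detect_anomalies(baseline, records, max_new_peers=3, max_new_ports=2):
    """Return sources whose count of never-before-seen peers or ports
    exceeds the thresholds (thresholds are assumed for this example)."""
    new_peers, new_ports = defaultdict(set), defaultdict(set)
    for src, dst, port in records:
        if (dst, port) not in baseline.get(src, set()):
            new_peers[src].add(dst)
            new_ports[src].add(port)
    return {s: {"new_peers": len(new_peers[s]), "new_ports": len(new_ports[s])}
            for s in new_peers
            if len(new_peers[s]) > max_new_peers or len(new_ports[s]) > max_new_ports}

def to_indicator_feed(anomalies):
    """One tab-separated indicator line per verdict, in a format invented
    here, of the kind an inline gateway in prevention mode could consume."""
    return [f"ip\t{src}\tlateral-movement-suspect\tpeers={v['new_peers']};ports={v['new_ports']}"
            for src, v in sorted(anomalies.items())]

if __name__ == "__main__":
    found = detect_anomalies(build_baseline(BASELINE), OBSERVED)
    print("\n".join(to_indicator_feed(found)))
```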
CloudGuard NDR value proposition and benefits:
- Provides industry-leading cloud NDR with a closed loop from detection to prevention.
- Inspects all traffic within a VPC and between instances. In fact, CloudGuard NDR is the only way to inspect traffic within a VPC. All other traffic inspection techniques are blind to traffic that stays inside of a VPC (because they require crossing a VPC boundary to trigger an inspection flow).
- Reduces the time for organizations to detect, investigate and contain cloud attacks that have bypassed other defenses.
- Merges intelligence-based detection correlated with AI behavioral anomaly-detection engines, using a hybrid correlation approach.
- Promotes business operation simplicity by deploying easily (“click-click-click”) with automatic configuration and sensor provisioning, and allowing real-time visibility within minutes.
- Does not compromise PII (personally identifiable information) in any way.
Join the CloudGuard NDR Early Availability program
We plan to launch this exciting new capability in the next month or two. Between now and the launch, qualified AWS customers can join the Early Availability program (similar to AWS Private Preview) and benefit from:
- A free CloudGuard license for the duration of the EA
- VIP hand-holding by the R&D team
- The ability to influence and affect future features and functionalities
We also have some AWS credits for the first ten on-boarded and approved EA customers, which should cover their AWS costs for the duration of the EA.
First come, first served!
Please contact me to schedule a discussion and demo.
Check Point CloudGuard provides unified cloud native security for all your assets and workloads, giving you the confidence to automate security, prevent threats, and manage posture – everywhere – across your multi-cloud environment.
CloudGuard Network Security delivers industry-leading advanced threat prevention together with automated and elastic cloud network security at the speed of DevOps, for AWS and hybrid-cloud deployments.
Organizations that have on-premises environments and are in the process of migrating to AWS receive unified and consistent security management of all their on-prem and cloud environments, and experience the easiest, quickest and most secure AWS migration with the lowest total cost of ownership.
If you’d like to learn more about CloudGuard Network Security on AWS, please speak with your Check Point channel partner, your account Security Engineer or contact us.
To read the Forrester Total Economic Impact of CloudGuard Network Security, in which Forrester interviewed a $10B+ US-based healthcare company that uses CloudGuard to secure its hybrid-cloud deployment and generated a 169% ROI, click here.
If you are in the process of planning your migration to AWS or you are already using AWS, please contact us to schedule a demo, and a cloud security expert will help you understand your needs.
If you are ready for a 30-day free trial of CloudGuard, or if you are ready to purchase CloudGuard, you can deploy this via the AWS Marketplace.
How secure is your AWS VPC?
The Check Point Cloud Security CheckMe performs a quick and easy high-level analysis of your AWS VPC and sends you a report of your vulnerabilities against advanced threats.
Do you want to read more about cloud security?
Download the Check Point cloud security blueprint documents:
- This document introduces the cloud security blueprint and describes key architectural principles and cloud security concepts.
- This document explains the blueprint architecture, describes how Check Point’s cloud security solutions enable you to implement the blueprint, and how these address the cloud security challenges and architectural principles outlined in the first document.
- This document provides reference architectures for implementing the cloud security blueprint.
If you have any questions, please contact your local Check Point account representative or partner, or contact us here.