Micro-Segmented Data Center Security

I recently discovered Matt Butcher’s awesome Illustrated Children’s Guide to Kubernetes. Available in book, video, and blog form (https://deis.com/blog/2016/kubernetes-illustrated-guide/), the cartoon narrative starring a PHP app named Phippy is exactly what good cyber technology writing should be: Fun, simple, and informative. Even if you have no interest in Docker container orchestration, check out Matt’s work. You’ll like it.

Now, I was thinking about Phippy last week (yeah, I need a life) while listening to Simon Lvov from GuardiCore describe how the company secures data centers. As he explained the GuardiCore model for agent-based visibility and mitigation, the resulting micro-segments seemed to resemble little containers for data centers that would be transportable, like Docker containers, across successively evolving designs. Here is what I learned about GuardiCore:

The presumed backdrop is that data centers are evolving from traditional on-premise hardware to virtualized off-premise software. Securing a data center that exists on this continuum, using a platform solution that will persist along the journey, is what GuardiCore is all about. They accomplish this goal with emphasis on five key functions: Flow visibility, micro-segmentation, breach detection, security analysis, and deceptive response.

The flow visibility function is accomplished via lightweight distributed collectors deployed across the data center. The resultant visualization provides insight into activity across traditional data center network connections or modern virtualized data flows across APIs. “Our platform is designed to correlate process-level activity across applications with observed network events to identify security anomalies,” Simon explained.

The micro-segmentation comes from the ability of the GuardiCore platform to enforce application-aware access policies. This allows data center administrators to replace implicitly trusted east-west traversal with micro-segments that only permit access when policy rules are met. “Non-compliant traffic flows are contained by our solution,” Simon explained, “which addresses the weakness of data center perimeters.”

The breach detection function involves a variety of advanced techniques, including considerable focus on reputational analysis to identify indicators. Specifically, domain names, IP addresses, and file hashes provide the basis for an advanced notification system for errant flows, policy violations, and other potential intrusions traversing any physical or virtualized data center infrastructure.
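To make the three ideas above concrete (process-aware flow records, application-aware allow rules with default-deny for everything else, and reputation indicators layered on top), here is a small policy evaluator I wrote as an added illustration. It is not GuardiCore's code and says nothing about their actual policy language; the flow fields, rule format, workload labels, and every indicator value are my own constructed placeholders.

```python
"""Toy micro-segmentation evaluator: application-aware allow rules plus
reputation indicators. Added example, not GuardiCore's software; all
policy, flow and indicator values below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One observed connection, enriched with the process that opened it."""
    src_workload: str            # logical label of the source workload (assumed)
    dst_workload: str            # logical label of the destination (assumed)
    dst_ip: str
    dst_port: int
    process: str                 # process name on the source that opened the flow
    dst_domain: Optional[str] = None
    file_hash: Optional[str] = None   # hash of the initiating executable, if known


@dataclass(frozen=True)
class Rule:
    """Allow rule: only this process may talk from src to dst on this port."""
    src_workload: str
    dst_workload: str
    dst_port: int
    process: str


# Constructed policy: anything not matched by a rule is denied (default-deny
# for east-west traffic inside the data center).
POLICY: List[Rule] = [
    Rule("web", "app", 8080, "nginx"),
    Rule("app", "db", 5432, "java"),
]

# Constructed reputation indicators; placeholders, not real IoCs.
BAD_DOMAINS = {"bad-example.test"}
BAD_IPS = {"203.0.113.7"}                 # TEST-NET-3 address used as a placeholder
BAD_HASHES = {"deadbeef" * 8}             # placeholder 64-hex-char hash


def match_rule(flow: Flow, rule: Rule) -> bool:
    """True if the flow's workloads, port and originating process all match."""
    return (flow.src_workload == rule.src_workload
            and flow.dst_workload == rule.dst_workload
            and flow.dst_port == rule.dst_port
            and flow.process == rule.process)


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Tuple[str, List[str]]:
    """Return ("allow" | "block+alert", reasons).

    Indicator hits are checked first so a flow that matches policy but talks
    to a known-bad destination still raises an alert."""
    reasons: List[str] = []
    if flow.dst_domain in BAD_DOMAINS:
        reasons.append(f"domain indicator: {flow.dst_domain}")
    if flow.dst_ip in BAD_IPS:
        reasons.append(f"ip indicator: {flow.dst_ip}")
    if flow.file_hash in BAD_HASHES:
        reasons.append(f"hash indicator: {flow.file_hash}")
    if reasons:
        return "block+alert", reasons
    if any(match_rule(flow, r) for r in policy):
        return "allow", ["matches policy rule"]
    return "block+alert", ["no matching rule (default-deny east-west)"]


def summarize(flows: List[Flow]) -> dict:
    """Count decisions across a batch of flows (what a dashboard would show)."""
    counts = {"allow": 0, "block+alert": 0}
    for f in flows:
        counts[evaluate(f)[0]] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample flows, including a process mismatch and an indicator hit.
    sample = [
        Flow("web", "app", "10.0.1.5", 8080, "nginx"),
        Flow("web", "app", "10.0.1.5", 8080, "curl"),     # wrong process
        Flow("web", "db", "10.0.2.5", 5432, "nginx"),     # web must not reach db
        Flow("app", "external", "203.0.113.7", 443, "java",
             dst_domain="bad-example.test"),
    ]
    for f in sample:
        print(f.src_workload, "->", f.dst_workload, f.dst_port, f.process, evaluate(f))
    print(summarize(sample))
```

The second sample flow is the point of "application-aware": same source and destination workloads, same port, but opened by `curl` instead of `nginx`, so it is blocked and alerted on. Correlating the process name with the network event is what lets a policy distinguish the two.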

The security analysis is performed via automated, intelligence-based processing of ingested data from the collection infrastructure. The goal is to identify indicators of data center attacks across containerized workloads to prevent policy violations. A management server provides a dashboard console for data center security analysts to support modern management and hunting tasks.

The deceptive response task is done using an explicit deception server provided by GuardiCore and integrated into the overall security architecture. Deception offers a useful means for observing attacker behavior and performing forensic analysis to prioritize proper remediation. “Mitigation can be done using our software,” Simon explained, “or via connectors to third-party security from Check Point, VMware, and other vendors supporting the data center.”

While the GuardiCore solution is clearly general enough to cover a range of use cases well beyond data centers – Simon even mentioned many possible applications including set-top boxes – the platform represents a nicely tailored and specific approach to containerized micro-segmented data center security. If your own data center could use some improved protections, then GuardiCore might be a nice option. Give them a call.

And who knows: Maybe if Matt Butcher ever decides to meet up with GuardiCore, then perhaps we will see little PHP app Phippy get a new cousin called Dippy, the secure data center. (Or maybe not.)