

Search results
651 results found with an empty search
- AlgoSec | Emerging Tech Trends – 2023 Perspective
1. Application-centric security Many of today’s security discussions focus on compromised credentials, misconfigurations, and malicious... Cloud Security Emerging Tech Trends – 2023 Perspective Ava Chawla 2 min read Ava Chawla Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/24/22 Published 1. Application-centric security Many of today’s security discussions focus on compromised credentials, misconfigurations, and malicious or unintentional misuse of resources. Disruptive technologies from Cloud to smart devices and connected networks mean the attack surface is growing. Security conversations are increasingly expanding to include business-critical applications and their dependencies. Organizations are beginning to recognize that a failure to take an application-centric approach to security increases the potential for unidentified, unmitigated security gaps and vulnerabilities. 2. Portable, agile, API & automation driven enterprise architectures Successful business innovation requires the ability to efficiently deploy new applications and make changes without impacting downstream elements. This means fast deployments, optimized use of IT resources, and application segmentation with modular components that can seamlessly communicate. Container security is here to stay Containerization is a popular solution that reduces costs because containers are lightweight and contain no OS. Let's compare this to VMs, like containers, VMs allow the creation of isolated workspaces on a single machine. The OS is part of the VM and will communicate with the host through a hypervisor. With containers, the orchestration tool manages all the communication between the host OS and each container. Aside from the portability benefit of containers, they are also easily managed via APIs, which is ideal for modular, automation-driven enterprise architectures. The growth of containerized applications and automation will continue. Lift and Shift left approach will thrive Many organizations have started digital transformation journeys that include lift and shift migrations to the Cloud. A lift and shift migration enables organizations to move quickly, however, the full benefits of cloud are not realized. Optimized cloud architectures have cloud automation mechanisms deployed such as serverless (i.e – AWS Lamda), auto-scaling, and infrastructure as code (IaC) (i.e – AWS Cloud Formation) services. Enterprises with lift and shift deployments will increasingly prioritize a re-platform and/or modernization of their cloud architectures with a focus on automation. Terraform for IaC is the next step forward With hybrid cloud estates becoming increasingly common, Terraform-based IaC templates will increasingly become the framework of choice for managing and provisioning IT resources through machine-readable definition files. This is because Terraform, is cloud-agnostic, supporting all three major cloud service providers and can be used for on-premises infrastructure enabling a homogenous IaC solution across multi-cloud and on-premises. 3. Smart Connectivity & Predictive Technologies The growth of connected devices and AI/ML has led to a trend toward predictive technologies. Predictive technologies go beyond isolated data analysis to enable intelligent decisions. At the heart of this are smart, connected devices working across networks whose combined data 1. enables intelligent data analytics and 2. provides the means to build the robust labeled data sets required for accurate ML (Machine Learning) algorithms. 4. Accelerated adoption of agentless, multi-cloud security solutions Over 98% of organizations have elements of cloud across their networks. These organizations need robust cloud security but have yet to understand what that means. Most organizations are early in implementing cloud security guardrails and are challenged by the following: Misunderstanding the CSP (Cloud Service Provider) shared responsibility model Lack of visibility across multi-cloud networks Missed cloud misconfigurations Takeaways Cloud security posture management platforms are the current go-to solution for attaining broad compliance and configuration visibility. Cloud-Native Application Protection Platforms (CNAPP) are in their infancy. CNAPP applies an integrated approach with workload protection and other elements. CNAPP will emerge as the next iteration of must have cloud security platforms. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Sunburst Backdoor, Part III: DGA & Security Software
In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor... Cloud Security Sunburst Backdoor, Part III: DGA & Security Software Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/22/20 Published In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor functionality and its Domain Generation Algorithm (DGA). This time, let’s have a deeper look into the passive DNS requests reported by Open-Source Context and Zetalytics . The valid DNS requests generated by the malware fall into 2 groups: DNS requests that encode a local domain name DNS requests that encode data The first type of DNS requests allows splitting long domain names into separate requests. These requests are generated by the malware’s functions GetPreviousString() and GetCurrentString() . In general, the format of a DNS request that encodes a domain name may look like: USER_ID.NUM.COMPUTER_DOMAIN[.]appsync-api.us-west-2[.]avsvmcloud[.]com where: USER_ID is an 8-byte user ID that uniquely identifies a compromised host, encoded as a 15-character string NUM is a number of a domain name – either 0 or 1, encoded as a character COMPUTER_DOMAIN is an encoded local computer domain Let’s try decoding the following 3 DNS requests: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com String 1 Let’s start from the 1st string in the list: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com. In this string, the first 15-character string is an encoded USER_ID : “olc62cocacn7u2q” . Once it is base-64 decoded, as explained in the previous post, it becomes a 9-byte byte array: 86 7f 2f be f9 fb a3 ae c4 The first byte in this byte array is a XOR key: 0x86 . Once applied to the 8 bytes that follow it, we get the 8-byte user ID – let’s take a note and write it down, we will need it later: f9 a9 38 7f 7d 25 28 42 Next, let’s take the NUM part of the encoded domain: it’s a character “2” located at the position #15 (starting from 0) of the encrypted domain. In order to decode the NUM number, we have to take the first character of the encrypted domain, take the reminder of its division by 36 , and subtract the NUM ‘s position in the string “0123456789abcdefghijklmnopqrstuvwxyz” : num = domain[0] % 36 – “0123456789abcdefghijklmnopqrstuvwxyz”.IndexOf(domain.Substring(15, 1)); The result is 1 . That means the decrypted domain will be the 2nd part of a full domain name. The first part must have its NUM decoded as 0. The COMPUTER_DOMAIN part of the encrypted domain is “2v02eu” . Once decoded, using the previously explained method, the decoded computer domain name becomes “on.ca” . String 2 Let’s decode the second passive DNS request from our list: r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com Just as before, the decoded 8-byte user ID becomes: f9 a9 38 7f 7d 25 28 42 The NUM part of the encoded domain, located at the position #15 (starting from 0), is a character “6” . Let’s decode it, by taking the first character ( “r” = 114 ), take the reminder of its division by 36 ( 114 % 36 = 6 ), and subtracting the position of the character “6” in the “0123456789abcdefghijklmnopqrstuvwxyz” , which is 6 . The result is 0 . That means the decrypted domain will be the 1st part of the full domain name. The COMPUTER_DOMAIN part of the encrypted domain is “eoip02jovt6i2v0c” . Once decoded, it becomes “city.kingston.” Next, we need to match 2 decrypted domains by the user ID, which is f9 a9 38 7f 7d 25 28 42 in both cases, and concatenate the first and the second parts of the domain. The result will be “city.kingston.on.ca” . String 3 Here comes the most interesting part. Lets try to decrypt the string #3 from our list of passive DNS requests: lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com The decoded user ID is not relevant, as the decoded NUM part is a number -29 . It’s neither 0 nor 1 , so what kind of domain name that is? If we ignore the NUM part and decode the domain name, using the old method, we will get “thx8xb” , which does not look like a valid domain name. Cases like that are not the noise, and are not some artificially encrypted artifacts that showed up among the DNS requests. This is a different type of DNS requests. Instead of encoding local domain names, these types of requests contain data. They are generated by the malware’s function GetNextStringEx() . The encryption method is different as well. Let’s decrypt this request. First, we can decode the encrypted domain, using the same base-64 method, as before . The string will be decoded into 14 bytes: 7c a5 4d 64 9b 21 c1 74 a6 59 e4 5c 7c 7f Let’s decode these bytes, starting from the 2nd byte, and using the first byte as a XOR key. We will get: 7c d9 31 18 e7 5d bd 08 da 25 98 20 00 03 In this array, the bytes marked in yellow are an 8-byte User ID, encoded with a XOR key that is selected from 2 bytes marked in red. Let’s decode User ID: for ( int i = 0 ; i < 8 ; i++) { bytes[i + 1 ] ^= bytes[ 11 - i % 2 ]; } The decoded byte array becomes: 7c f9 a9 38 7f 7d 25 28 42 25 98 20 00 03 The User ID part in marked in yellow. Does it look familiar? Indeed, it’s the same User ID we’ve seen before, when we decoded “city.kingston.on.ca” . The next 3 bytes marked in red are: 25 98 20 . 2 0x59820 The first number 2 stands for the size of data that follows – this data is 00 03 (selected in green). The number 0x59820 , or 366,624 in decimal, is a timestamp. It’s a number of 4-second periods of time since 1 January 2010. To obtain the real time stamp, we need to multiple it by 15 to get minutes, then add those minutes to 1 January 2010: var date = ( new DateTime( 2010 , 1 , 1 , 0 , 0 , 0 , DateTimeKind.Utc)).AddMinutes(timestamp * 15 ); For the number 0x59820 , the time stamp becomes 16 July 2020 12:00:00 AM – that’s the day when the DNS request was made. The remaining 2 bytes, 00 03 , encrypt the state of 8 security products, to indicate whether each one of them is running or whether it is stopped. The 8 security products are: Windows Live OneCare / Windows Defender Windows Defender Advanced Threat Protection Microsoft Defender for Identity Carbon Black CrowdStrike FireEye ESET F-Secure 2 states for 8 products require 2 * 8 = 16 bits = 2 bytes. The 2 bytes 00 03 in binary form are: 00 00 00 00 00 00 00 11 Here, the least-significant bits 11 identify that the first product in the list, Windows Live OneCare / Windows Defender, is reported as ‘running’ ( 1 ) and as ‘stopped’ ( 1 ). Now we know that apart from the local domain, the trojanised SolarWinds software running on the same compromised host on “city.kingston.on.ca” domain has also reported the status of the Windows Defender software. What Does it Mean? As explained in the first part of our description, the malware is capable of stopping the services of security products, be manipulating registry service keys under Administrator account. It’s likely that the attackers are using DNS queries as a C2 channel to first understand what security products are present. Next, the same channel is used to instruct the malware to stop/deactivate these services, before the 2nd stage payload, TearDrop Backdoor, is deployed. Armed with this knowledge, let’s decode other passive DNS requests, printing the cases when the compromised host reports a running security software. NOTES: As a private case, if the data size field is 0 or 1 , the timestamp field is not followed with any data. Such type of DNS request is generated by the malware’s function GetNextString() . It is called ‘a ping’ in the listing below. If the first part of the domain name is missing, the recovered domain name is pre-pended with ‘*’ . The malware takes the time difference in minutes, then divides it by 30 and then converts the result from double type to int type; as a result of such conversion, the time stamps are truncated to the earliest half hour. 2D82B037C060515C SFBALLET Data: Windows Live OneCare / Windows Defender [running] 11/07/2020 12:00:00 AM Pings: 12/07/2020 12:30:00 AM 70DEE5C062CFEE53 ccscurriculum.c Data: ESET [running] 17/04/2020 4:00:00 PM Pings: 20/04/2020 5:00:00 PM AB902A323B541775 mountsinai.hospital Pings: 4/07/2020 12:30:00 AM 9ACC3A3067DC7FD5 *ripta.com Data: ESET [running] 12/09/2020 6:30:00 AM Pings: 13/09/2020 7:30:00 AM 14/09/2020 9:00:00 AM CB34C4EBCB12AF88 DPCITY.I7a Data: ESET [running] 26/06/2020 5:00:00 PM Pings: 27/06/2020 6:30:00 PM 28/06/2020 7:30:00 PM 29/06/2020 8:30:00 PM 29/06/2020 8:30:00 PM E5FAFE265E86088E *scroot.com Data: CrowdStrike [running] 25/07/2020 2:00:00 PM Pings: 26/07/2020 2:30:00 PM 26/07/2020 2:30:00 PM 27/07/2020 3:00:00 PM 27/07/2020 3:00:00 PM 426030B2ED480DED *kcpl.com Data: Windows Live OneCare / Windows Defender [running] 8/07/2020 12:00:00 AM Carbon Black [running] 8/07/2020 12:00:00 AM Full list of decoded pDNS requests can be found here . An example of a working implementation is available at this repo. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | The shocking truth about Network Cloud Security in 2025
The cloud's come a long way, baby. Remember when it was just a buzzword tossed around in boardrooms? Now, it's the engine powering our... Cloud Network Security The shocking truth about Network Cloud Security in 2025 Iris Stein 2 min read Iris Stein Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 2/10/25 Published The cloud's come a long way, baby. Remember when it was just a buzzword tossed around in boardrooms? Now, it's the engine powering our digital world. But this rapid evolution has left many cloud network security managers grappling with a new reality – and a bit of an identity crisis. Feeling the heat? You're not alone. The demands on cloud security professionals are skyrocketing. We're expected to be masters of hybrid environments, navigate a widening skills gap, and stay ahead of threats evolving at warp speed. Let's break down the challenges: Hybrid is the new normal: Gartner predicts that by 2025, a whopping 90% of organizations will be running hybrid cloud environments. This means juggling the complexities of both on-premises and cloud security, demanding a broader skillset and a more holistic approach. Forget silos – we need to be fluent in both worlds. The skills gap is a chasm: (ISC)²'s 2022 Cybersecurity Workforce Study revealed a global cybersecurity workforce gap of 3.4 million. This talent shortage puts immense pressure on existing security professionals to do more with less. We're stretched thin, and something's gotta give. Threats are evolving faster than ever: The cloud introduces new attack vectors and vulnerabilities we haven't even imagined yet. McAfee reported a staggering 630% increase in cloud-native attacks in 2022. Staying ahead of these threats requires constant vigilance, continuous learning, and a proactive mindset. Level up your cloud security game So, how can you thrive in this chaotic environment and ensure your career (and your company's security posture) doesn't go down in flames? Here's your survival guide: Automate or die: Manual processes are a relic of the past. Embrace automation tools to manage complex security policies, respond to threats faster, and free up your time for strategic initiatives. Think of it as your force multiplier in the fight against complexity. Become a cloud-native ninja: Deepen your understanding of cloud platforms like AWS, Azure, and GCP. Master their security features, best practices, and quirks. The more you know, the more you can protect. Sharpen your soft skills: Technical chops alone won't cut it. Communication, collaboration, and problem-solving are critical. You need to clearly articulate security risks to stakeholders, build bridges with different teams, and drive solutions. Never stop learning: The cloud is a moving target. Continuous learning is no longer optional – it's essential. Attend conferences, devour online courses, and stay informed about the latest security trends and technologies. Complacency is the enemy. Introducing AlgoSec Cloud Enterprise (ACE): Your cloud security wingman Let's face it, managing security across a hybrid cloud environment can feel like herding cats. That's where AlgoSec Cloud Enterprise (ACE) steps in. ACE is a comprehensive cloud network security suite that gives you the visibility, automation, and control you need to secure your applications and keep the business humming. Gain X-Ray Vision into Your Hybrid Cloud: See everything, know everything. ACE gives you complete visibility across your entire environment, from on-premises servers to cloud platforms. No more blind spots, no more surprises. Enforce Security Policies Like a Boss: Consistent security policies are the bedrock of a strong security posture. ACE makes it easy to define and enforce policies across all your applications, no matter where they reside. Conquer Compliance with Confidence: Staying compliant can feel like a never-ending struggle. ACE simplifies compliance management across your hybrid environment, helping you meet regulatory requirements without breaking a sweat. Accelerate App Delivery Without Sacrificing Security: In today's fast-paced world, speed is key. ACE empowers you to accelerate application delivery without compromising security. Move fast, break things – but not your security posture. Proactive Risk Prevention: ACE goes beyond basic security checks with over 150+ network security policy risk checks, proactively identifying and mitigating potential vulnerabilities before they can be exploited. Ready to unlock the true power of the cloud while fortifying your defenses? Learn more about AlgoSec Cloud Enterprise today and take control of your cloud security destiny. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Convergence didn’t fail, compliance did.
Convergence has been claimed. Security orgs merged their teams, aligned their titles, and drew the new boxes on the whiteboard. The... Convergence didn’t fail, compliance did. Adel Osta Dadan 2 min read Adel Osta Dadan Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/17/25 Published Convergence has been claimed. Security orgs merged their teams, aligned their titles, and drew the new boxes on the whiteboard. The result: security teams are now responsible for both cloud and on-premises network environments. But for many of those teams, compliance is still running on fumes. The reporting lines changed. The responsibilities increased. The oversight? Still patchy. The systems? Still fragmented. And the ability to demonstrate consistent policy enforcement across hybrid environments—where compliance lives or dies—has never been more at risk. This isn’t an edge case. It’s structural. And it’s quietly putting every converged team in a bind. The illusion of control If convergence was supposed to simplify compliance, most teams missed the memo. Cloud-native controls don’t sync with on-prem rule sets. Application deployments move faster than the audits tracking them. Policies drift. Risk assessments stall out. And when the next audit comes knocking, security teams are left reconciling evidence after the fact—manually stitching together logs, policies, and screenshots across tools that don’t talk to each other. The result? Ownership without visibility. Policy without context. Responsibility without control. Compliance at the application layer—or nowhere Security and compliance are often treated as parallel tracks. But in hybrid environments, they’re the same problem. The more distributed your network, the more fragmented your enforcement—and the harder it becomes to map controls to real business risk. What matters isn’t whether a port is open. It’s whether the application behind it should be reachable from that region, that VPC, or that user. That requires context. And today, context lives at the application layer. This is where AlgoSec Horizon changes the equation. AlgoSec Horizon is the first platform built to secure application connectivity across hybrid networks—with compliance embedded by design. Horizon: compliance that knows what it’s looking at With Horizon, compliance isn’t an add-on. It’s the outcome of deep visibility and policy awareness at the level that actually matters: the business application. Our customers are using Horizon to: Automatically discover and map every business application—including shadow IT and unapproved flows Simulate rule changes in advance, avoiding deployment errors that compromise compliance Track and enforce policies in context, with real-time validation against compliance frameworks Generate audit-ready reports across hybrid networks without assembling data by hand It’s compliance without the swivel chair. And it’s already helping converged teams move faster—without giving up control. Compliance can’t be an after-thought. Security convergence wasn’t the mistake. Stopping at structure was. When compliance is left behind, the risk isn’t just audit failure—it’s operational drag. Policy friction. Delays in application delivery. Missed SLAs. Because the real impact of compliance gaps isn’t found in the SOC—it’s found in the business outcomes that stall because security couldn’t keep pace. Horizon closes that gap. Because in a world of converged teams and hybrid environments, security has to operate with complete visibility—and compliance has to work at the speed of the application. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Drovorub’s Ability to Conceal C2 Traffic And Its Implications For Docker Containers
As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint... Cloud Security Drovorub’s Ability to Conceal C2 Traffic And Its Implications For Docker Containers Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/15/20 Published As you may have heard already, the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory about previously undisclosed Russian malware called Drovorub. According to the report, the malware is designed for Linux systems as part of its cyber espionage operations. Drovorub is a Linux malware toolset that consists of an implant coupled with a kernel module rootkit, a file transfer and port forwarding tool, and a Command and Control (C2) server. The name Drovorub originates from the Russian language. It is a complex word that consists of 2 roots (not the full words): “drov” and “rub” . The “o” in between is used to join both roots together. The root “drov” forms a noun “drova” , which translates to “firewood” , or “wood” . The root “rub” /ˈruːb/ forms a verb “rubit” , which translates to “to fell” , or “to chop” . Hence, the original meaning of this word is indeed a “woodcutter” . What the report omits, however, is that apart from the classic interpretation, there is also slang. In the Russian computer slang, the word “drova” is widely used to denote “drivers” . The word “rubit” also has other meanings in Russian. It may mean to kill, to disable, to switch off. In the Russian slang, “rubit” also means to understand something very well, to be professional in a specific field. It resonates with the English word “sharp” – to be able to cut through the problem. Hence, we have 3 possible interpretations of ‘ Drovorub ‘: someone who chops wood – “дроворуб” someone who disables other kernel-mode drivers – “тот, кто отрубает / рубит драйвера” someone who understands kernel-mode drivers very well – “тот, кто (хорошо) рубит в драйверах” Given that Drovorub does not disable other drivers, the last interpretation could be the intended one. In that case, “Drovorub” could be a code name of the project or even someone’s nickname. Let’s put aside the intricacies of the Russian translations and get a closer look into the report. DISCLAIMER Before we dive into some of the Drovorub analysis aspects, we need to make clear that neither FBI nor NSA has shared any hashes or any samples of Drovorub. Without the samples, it’s impossible to conduct a full reverse engineering analysis of the malware. Netfilter Hiding According to the report, the Drovorub-kernel module registers a Netfilter hook. A network packet filter with a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) is a common malware technique. It allows a backdoor to watch passively for certain magic packets or series of packets, to extract C2 traffic. What is interesting though, is that the driver also hooks the kernel’s nf_register_hook() function. The hook handler will register the original Netfilter hook, then un-register it, then re-register the kernel’s own Netfilter hook. According to the nf_register_hook() function in the Netfilter’s source , if two hooks have the same protocol family (e.g., PF_INET ), and the same hook identifier (e.g., NF_IP_INPUT ), the hook execution sequence is determined by priority. The hook list enumerator breaks at the position of an existing hook with a priority number elem->priority higher than the new hook’s priority number reg->priority : int nf_register_hook ( struct nf_hook_ops * reg) { struct nf_hook_ops * elem; int err; err = mutex_lock_interruptible( & nf_hook_mutex); if (err < 0 ) return err; list_for_each_entry(elem, & nf_hooks[reg -> pf][reg -> hooknum], list) { if (reg -> priority < elem -> priority) break ; } list_add_rcu( & reg -> list, elem -> list.prev); mutex_unlock( & nf_hook_mutex); ... return 0 ; } In that case, the new hook is inserted into the list, so that the higher-priority hook’s PREVIOUS link would point into the newly inserted hook. What happens if the new hook’s priority is also the same, such as NF_IP_PRI_FIRST – the maximum hook priority? In that case, the break condition will not be met, the list iterator list_for_each_entry will slide past the existing hook, and the new hook will be inserted after it as if the new hook’s priority was higher. By re-inserting its Netfilter hook in the hook handler of the nf_register_hook() function, the driver makes sure the Drovorub’s Netfilter hook will beat any other registered hook at the same hook number and with the same (maximum) priority. If the intercepted TCP packet does not belong to the hidden TCP connection, or if it’s destined to or originates from another process, hidden by Drovorub’s kernel-mode driver, the hook will return 5 ( NF_STOP ). Doing so will prevent other hooks from being called to process the same packet. Security Implications For Docker Containers Given that Drovorub toolset targets Linux and contains a port forwarding tool to route network traffic to other hosts on the compromised network, it would not be entirely unreasonable to assume that this toolset was detected in a client’s cloud infrastructure. According to Gartner’s prediction , in just two years, more than 75% of global organizations will be running cloud-native containerized applications in production, up from less than 30% today. Would the Drovorub toolset survive, if the client’s cloud infrastructure was running containerized applications? Would that facilitate the attack or would it disrupt it? Would it make the breach stealthier? To answer these questions, we have tested a different malicious toolset, CloudSnooper, reported earlier this year by Sophos. Just like Drovorub, CloudSnooper’s kernel-mode driver also relies on a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) to extract C2 traffic from the intercepted TCP packets. As seen in the FBI/NSA report, the Volatility framework was used to carve the Drovorub kernel module out of the host, running CentOS. In our little lab experiment, let’s also use CentOS host. To build a new Docker container image, let’s construct the following Dockerfile: FROM scratch ADD centos-7.4.1708-docker.tar.xz / ADD rootkit.ko / CMD [“/bin/bash”] The new image, built from scratch, will have the CentOS 7.4 installed. The kernel-mode rootkit will be added to its root directory. Let’s build an image from our Dockerfile, and call it ‘test’: [root@localhost 1]# docker build . -t test Sending build context to Docker daemon 43.6MB Step 1/4 : FROM scratch —> Step 2/4 : ADD centos-7.4.1708-docker.tar.xz / —> 0c3c322f2e28 Step 3/4 : ADD rootkit.ko / —> 5aaa26212769 Step 4/4 : CMD [“/bin/bash”] —> Running in 8e34940342a2 Removing intermediate container 8e34940342a2 —> 575e3875cdab Successfully built 575e3875cdab Successfully tagged test:latest Next, let’s execute our image interactively (with pseudo-TTY and STDIN ): docker run -it test The executed image will be waiting for our commands: [root@8921e4c7d45e /]# Next, let’s try to load the malicious kernel module: [root@8921e4c7d45e /]# insmod rootkit.ko The output of this command is: insmod: ERROR: could not insert module rootkit.ko: Operation not permitted The reason why it failed is that by default, Docker containers are ‘unprivileged’. Loading a kernel module from a docker container requires a special privilege that allows it doing so. Let’s repeat our experiment. This time, let’s execute our image either in a fully privileged mode or by enabling only one capability – a capability to load and unload kernel modules ( SYS_MODULE ). docker run -it –privileged test or docker run -it –cap-add SYS_MODULE test Let’s load our driver again: [root@547451b8bf87 /]# insmod rootkit.ko This time, the command is executed silently. Running lsmod command allows us to enlist the driver and to prove it was loaded just fine. A little magic here is to quit the docker container and then delete its image: docker rmi -f test Next, let’s execute lsmod again, only this time on the host. The output produced by lsmod will confirm the rootkit module is loaded on the host even after the container image is fully unloaded from memory and deleted! Let’s see what ports are open on the host: [root@localhost 1]# netstat -tulpn Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1044/sshd With the SSH server running on port 22 , let’s send a C2 ‘ping’ command to the rootkit over port 22 : [root@localhost 1]# python client.py 127.0.0.1 22 8080 rrootkit-negotiation: hello The ‘hello’ response from the rootkit proves it’s fully operational. The Netfilter hook detects a command concealed in a TCP packet transferred over port 22 , even though the host runs SSH server on port 22 . How was it possible that a rootkit loaded from a docker container ended up loaded on the host? The answer is simple: a docker container is not a virtual machine. Despite the namespace and ‘control groups’ isolation, it still relies on the same kernel as the host. Therefore, a kernel-mode rootkit loaded from inside a Docker container instantly compromises the host, thus allowing the attackers to compromise other containers that reside on the same host. It is true that by default, a Docker container is ‘unprivileged’ and hence, may not load kernel-mode drivers. However, if a host is compromised, or if a trojanized container image detects the presence of the SYS_MODULE capability (as required by many legitimate Docker containers), loading a kernel-mode rootkit on a host from inside a container becomes a trivial task. Detecting the SYS_MODULE capability ( cap_sys_module ) from inside the container: [root@80402f9c2e4c /]# capsh –print Current: = cap_chown, … cap_sys_module, … Conclusion This post is drawing a parallel between the recently reported Drovorub rootkit and CloudSnooper, a rootkit reported earlier this year. Allegedly built by different teams, both of these Linux rootkits have one mechanism in common: a Netfilter hook ( NF_INET_LOCAL_IN and NF_INET_LOCAL_OUT ) and a toolset that enables tunneling of the traffic to other hosts within the same compromised cloud infrastructure. We are still hunting for the hashes and samples of Drovorub. Unfortunately, the YARA rules published by FBI/NSA cause False Positives. For example, the “Rule to detect Drovorub-server, Drovorub-agent, and Drovorub-client binaries based on unique strings and strings indicating statically linked libraries” enlists the following strings: “Poco” “Json” “OpenSSL” “clientid” “—–BEGIN” “—–END” “tunnel” The string “Poco” comes from the POCO C++ Libraries that are used for over 15 years. It is w-a-a-a-a-y too generic, even in combination with other generic strings. As a result, all these strings, along with the ELF header and a file size between 1MB and 10MB, produce a false hit on legitimate ARM libraries, such as a library used for GPS navigation on Android devices: f058ebb581f22882290b27725df94bb302b89504 56c36bfd4bbb1e3084e8e87657f02dbc4ba87755 Nevertheless, based on the information available today, our interest is naturally drawn to the security implications of these Linux rootkits for the Docker containers. Regardless of what security mechanisms may have been compromised, Docker containers contribute an additional attack surface, another opportunity for the attackers to compromise the hosts and other containers within the same organization. The scenario outlined in this post is purely hypothetical. There is no evidence that supports that Drovorub may have affected any containers. However, an increase in volume and sophistication of attacks against Linux-based cloud-native production environments, coupled with the increased proliferation of containers, suggests that such a scenario may, in fact, be plausible. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Resolving human error in application outages: strategies for success
Application outages caused by human error can be a nightmare for businesses, leading to financial losses, customer dissatisfaction, and... Cyber Attacks & Incident Response Resolving human error in application outages: strategies for success Malynnda Littky-Porath 2 min read Malynnda Littky-Porath Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 3/18/24 Published Application outages caused by human error can be a nightmare for businesses, leading to financial losses, customer dissatisfaction, and reputational damage. While human error is inevitable, organizations can implement effective strategies to minimize its impact and resolve outages promptly. In this blog post, we will explore proven solutions for addressing human error in application outages, empowering businesses to enhance their operational resilience and deliver uninterrupted services to their customers. Organizations must emphasize training and education One of the most crucial steps in resolving human error in application outages is investing in comprehensive training and education for IT staff. By ensuring that employees have the necessary skills, knowledge, and understanding of the application environment, organizations can reduce the likelihood of errors occurring. Training should cover proper configuration management, system monitoring, troubleshooting techniques, and incident response protocols. Additionally, fostering a culture of continuous learning and improvement is essential. Encourage employees to stay up to date with the latest technologies, best practices, and industry trends through workshops, conferences, and online courses. Regular knowledge sharing sessions and cross-team collaborations can also help mitigate human errors by fostering a culture of accountability and knowledge transfer. It’s time to implement robust change management processes Implementing rigorous change management processes is vital for preventing human errors that lead to application outages. Establishing a standardized change management framework ensures that all modifications to the application environment go through a well-defined process, reducing the risk of inadvertent errors. The change management process should include proper documentation of proposed changes, a thorough impact analysis, and rigorous testing in non-production environments before deploying changes to the production environment. Additionally, maintaining a change log and conducting post-implementation reviews can provide valuable insights for identifying and rectifying any potential errors. Why automate and orchestrate operational tasks Human errors often occur due to repetitive, mundane tasks that are prone to oversight or mistakes. Automating and orchestrating operational tasks can significantly reduce human error in application outages. Organizations should leverage automation tools to streamline routine tasks such as provisioning, configuration management, and deployment processes. By removing the manual element, the risk of human error decreases, and the consistency and accuracy of these tasks improve. Furthermore, implementing orchestration tools allows for the coordination and synchronization of complex workflows involving multiple teams and systems. This reduces the likelihood of miscommunication and enhances collaboration, minimizing errors caused by lack of coordination. Establish effective monitoring and alerting mechanisms Proactive monitoring and timely alerts are crucial for identifying potential issues and resolving them before they escalate into outages. Implementing robust monitoring systems that capture key performance indicators, system metrics, and application logs enables IT teams to quickly identify anomalies and take corrective action. Additionally, setting up alerts and notifications for critical events ensures that the appropriate personnel are notified promptly, allowing for rapid response and resolution. Leveraging artificial intelligence and machine learning capabilities can enhance monitoring by detecting patterns and anomalies that human operators might miss. Human errors will always be a factor in application outages, but by implementing effective strategies, organizations can minimize their impact and resolve incidents promptly. Investing in comprehensive training, robust change management processes, automation and orchestration, and proactive monitoring can significantly reduce the likelihood of human error-related outages. By prioritizing these solutions and fostering a culture of continuous improvement, businesses can enhance their operational resilience, protect their reputation, and deliver uninterrupted services to their customers. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Cloud Application Security: Threats, Benefits, & Solutions
As your organization adopts a hybrid IT infrastructure, there are more ways for hackers to steal your sensitive data. This is why cloud... Cloud Security Cloud Application Security: Threats, Benefits, & Solutions Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/29/23 Published As your organization adopts a hybrid IT infrastructure, there are more ways for hackers to steal your sensitive data. This is why cloud application security is a critical part of data protection. It allows you to secure your cloud-based applications from cyber threats while ensuring your data is safe. This post will walk you through cloud application security, including its importance. We will also discuss the main cloud application security threats and how to mitigate them. What is Cloud Application Security Cloud application security refers to the security measures taken to protect cloud-based assets throughout their development lifecycle. These security measures are a framework of policies, tools, and controls that protect your cloud against cyber threats. Here is a list of security measures that cloud application security may involve: Compliance with industry standards such as CIS benchmarks to prevent data breaches. Identity management and access controls to prevent unauthorized access to your cloud-based apps. Data encryption and tokenization to protect sensitive data. Vulnerability management through vulnerability scanning and penetration testing. Network perimeter security, such as firewalls, to prevent unwanted access. The following are some of the assets that cloud security affects: Third-party cloud providers like Amazon AWS, Microsoft Azure, and Google GCP. Collaborative applications like Slack and Microsoft Teams. Data Servers. Computer Networks. Why is Cloud Application Security Important Cloud application security is becoming more relevant as businesses migrated their data to the cloud in recent years. This is especially true for companies with a multi-cloud environment. These types of environments create a larger attack surface for hackers to exploit. According to IBM , the cost of a data breach in 2022 was $4.35 million. And this represents an increase of 2.6% from the previous year. The report also revealed that it took an average of 287 days to find and stop a data breach in a cloud environment. This time is enough for hackers to steal sensitive data and really damage your assets. Here are more things that can go wrong if organizations don’t pay attention to cloud security: Brand image damage: A security breach may cause a brand’s reputation to suffer and a decline in client confidence. During a breach, your company’s servers may be down for days or weeks. This means customers who paid for your services will not get access in that time. They may end up destroying your brand’s image through word of mouth. Lost consumer trust: Consumer confidence is tough to restore after being lost due to a security breach. Customers could migrate to rivals they believe to be more secure. Organizational disruption: A security breach may cause system failures preventing employees from working. This, in turn, could affect their productivity. You may also have to fire employees tasked with ensuring cloud security. Data loss: You may lose sensitive data, such as client information, resulting in legal penalties. Trade secrets theft may also affect the survival of your organization. Your competitors may steal your only leverage in the industry. Compliance violations: You may be fined for failing to comply with industry regulations such as GDPR. You may also face legal consequences for failing to protect consumer data. What are the Major Cloud Application Security Threats The following is a list of the major cloud application security threats: Misconfigurations: Misconfigurations are errors made when setting up cloud-based applications. They can occur due to human errors, lack of expertise, or mismanagement of cloud resources. Examples include weak passwords, unsecured storage baskets, and unsecured ports. Hackers may use these misconfigurations to access critical data in your public cloud. Insecure data sharing: This is the unauthorized or unintended sharing of sensitive data between users. Insecure data sharing can happen due to a misconfiguration or inappropriate access controls. It can lead to data loss, breaches, and non-compliance with regulatory standards. Limited visibility into network operations: This is the inability to monitor and control your cloud infrastructure and its apps. Limited network visibility prevents you from quickly identifying and responding to cyber threats. Many vulnerabilities may go undetected for a long time. Cybercriminals may exploit these weak points in your network security and gain access to sensitive data. Account hijacking: This is a situation where a hacker gains unauthorized access to a legitimate user’s cloud account. The attackers may use various social engineering tactics to steal login credentials. Examples include phishing attacks, password spraying, and brute-force attacks. Once they access the user’s cloud account, they can steal data or damage assets from within. Employee negligence and inadequately trained personnel: This threat occurs when employees are not adequately trained to recognize, report and prevent cyber risks. It can also happen when employees unintentionally or intentionally engage in risky behavior. For example, they could share login credentials with unauthorized users or set weak passwords. Weak passwords enable attackers to gain entry into your public cloud. Rogue employees can also intentionally give away your sensitive data. Compliance risks: Your organization faces cloud computing risks when non-compliant with industry regulations such as GDPR, PCI-DSS, and HIPAA. Some of these cloud computing risks include data breaches and exposure of sensitive information. This, in turn, may result in fines, legal repercussions, and reputational harm. Data loss: Data loss is a severe security risk for cloud applications. It may happen for several causes, including hardware malfunction, natural calamities, or cyber-attacks. Some of the consequences of data loss may be the loss of customer trust and legal penalties. Outdated security software: SaaS vendors always release updates to address new vulnerabilities and threats. Failing to update your security software on a regular basis may leave your system vulnerable to cyber-attacks. Hackers may exploit the flaws in your outdated SaaS apps to gain access to your cloud. Insecure APIs: APIs are a crucial part of cloud services but can pose a severe security risk if improperly secured. Insecure APIs and other endpoint infrastructure may cause many severe system breaches. They can lead to a complete system takeover by hackers and elevated privileged access. How to Mitigate Cloud Application Security Risks The following is a list of measures to mitigate cloud app security risks: Conduct a thorough risk analysis: This entails identifying possible security risks and assessing their potential effects. You then prioritize correcting the risks depending on their level of severity. By conducting risk analysis on a regular basis, you can keep your cloud environment secure. You’ll quickly understand your security posture and select the right security policies. Implement a firm access control policy: Access control policies ensure that only authorized users gain access to your data. They also outline the level of access to sensitive data based on your employees’ roles. A robust access control policy comprises features such as: Multi-factor authentication Role-based access control Least Privilege Access Strong password policies. Use encryption: Encryption is a crucial security measure that protects sensitive data in transit and at rest. This way, if an attacker intercepts data in transit, it will only be useful if they have a decryption key. Some of the cloud encryption solutions you can implement include: Advanced Encryption Standard (AES) Rivest -Shamir-Addleman (RSA) Transport Layer Security (TSL) Set up data backup and disaster recovery policies: A data backup policy ensures data is completely recovered in case of breaches. You can always recover the lost data from your data backup files. Data backup systems also help reduce the impact of cyberattacks as you will restore normal operations quickly. Disaster recovery policies focus on establishing protocols and procedures to restore critical systems during a major disaster. This way, your data security will stay intact even when disaster strikes. Keep a constant watch over cloud environments: Security issues in cloud settings can only be spotted through continuous monitoring. Cloud security posture management tools like Prevasio can help you monitor your cloud for such issues. With its layer analysis feature, you’ll know the exact area in your cloud and how to fix it. Test and audit cloud security controls regularly: Security controls help you detect and mitigate potential security threats in your cloud. Examples of security controls include firewalls, intrusion detection systems, and database encryption. Auditing these security controls helps to identify gaps they may have. And then you take corrective actions to restore their effectiveness. Regularly evaluating your security controls will reduce the risk of security incidents in your cloud. Implement a security awareness training program: Security awareness training helps educate employees on cloud best practices. When employees learn commonly overlooked security protocols, they reduce the risks of data breaches due to human error. Organize regular assessment tests with your employees to determine their weak points. This way, you’ll reduce chances of hackers gaining access to your cloud through tactics such as phishing and ransomware attacks. Use the security tools and services that cloud service providers offer: Cloud service providers like AWS, Azure, and Google Cloud Platform (GCP) offer security tools and services such as: Web application firewalls (WAF), Runtime application self-protection (RASP), Intrusion detection and prevention systems Identity and access management (IAM) controls You can strengthen the security of your cloud environments by utilizing these tools. However, you should not rely solely on these features to ensure a secure cloud. You also need to implement your own cloud security best practices. Implement an incident response strategy: A security incident response strategy describes the measures to take during a cyber attack. It provides the procedures and protocols to bring the system back to normal in case of a breach. Designing incident response plans helps to reduce downtime. It also minimizes the impact of the damages due to cyber attacks. Apply the Paved Road Security Approach in DevSecOps Processes: DevSecOps environments require security to be integrated into development workflows and tools. This way, cloud security becomes integral to an app development process. The paved road security approach provides a secure baseline that DevSecOps can use for continuous monitoring and automated remediation. Automate your cloud application security practices Using on-premise security practices such as manual compliance checks to mitigate cloud application security threats can be tiring. Your security team may also need help to keep up with the updates as your cloud needs grow. Cloud vendors that can automate all the necessary processes to maintain a secure cloud. They have cloud security tools to help you achieve and maintain compliance with industry standards. You can improve your visibility into your cloud infrastructures by utilizing these solutions. They also spot real-time security challenges and offer remediations. For example, Prevasio’s cloud security solutions monitor cloud environments continually from the cloud. They can spot possible security threats and vulnerabilities using AI and machine learning. What Are Cloud Application Security Solutions? Cloud application security solutions are designed to protect apps and other assets in the cloud. Unlike point devices, cloud application security solutions are deployed from the cloud. This ensures you get a comprehensive cybersecurity approach for your IT infrastructure. These solutions are designed to protect the entire system instead of a single point of vulnerability. This makes managing your cybersecurity strategy easier. Here are some examples of cloud security application solutions: 1. Cloud Security Posture Management (CSPM) : CSPM tools enable monitoring and analysis of cloud settings for security risks and vulnerabilities. They locate incorrect setups, resources that aren’t compliant, and other security concerns that might endanger cloud infrastructures. 2. The Cloud Workload Protection Platform (CWPP) : This cloud application security solution provides real-time protection for workloads in cloud environments . It does this by detecting and mitigating real-time threats regardless of where they are deployed. CWPP solutions offer various security features, such as: Network segmentation File integrity monitoring Vulnerability scanning. Using CWPP products will help you optimize your cloud application security strategy. 3. Cloud Access Security Broker (CASB) : CASB products give users visibility into and control over the data and apps they access in the cloud. These solutions help businesses enforce security guidelines and monitor user behavior in cloud settings. The danger of data loss, leakage, and unauthorized access is lowered in the process. CASB products also help with malware detection. 4. Runtime Application Self Protection (RASP): This solution addresses security issues that may arise while a program is working. It identifies potential threats and vulnerabilities during runtime and thwarts them immediately. Some of the RASP solutions include: Input validation Runtime hardening Dynamic Application Security testing 5. Web Application and API protection (WAAP) : These products are designed to protect your organization’s Web applications and APIs. They monitor outgoing and incoming web apps and API traffic to detect malicious activity. WAAP products can block any unauthorized access attempts. They can also protect against cyber threats like SQL injection and Cross-site scripting. 6. Data Loss Prevention (DLP): DLP products are intended to stop the loss or leaking of private information in cloud settings. These technologies keep track of sensitive data in use and at rest. They can also enforce rules to stop unauthorized people from losing or accessing it. 7. Security Information and Event Management (SIEM) systems : SIEM systems track and analyze real-time security incidents and events in cloud settings. The effect of security breaches is decreased thanks to these solutions. They help firms in detecting and responding to security issues rapidly. Cloud Native Application Protection Platform (CNAPP) The CNAPP, which Prevasio created, raises the bar for cloud security. It combines CSPM, CIEM, IAM, CWPP, and more in one tool. A CNAPP delivers a complete security solution with sophisticated threat detection and mitigation capabilities for packaged workloads, microservices, and cloud-native applications. The CNAPP can find and eliminate security issues in your cloud systems before hackers can exploit them. With its layer analysis feature, you can quickly fix any potential vulnerabilities in your cloud . It pinpoints the exact layer of code where there are errors, saving you time and effort. CNAPP also offers a visual dynamic analysis of your cloud environment . This lets you grasp the state of your cloud security at a glance. In the process, saving you time as you know exactly where to go. CNAPP is also a scalable cloud security solution. The cloud-native design of Prevasio’s CNAPP enables it to expand dynamically and offer real-time protection against new threats. Let Prevasio Solve Your Cloud Application Security Needs Cloud security is paramount to protecting sensitive data and upholding a company’s reputation in the modern digital age. To be agile to the constantly changing security issues in cloud settings, Prevasio’s Cloud Native Application Protection Platform (CNAPP) offers an all-inclusive solution. From layer analysis to visual dynamic analysis, CNAPP gives you the tools you need to keep your cloud secure. You can rely on Prevasio to properly manage your cloud application security needs. Try Prevasio today! Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Avoid the Traps: What You Need to Know About PCI Requirement 1 (Part 3)
So we’ve made it to the last part of our blog series on PCI 3.0 Requirement 1. The first two posts covered Requirement 1.1... Auditing and Compliance Avoid the Traps: What You Need to Know About PCI Requirement 1 (Part 3) Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/9/14 Published So we’ve made it to the last part of our blog series on PCI 3.0 Requirement 1. The first two posts covered Requirement 1.1 (appropriate firewall and router configurations) and 1.2 (restrict connections between untrusted networks and any system components in the cardholder data environment) and in this final post we’ll discuss key requirements of Requirements 1.3 -1.5 and I’ll again give you my insight to help you understand the implications of these requirements and how to comply with them. Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports (1.3.1.): The DMZ is used to publish services such as HTTP and HTTPS to the internet and allow external entities to access these services. But the key point here is that you don’t need to open every port on the DMZ. This requirement verifies that a company has a DMZ implemented and that inbound activity is limited to only the required protocols and ports. Limit inbound Internet traffic to IP addresses within the DMZ (1.3.2): This is a similar requirement to 1.3.1, however instead of looking for protocols, the requirement focuses on the IPs that the protocol is able to access. In this case, just because you might need HTTP open to a web server, doesn’t mean that all systems should have external port 80 open to inbound traffic. Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment (1.3.3): This requirement verifies that there isn’t unfiltered access, either going into the CDE or leaving it, which means that all traffic that traverses this network must pass through a firewall. All unwanted traffic should be blocked and all allowed traffic should be permitted based on an explicit source/destination/protocol. There should never be a time that someone can enter or leave the CDE without first being inspected by a firewall of some type. Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network (1.3.4): In an attempt to bypass your firewall, cyber attackers will try and spoof packets using the internal IP range of your network to make it look like the request originated internally. Enabling the IP spoofing feature on your firewall will help prevent these types of attacks. Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet (1.3.5): Similar to 1.3.3, this requirement assumes that you don’t have direct outbound access to the internet without a firewall. However in the event that a system has filtered egress access to the internet the QSA will want to understand why this access is needed, and whether there are controls in place to ensure that sensitive data cannot be transmitted outbound. Implement stateful inspection, also known as dynamic packet filtering (1.3.6): If you’re running a modern firewall this feature is most likely already configured by default. With stateful inspection, the firewall maintains a state table which includes all the connections that traverse the firewall, and it knows if there’s a valid response from the current connection. It is used to stop attackers from trying to trick a firewall into initiating a request that didn’t previously exist. Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks (1.3.7): Attackers are looking for your card holder database. Therefore, it shouldn’t be stored within the DMZ. The DMZ should be considered an untrusted network and segregated from the rest of the network. By having the database on the internal network provides another layer of protection against unwanted access. [Also see my suggestions for designing and securing you DMZ in my previous blog series: The Ideal Network Security Perimeter Design: Examining the DMZ Do not disclose private IP addresses and routing information to unauthorized parties (1.3.8): There should be methods in place to prevent your internal IP address scheme from being leaked outside your company. Attackers are looking for any information on how to breach your network, and giving them your internal address scheme is just one less thing they need to learn. You can stop this by using NAT, proxy servers, etc. to limit what can be seen from the outside. Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network (1.4): Mobile devices, such as laptops, that can connect to both the internal network and externally, should have a personal firewall configured with rules that prevent malicious software or attackers from communicating with the device. These firewalls need to be configured so that their rulebase can never be stopped or changed by anyone other than an administrator. Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties (1.5): There needs to be a unified policy regarding firewall maintenance including how maintenance procedures are performed, who has access to the firewall and when maintenance is scheduled. Well, that’s it! Hopefully, my posts have given you a better insight into what is actually required in Requirement 1 and what you need to do to comply with it. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Errare humanum est
Nick Ellsmore is an Australian cybersecurity professional whose thoughts on the future of cybersecurity are always insightful. Having a... Cloud Security Errare humanum est Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/25/21 Published Nick Ellsmore is an Australian cybersecurity professional whose thoughts on the future of cybersecurity are always insightful. Having a deep respect for Nick, I really enjoyed listening to his latest podcast “Episode 79 Making the cyber sector redundant with Nick Ellsmore” . As Nick opened the door to debate on “all the mildly controversial views” he has put forward in the podcast, I decided to take a stab at a couple of points made by Nick. For some mysterious reason, these points have touched my nerve. So, here we go. Nick: The cybersecurity industry, we spent so long trying to get people to listen to us and take the issue seriously, you know, we’re now getting that, you know. Are the businesses really responding because we were trying to get people to listen to us? Let me rephrase this question. Are the businesses really spending more on cybersecurity because we were trying to get people to listen to us? The “cynical me” tells me No. Businesses are spending more on cybersecurity because they are losing more due to cyber incidents. It’s not the number of incidents; it’s their impact that is increasingly becoming devastating. Over the last ten years, there were plenty of front-page headliners that shattered even seemingly unshakable businesses and government bodies. Think of Target attack in 2013, the Bank of Bangladesh heist in 2016, Equifax breach in 2017, SolarWinds hack in 2020 .. the list goes on. We all know how Uber tried to bribe attackers to sweep the stolen customer data under the rug. But how many companies have succeeded in doing so without being caught? How many cyber incidents have never been disclosed? These headliners don’t stop. Each of them is another reputational blow, impacted stock options, rolled heads, stressed-out PR teams trying to play down the issue, knee-jerk reaction to acquire snake-oil-selling startups, etc. We’re not even talking about skewed election results (a topic for another discussion). Each one of them comes at a considerable cost. So no wonder many geniuses now realise that spending on cybersecurity can actually mitigate those risks. It’s not our perseverance that finally started paying off. It’s their pockets that started hurting. Nick: I think it’s important that we don’t lose sight of the fact that this is actually a bad thing to have to spend money on. Like, the reason that we’re doing this is not healthy. .. no one gets up in the morning and says, wow, I can’t wait to, you know, put better locks on my doors. It’s not the locks we sell. We sell gym membership. We want people to do something now to stop bad things from happening in the future. It’s a concept of hygiene, insurance, prevention, health checks. People are free not to pursue these steps, and run their business the way they used to .. until they get hacked, get into the front page, wondering first “Why me?” and then appointing a scapegoat. Nick: And so I think we need to remember that, in a sense, our job is to create the entire redundancy of this sector. Like, if we actually do our job, well, then we all have to go and do something else, because security is no longer an issue. It won’t happen due to 2 main reasons. Émile Durkheim believed in a “society of saints”. Unfortunately, it is a utopia. Greed, hunger, jealousy, poverty are the never-ending satellites of the human race that will constantly fuel crime. Some of them are induced by wars, some — by corrupt regimes, some — by sanctions, some — by imperfect laws. But in the end — there will always be Haves and Have Nots, and therefore, fundamental inequality. And that will feed crime. “Errare humanum est” , Seneca. To err is human. Because of human errors, there will always be vulnerabilities in code. Because of human nature (and as its derivative, geopolitical or religious tension, domination, competition, nationalism, fight for resources), there will always be people willing to and capable of exploiting those vulnerabilities. Mix those two ingredients — and you get a perfect recipe for cybercrime. Multiply that with never-ending computerisation, automation, digital transformation, and you get a constantly growing attack surface. No matter how well we do our job, we can only control cybercrime and keep the lid on it, but we can’t eradicate it. Thinking we could would be utopic. Another important consideration here is budget constraints. Building proper security is never fun — it’s a tedious process that burns cash but produces no tangible outcome. Imagine a project with an allocated budget B to build a product P with a feature set F, in a timeframe T. Quite often, such a project will be underfinanced, potentially leading to a poor choice of coders, overcommitted promises, unrealistic expectations. Eventually leading to this (oldie, but goldie): Add cybersecurity to this picture, and you’ll get an extra step that seemingly complicates everything even further: The project investors will undoubtedly question why that extra step was needed. Is there a new feature that no one else has? Is there a unique solution to an old problem? None of that? Then what’s the justification for such over-complication? Planning for proper cybersecurity built-in is often perceived as FUD. If it’s not tangible, why do we need it? Customers won’t see it. No one will see it. Scary stories in the press? Nah, that’ll never happen to us. In some way, extra budgeting for cybersecurity is anti-capitalistic in nature. It increases the product cost and, therefore, its price, making it less competitive. It defeats the purpose of outsourcing product development, often making outsourcing impossible. From the business point of view, putting “Sec” into “DevOps” does not make sense. That’s Ok. No need. .. until it all gloriously hits the fan, and then we go back to STEP 1. Then, maybe, just maybe, the customer will say, “If we have budgeted for that extra step, then maybe we would have been better off”. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- Prevasio Kubernetes and container securi | AlgoSec
Elevate Kubernetes container security with AlgoSec s Prevasio Shield your deployments effortlessly Explore more now Kubernetes and container security Agentless zero-trust container analysis system Schedule a demo Watch a video Watch a video AI powered container applications discovery Never misplace a containerized focused application on your estate with new AI powered cloud application discovery. Identify your containerized business applications and their connection to other cloud resources. Comprehensive risk assessment Proactively secure your containers with in-depth vulnerability scanning and malware detection. Take control of your cloud security with clear, actionable remediation recommendations. Compliance Ensure compliance with industry benchmarks such as CIS benchmarks . Achieve and maintain cloud compliance effortlessly. Our platform verifies your Kubernetes , EKS, ECS, and ECR configurations against industry benchmarks, then prioritizes fixes based on the impact to your critical applications. for Kubernetes, EKS, ECS and ECR. Dynamic threat analysis Gain unprecedented visibility into your containerized environments . Prevasio's dynamic threat analysis exposes concealed entry points, detects potential supply chain threats, and empowers you with actionable insights to strengthen your security posture. Get the latest insights from the experts A Guide to Upskilling Your Cloud Architects & Security Teams in 2023 Learn more Securing Cloud-Native Environments: Containerized Applications, Serverless Architectures, and Microservices Learn more Understanding and Preventing Kubernetes Attacks and Threats Read more Schedule time and secure your cloud Schedule time and secure your cloud Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Risk Management in Network Security: 7 Best Practices for 2024
Protecting an organization against every conceivable threat is rarely possible. There is a practically unlimited number of potential threats in the world, and security leaders don’t have unlimited resources available to address them. Prioritizing risks associated with more severe potential impact allows leaders to optimize cybersecurity decision-making and improve the organization’s security posture. Cybersecurity risk management is important because many security measures come with large... Uncategorized Risk Management in Network Security: 7 Best Practices for 2024 Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 1/26/24 Published Protecting an organization against every conceivable threat is rarely possible. There is a practically unlimited number of potential threats in the world, and security leaders don’t have unlimited resources available to address them. Prioritizing risks associated with more severe potential impact allows leaders to optimize cybersecurity decision-making and improve the organization’s security posture. Cybersecurity risk management is important because many security measures come with large costs. Before you can implement security controls designed to protect against cyberattacks and other potential risks, you must convince key stakeholders to support the project. Having a structured approach to cyber risk management lets you demonstrate exactly how your proposed changes impact the organization’s security risk profile. This makes it much easier to calculate the return on cybersecurity investment – making it a valuable tool when communicating with board members and executives. Here are seven tips every security leader should keep in mind when creating a risk management strategy: Cultivate a security-conscious risk management culture Use risk registers to describe potential risks in detail Prioritize proactive, low-cost risk remediation when possible Treat risk management as an ongoing process Invest in penetration testing to discover new vulnerabilities Demonstrate risk tolerance by implementing the NIST Cybersecurity Framework Don’t forget to consider false positives in your risk assessment What is a Risk Management Strategy? The first step to creating a comprehensive risk management plan is defining risk. According to the International Organization for Standardization (ISO) risk is “the effect of uncertainty on objectives”. This definition is accurate, but its scope is too wide. Uncertainty is everywhere, including things like market conditions, natural disasters, or even traffic jams. As a cybersecurity leader, your risk management process is more narrowly focused on managing risks to information systems, protecting sensitive data, and preventing unauthorized access. Your risk management program should focus on identifying these risks, assessing their potential impact, and creating detailed plans for addressing them. This might include deploying tools for detecting cyberattacks, implementing policies to prevent them, or investing in incident response and remediation tools to help you recover from them after they occur. In many cases, you’ll be doing all of these things at once. Crucially, the information you uncover in your cybersecurity risk assessment will help you prioritize these initiatives and decide how much to spend on them. Your risk management framework will provide you with the insight you need to address high-risk, high-impact cybersecurity threats first and manage low-risk, low-impact threats later on. 7 Tips for Creating a Comprehensive Risk Management Strategy 1. Cultivate a security-conscious risk management culture No CISO can mitigate security risks on their own. Every employee counts on their colleagues, partners, and supervisors to keep sensitive data secure and prevent data breaches. Creating a risk management strategy is just one part of the process of developing a security-conscious culture that informs risk-based decision-making. This is important because many employees have to make decisions that impact security on a daily basis. Not all of these decisions are critical-severity security scenarios, but even small choices can influence the way the entire organization handles risk. For example, most organizations list their employees on LinkedIn. This is not a security threat on its own, but it can contribute to security risks associated with phishing attacks and social engineering . Cybercriminals may create spoof emails inviting employees to fake webinars hosted by well-known employees, and use the malicious link to infect employee devices with malware. Cultivating a risk management culture won’t stop these threats from happening, but it might motivate employees to reach out when they suspect something is wrong. This gives security teams much greater visibility into potential risks as they occur, and increases the chance you’ll detect and mitigate threats before they launch active cyberattacks. 2. Use risk registers to describe potential risks in detail A risk register is a project management tool that describes risks that could disrupt a project during execution. Project managers typically create the register during the project planning phase and then refer to it throughout execution. A risk register typically uses the following characteristics to describe individual risks: Description : A brief overview of the risk itself. Category: The formal classification of the risk and what it affects. Likelihood: How likely this risk is to take place. Analysis: What would happen if this risk occurred. Mitigation: What would the team need to do to respond in this scenario. Priority: How critical is this risk compared to others. The same logic applies to business initiatives both large and small. Using a risk register can help you identify and control unexpected occurrences that may derail the organization’s ongoing projects. If these projects are actively supervised by a project manager, risk registers should already exist for them. However, there may be many initiatives, tasks, and projects that do not have risk registers. In these cases, you may need to create them yourself. Part of the overall risk assessment process should include finding and consolidating these risk registers to get an idea of the kinds of disruptions that can take place at every level of the organization. You may find patterns in the types of security risks that you find described in multiple risk registers. This information should help you evaluate the business impact of common risks and find ways to mitigate those risks effectively. 3. Prioritize proactive, low-cost risk remediation when possible Your organization can’t afford to prevent every single risk there is. That would require an unlimited budget and on-demand access to technical specialist expertise. However, you can prevent certain high-impact risks using proactive, low-cost policies that can make a significant difference in your overall security posture. You should take these opportunities when they present themselves. Password policies are a common example. Many organizations do not have sufficiently robust password policies in place. Cybercriminals know this –that’s why dictionary-based credential attacks still occur. If employees are reusing passwords across accounts or saving them onto their devices in plaintext, it’s only a matter of time before hackers notice. At the same time, upgrading a password policy is not an especially expensive task. Even deploying an enterprise-wide password manager and investing in additional training may be several orders of magnitude cheaper than implementing a new SIEM or similarly complex security platform. Your cybersecurity risk assessment will likely uncover many opportunities like this one. Take a close look at things like password policies, change management , and security patch update procedures and look for easy, low-cost projects that can provide immediate security benefits without breaking your budget. Once you address these issues, you will be in a much better position to pursue larger, more elaborate security implementations. 4. Treat risk management as an ongoing process Every year, cybercriminals leverage new tactics and techniques against their victims. Your organization’s security team must be ready to address the risks of emerging malware, AI-enhanced phishing messages, elaborate supply chain attacks, and more. As hackers improve their attack methodologies, your organization’s risk profile shifts. As the level of risk changes, your approach to information security must change as well. This means developing standards and controls that adjust according to your organization’s actual information security risk environment. Risk analysis should not be a one-time event, but a continuous one that delivers timely results about where your organization is today – and where it may be in the future. For example, many security teams treat firewall configuration and management as a one-time process. This leaves them vulnerable to emerging threats that they may not have known about during the initial deployment. Part of your risk management strategy should include verifying existing security solutions and protecting them from new and emerging risks. 5. Invest in penetration testing to discover new vulnerabilities There is more to discovering new risks than mapping your organization’s assets to known vulnerabilities and historical data breaches. You may be vulnerable to zero-day exploits and other weaknesses that won’t be immediately apparent. Penetration testing will help you discover and assess risks that you can’t find out about otherwise. Penetration testing mitigates risk by pinpointing vulnerabilities in your environment and showing how hackers could exploit them. Your penetration testing team will provide a comprehensive report showing you what assets were compromised and how. You can then use this information to close those security gaps and build a stronger security posture as a result. There are multiple kinds of penetration testing. Depending on your specific scenario and environment, you may invest in: External network penetration testing focuses on the defenses your organization deploys on internet-facing assets and equipment. The security of any business application exposed to the public may be assessed through this kind of test. Internal network penetration testing determines how cybercriminals may impact the organization after they gain access to your system and begin moving laterally through it. This also applies to malicious insiders and compromised credential attacks. Social engineering testing looks specifically at how employees respond to attackers impersonating customers, third-party vendors, and internal authority figures. This will help you identify risks associated with employee security training . Web application testing focuses on your organization’s web-hosted applications. This can provide deep insight into how secure your web applications are, and whether they can be leveraged to leak sensitive information. 6. Demonstrate risk tolerance by implementing the NIST Cybersecurity Framework The National Institute of Standards and Technology publishes one of the industry’s most important compliance frameworks for cybersecurity risk mitigation. Unlike similar frameworks like PCI DSS and GDPR, the NIST Cybersecurity Framework is voluntary – you are free to choose when and how you implement its controls in your organization. This set of security controls includes a comprehensive, flexible approach to risk management. It integrates risk management techniques across multiple disciplines and combines them into an effective set of standards any organization can follow. As of 2023, the NIST Risk Management Framework focuses on seven steps: Prepare the organization to change the way it secures its information technology solutions. Categorize each system and the type of information it processes according to a risk and impact analysis/ Select which NIST SP 800-53 controls offer the best data protection for the environment. Implement controls and document their deployment. Assess whether the correct controls are in place and operating as intended. Authorize the implementation in partnership with executives, stakeholders, and IT decision-makers. Monitor control implementations and IT systems to assess their effectiveness and discover emerging risks. 7. Don’t forget to consider false positives in your risk assessment False positives refer to vulnerabilities and activity alerts that have been incorrectly flagged. They can take many forms during the cybersecurity risk assessment process – from vulnerabilities that don’t apply to your organization’s actual tech stack to legitimate traffic getting blocked by firewalls. False positives can impact risk assessments in many ways. The most obvious problem they present is skewing your assessment results. This may lead to you prioritizing security controls against threats that aren’t there. If these controls are expensive or time-consuming to deploy, you may end up having an uncomfortable conversation with key stakeholders and decision-makers later on. However, false positives are also a source of security risks. This is especially true with automated systems like next-generation firewalls , extended detection and response (XDR) solutions, and Security Orchestration, Automation, and Response (SOAR) platforms. Imagine one of these systems detects an outgoing video call from your organization. It flags the connection as suspicious and begins investigating it. It discovers the call is being made from an unusual location and contains confidential data, so it blocks the call and terminates the connection. This could be a case of data exfiltration, or it could be the company CEO presenting a report to stockholders while traveling. Most risk assessments don’t explore the potential risk of blocking high-level executive communications or other legitimate communications due to false positives. Use AlgoSec to Identify and Assess Network Security Risks More Accurately Building a comprehensive risk management strategy is not an easy task. It involves carefully observing the way your organization does business and predicting how cybercriminals may exploit those processes. It demands familiarity with almost every task, process, and technology the organization uses, and the ability to simulate attack scenarios from multiple different angles. There is no need to accomplish these steps manually. Risk management platforms like AlgoSec’s Horizon Security Analyzer can help you map business applications throughout your network and explore attack simulations with detailed “what-if” scenarios. Use Horizon Security Analyzer to gain deep insight into how your organization would actually respond to security incidents and unpredictable events, then use those insights to generate a more complete risk management approach. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call
- AlgoSec | Migrating to AWS in six simple steps
Yitzy Tannenbaum, Product Marketing Manager at AlgoSec, discusses how AWS customers can leverage AlgoSec for AWS to easily migrate... Uncategorized Migrating to AWS in six simple steps Yitzy Tannenbaum 2 min read Yitzy Tannenbaum Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/1/20 Published Yitzy Tannenbaum, Product Marketing Manager at AlgoSec, discusses how AWS customers can leverage AlgoSec for AWS to easily migrate applications Public cloud platforms bring a host of benefits to organizations but managing security and compliance can prove complex. These challenges are exacerbated when organizations are required to manage and maintain security across all controls that make up the security network including on-premise, SDN and in the public cloud. According to a Gartner study , 81% of organizations are concerned about security, and 57% about maintaining regulatory compliance in the public cloud. AlgoSec’s partnership with AWS helps organizations overcome these challenges by making the most of AWS’ capabilities and providing solutions that complement the AWS offering, particularly in terms of security and operational excellence. And to make things even easier, AlgoSec is now available in AWS Marketplace. Accelerating complex application migration with AlgoSec Many organizations choose to migrate workloads to AWS because it provides unparalleled opportunities for scalability, flexibility, and the ability to spin-up new servers within a few minutes. However, moving to AWS while still maintaining high-level security and avoiding application outages can be challenging, especially if you are trying to do the migration manually, which can create opportunities for human error. We help simplify the migration to AWS with a six-step automated process, which takes away manual processes and reduces the risk of error: Step 1 – AlgoSec automatically discovers and maps network flows to the relevant business applications. Step 2- AlgoSec assesses the changes in the application connectivity required to migrate it to AWS. Step 3- AlgoSec analyzes, simulates and computes the necessary changes, across the entire hybrid network (over firewalls, routers, security groups etc.), including providing a what-if risk analysis and compliance report. Step 4- AlgoSec automatically migrates the connectivity flows to the new AWS environment. Step 5 – AlgoSec securely decommissions old connectivity. Step 6- The AlgoSec platform provides ongoing monitoring and visibility of the cloud estate to maintain security and operation of policy configurations or successful continuous operation of the application. Gain control of hybrid estates with AlgoSec Security automation is essential if organizations are to maintain security and compliance across their hybrid environments, as well as get the full benefit of AWS agility and scalability. AlgoSec allows organizations to seamlessly manage security control layers across the entire network from on-premise to cloud services by providing Zero-Touch automation in three key areas. First, visibility is important, since understanding the network we have in the cloud helps us to understand how to deploy and manage the policies across the security controls that make up the hybrid cloud estate. We provide instant visibility, risk assessment and compliance, as well as rule clean-up, under one unified umbrella. Organizations can gain instant network visibility and maintain a risk-free optimized rule set across the entire hybrid network – across all AWS accounts, regions and VPC combinations, as well as 3rd party firewalls deployed in the cloud and across the connection to the on-prem network. Secondly, changes to network security policies in all these diverse security controls can be managed from a single system, security policies can be applied consistently, efficiently, and with a full audit trail of every change. Finally, security automation dramatically accelerates change processes and enables better enforcement and auditing for regulatory compliance. It also helps organizations overcome skill gaps and staffing limitations. Why Purchase Through AWS Marketplace? AWS Marketplace is a digital catalog with thousands of software listings from independent software vendors (ISVs). It makes it easy for organizations to find, test, buy, and deploy software that runs on Amazon Web Services (AWS), giving them a further option to benefit from AlgoSec. The new listing also gives organizations the ability to apply their use of AlgoSec to their AWS Enterprise Discount Program (EDP) spend commitment. With the addition of AlgoSec in AWS Marketplace, customers can benefit from simplified sourcing and contracting as well as consolidated billing, ultimately resulting in cost savings. It offers organizations instant visibility and in-depth risk analysis and remediation, providing multiple unique capabilities such as cloud security group clean-ups, as well as central policy management. This strengthens enterprises’ cloud security postures and ensures continuous audit-readiness. Ready to Get Started? The addition of AlgoSec in AWS Marketplace is the latest development in the relationship between AlgoSec and AWS and is available for businesses with 500 or more users. Visit the AlgoSec AWS Marketplace listing for more information or contact us to discuss it further. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call











