top of page

Search results

642 results found with an empty search

  • AlgoSec | Understanding Security Considerations in IaaS/PaaS/SaaS Deployments

    Knowing how to select and position security capabilities in different cloud deployment models is critical to comprehensive security... Cloud Security Understanding Security Considerations in IaaS/PaaS/SaaS Deployments Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/24/22 Published Knowing how to select and position security capabilities in different cloud deployment models is critical to comprehensive security across your organization. Implementing the right pattern allows you to protect the confidentiality, integrity, and availability of cloud data assets. It can also improve incident response to security threats. Additionally, security teams and cloud security architects no longer have to rely on pre-set security templates or approaches built for on-premises environments. Instead, they must adapt to the specific security demands of the cloud and integrate them with the overall cloud strategy. This can be accomplished by re-evaluating defense mechanisms and combining cloud-native security and vendor tools. Here, we’ll break down the security requirements and best practices for cloud service models like IaaS, PaaS, and SaaS. Do you have cloud security architects on board? We’ll also cover their roles and the importance of leveraging native security tools specific to each model. Managing Separation of Responsibilities with the Cloud Service Provider Secure cloud deployments start with understanding responsibilities. Where do you stand, and what is expected of you? There are certain security responsibilities the cloud security provider takes care of and those that the customer handles. This division of responsibilities means adjusting focus and using different measures to ensure security is necessary. Therefore, organizations must consider implementing compensating controls and alternative security measures to make up for any limitations in the cloud service provider’s security offerings. Security Considerations for SaaS (Software-as-a-Service) Deployments The specific security requirements in SaaS deployments may vary between services. However, it’s important to consider the following areas: Data protection During cloud deployments, protecting data assets is a tough nut to crack for many organizations. As a SaaS provider, ensuring data protection is crucial because you handle and store sensitive customer data. Encryption must be implemented for data in transit and at rest. Protecting data at rest is the cloud provider’s responsibility, whereas you are responsible for data in transit. The cloud provider implements security measures like encryption, access controls, and physical security to protect the data stored in their infrastructure. On the other hand, it’s your responsibility to implement secure communication protocols like encryption, ensuring data remains protected when it moves between your SaaS application. Additionally, best practice solutions may offer you the option of managing your encryption keys so that cloud operations staff cannot decrypt customer data. Interfacing with the Cloud Service There are a number of security considerations to keep in mind when interacting with a SaaS deployment. These include validating data inputs, implementing secure APIs, and securing communication channels. It’s crucial to use secure protocols like HTTPS and to ensure that the necessary authentication and authorization mechanisms are in place. You may also want to review and monitor access logs frequently to spot and address any suspicious activity. Application Security in SaaS During SaaS deployments, it’s essential to ensure application security. For instance, secure coding practices, continuous vulnerability assessments, and comprehensive application testing all contribute to effective SaaS application security. Cross-site scripting (XSS) and SQL injection are some of the common web application cyber-attacks today. You can improve the application’s security posture by implementing the right input validation, regular security patches from the SaaS provider, and web application firewalls (WAFs). Cloud Identity and Access Controls Here, you must define how cloud services will integrate and federate with existing enterprise identity and access management (IAM) systems. This ensures a consistent and secure access control framework. Implementing strong authentication mechanisms like multifactor authentication (MFA) and enforcing proper access controls based on roles and responsibilities are necessary security requirements. You should also consider using Cloud Access Security Broker (CASB) tools to provide adaptive and risk-based access controls. Regulatory Compliance Using a cloud service doesn’t exempt one from regulatory compliance, and cloud architects must design the SaaS architecture to align with these requirements. But why are these stringent requirements there in the first place? The purpose of these regulations is to protect consumer privacy by enforcing confidentiality, integrity, availability, and accountability. So, achieving compliance means you meet these regulations. It demonstrates that your applications and tech stack maintain secure privacy levels. Failure to comply could cost money in the form of fines, legal action, and a damaged reputation. You don’t want that. Security Considerations for PaaS (Platform-as-a-Service) Deployments PaaS security considerations during deployments will address all the SaaS areas. But as a PaaS customer, there are slight differences you should know. For example, more options exist to configure how data is protected and who can do what with it. As such, the responsibility of user permissions may be given to you. On the other hand, some PaaS providers may have built-in tools and mechanisms for managing user permissions. So, what are the other key areas you want to address to ensure a secure environment for PaaS deployments? We’ll start with the application security. Application Security The customer is responsible for securing the applications they build and deploy on the PaaS platform. Securing application platforms is necessary, and cloud architects must ensure this from the design and development stage. So, what do you do to ensure application security? It all starts from the onset. From secure coding practices, addressing application vulnerabilities, and conducting regular security testing. You’ll often find that most security vulnerabilities are introduced from the early stages of software development. If you can identify and fix potential flaws using penetration testing and threat modeling practices, you’re on your way to successful deployment. Data Security PaaS cloud security deployments offer more flexibility and allow customers control over their data and user entitlements. What this means is you can build and deploy your own applications on the platform. You can configure security measures and controls within your applications by defining who has access to applications, what they can do, and how data is protected. Here, cloud security architects and security teams can ensure data classification and access controls, determining appropriate encryption keys management practices, secure data integration and APIs, and data governance. Ultimately, configuring data protection mechanisms and user permissions provides customers with greater customization and control. Platform Security The platform itself, including the operating system, underlying infrastructure, data centers, and middleware, need to be protected. This is the responsibility of the PaaS provider. They must ensure that the components that keep the platform up are functional at all times. Network Security In PaaS environments, identity and roles are primarily used for network security to determine access to resources and data in the PaaS platform. As such, the most important factor to consider in this case is verifying the user identity and managing access based on their roles and permissions. Rather than relying on traditional network security measures like perimeter controls, IDS/IPS, and traffic monitoring, there is a shift to user-centric access controls. Security Considerations for IaaS (Infrastructure-as-a-Service) Cloud Deployments When it comes to application and software security, IaaS security during cloud deployment is similar. If you’re an IaaS customer, there are slight differences in how IaaS cloud deployment is handled. For example, while the cloud provider handles the hypervisor or virtualized layer, everything else is the customers’ responsibility. So, you must secure the cloud deployment by implementing appropriate security measures to safeguard their applications and data. Due to different deployment patterns, some security tools that work well for SaaS may not be suitable for IaaS. For example, we discussed how CASB could be excellent for cloud identity, data, and access controls in SaaS applications. However, this may not be effective in IaaS environments. Your cloud architects and security teams must understand these differences when deploying IaaS. They should consider alternative or additional security measures in certain areas to ensure more robust security during cloud deployments. These areas are: Access Management IaaS deployment requires you to consider several identity and access management (IAM) dimensions. For example, cloud architects must consider access to the operating system, including applications and middleware installed on them. Additionally, they must also consider privileged access, such as root or administrative access at the OS level. Keep in mind that IaaS has additional access layers. These consist of access to the IaaS console and other cloud provider features that may offer insights about or impact the operation of cloud resources. For example, key management and auditing and resource configuration and hardening. It’s important to clarify who has access to these areas and what they can do. Regular Patching There are more responsibilities for you. The IaaS customer is responsible for keeping workloads updated and maintained. This typically includes the OS itself and any additional software installed on the virtual machines. Therefore, cloud architects must apply the same vigilance to cloud workloads as they would to on-premises servers regarding patching and maintenance. This ensures proactive, consistent, and timely updates that ensure the security and stability of cloud workloads. Network Security IaaS customers must configure and manage security mechanisms within their virtual networks. This includes setting firewalls, using intrusion detection and intrusion prevention systems (IDS/IPS), establishing secure connections (VPN), and network monitoring. On the other hand, the cloud provider ensures network security for the underlying network infrastructure, like routers and switches. They also ensure physical security by protecting network infrastructure from unauthorized access. Data Protection While IaaS providers ensure the physical security of data centers, IaaS customers must secure their own data in the IaaS environment. They need to protect data stored in databases, virtual machines (VMs), and any other storage system provisioned by the IaaS provider. Some IaaS providers, especially large ones, offer encryption capabilities for the VMs created on their platform. This feature is typically free or low-priced. It’s up to you to decide whether managing your own encryption keys is more effective or to choose the provider’s offerings. If you decide to go for this feature, it’s important to clarify how encrypting data at rest may affect other services from the IaaS provider, such as backup and recovery. Leveraging Native Cloud Security Tools Just like the encryption feature, some cloud service providers offer a range of native tools to help customers enforce effective security. These tools are available for IaaS, PaaS, and SaaS cloud services. While customers may decide not to use them, the low financial and operational impact of native cloud security tools on businesses makes them a smart decision. It allows you to address several security requirements quickly and easily due to seamless control integration. However, it’s still important to decide which controls are useful and where they are needed. Conclusion Cloud security architecture is always evolving. And this continuous change makes cloud environments more complex and dynamic. From misconfigurations to data loss, many challenges can make secure cloud deployments for IaaS, PaaS, and SaaS services more challenging. Prevasio, an AlgoSec company, is your trusted cloud security partner that helps your organization streamline cloud deployments. Our cloud-native application provides increased risk visibility and control over security and compliance requirements. Contact us now to learn more about how you can expedite your cloud security operations. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • AlgoSec | Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities

    Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the... Cyber Attacks & Incident Response Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/20/23 Published Can Firewalls Be Hacked? Yes, Here’s 6 Vulnerabilities Like all security tools, firewalls can be hacked. That’s what happened to the social media platform X in January 2023, when it was still Twitter. Hackers exploited an API vulnerability that had been exposed since June the previous year. This gave them access to the platform’s security system and allowed them to leak sensitive information on millions of users. This breach occurred because the organization’s firewalls were not configured to examine API traffic with enough scrutiny. This failure in firewall protection led to the leak of more than 200 million names, email addresses, and usernames, along with other information, putting victims at risk of identity theft . Firewalls are your organization’s first line of defense against malware and data breaches. They inspect all traffic traveling into and out of your network, looking for signs of cyber attacks and blocking malicious activity when they find it. This makes them an important part of every organization’s cybersecurity strategy. Effective firewall management and configuration is vital for preventing cybercrime. Read on to find out how you can protect your organization from attacks that exploit firewall vulnerabilities you may not be aware of. Understanding the 4 Types of Firewalls The first thing every executive and IT leader should know is that there are four basic types of firewalls . Each category offers a different level of protection, with simpler solutions costing less than more advanced ones. Most organizations need to use some combination of these four firewall types to protect sensitive data effectively. Keep in mind that buying more advanced firewalls is not always the answer. Optimal firewall management usually means deploying the right type of firewall for its particular use case. Ideally, these should be implemented alongside multi-layered network security solutions that include network detection and response, endpoint security, and security information and event management (SIEM) technology. 1. Packet Filtering Firewalls These are the oldest and most basic types of firewalls. They operate at the network layer, checking individual data packets for their source IP address and destination IP. They also verify the connection protocol, as well as the source port and destination port against predefined rules. The firewall drops packets that fail to meet these standards, protecting the network from potentially harmful threats. Packet filtering firewalls are among the fastest and cheapest types of firewalls available. Since they can not inspect the contents of data packets, they offer minimal functionality. They also can’t keep track of established connections or enforce rules that rely on knowledge of network connection states. This is why they are considered stateless firewalls. 2. Stateful Inspection Firewalls These firewalls also perform packet inspection, but they ingest more information about the traffic they inspect and compare that information against a list of established connections and network states. Stateful inspection firewalls work by creating a table that contains the IP and port data for traffic sources and destinations, and dynamically check whether data packets are part of a verified active connection. This approach allows stateful inspection firewalls to deny data packets that do not belong to a verified connection. However, the process of checking data packets against the state table consumes system resources and slows down traffic. This makes stateful inspection firewalls vulnerable to Distributed Denial-of-Service (DDoS) attacks. 3. Application Layer Gateways These firewalls operate at the application layer, inspecting and managing traffic based on specific applications or protocols, providing deep packet inspection and content filtering. They are also known as proxy firewalls because they can be implemented at the application layer through a proxy device. In practice, this means that an external client trying to access your system has to send a request to the proxy firewall first. The firewall verifies the authenticity of the request and forwards it to an internal server. They can also work the other way around, providing internal users with access to external resources (like public web pages) without exposing the identity or location of the internal device used. 4. Next-Generation Firewalls (NGFW) Next-generation firewalls combine traditional firewall functions with advanced features such as intrusion prevention, antivirus, and application awareness . They contextualize data packet flows and enrich them with additional data, providing comprehensive security against a wide range of threats. Instead of relying exclusively on IP addresses and port information, NGFWs can perform identity-based monitoring of individual users, applications, and assets. For example, a properly configured NGFW can follow a single user’s network traffic across multiple devices and operating systems, providing an activity timeline even if the user switches between a desktop computer running Microsoft Windows and an Amazon AWS instance controlling routers and iOT devices. How Do These Firewalls Function? Each type of firewall has a unique set of functions that serve to improve the organization’s security posture and prevent hackers from carrying out malicious cyber attacks. Optimizing your firewall fleet means deploying the right type of solution for each particular use case throughout your network. Some of the most valuable functions that firewalls perform include: Traffic Control They regulate incoming and outgoing traffic, ensuring that only legitimate and authorized data flows through the network. This is especially helpful in cases where large volumes of automated traffic can slow down routine operations and disrupt operations. For example, many modern firewalls include rules designed to deny bot traffic. Some non-human traffic is harmless, like the search engine crawlers that determine your website’s ranking against certain keyword searches. However, the vast majority of bot traffic is either unnecessary or malicious. Firewalls can help you keep your infrastructure costs down by filtering out connection attempts from automated sources you don’t trust. Protection Against Cyber Threats Firewalls act as a shield against various cyber threats, including phishing attacks, malware and ransomware attacks . Since they are your first line of defense, any malicious activity that targets your organization will have to bypass your firewall first. Hackers know this, which is why they spend a great deal of time and effort finding ways to bypass firewall protection. They can do this by exploiting technical vulnerabilities in your firewall devices or by hiding their activities in legitimate traffic. For example, many firewalls do not inspect authenticated connections from trusted users. If cybercriminals learn your login credentials and use your authenticated account to conduct an attack, your firewalls may not notice the malicious activity at all. Network Segmentation By defining access rules, firewalls can segment networks into zones with varying levels of trust, limiting lateral movement for attackers. This effectively isolates cybercriminals into the zone they originally infiltrated, and increases the chance they make a mistake and reveal themselves trying to access additional assets throughout your network. Network segmentation is an important aspect of the Zero Trust framework. Firewalls can help reinforce the Zero Trust approach by inspecting traffic traveling between internal networks and dropping connections that fail to authenticate themselves. Security Policy Enforcement Firewalls enforce security policies, ensuring that organizations comply with their security standards and regulatory requirements. Security frameworks like NIST , ISO 27001/27002 , and CIS specify policies and controls that organizations need to implement in order to achieve compliance. Many of these frameworks stipulate firewall controls and features that require organizations to invest in optimizing their deployments. They also include foundational and organizational controls where firewalls play a supporting role, contributing to a stronger multi-layered cybersecurity strategy. Intrusion Detection and Prevention Advanced firewalls include intrusion detection and prevention capabilities, which can identify and block suspicious activities in real-time. This allows security teams to automate their response to some of the high-volume security events that would otherwise drag down performance . Automatically detecting and blocking known exploits frees IT staff to spend more time on high-impact strategic work that can boost the organization’s security posture. Logging and Reporting Firewalls generate logs and reports that assist in security analysis, incident response, and compliance reporting. These logs provide in-depth data on who accessed the organization’s IT assets, and when the connection occurred. They enable security teams to conduct forensic investigations into security incidents, driving security performance and generating valuable insights into the organization’s real-world security risk profile. Organizations that want to implement SIEM technology must also connect their firewall devices to the platform and configure them to send log data to their SIEM for centralized analysis. This gives security teams visibility into the entire organization’s attack surface and enables them to adopt a Zero Trust approach to managing log traffic. Common Vulnerabilities & Weaknesses Firewalls Share Firewalls are crucial for network security, but they are not immune to vulnerabilities. Common weaknesses most firewall solutions share include: Zero-day vulnerabilities These are vulnerabilities in firewall software or hardware that are unknown to the vendor or the general public. Attackers can exploit them before patches or updates are available, making zero-day attacks highly effective. Highly advanced NGFW solutions can protect against zero-day attacks by inspecting behavioral data and using AI-enriched analysis to detect unknown threats. Backdoors Backdoors are secret entry points left by developers or attackers within a firewall’s code. These hidden access points can be exploited to bypass security measures. Security teams must continuously verify their firewall configurations to identify the signs of backdoor attacks. Robust and effective change management solutions help prevent backdoors from remaining hidden. Header manipulation Attackers may manipulate packet headers to trick firewalls into allowing unauthorized traffic or obscuring their malicious intent. There are multiple ways to manipulate the “Host” header in HTTP traffic to execute attacks. Security teams need to configure their firewalls and servers to validate incoming HTTP traffic and limit exposure to header vulnerabilities. How Cyber Criminals Exploit These Vulnerabilities Unauthorized Access Exploiting a vulnerability can allow cybercriminals to penetrate a network firewall, gaining access to sensitive data, proprietary information, or critical systems. Once hackers gain unauthorized access to a network asset, only a well-segmented network operating on Zero Trust principles can reliably force them to reveal themselves. Otherwise, they will probably remain hidden until they launch an active attack. Data Breaches Once inside your network, attackers may exfiltrate sensitive information, including customer data, intellectual property, and financial records (like credit cards), leading to data breaches. These complex security incidents can lead to major business disruptions and reputational damage, as well as enormous recovery costs. Malware Distribution Attackers may use compromised firewalls to distribute malware, ransomware, or malicious payloads to other devices within the network. This type of attack may focus on exploiting your systems and network assets, or it may target networks adjacent to your own – like your third-party vendors, affiliate partners, or customers. Denial of Service (DDoS) Exploited firewalls can be used in DDoS attacks, potentially disrupting network services and rendering them unavailable to users. This leads to expensive downtime and reputational damage. Some hackers try to extort their victims directly, demanding organizations pay money to stop the attack. 6 Techniques Used to Bypass Firewalls 1. Malware and Payload Delivery Attackers use malicious software and payloads to exploit firewall vulnerabilities, allowing them to infiltrate networks or systems undetected. This often occurs due to unpatched security vulnerabilities in popular firewall operating systems. For example, in June 2023 Fortinet addressed a critical-severity FortiOS vulnerability with a security patch. One month later in July, there were still 300,000 Fortinet firewalls still using the unpatched operating system. 2. Phishing Attacks Phishing involves tricking individuals into divulging sensitive information or executing malicious actions. Attackers use deceptive emails or websites that may bypass firewall filters. If they gain access to privileged user account credentials, they may be able to bypass firewall policies entirely, or even reconfigure firewalls themselves. 3. Social Engineering Tactics Cybercriminals manipulate human psychology to deceive individuals into disclosing confidential information, effectively bypassing technical security measures like firewalls. This is typically done through social media, email, or by telephone. Attackers may impersonate authority figures both inside and outside the organization and demand access to sensitive assets without going through the appropriate security checks. 4. Deep Packet Inspection Evasion Attackers employ techniques to disguise malicious traffic, making it appear benign to firewalls using deep packet inspection, allowing it to pass through undetected. Some open-source tools like SymTCP can achieve this by running symbolic executions on the server’s TCP implementation, scanning the resulting execution paths, and sending malicious data through any handling discrepancies identified. 5. VPNs and Remote Access Attackers may use Virtual Private Networks (VPNs) and remote access methods to circumvent firewall restrictions and gain unauthorized entry into networks. This is particularly easy in cases where simple geo restrictions block traffic from IP addresses associated with certain countries or regions. Attackers may also use more sophisticated versions of this technique to access exposed services that don’t require authentication, like certain containerized servers . 6. Intrusion Prevention Systems (IPS) Bypass Sophisticated attackers attempt to evade IPS systems by crafting traffic patterns or attacks that go undetected, enabling them to compromise network security. For example, they may use technologies to decode remote access tool executable files hidden inside certificate files, allowing them to reassemble the malicious file after it passes through the IPS. Protecting Against Firewall Vulnerabilities Multi-factor Authentication (MFA) MFA adds an extra layer of security by requiring users to provide multiple forms of identification, such as a password and a one-time code sent to their mobile device, before they gain access. This prevents attackers from accessing sensitive network assets immediately after stealing privileged login credentials. Knowing an account holder’s password and username is not enough. Two-factor Authentication (2FA) 2FA is a subset of MFA that involves using two authentication factors, typically something the user knows (password) and something the user has (a mobile device or security token), to verify identity and enhance firewall security. Other versions use biometrics like fingerprint scanning to authenticate the user. Intrusion Prevention Systems (IPS) IPS solutions work alongside firewalls to actively monitor network traffic for suspicious activity and known attack patterns, helping to block or mitigate threats before they can breach the network. These systems significantly reduce the amount of manual effort that goes into detecting and blocking known malicious attack techniques. Web Application Firewalls (WAF) WAFs are specialized firewalls designed to protect web applications from a wide range of threats, including SQL injection, cross-site scripting (XSS), and other web-based attacks. Since these firewalls focus specifically on HTTP traffic, they are a type of application level gateway designed specifically for web applications that interact with users on the public internet. Antivirus Software and Anti-malware Tools Deploying up-to-date antivirus and anti-malware software on endpoints, servers, and Wi-Fi network routers helps detect and remove malicious software, reducing the risk of firewall compromise. In order to work effectively, these tools must be configured to detect and mitigate the latest threats alongside the organization’s other security tools and firewalls. Automated solutions can help terminate unauthorized processes before attackers get a chance to deliver malicious payloads. Regular Updates and Patch Management Keeping firewalls and all associated software up-to-date with the latest security patches and firmware updates is essential for addressing known vulnerabilities and ensuring optimal security. Security teams should know when configuration changes are taking place, and be equipped to respond quickly when unauthorized changes take place. Implementing a comprehensive visibility and change management platform like AlgoSec makes this possible. With AlgoSec, you can simulate the effects of network configuration changes and proactively defend against sophisticated threats before attackers have a chance to strike. Monitoring Network Traffic for Anomalies Continuous monitoring of network traffic helps identify unusual patterns or behaviors that may indicate a security incident. Anomalies can trigger alerts for further investigation and response. Network detection and response solutions grant visibility into network activities that would otherwise go unnoticed, potentially giving security personnel early warning when unannounced changes or suspicious behaviors take place. Streamline Your Firewall Security With AlgoSec Organizations continue to face increasingly sophisticated cyber threats, including attacks that capitalize on misconfigured firewalls – or manipulate firewall configurations directly. Firewall management software has become a valuable tool for maintaining a robust network security posture and ensuring regulatory compliance. AlgoSec plays a vital role enhancing firewall security by automating policy analysis, optimizing rule sets, streamlining change management, and providing real-time monitoring and visibility. Find out how to make the most of your firewall deployment and detect unauthorized changes to firewall configurations with our help. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • AlgoSec | Securely accelerating application delivery

    In this guest blog, Jeff Yager from IT Central Station (soon to be PeerSpot), discusses how actual AlgoSec users have been able to... Security Policy Management Securely accelerating application delivery Jeff Yeger 2 min read Jeff Yeger Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/15/21 Published In this guest blog, Jeff Yager from IT Central Station (soon to be PeerSpot), discusses how actual AlgoSec users have been able to securely accelerate their app delivery. These days, it is more important than ever for business owners, application owners, and information security professionals to speak the same language. That way, their organizations can deliver business applications more rapidly while achieving a heightened security posture. AlgoSec’s patented platform enables the world’s most complex organizations to gain visibility and process changes at zero-touch across the hybrid network. IT Central Station members discussed these benefits of AlgoSec , along with related issues, in their reviews on the site. Application Visibility AlgoSec allows users to discover, identify, map, and analyze business applications and security policies across their entire networks. For instance, Jacob S., an IT security analyst at a retailer, reported that the overall visibility that AlgoSec gives into his network security policies is high. He said, “It’s very clever in the logic it uses to provide insights, especially into risks and cleanup tasks . It’s very valuable. It saved a lot of hours on the cleanup tasks for sure. It has saved us days to weeks.” “AlgoSec absolutely provides us with full visibility into the risk involved in firewall change requests,” said Aaron Z. a senior network and security administrator at an insurance company that deals with patient health information that must be kept secure. He added, “There is a risk analysis piece of it that allows us to go in and run that risk analysis against it, figuring out what rules we need to be able to change, then make our environment a little more secure. This is incredibly important for compliance and security of our clients .” Also impressed with AlgoSec’s overall visibility into network security policies was Christopher W., a vice president – head of information security at a financial services firm, who said, “ What AlgoSec does is give me the ability to see everything about the firewall : its rules, configurations and usage patterns.” AlgoSec gives his team all the visibility they need to make sure they can keep the firewall tight. As he put it, “There is no perimeter anymore. We have to be very careful what we are letting in and out, and Firewall Analyzer helps us to do that.” For a cyber security architect at a tech services company, the platform helps him gain visibility into application connectivity flows. He remarked, “We have Splunk, so we need a firewall/security expert view on top of it. AlgoSec gives us that information and it’s a valuable contributor to our security environment.” Application Changes and Requesting Connectivity AlgoSec accelerates application delivery and security policy changes with intelligent application connectivity and change automation. A case in point is Vitas S., a lead infrastructure engineer at a financial services firm who appreciates the full visibility into the risk involved in firewall change requests. He said, “[AlgoSec] definitely allows us to drill down to the level where we can see the actual policy rule that’s affecting the risk ratings. If there are any changes in ratings, it’ll show you exactly how to determine what’s changed in the network that will affect it. It’s been very clear and intuitive.” A senior technical analyst at a maritime company has been equally pleased with the full visibility. He explained, “That feature is important to us because we’re a heavily risk-averse organization when it comes to IT control and changes. It allows us to verify, for the most part, that the controls that IT security is putting in place are being maintained and tracked at the security boundaries .” A financial services firm with more than 10 cluster firewalls deployed AlgoSec to check the compliance status of their devices and reduce the number of rules in each of the policies. According to Mustafa K. their network security engineer, “Now, we can easily track the changes in policies. With every change, AlgoSec automatically sends an email to the IT audit team. It increases our visibility of changes in every policy .” Speed and Automation The AlgoSec platform automates application connectivity and security policy across a hybrid network so clients can move quickly and stay secure. For Ilya K., a deputy information security department director at a computer software company, utilizing AlgoSec translates into an increase in security and accuracy of firewall rules. He said, “ AlgoSec ASMS brings a holistic view of network firewall policy and automates firewall security management in very large-sized environments. Additionally, it speeds up the changes in firewall rules with a vendor-agnostic approach.” “The user receives the information if his request is within the policies and can continue the request,” said Paulo A., a senior information technology security analyst at an integrator. He then noted, “Or, if it is denied, the applicant must adjust their request to stay within the policies. The time spent for this without AlgoSec is up to one week, whereas with AlgoSec, in a maximum of 15 minutes we have the request analyzed .” The results of this capability include greater security, a faster request process and the ability to automate the implementation of rules. Srdjan, a senior technical and integration designer at a large retailer, concurred when he said, “ By automating some parts of the work, business pressure is reduced since we now deliver much faster . I received feedback from our security department that their FCR approval process is now much easier. The network team is also now able to process FCRs much faster and with more accuracy.” To learn more about what IT Central Station members think about AlgoSec, visit https://www.itcentralstation.com/products/algosec-reviews Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • AlgoSec | How AppSec Network Engineers Can Align Security with the Business

    Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can... Application Connectivity Management How AppSec Network Engineers Can Align Security with the Business Eric Jeffery 2 min read Eric Jeffery Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 7/13/22 Published Eric Jeffery, AlgoSec’s regional solutions engineer, gives his view on the pivotal role of AppSec network engineers and how they can positively impact the business It may surprise many people but the number one skills gap hampering today’s application security network engineers is primarily centred around the soft skills which includes communication, writing, presentation, team building and critical thinking. Why is this so important? Because first and foremost, their goal is to manage the organization’s security posture by deploying the best application security tools and technologies for the specific security and growth needs of the business. Keep things safe but don’t get in the way of revenue generation What an application security network engineer should not do is get in the way of developing new business-critical or revenue generating applications. At the same time, they need to understand that they have a leadership role to play in steering a safe and profitable course for the business. Starting with an in depth understanding of all wired traffic, AppSec network engineers need to know what applications are running on the network, how they communicate, who they communicate with and how to secure the traffic and connectivity flow associated with each one of them. An AppSec network engineer’s expertise should extend much more than mastering simple applications such as FTP and SSH. Rather, business traffic continuity should sit at the pinnacle of their responsibilities. There’s a lot of revenue generating traffic that they need to understand and put the right guardrails to protect it. However, equally as important, they need to make sure that the traffic is not hindered by outdated or irrelevant rules and policies, to avoid any negative financial impact on the organization. Layers of expertise beyond the OSI model A good starting point for any AppSec network engineer is to acquire a commanding knowledge of the seven layers of the OSI model, especially Layer 6 which covers Presentation. In practical terms, this means that they should have a thorough understanding of the network and transport layers – knowing what traffic is going across the network and why. It’s also helpful to have basic scripting knowledge and an understanding of simple scripts such as a cron job for scheduling tasks. It could also be useful to know some basic level programming like Perl and PHP. Beyond the network skills, AppSec network engineers should grasp the business vertical in which they operate. Once they gain an understanding of the business DNA and the applications that make it tick, then they can add real value to their organizations. What’s on the network vs. what should be on the network Should AppSec network engineers be expected to understand business and applications? Absolutely. With this level of skill and knowledge, they can help the business progress securely by corelating what is actually in the network environment versus what should be in the environment. Once they have clear understanding, they can clean up then environment and optimize network performance with enhanced security. This becomes more critical as organizations grow and develop, often allowing too much unnecessary traffic into the environment. Typically, this is how the scenario plays out: Applications are added or removed (decommissioned), or a new vendor or solution is brought on board and the firewall turns into a de facto router. The end result of such often leads to new vulnerabilities and too many unnecessary threat vectors. This is precisely where the aforementioned soft skills come in – an AppSec network engineer should be able to call out practices that don’t align with business goals. It’s also incumbent upon organizations to offer soft skills training to help their AppSec network engineers become more valuable to their teams. Need an application view to be effective in securing the business When firewalls become de facto routers, organizations end up relying on other areas for security. However, security needs to be aligned with the applications to prevent cyber attacks from getting onto the network and then from moving laterally across the network, should they manage to bypass the firewalls. All too often, east-west security is inadequate and therefore, AppSec network engineers need to look at network segmentation and application segmentation as part of a holistic network security strategy. The good news is that there are some great new technologies that can help with segmenting an internal network. The lesser good news is that there’s a danger in the thinking that by bolting on new tools, the problem will be solved. So often these tools are only partially deployed before the team moves onto the next “latest and the greatest” solution. When exploring new technologies, AppSec network engineers must ask themselves the following: Is there a matching use case for each solution? Will procurement of another tool lead to securing the environment or will it just be another useless “flavor of the month” tool? Irregardless, once the new technology solution is acquired, it is imperative to align the right skilful people with this technology to enable the organization to intelligently secure the whole environment before moving onto a new tool. To further hone this point, celebrating the introduction of a new firewall is superfluous if at the end of the day, it does not utilize the right rules and policies. Ushering some of these new technologies without proper deployment will only leave gaping holes and give organizations a false sense of security, exposing them to continuous risks. Don’t put the cloud native cart before the horse The role of an AppSec network engineer becomes even more critical when moving to the cloud. It starts with asking probing questions: What are the applications in the business and why are we moving them to the cloud? Is it for scalability, speed of access or to update a legacy system? Will the business benefit from the investment and the potential performance impact? It’s also important to consider the architecture in the cloud: Is it containerized, public cloud, private cloud or hybrid? Once you get definitive answers to these questions, create reference architectures and get senior level buy-in. Finally, think about the order in which the enterprise migrates applications to the cloud and maybe start with some non-critical applications that only affect a small number of locations or people before risking moving critical revenue generating applications. Don’t put the cart before the horse. DevSecOps: We should be working together; you can be sure the criminals are… Network application security is complicated enough without introducing internal squabbles over resources or sacrificing security for speed. Security teams and development teams need to work together and focus on what is best for your business. Again, this where the soft skills like teamwork, communications and project management come into play. The bottom line is this: Understand bad actors and prepare for the worst. The bad guys are just chomping at the bit, waiting for your organizations to make the next mistake. To beat them, DevSecOps teams must leverage all the resources they have available. Future promise or false sense of security? There are some exciting new technologies to look forward to in the horizon to help secure the application environment. Areas like quantum computing, machine learning, AI and blockchain show great promise in outfoxing the cyber criminals in the healthcare and financial services industries. It is expected that the AppSec network engineer will play a vital role in the viability of these new technologies. Yet, the right technology will still need to be applied to the right use case correctly and then fully deployed to in order see any effective results. The takeaway So much of the role of the AppSec network engineer is about taking a cold hard look at the goals of the business and asking some challenging questions. It all starts with “what’s right for the business?” rather than “what’s the latest technology we can get our hands on?” To be an effective AppSec network engineer, individuals should not only know the corporate network inside out, but they also must have an overall grasp of applications and the applicable business cases they support. Furthermore, collaboration with developers and operations (DevOps) becomes an agent for rapid deployment of revenue generating or mission critical applications. But it still goes back to the soft skills. To protect the business from taking needless security risks and demand a seat at the decision-making table, AppSec network engineers need to apply strong leadership, project management and communications skills To learn more on the importance of AppSec network engineers to your organization’s cybersecurity team, watch the following video Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • AlgoSec | Achieving policy-driven application-centric security management for Cisco Nexus Dashboard Orchestrat

    Jeremiah Cornelius, Technical Lead for Alliances and Partners at AlgoSec, discusses how Cisco Nexus Dashboard Orchestrator (NDO) users can achieve policy-driven application-centric security management with AlgoSec. Leading Edge of the Data Center with AlgoSec and Cisco NDO AlgoSec ASMS A32.6 is our latest release to feature a major technology integration, built upon our well-established collaboration with Cisco — bringing this partnership to the front of the Cisco innovation cycle with... Application Connectivity Management Achieving policy-driven application-centric security management for Cisco Nexus Dashboard Orchestrat Jeremiah Cornelius 2 min read Jeremiah Cornelius Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 1/2/24 Published Jeremiah Cornelius, Technical Lead for Alliances and Partners at AlgoSec, discusses how Cisco Nexus Dashboard Orchestrator (NDO) users can achieve policy-driven application-centric security management with AlgoSec. Leading Edge of the Data Center with AlgoSec and Cisco NDO AlgoSec ASMS A32.6 is our latest release to feature a major technology integration, built upon our well-established collaboration with Cisco — bringing this partnership to the front of the Cisco innovation cycle with support for Nexus Dashboard Orchestrator (NDO) . NDO allows Cisco ACI – and legacy-style Data Center Network Management – to operate at scale in a global context, across data center and cloud regions. The AlgoSec solution with NDO brings the power of our intelligent automation and software-defined security features for ACI, including planning, change management, and microsegmentation, to this global scope. I urge you to see what AlgoSec delivers for ACI with multiple use cases, enabling application-mode operation and microsegmentation, and delivering integrated security operations workflows. AlgoSec now brings support for Shadow EPG and Inter-Site Contracts with NDO, to our existing ACI strength. Let’s Change the World by Intent I had my first encounter with Cisco Application Centric Infrastructure in 2014 at a Symantec Vision conference. The original Senior Product Manager and Technical Marketing lead were hosting a discussion about the new results from their recent Insieme acquisition and were eager to onboard new partners with security cases and added operations value. At the time I was promoting the security ecosystem of a different platform vendor, and I have to admit that I didn’t fully understand the tremendous changes that ACI was bringing to security for enterprise connectivity. It’s hard to believe that it’s now seven years since then and that Cisco ACI has mainstreamed software-defined networking — changing the way that network teams had grown used to running their networks and devices since at least the mid-’90s. Since that 2014 introduction, Cisco’s ACI changed the landscape of data center networking by introducing an intent-based approach, over earlier configuration-centric architecture models. This opened the way for accelerated movement by enterprise data centers to meet their requirements for internal cloud deployments, new DevOps and serverless application models, and the extension of these to public clouds for hybrid operation – all within a single networking technology that uses familiar switching elements. Two new, software-defined artifacts make this possible in ACI: End-Point Groups (EPG) and Contracts – individual rules that define characteristics and behavior for an allowed network connection. ACI Is Great, NDO Is Global That’s really where NDO comes into the picture. By now, we have an ACI-driven data center networking infrastructure, with management redundancy for the availability of applications and preserving their intent characteristics. Through the use of an infrastructure built on EPGs and contracts, we can reach from the mobile and desktop to the datacenter and the cloud. This means our next barrier is the sharing of intent-based objects and management operations, beyond the confines of a single data center. We want to do this without clustering types, that depend on the availability risk of individual controllers, and hit other limits for availability and oversight. Instead of labor-intensive and error-prone duplication of data center networks and security in different regions, and for different zones of cloud operation, NDO introduces “stretched” shadow EPGs, and inter-site contracts, for application-centric and intent-based, secure traffic which is agnostic to global topologies – wherever your users and applications need to be. NDO Deployment Topology – Image: Cisco Getting NDO Together with AlgoSec: Policy-Driven, App-Centric Security Management  Having added NDO capability to the formidable shared platform of AlgoSec and Cisco ACI, regional-wide and global policy operations can be executed in confidence with intelligent automation. AlgoSec makes it possible to plan for operations of the Cisco NDO scope of connected fabrics in application-centric mode, unlocking the ACI super-powers for micro-segmentation. This enables a shared model between networking and security teams for zero-trust and defense-in-depth, with accelerated, global-scope, secure application changes at the speed of business demand — within minutes, rather than days or weeks. Change management : For security policy change management this means that workloads may be securely re-located from on-premises to public cloud, under a single and uniform network model and change-management framework — ensuring consistency across multiple clouds and hybrid environments. Visibility : With an NDO-enabled ACI networking infrastructure and AlgoSec’s ASMS, all connectivity can be visualized at multiple levels of detail, across an entire multi-vendor, multi-cloud network. This means that individual security risks can be directly correlated to the assets that are impacted, and a full understanding of the impact by security controls on an application’s availability. Risk and Compliance : It’s possible across all the NDO connected fabrics to identify risk on-premises and through the connected ACI cloud networks, including additional cloud-provider security controls. The AlgoSec solution makes this a self-documenting system for NDO, with detailed reporting and an audit trail of network security changes, related to original business and application requests. This means that you can generate automated compliance reports, supporting a wide range of global regulations, and your own, self-tailored policies. The Road Ahead Cisco NDO is a major technology and AlgoSec is in the early days with our feature introduction, nonetheless, we are delighted and enthusiastic about our early adoption customers. Based on early reports with our Cisco partners, needs will arise for more automation, which would include the “zero-touch” push for policy changes – committing Shadow EPG and Inter-site Contract changes to the orchestrator, as we currently do for ACI APIC. Feedback will also shape a need for automation playbooks and workflows that are most useful in the NDO context, and that we can realize with a full committable policy by the ASMS Horizon Security Analyzer. Contact Us! I encourage anyone interested in NDO and enhancing their operational maturity in aligned network and security operation, to talk to us about our joint solution. We work together with Cisco teams and resellers and will be glad to share more. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • AlgoSec | Sunburst Backdoor, Part III: DGA & Security Software

    In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor... Cloud Security Sunburst Backdoor, Part III: DGA & Security Software Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/22/20 Published In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor functionality and its Domain Generation Algorithm (DGA). This time, let’s have a deeper look into the passive DNS requests reported by Open-Source Context and Zetalytics . The valid DNS requests generated by the malware fall into 2 groups: DNS requests that encode a local domain name DNS requests that encode data The first type of DNS requests allows splitting long domain names into separate requests. These requests are generated by the malware’s functions GetPreviousString() and GetCurrentString() . In general, the format of a DNS request that encodes a domain name may look like: USER_ID.NUM.COMPUTER_DOMAIN[.]appsync-api.us-west-2[.]avsvmcloud[.]com where: USER_ID is an 8-byte user ID that uniquely identifies a compromised host, encoded as a 15-character string NUM is a number of a domain name – either 0 or 1, encoded as a character COMPUTER_DOMAIN is an encoded local computer domain Let’s try decoding the following 3 DNS requests: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com String 1 Let’s start from the 1st string in the list: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com. In this string, the first 15-character string is an encoded USER_ID : “olc62cocacn7u2q” . Once it is base-64 decoded, as explained in the previous post, it becomes a 9-byte byte array: 86 7f 2f be f9 fb a3 ae c4 The first byte in this byte array is a XOR key: 0x86 . Once applied to the 8 bytes that follow it, we get the 8-byte user ID – let’s take a note and write it down, we will need it later: f9 a9 38 7f 7d 25 28 42 Next, let’s take the NUM part of the encoded domain: it’s a character “2” located at the position #15 (starting from 0) of the encrypted domain. In order to decode the NUM number, we have to take the first character of the encrypted domain, take the reminder of its division by 36 , and subtract the NUM ‘s position in the string “0123456789abcdefghijklmnopqrstuvwxyz” : num = domain[0] % 36 – “0123456789abcdefghijklmnopqrstuvwxyz”.IndexOf(domain.Substring(15, 1)); The result is 1 . That means the decrypted domain will be the 2nd part of a full domain name. The first part must have its NUM decoded as 0. The COMPUTER_DOMAIN part of the encrypted domain is “2v02eu” . Once decoded, using the previously explained method, the decoded computer domain name becomes “on.ca” . String 2 Let’s decode the second passive DNS request from our list: r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com Just as before, the decoded 8-byte user ID becomes: f9 a9 38 7f 7d 25 28 42 The NUM part of the encoded domain, located at the position #15 (starting from 0), is a character “6” . Let’s decode it, by taking the first character ( “r” = 114 ), take the reminder of its division by 36 ( 114 % 36 = 6 ), and subtracting the position of the character “6” in the “0123456789abcdefghijklmnopqrstuvwxyz” , which is 6 . The result is 0 . That means the decrypted domain will be the 1st part of the full domain name. The COMPUTER_DOMAIN part of the encrypted domain is “eoip02jovt6i2v0c” . Once decoded, it becomes “city.kingston.” Next, we need to match 2 decrypted domains by the user ID, which is f9 a9 38 7f 7d 25 28 42 in both cases, and concatenate the first and the second parts of the domain. The result will be “city.kingston.on.ca” . String 3 Here comes the most interesting part. Lets try to decrypt the string #3 from our list of passive DNS requests: lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com The decoded user ID is not relevant, as the decoded NUM part is a number -29 . It’s neither 0 nor 1 , so what kind of domain name that is? If we ignore the NUM part and decode the domain name, using the old method, we will get “thx8xb” , which does not look like a valid domain name. Cases like that are not the noise, and are not some artificially encrypted artifacts that showed up among the DNS requests. This is a different type of DNS requests. Instead of encoding local domain names, these types of requests contain data. They are generated by the malware’s function GetNextStringEx() . The encryption method is different as well. Let’s decrypt this request. First, we can decode the encrypted domain, using the same base-64 method, as before . The string will be decoded into 14 bytes: 7c a5 4d 64 9b 21 c1 74 a6 59 e4 5c 7c 7f Let’s decode these bytes, starting from the 2nd byte, and using the first byte as a XOR key. We will get: 7c d9 31 18 e7 5d bd 08 da 25 98 20 00 03 In this array, the bytes marked in yellow are an 8-byte User ID, encoded with a XOR key that is selected from 2 bytes marked in red. Let’s decode User ID: for ( int i = 0 ; i < 8 ; i++) { bytes[i + 1 ] ^= bytes[ 11 - i % 2 ]; } The decoded byte array becomes: 7c f9 a9 38 7f 7d 25 28 42 25 98 20 00 03 The User ID part in marked in yellow. Does it look familiar? Indeed, it’s the same User ID we’ve seen before, when we decoded “city.kingston.on.ca” . The next 3 bytes marked in red are: 25 98 20 . 2 0x59820 The first number 2 stands for the size of data that follows – this data is 00 03 (selected in green). The number 0x59820 , or 366,624 in decimal, is a timestamp. It’s a number of 4-second periods of time since 1 January 2010. To obtain the real time stamp, we need to multiple it by 15 to get minutes, then add those minutes to 1 January 2010: var date = ( new DateTime( 2010 , 1 , 1 , 0 , 0 , 0 , DateTimeKind.Utc)).AddMinutes(timestamp * 15 ); For the number 0x59820 , the time stamp becomes 16 July 2020 12:00:00 AM – that’s the day when the DNS request was made. The remaining 2 bytes, 00 03 , encrypt the state of 8 security products, to indicate whether each one of them is running or whether it is stopped. The 8 security products are: Windows Live OneCare / Windows Defender Windows Defender Advanced Threat Protection Microsoft Defender for Identity Carbon Black CrowdStrike FireEye ESET F-Secure 2 states for 8 products require 2 * 8 = 16 bits = 2 bytes. The 2 bytes 00 03 in binary form are: 00 00 00 00 00 00 00 11 Here, the least-significant bits 11 identify that the first product in the list, Windows Live OneCare / Windows Defender, is reported as ‘running’ ( 1 ) and as ‘stopped’ ( 1 ). Now we know that apart from the local domain, the trojanised SolarWinds software running on the same compromised host on “city.kingston.on.ca” domain has also reported the status of the Windows Defender software. What Does it Mean? As explained in the first part of our description, the malware is capable of stopping the services of security products, be manipulating registry service keys under Administrator account. It’s likely that the attackers are using DNS queries as a C2 channel to first understand what security products are present. Next, the same channel is used to instruct the malware to stop/deactivate these services, before the 2nd stage payload, TearDrop Backdoor, is deployed. Armed with this knowledge, let’s decode other passive DNS requests, printing the cases when the compromised host reports a running security software. NOTES: As a private case, if the data size field is 0 or 1 , the timestamp field is not followed with any data. Such type of DNS request is generated by the malware’s function GetNextString() . It is called ‘a ping’ in the listing below. If the first part of the domain name is missing, the recovered domain name is pre-pended with ‘*’ . The malware takes the time difference in minutes, then divides it by 30 and then converts the result from double type to int type; as a result of such conversion, the time stamps are truncated to the earliest half hour. 2D82B037C060515C SFBALLET Data: Windows Live OneCare / Windows Defender [running] 11/07/2020 12:00:00 AM Pings: 12/07/2020 12:30:00 AM 70DEE5C062CFEE53 ccscurriculum.c Data: ESET [running] 17/04/2020 4:00:00 PM Pings: 20/04/2020 5:00:00 PM AB902A323B541775 mountsinai.hospital Pings: 4/07/2020 12:30:00 AM 9ACC3A3067DC7FD5 *ripta.com Data: ESET [running] 12/09/2020 6:30:00 AM Pings: 13/09/2020 7:30:00 AM 14/09/2020 9:00:00 AM CB34C4EBCB12AF88 DPCITY.I7a Data: ESET [running] 26/06/2020 5:00:00 PM Pings: 27/06/2020 6:30:00 PM 28/06/2020 7:30:00 PM 29/06/2020 8:30:00 PM 29/06/2020 8:30:00 PM E5FAFE265E86088E *scroot.com Data: CrowdStrike [running] 25/07/2020 2:00:00 PM Pings: 26/07/2020 2:30:00 PM 26/07/2020 2:30:00 PM 27/07/2020 3:00:00 PM 27/07/2020 3:00:00 PM 426030B2ED480DED *kcpl.com Data: Windows Live OneCare / Windows Defender [running] 8/07/2020 12:00:00 AM Carbon Black [running] 8/07/2020 12:00:00 AM Full list of decoded pDNS requests can be found here . An example of a working implementation is available at this repo. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

  • Hybrid & multi-cloud management tool | AlgoSec

    Algosec Cloud automates cloud security policy management, providing visibility, risk mitigation, and compliance across hybrid environments. Secure your cloud with application-first security Gain complete network visibility. Simplify. Automate. Comply. Schedule a demo Watch a video Trusted by over 2,200 organizations since 2004 The cloud network security challenge Is your cloud network a maze of complexity? Hybrid and multi-cloud environments create a complex web of network security challenges. Fragmented visibility, manual processes, and evolving threats leave your organization vulnerable. Introducing AlgoSec Cloud Your Network Security Command Center. AlgoSec Cloud empowers you to take control of your network security posture with a single, unified platform. Gain unparalleled visibility, automate security tasks, and proactively address risks across your entire cloud ecosystem. Key Benefits Comprehensive Visibility: See every application, asset, configuration, and potential vulnerability across your on-premises and multi-cloud environments. Automation: Eliminate manual errors and streamline security operations with intelligent automation for network security policy management, change control, and compliance checks. Risk Mitigation: Proactively identify and prioritize network risks, and receive actionable recommendations for remediation. Compliance: Ensure continuous compliance with industry regulations and internal policies. Operational Efficiency: Foster collaboration across teams and free up resources to focus on innovation, not just firefighting. Experience the power of unified cloud network security and compliance. Use Cases: Transforming Network Security Real-World Solutions for Real-World Challenges: Simplify Network Application Security Management Accelerate Cloud Adoption Respond to Security Incidents Faster Optimize Network Security & Costs End-to-end security management Application discovery and visibility is only one piece of a robust security policy.See how our full solution suite completes the picture Horizon Security Analyzer Security policy you can see Enable visibility across your hybrid network, optimize firewall rules, and prioritize risks Horizon Security Analyzer Horizon FireFlow Automate and secure
policy changes Process security changes in a fraction of the time by automating the entire security policy change process. FireFlow solution Horizon AppViz Clear application visibility Application discovery and connectivity management AlgoSec Horizon AppViz solution Equip yourself with the technical details to discuss with your team and managers Ready for a deep dive? Learn more Got everything you need?
Here’s how you get started How to buy Learn more Get the conversation started by sharing it with your team Solution brochure Learn more Here's how we secure our SaaS solution Cloud Security Watch the video "With AlgoSec, I am able to get requests completed within minutes" What they say about us IT Director Get the latest insights from the experts 6 best practices to stay secure in the hybrid cloud Read eBook NCR Corporation's Network Security Transformation with AlgoSec Watch it now AlgoSec cloud product demo Watch it now Schedule time to manage your application connectivity in the cloud Schedule time to manage your application connectivity in the cloud Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

  • AlgoSec Security Management solution A33.10 delivers new compliance reporting and precise discovery of application connectivity

    The new product version release provides extended multi-cloud hybrid network visibility, reduces risk exposure and addresses new compliance regulations in a unified platform AlgoSec Security Management solution A33.10 delivers new compliance reporting and precise discovery of application connectivity The new product version release provides extended multi-cloud hybrid network visibility, reduces risk exposure and addresses new compliance regulations in a unified platform May 20, 2025 Speak to one of our experts RIDGEFIELD PARK, NJ, May 20, 2025 – Global cybersecurity leader AlgoSec has launched its new Security Management solution version A33.10, as a part of its AlgoSec Horizon platform. The new release provides better visibility across multi-cloud hybrid network environments, prioritizes risks more easily, reduces compliance effort and cuts down on manual processes by automating policy changes. As network environments grow more distributed, visibility becomes harder to maintain. The 2025 State of Network Security Report found that 71% of security teams struggle with visibility, which is delaying threat detection and response. Without comprehensive network visibility, security teams lack a clear understanding of application behavior to protect, detect, and prevent vulnerabilities. “AlgoSec is committed to updating its products to solve everyday problems that security teams face,” said Eran Shiff , VP Product of AlgoSec. “The A33.10 release ensures that our customers have clear and unified visibility into their complex hybrid network environment to reduce manual processes and ensure proper compliance reporting.” Highlights from the AlgoSec Horizon product update include: ● Visibility continues at the application level. Application security management is now faster and smarter with AlgoSec Horizon Security Analyzer and AlgoSec ACE ’s cloud application discovery as a datasource, allowing the creation of an application library fast. ● Security and compliance go hand in hand. To prepare security teams for audits and identify risks earlier, the new update includes a dedicated DORA and SOC2 compliance reporting, as well as built-in MITRE ATT&CK mapping. ● Streamlined application traffic view. This release introduces early availability support for AWS Load Balancer and Cisco Catalyst SD-WAN (Viptela), helping teams clearly see how traffic traverses across hybrid infrastructure and make more informed decisions. To learn more about the new A33.10 product release, click here . About AlgoSec AlgoSec, a global cybersecurity leader, empowers organizations to securely accelerate application delivery up to 10 times faster by automating application connectivity and security policy across the hybrid network environment. With two decades of expertise securing hybrid networks, over 2200 of the world's most complex organizations trust AlgoSec to help secure their most critical workloads. AlgoSec Horizon platform utilizes advanced AI capabilities, enabling users to automatically discover and identify their business applications across multi-clouds, and remediate risks more effectively. It serves as a single source for visibility into security and compliance issues across the hybrid network environment, to ensure ongoing adherence to internet security standards, industry, and internal regulations. Additionally, organizations can leverage intelligent change automation to streamline security change processes, thus improving security and agility. Learn how AlgoSec enables application owners, information security experts, SecOps and cloud security teams to deploy business applications faster while maintaining security at www.algosec.com . MEDIA CONTACT: Megan Davis Alloy, on behalf of AlgoSec [email protected]

  • Partner solution brief AlgoSec & Zscaler - AlgoSec

    Partner solution brief AlgoSec & Zscaler Download PDF Download PDF Add a Title Add a Title Add a Title Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

  • Careers | algosec

    What you do Matters Where your voice will always be heard and your opinion will always count Join our awesome team Our Values Teamwork and great work environment Customer satisfaction Excellence Accountability and execution Thorough decision-making process Diversity Equity Inclusion & Belonging 540+ employees Personal Coaching Mentoring Day in a life AlgoSec DEIB Diversity, Equity, Inclusion, and Belonging We are passionate about People, Culture, Growth, Collaboration Our Vision: Secure Application Connectivity, Anywhere. 26 Location Worldwide

  • Best Practices: Incorporating Security into DevOps | algosec

    Security Policy Management with Professor Wool Best Practices: Incorporating Security into DevOps Best Practices for Incorporating Security into DevOps, is a whiteboard-style series of lessons that examine the challenges of and provide technical tips for how to incorporate security throughout the DevOps process. Lesson 1 In this lesson, Professor Wool examines the need for and the process of adjusting application connectivity throughout each stage of the DevOps lifecycle. Best Practices for Incorporating Security Automation into the DevOps Lifecycle Watch Lesson 2 In theory adding capacity should be fairly straightforward, with minimal need for any intervention by the organization’s security team. But in practice it’s a little more complex. In this video Professor Wool provides some tips and best practices to help you add capacity without having to change your security policies, complete a security review or worse still, cause an outage or gap in the security perimeter. Tips for Adding Capacity Without Changing Your Security Policies Watch Lesson 3 In a typical DevOps scenario development team adds new functionality to an existing business application and then rolls it out into production. However, while the new functionality worked as planned in both the test and pre-production environments, the application then fails when moved into the live production environment. In this video, Professor Wool will discuss the reasons why this process went wrong, and how you can fix it. How to Integrate Security into the Test Environment Watch Lesson 4 In previous lessons Professor Wool discussed how building security into DevOps processes at an early stage helps organizations maximize the speed and agility of application development, while minimizing the risks of problems and outages when the applications go live. In this whiteboard video Professor Wool looks at how security automation helps to speed up the practice of Continuous Integration (CI) - a core element of DevOps. How to Integrate Security into the CI Process Watch Have a Question for Professor Wool? Ask him now Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

  • Migrate & modernize: Supercharging your Cisco Nexus refresh with ACI | AlgoSec

    Webinars Migrate & modernize: Supercharging your Cisco Nexus refresh with ACI If you still have Cisco Nexus 7000 devices in your environment, surely you have been inundated with end-of-life warnings and next-gen messaging touting the benefits of upgrading to Nexus 9000 with Cisco ACI. We know, modernizing your infrastructure can be a real pain, but with change also comes opportunity! Find out in this session how to leverage your Nexus refresh to increase your efficiency and productivity, and reduce security concerns at the same time. AlgoSec’s Jeremiah Cornelius, along with Cisco’s Cynthia Broderick, will guide you on how to: Migrate your current Nexus flows to ACI using your preferred mode – network or application centric Remove vulnerabilities caused by human error via automation of network change processes. Instantly identify and remediate risk and compliance violations. June 9, 2021 Cynthia Broderick DC Networking, Business Development at Cisco Jeremiah Cornelius Technical Leader for Alliances and Partners at AlgoSec Relevant resources Modernize your network and harness the power of Nexus & Cisco ACI with AlgoSec Watch Video AlgoSec’s integration with Cisco ACI Watch Video Cisco & AlgoSec achieving application-driven security across your hybrid network Keep Reading Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

bottom of page