CISO’s Guide to DevOps: Learning to Cooperate with DevOps and Living to Tell the Tale ShieldX

ShieldX has assembled a set of guides to help CISOs understand and deal with today’s security challenges. They are designed to be read quickly, with a checklist approach, to help CISOs and their teams become more effective. Next up: CISO’s Guide to DevOps: Learning to Cooperate with DevOps and Living to Tell the Tale (no registration required).

In this guide, we explore how the DevOps paradigm presents a major dilemma to Chief Information Security Officers (CISOs) and their security teams. DevOps requires agility, and most areas of IT have in fact become agile by automating areas such as service orchestration and continuous deployment. The problem? The rate of change in security is slow, and many IT security processes are still manual. For example, before deploying a new application, a security team may need weeks to analyze new architectures and to create, test and deploy new security controls. This inhibits technical and business innovation.

CISO’s Guide to Multicloud Security

ShieldX has assembled a set of guides to help CISOs understand and deal with today’s security challenges. They are designed to be read quickly, with a checklist approach, to help CISOs and their teams become more effective. Although they can be read in any order, we recommend starting with the CISO’s Guide to Multicloud Security.

With this guide, we explore the central choice in securing multicloud environments: either adapt security to today’s business needs or try to retrofit existing security processes and toolsets. Many CISOs want to maintain the practices and toolsets they have built over the years, but unfortunately traditional agent and network tools are not suited to the scale, automation, or architectures of multicloud. Failure to automate and streamline provisioning across multiple clouds complicates IT’s ability to deliver secure, agile services at the scale that organizations are demanding. As security teams struggle to keep up with threat containment across multiple clouds, initial compromises occur and, if they go undetected in east-west application traffic, lead to outages and more severe incidents. Most importantly, security teams are hindered by the lack of a single tool that can provide both visibility and the enforcement of uniform security policies across multiple, cloud-specific architectures.

To see the list of recommendations, just click here—no registration required. 

SWIFT Customer Security Program for 2019

The Customer Security Program (CSP) is a framework launched by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), originally in 2016. The “programme” can be broken down into three key objectives:

  • Secure your environment
  • Know and limit access
  • Detect and respond

Obviously, these are fairly high-level bullets and therefore leave a lot to interpretation, but SWIFT built into the CSP a couple dozen controls (27 of them, to be exact), some of them mandatory, some of them merely advised. Originally, the arrangement called for member organizations to self-attest to their use of these controls as of the end of last year. 94% of organizations met this deadline and, impressively, this meant that 99% of SWIFT network traffic fell under the controls.

An update from earlier this year means that organizations are again asked to self-attest their compliance by the end of the year. Because some of the controls were updated, this may mean rethinking how your organization, if it is a SWIFT member, achieves its compliance.

At ShieldX, we think the way to protect a modern data center is to have the security architecture be specifically designed for the attributes of such a data center: containerized workloads, elastic and dynamic allocation of workloads, and controls to prevent attacks from pivoting along the axis of east-west traffic within the center. This may sound obvious, but we meet a lot of organizations who are trying to create a static perimeter in the cloud with a stack of virtualized next-gen firewalls. Maybe this works within limits, but it definitely doesn’t scale well and it also comes with all the security risks that accompany the (nearly always) resultant flat network.

As we’ve noted elsewhere, ShieldX takes an approach based on microsegmentation and the application of deep packet inspection. ShieldX Elastic Cloud Security uses microsegmentation and a container-based, microservices architecture to replace the tiered zones and the monolithic firewalls that organizations have traditionally used with mixed success. With ShieldX, you still have zones, but they are automatically generated and maintained, individually defined for separate business applications, and scaled dynamically on a per-zone basis. Within these elastic zones, ShieldX offers the equivalent of full packet inspection.

When it comes to the SWIFT requirement for “detecting and responding,” virtual patching is a critical part of any current defense posture. You can use a vulnerability scanner to find problems in your network and then, in theory, you could take the scanner report, assemble a team of experts, and manually generate the policies needed to provide virtual patches to your highest-priority vulnerabilities. But the expense and time intensity of this process run aground on the difficulties of too many patches and too many (dynamic) workloads.

We think ShieldX makes an enormous amount of sense when tackling the SWIFT CSP. Learn more about this in our data sheet.

PCI DSS 3.2.1 updates and ShieldX

While the May 2019 changes made to take the PCI DSS standard from version 3.2 to version 3.2.1 were largely clarifications of the existing standard, any change in the standard is an occasion to take another look at how your organization is achieving compliance.

PCI sets out a number of requirements, not all of which are addressed by capabilities ShieldX provides (we don’t address physical access to servers, to take one obvious example). Here are a handful of requirements where ShieldX and the microsegmentation it provides are particularly relevant (or check the more complete listing here):

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Last but not least, there’s this sub-item about intrusion detection, which is something ShieldX builds in at a per-container granularity (unique in the industry as far as we’re aware):

11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.


How is ShieldX relevant to the above requirements? Almost across the board, it has to do with building a data center architecture that uses containers not only for server workloads but also to implement security services (making them more granular and faster to deploy). ShieldX creates tiers within a network that are elastic with the dynamic allocation of workloads.

So when it comes to Requirement 1, maintaining a firewall, ShieldX gives you next-gen-firewall-like capabilities, performing deep packet inspection on a per-workload basis. When it comes to the requirements for protecting stored data and restricting access to a need-to-know basis, access to tiers is limited by business policy rather than by IP address, which is how some solutions do it, using server Access Control Lists (ACLs).

One other point that has to be made has to do with scoping. The PCI Security Standards Council information supplement “Guidance for PCI DSS Scoping and Network Segmentation” makes it clear that organizations should give serious consideration to which elements of their business systems are within scope and which properly should not fall under PCI DSS compliance requirements. As the guidance notes, “when properly implemented, network segmentation is one method that can help reduce the number of system components in scope for PCI DSS.”

To state the obvious, reducing the segments of the network where PCI compliance is required inherently reduces the scope and complexity of PCI assessments.

Bottom line, we think ShieldX makes an enormous amount of sense for PCI DSS compliance regimes. Learn more about this in our recent writeup.

Beyond Native Cloud Security Controls

One thing you tend to get with a move to the cloud is a flat network. You have a virtual network perimeter, but inside the network, you’ve got no points of control unless you put them there by hand. If you logically group your workloads along the lines of an old-school tiered architecture, you can put in virtual appliances such as next-gen firewalls, but you have to do this manually and it’s not a setup that really delivers on your need to scale workloads dynamically. At the end of the day, this means security remains a drag on the business and no one wants to be “the guy” who slows things down.

This was all spelled out in a great article that recently appeared on In the article, Dave Shackleford spelled out his laundry list of what’s wrong with a non-cloud approach to securing cloud infrastructure:

  1. Flat networks abound
  2. No native monitoring of east-west traffic
  3. Limited routing control
  4. Network access control is often primitive
  5. Inline intrusion detection is difficult to implement
  6. Content-based inspection capabilities are scarce

He goes on to point out that it’s possible to remedy some of these ills using native capabilities in cloud environments, such as security groups in AWS and network security groups in Azure. While I agree that it’s possible to tighten up a network this way, there are some important ways in which this approach falls short when even mildly stressed. The primary issue is complexity, with lots of workloads and lots of interconnections among them, and this has to be countered with automation. You simply must have automation to handle the process of configuring the microsegments that connect all the workloads on your network.

Bottom line: you need to get the logic of your security controls expressed directly in the interconnections of your network architecture. Again, you could in theory do this by hand using the tools I’ve mentioned, but if your infrastructure is of any size or complexity at all, you really need the next level of tools to automate this. Not only that, but you need these tools to dynamically follow the changes in server workloads on your network on an ongoing basis and readjust policies and microsegments on the fly.

As ShieldX is deployed, it automatically creates a summary of your workload assets and then uses a machine learning algorithm to discern what kinds of processes are running on each workload. If your organization uses containers and has developed a discipline of tagging your workloads, these tags are used to directly and automatically deploy policies to govern the microsegmentation of your network. Otherwise, the grouped workloads are presented to you in a user interface that makes it easy to express policies for kinds of workloads.

From all of this, logical tiers are created and dynamically updated so that the tiers continue to govern communications among workloads as workloads scale up or down within various tiers. This elastic tiering is unlike anything offered by any other vendor and—another unique characteristic—this is done without the need to deploy agent software onto each workload.

Why does it matter whether software agents are used? For one thing, in legacy situations it sometimes just isn’t possible. Perhaps more importantly, agents run counter to the very idea of containerization, where you want one service or function encapsulated per container (and installing an agent often isn’t possible even if you don’t care about the aesthetics of it). Either way, you wind up with a microsegmentation capability that leaves critical workloads out of the equation.

ShieldX doesn’t use agents. It also doesn’t rely on the manipulation of ACLs, the problem being that ACLs are an inherently IP-address-centric approach. More agile microsegmentation is possible using approaches such as Cisco Underlay Networks and Azure User-Defined Routes.

To conclude, the ideal multi-cloud solution would:

  • Automated and continuous discovery of assets.
  • Automatic generation of security policy.
  • Automatic deployment of controls to fulfill the dictated policies.

Without this level of automation, security teams continue to exist on a perpetual hamster wheel. The cloud, along with cloud native solutions, brings the promise of automation and economics that traditional vendors have failed to leverage. In the old days, IT teams managed networks manually but eventually migrated to SDN. Now, with ShieldX, security can enjoy the same level of agility.

Why I Joined ShieldX

We recently announced that I joined ShieldX Networks as CEO.

Like many job seekers, I relied on friends and trusted colleagues to inform my decision. Mike Fey first turned me onto ShieldX (he recently outlined his reasons for investing in ShieldX and it is a must read). Mike encouraged me to invest alongside him. Consequently, when the ShieldX team started to look for a CEO to partner with the founding team, a much more direct level of involvement began to surface. It did not take long for me to recognize that ShieldX is where I wanted to be, if the founders and board would have me. While there were several reasons this opportunity was so compelling, it came down to four main drivers.

Market opportunity.
The ShieldX Elastic Security Platform could well be THE enabling security offering with the ability to both enable the “migration to” and “security promises” of microsegmentation in the era of cloud computing. The move to the cloud is fundamentally changing how IT and networking are done, how applications are developed, where security risks need to be mitigated and how security needs to be inherently and elastically applied. To date, many enterprises have begun their data center transition to the cloud, but during this transition, hackers and malicious insiders have uncovered and exploited blind spots—particularly along the emerging East-West data center. We, as an industry, have spent a few decades focused on securing North-South network traffic boundaries; but as networks became flatter, larger and more dynamic, a growing attack surface within arose that led to an ever growing number of security breaches due to attacks spreading on the East-West axis.

What if we could offer improved network security by using elastic security software, which offers visibility, policy generation for microsegmentation and a rich set of dynamic security controls to enable fully automated security in this new world? What if we could simplify achieving and reporting on compliance in the cloud? For CISOs, the current set of market options means buying multiple point products, some of which are being shoehorned into solving a problem they were never designed to solve.

Further, what if we could offer security without increasing customer overhead? ShieldX does this with technology that was designed from the ground up to serve in this elastic environment where it once was impossible to define your network security posture. As Mike Fey stated in his blog, “East west security is more important than north south.”  ShieldX can—and will—protect all data center workloads in the future. As anyone interested in deploying a Zero Trust effort will understand—ShieldX is in the thick of an important market.

Today, the majority of approaches to microsegmentation require agents. Not ShieldX. Instead, ShieldX pioneered an application layer security approach that brings visibility to traffic patterns enterprises haven’t seen before the arrival of multicloud. And it is not just visibility. ShieldX’s approach also brings application layer threat prevention. Remember what IPS brought to on-prem network perimeters? ShieldX does this in your cloud. Being agentless allows for robust functionality like virtual patching, for example virtually patching cloud workloads, which combats the new trend in ransomware, where the new target is unpatched workloads/VMs in your data center and cloud. And then there’s automation. One of ShieldX’s customers used to have a firewall analyst update policies taking up four hours (!) daily. Our automated policy enforcement dynamically assigns policies based on predefined criteria aligned to your business process, enabling this valuable resource to be redeployed into more strategic activities.

I knew Ratinder and Manuel professionally and by reputation from McAfee. Both are innovators and famous within the industry for good reason. When stars aligned and Ratinder and the ShieldX board were looking for a CEO partner, it was hard to not get excited. The team that built ShieldX is hard to duplicate. Few innovators could build a platform that promises to upend security as enterprises move to the cloud. Also, if one looks at the other people associated with the company, be it investors, board members or advisors, they would have to say this is truly a “hall of fame” caliber line up.

Competitive landscape
Today, if you want security in the cloud you have to choose between virtual firewalls, agent-based technology or cloud-native capabilities. Virtual firewalls suffer two fundamental problems: they don’t scale elastically in the cloud and they create way too much administrative overhead in an ever-changing cloud environment. If you require more TLS decryption in an environment for inspection, for instance, you need to buy more licenses of the firewall to achieve the required TLS decryption, even if you don’t need other features included in that license. Worse, because of the extra traffic incurred by virtual firewalls, you’ll end up paying excessive CPU overhead costs and you’ll have to hire additional network security staff to administrate ACLs in your ever-changing cloud environment. Cloud native providers supply basic security capabilities, but they are hardly best of breed, they too require way too much overhead to constantly re-configure, they only support their own platform, and they lack the advanced application layer security capabilities security teams require. And many new entrants in this space require agents. The drawbacks of agents are pretty well known, but you can always ask one self-answering question: Is it OK in a production environment to deploy agents to workloads without extensive QA and compatibility testing? Perhaps the biggest deficiency of all the above approaches is their lack of automation. By contrast, ShieldX installs quickly and brings fast time to value. More importantly, our software is architected to provide elastic scalability and makes policy and control management dramatically simpler. At the end of the day, ShieldX lowers your operational costs to enable microsegmentation and lateral movement protection. Bottom line: ShieldX brings an unfair advantage to the market.

I encourage you to try ShieldX. Three of our customers not only influenced my decision to join, but also echoed my sentiments in these detailed reviews including this compelling testimonial from Alaska Air:

We switched to ShieldX because traditional firewalls are more expensive, and they require you to take all of your traffic outside of your virtual environment to inspect it and then return it back to the virtual environment. ShieldX also enables us to migrate to cloud environments faster.

ShieldX Elastic Cloud Security platform supports TLS 1.3

When we recently saw TLS 1.3 approved, what we really saw was the introduction of best-of-breed security capabilities end to end. This latest iteration of what was originally known as the SSL protocol addresses security shortcomings from the previous version and significantly reduces latency with abbreviated and simplified handshakes. It’s more secure and it’s faster: win/win.

As you might expect, the ShieldX Elastic Cloud Security platform can transparently proxy TLS 1.3 connections and thus customers may use the platform to secure both server and client workloads with inbound and outbound proxying. ShieldX supports all aspects of the protocol and works with popular implementations such as NGINX, Google Chrome and Mozilla Firefox.

Perfect forward secrecy

A concern for key-exchange frameworks like TLS is whether a future compromise of a secret key will expose prior communications. Perfect forward secrecy (often just called forward secrecy) means that session keys are not compromised even if the server’s long-term private key is compromised later. Forward secrecy thus protects past sessions against future revelations, and this is now built into TLS: session setup only supports key exchange modes that provide forward secrecy. Key exchange methods that don’t provide forward secrecy (non-ephemeral Diffie-Hellman, for example) are deprecated.

While this is great, one important note is that better encryption makes inspection via an inline proxy essential to prevent encrypted threats from passing into internal infrastructure unnoticed. A previous blog entry, for instance, looked at inline proxying when defending against Petya malware variants.

Improved TLS handshakes

TLS 1.3 does things more efficiently and with greater security. All handshake messages that carry sensitive data are now encrypted, including extensions (only the ClientHello and part of the ServerHello are exchanged in clear text). For further simplification, several handshake messages, such as ServerKeyExchange, have been deprecated.

According to one cloud proxy provider, about 60% of web connections are from first-time visitors to a site, a situation which the improved handshakes in 1.3 significantly speed up. For the 40% of connections where the site was recently visited and the previous connection is being resumed, 1.3 supports 0-RTT (zero round trip) reconnection. This reduces the time required in the returning-user scenario because the client does not wait for parts of the handshake to complete before proceeding.

Better key and certificate handling

Several elements of key derivation and certificate exchange have been tidied up in 1.3:

  • A new KeyUpdate mechanism offers a more secure way to refresh the symmetric encryption keys that doesn’t involve repeating the initial certificate exchange.
  • The hash of the handshake messages exchanged so far is included in key calculations, making keys more secure than ever; what was an optional extension in 1.2 is now part of the base protocol.
  • Key derivation no longer uses packet fields that are exchanged in clear text (TLS 1.2 and earlier derived keys from the client random and server random fields).
  • The protocol now uses HKDF (the HMAC-based Extract-and-Expand Key Derivation Function) for key derivation. Separate secrets and key blocks are derived for handshake data and for application data.
  • Available cipher suites have been pared down so that only AEAD (authenticated encryption with associated data) ciphers such as AES-GCM and ChaCha20-Poly1305 remain, and the prior options have been removed. AEAD combines encryption and authentication into one step, rather than using an encryption key and a separate message authentication code (MAC).
  • TLS 1.3 supports a proposed extension that allows certificates to be compressed when exchanged in a new session’s handshake. Since certificates can contain a fair amount of text, they are good candidates for compression; reducing the certificate size reduces the number of bytes exchanged and thus reduces latency.

Need for TLS inspection

As hinted above, inline proxy inspection of network traffic becomes more important than ever with TLS 1.3. Network threats continue to evolve, especially in their ability to evade detection and penetrate enterprises. Sending malicious data across encrypted channels is perhaps the easiest way to evade detection because many organizations continue to deploy and operate their security perimeter devices without inline, decrypted packet inspection.

Even in cases where organizations deploy TLS inspection, they frequently use it in tap mode or else enable a non-proxy mode by downgrading the security capabilities of their webservers to use RSA or other non-ephemeral key exchange methods. This not only breaks forward-secrecy, it also endangers end consumers by weakening the security capability offered by the protocol. (In the interest of completeness, note that application detection and classification that works based on the TLS SNI extension will continue to work.)

In almost all cases, though, enabling TLS inspection is an important first step. Using TLS proxy inspection provided by the ShieldX Elastic Cloud Security platform, enterprises may further leverage our “Indicators of Pivot” feature to detect and block advanced threats and lateral movements inside their network.

ShieldX earns top marks in customer product review

ShieldX was reviewed by our customer, Larry H Miller dealership group. Some highlights:

  • For other security professionals who are looking for something which is low in cost that does microsegmentation, they should look at ShieldX.
  • With Illumio, you have to install an agent on every server, and you don’t have to do that with ShieldX, because it is agentless.
  • What I like about it now is that it has a single pane of glass to view our networks and groups.

The full review is here:

ShieldX Earns Perfect Five Star Rating

SC Media has published its February 2019 “cloud-based security management” group test which included a review of ShieldX’s Elastic Security Platform product. You can view the five star review HERE.

Some highlights:

  • With the capability to have a single pane view into any environment, along with dynamic scaling, visibility and discovery across a multi-cloud infrastructure, this product is worth adding to the top of your list. Full stack protection is offered with FireEye, APP-aware ACL, DLP, malware detection, full-flow packet capture IDS/IPS threat detection and prevention, virtual tap, URL inspection for reputation and classification/filtering, unique anomaly detection, and micro-segmentation.
  • Every workload and application in your data center will be fully mapped automatically without agents.
  • Automating infrastructure, security and applications helps ensure microservices are inserted when and where they are needed. These microservices are inserted directly into infrastructures. This allows for automated intent-based security policies.
  • Security Analytics has a unique component called Indicator of Pivot (IoP) which is based on kill chain methodology.
  • With a fast time-to-value return after a quick 30-minute installation, operational efficiency increases visibility and discovery seamless across a multi-cloud structure with a single pane view into any environment using tools you know.
  • Weaknesses: None that we found.

The Rubric: Automated Security Policies

No matter how security focused an organization is, the cloud era has brought a new set of issues tied to lack of visibility and control over what gets deployed and where it’s deployed. This is why automated security controls are critical to preventing sensitive information from being exposed or, worse, leaked.

Today, TechCrunch reported a security flaw at Rubrik, a major IT security and cloud management provider, that could have led to the exfiltration of key customer data had it not been caught. The article noted that a server that was part of developing a new customer support system was improperly configured, putting data at risk of exfiltration. It would be easy to point the finger at Rubrik and say they are responsible; the truth, however, is that in a constantly changing environment such as the cloud, it is difficult for humans to ensure that all systems are properly protected during provisioning and migration of workloads and applications.

Many organizations deployed in Azure and AWS assume they are automatically protected by native cloud security controls. This is a perfect example of how those controls are not sufficient to protect workloads that are rapidly provisioned and constantly migrated as new applications are developed to support customer functionality and business operations. But even with a solid level of security in place, the misconfigured system could still have gone unnoticed. This is where automation becomes important.

Preventing this type of issue is exactly why ShieldX was founded. With ShieldX you can set application-aware ACLs to be applied automatically to servers as they are provisioned or migrated. This means ShieldX security policies would have been applied to the Elasticsearch service and guaranteed the same access restriction no matter where it appeared in the cloud environment. With ShieldX, customers get layered security and layered defense by means of ACLs and microsegmentation, plus Indicator of Pivot modeled around the cyber kill chain, providing a single pane of glass for security controls deployed on-premise, in AWS and in Azure. With ShieldX in place, organizations like Rubrik can create automated policies that apply the appropriate security controls as systems come online. Finally, enterprises can focus on defining the appropriate security intent and have the cloud native security platform offered by ShieldX transform that intent into actual policy and a rich set of controls, with automation and orchestration to increase security posture and reduce TCO.


About Author

Ratinder Ahuja

Founder & CEO

Ratinder leads ShieldX and its mission as its central pivot point, drawing from a career as a successful serial entrepreneur and corporate leader, bringing with him his unique blend of business acumen, industry network and deep technical knowledge.