GuardiCore approaches software-defined data center security from the perspective of five capabilities: flow visualization, microsegmentation, breach detection, automated analysis and incident response. Centra uses a three-tier architecture to address these five capability areas. The tool uses collectors on the hypervisor combined with agents for virtualized assets. It does not matter where the asset resides.
Data from agents and collectors are aggregated in aggregation servers. Management servers manage the entire process and house a deception network. GuardiCore is well known for its deception network, and with Centra the company has added further capabilities without losing the benefits of that advanced deception network. Centra supports most software-defined enterprise infrastructures, including public clouds, bare metal and containers such as Docker. It also can interface with popular security and visualization/orchestration tools.
All of the collectors converge in a single management center, so that is where we started. The first thing that we noticed was that we were seeing not only traffic between the internet and the enterprise but also internal - or east-west - traffic. By setting baselines of expected traffic we can alert on unwanted traffic that might represent an intruder moving around in the network. This is the network statistics dashboard and it is pretty much what you'd expect. Drill-down is good and there is a lot of information here.
The other dashboard is the security summary. This gets down to a fair bit of detail, showing which assets are at risk, external attackers, honeypot incidents (from the deception network), and top services and operating systems.
Moving from the dashboards to the Reveal menu, we started with a graphical representation of the data center. This is a flow map and it is extremely useful. At a quick glance this graphical representation looks a lot like a typical network map, but it focuses on data flows instead of just assets. This lets you see all of the traffic patterns in your network, both internal-external and east-west.
The data center flow map has some strong filtering available that helps build microsegmentation policies for automating analysis. Building segmentation policies is an easy point-and-click proposition. You specify source, destination and destination ports and you have a policy. That policy can be enforced across a single asset or a group of assets. GuardiCore supplies a collection of rules and you can build from those rules with a few mouse clicks.
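To make concrete how a learned east-west baseline turns into group-based microsegmentation rules of the source/destination/destination-port form described above, and how flows outside those rules become lateral-movement alerts, here is an added example. It is not Centra's code or API; the asset groups, the 10.0.0.0/8 data center range and the flow records are constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed data center address range

# Hypothetical asset groups, standing in for the groups a policy is enforced across
GROUPS = {
    "web": {"10.0.1.10", "10.0.1.11"},
    "db": {"10.0.2.20"},
    "jump": {"10.0.3.5"},
}

def group_of(ip):
    return next((g for g, members in GROUPS.items() if ip in members), "unknown")

def is_east_west(flow):
    """True when both endpoints are inside the data center (lateral traffic)."""
    return (ipaddress.ip_address(flow.src) in INTERNAL
            and ipaddress.ip_address(flow.dst) in INTERNAL)

def baseline_policy(learning_flows):
    """Turn east-west flows seen in a learning window into allow rules
    of the form (source group, destination group, destination port)."""
    return {(group_of(f.src), group_of(f.dst), f.dport)
            for f in learning_flows if is_east_west(f)}

def violations(flows, policy):
    """East-west flows not covered by any allow rule: candidate lateral movement.
    Internet-bound and inbound flows are left to north-south controls."""
    return [f for f in flows
            if is_east_west(f)
            and (group_of(f.src), group_of(f.dst), f.dport) not in policy]

# Constructed learning window: web -> db on 5432, jump -> web on 22, plus one outbound flow
LEARNING = [Flow("10.0.1.10", "10.0.2.20", 5432), Flow("10.0.1.11", "10.0.2.20", 5432),
            Flow("10.0.3.5", "10.0.1.10", 22), Flow("10.0.1.10", "203.0.113.9", 443)]
# Constructed observation window: a web host reaching db over 445 and db SSHing back to web
OBSERVED = [Flow("10.0.1.11", "10.0.2.20", 5432), Flow("10.0.1.10", "10.0.2.20", 445),
            Flow("10.0.2.20", "10.0.1.11", 22), Flow("198.51.100.7", "10.0.1.10", 443)]

if __name__ == "__main__":
    policy = baseline_policy(LEARNING)
    for v in violations(OBSERVED, policy):
        print(f"ALERT east-west {group_of(v.src)}->{group_of(v.dst)} "
              f"{v.src}->{v.dst}:{v.dport}")
```

Running it flags the two flows that fall outside the learned web->db:5432 and jump->web:22 rules and ignores the two north-south flows.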
We believe that the mapping capability is one of the most useful aspects of Centra. For example, applied in analyzing an incident, the mapping shows exactly what happened and how it happened. Because it is very visual, figuring out an incident is much easier than if the data were in tabular form, although you can get that too if you want.
The deception network is, essentially, an overlay on the real network with the addition of some traps. The deception net intercepts all lateral flows. It looks for lateral flows that have been detected as potentially malicious - and thus bound to fail because of the action of the network's sink holes - and performs the applicable forensics. There is a lot of detail to help you to understand the incident quickly and accurately.
This is a pricey product, but it is worth every bit due to its capability and, particularly, the way it can speed up analysis and incident response. The solution can integrate with other tools for such things as reputation and sending indicators of compromise in a form that other security tools can consume. The reputation service - a combination of its own and third-party services - works on files, IPs and domain names. The offering lets you create whitelists and form groups using fuzzy matching.
The website is solid and the documentation is clear and well presented.