Setting up a virtual local area network (VLAN) can be a complicated process, especially if you’re operating a large enterprise network, a network with legacy or hybrid architectures, or a network with specific workloads that require additional security and regulatory compliance safeguards.

Each VLAN configuration process will look a little different, depending on the specifications you bring to the table, and some of these steps — particularly steps five through eight — may be completed simultaneously, in a slightly different order, or even in a more automated fashion if you choose to set up a dynamic VLAN.

Still, in general, your network stands the best chance of success if you complete the following 12 VLAN configuration steps and document your processes, strategies, and requirements along the way.

1. Brainstorm VLAN Groupings

In a traditional local area network with no virtualized barriers, all devices and network components communicate and share information with each other; you’re likely setting up a VLAN in the first place because this foundational setup is too loose for your requirements. But what are the ideal segments that will make your network function optimally and securely?

At this point in VLAN creation and configuration, it’s time to determine what VLAN groupings make the most sense for your network’s strategic complexities. Consider not only how many VLANs you’ll need but also the purpose each VLAN will serve and how they need to be set up to fulfill that purpose. While many organizations stick to more traditional boundaries like physical locations or departments, there may be more effective and secure ways for you to group and set up VLAN rules.

For example, if your company works closely with a third-party professional services firm that needs access to certain HR and security applications and data but not others, you could divide your VLANs based on which ones need looser versus stricter identity and access management controls. From there, determine which users and devices will align with and be assigned to each grouping.

2. Prepare Unique VLAN IDs

Every single VLAN you set up will need a unique VLAN identification number so you can segment network traffic to the appropriate places and keep documentation organized for multiple VLANs simultaneously. VLAN IDs are purely numeric and range from one to 4,095. While you don’t necessarily “need” these VLAN IDs to be operational yet, it’s a good idea to figure them out now so you can use them when labeling your network diagram in the next step.

3. Create a Logical Network Diagram or Map

Before you even begin setting up your VLANs and connecting devices and switches, the best way to ensure a successful VLAN network setup is to map out the specificities and relationships of your network with a network diagram. The labels and connections you illustrate at this stage of VLAN creation will give you the labels and organizational structure you need to keep track of all the devices, switches, routers, and other components necessary to fulfill your architectural plans.

Your team may choose to create this diagram manually or with tools that are already in your portfolio. However, a number of free and low-cost network diagramming tools specifically offer templates and icons that make it easier to illustrate the network you’re setting up, often with low-code/no-code interfaces and tools. If you’re interested in finding a network diagramming tool to make this step more efficient, consider investing in one of these top network diagram software and tooling solutions.

4. Optional: Purchase Additional Equipment

Based on the VLAN grouping requirements and design(s) you’ve developed in the previous three steps, you should have a clearer picture of any missing hardware or software that you need to purchase. Perhaps you have more VLAN groupings than you expected and need to bring in additional switches and routers. Or maybe your organization is growing quickly, and you want to purchase new switches with more ports for more devices. There’s also the possibility that you are moving from a primarily on-premises network setup to a hybrid or cloud setup that requires new software or third-party relationships.

Regardless of your new requirements, start by creating an inventory list of any networking equipment you currently own, including information about switch and router formats, configurations, port counts, speeds, and other details pertinent to VLAN setup. From there, make a separate list of the networking tools you’re missing, the cost of these missing tools, and any other specialized information that should be considered during the buying process. 

5. Connect Network Devices to Appropriate Switch Ports

You should now connect VLAN servers, end-user devices, and other relevant network devices — as long as their IP addresses are already configured — to the switch ports that have been selected for the corresponding VLAN group. While individual devices, ports, switches, and routers have not yet necessarily been configured in their settings to align with a certain VLAN and function, you should still know which devices and network components have been set aside for which VLANs. If you’re unsure about the switch ports that should be connecting to each device, reference your network diagram (or go back to the network diagramming stage and create a more detailed diagram). 

If you are opting to create a dynamic VLAN instead of a static VLAN, steps five through eight may look a little different for you. For example, you may spend these steps creating or identifying the appropriate rule-based protocols for your devices and setting up automation rules rather than manually connecting ports and devices to VLANs.

6. Configure Switch Ports

Now that your devices are connected to the correct switch ports, it’s time to configure the switch ports so they can perform according to their assigned functions. Many of your ports will simply need to be set up as access ports in the switch’s settings; an access port is a simple connection that allows devices to connect to only one VLAN. Access ports are most appropriate for devices and users that will not be using VLAN tagging or participating in inter-VLAN routing. 

Trunk ports are also configured in a switch’s settings, but they are designed to manage higher bandwidth traffic and can manage traffic for more than one VLAN. Devices should only be connected to trunk ports if they have been authorized and configured for VLAN tagging and inter-VLAN routing. Before moving on to the next step, double-check that devices are connected to the correct type of switch port for their operational needs.

7. Set up VLAN Specifications via Network Switch Settings

All of the prework is done: It’s time to actually create the virtual local area networks you want through network switch settings. You’ll do this by accessing your network switch management interfaces and going to the section where you can create VLANs. Create the number of VLANs you determined were necessary in previous steps and assign them the unique VLAN IDs you selected in step two.

8. Assign Switch Ports to VLANs

Again, keep in mind that steps five through eight may go in a slightly different order, depending on your team and their preferences. So if you have not yet assigned switch ports to the appropriate VLAN, it’s time to do that now. Tagged ports (trunk ports) are likely already associated with the correct VLANs, but you should confirm that they are set up correctly at this time. For untagged ports (access ports), you’ll need to manually connect them to the correct VLAN. Remember, trunk ports can be associated with more than one VLAN, if appropriate.

9. Optional: Add VLAN Tags

VLAN tagging is the process through which VLAN network traffic is further segmented and specialized. When VLAN tags are in use, associated devices and ports automatically interact with devices and ports that share those same tags; however, tags also give network administrators the power to further direct traffic and support case-by-case inter-VLAN routing scenarios. 

VLAN tagging is most appropriate for networks with complex traffic patterns and a diverse range of users, devices, and security permissions. If you choose to set up trunk ports with multiple VLANs running through them, as demonstrated in step six, you’ll need to make sure at least some of your VLANs receive tags so traffic doesn’t get muddled in trunk ports. 

If you’re not sure if your network would benefit from VLAN tags, read this in-depth article on the topic to help you make your decision: Tagged vs. Untagged VLAN: When You Should Use Each.

10. Optional: Configure Inter-VLAN Routing

If your network requires VLAN-to-VLAN communication as a part of its regular operations, you’ll want to use the VLAN tags you set up in the previous step to direct inter-VLAN routing. While it sounds counterintuitive to open traffic flow between VLANs, many organizations choose to do this because the different layer at which routers operate makes it possible for them to still control what types of traffic flow across VLANs and when and how devices and users move from VLAN to VLAN. As part of the inter-VLAN configuration step, you may also need to set up or double-check your VLAN access controls, ensuring only approved users and devices can take advantage of inter-VLAN routing.

11. Quality-Test Your VLAN

Now that everything’s set up, it’s time to test network connectivity and performance. Make sure that all devices within the same VLAN are able to interact with each other and, conversely, that they are not able to reach devices in other VLANs. Ping and traceroute are both effective tools for testing VLAN connectivity and performance, but a number of other network security and management tools may be appropriate as well.

12. Document and Reassess VLAN Performance Periodically

Enterprise networks in particular frequently change as more devices and users, new hardware and software requirements, and new operational and security use cases arise. Network administrators and/or network security team members should maintain an up-to-date network diagram, equipment inventory, changelogs, and other configuration documentation so it’s easy to see what the network looks like now, if and where any vulnerabilities have reared their heads, and if any other changes are necessary to improve network performance. Each time you go through this process, update your documentation so you have a full history of the network and what you’ve done to maintain it.

Should You Use a Static VLAN or Dynamic VLAN?

Static and dynamic VLANs bring different advantages to network administrators, depending on the size, complexity, and requirements of their network. Below, we’ve explained how each type works and when you should use it.

Static VLAN

Static VLANs exist when network administrators manually connect network devices to physical switch ports and those devices receive their VLAN assignment based on that connection. If the device ever needs to be reassigned to a new VLAN, the network administrator would physically connect it to a new switch port that is already associated with that VLAN. In other words, a static VLAN is one in which switch ports are assigned to VLANs and devices are not assigned to VLANs; they receive their orders directly from the switch port they’re connected to.

This type of VLAN is best for smaller networks, or networks that change infrequently and include fewer VLAN segments because network administrators have to manually connect (and sometimes reconnect) devices to the right ports for them to work. With a larger network that’s changing frequently, this task alone could become a full-time job and riddled with errors. Static VLANs are most advantageous for network administrators who need an easy-to-setup VLAN with predictable infrastructure and limited authentication needs.

Dynamic VLAN

A dynamic VLAN is one in which devices are assigned to that VLAN on a dynamic and semi-automated basis. Specialized criteria determine which devices are assigned to which VLANs and when. These criteria may include specialized network access controls and protocols, VLAN membership policy servers (VMPS) and databases, or some other combination of servers and data-driven rules. With a dynamic VLAN, devices are assigned to VLANs while ports frequently are not assigned to particular VLANs; they are simply the conduit through which pre-assigned device traffic flows.

Dynamic VLANs are best for larger and more complex networks that need to maintain frequently changing authentication and usage rules. It’s a much more difficult implementation process when compared to static VLAN, but for more strenuous network rules and requirements, dynamic VLAN ultimately saves network professionals time in the long run, as they can simply update protocols and VMPS entries when new VLAN assignments are needed across multiple devices.

Bottom Line: The Importance of Preparation for Optimal VLAN Performance

While the actual process of setting up a VLAN can be as simple as updating network switch settings and connecting devices to VLAN switch ports, the strategy behind a successful VLAN setup can be much more daunting. You’ll need to consider any specialized security or compliance requirements, the different device types that need access, and the resources and monitoring it will take to set up and sustain an efficient VLAN. 

All the steps listed above are crucial aspects of creating and configuring a sustainable VLAN network. But perhaps the most important step of all is documenting your thought process and your network architecture, especially as they change over time. Maintaining detailed documentation will help your existing network and security team members stay on top of the most pertinent network updates and issues while simultaneously ensuring that any future members of the team receive the foundational training necessary to successfully work in your VLAN ecosystem.

Read next: What Is Network Security? Definition, Threats & Protections

The post How to Set Up a VLAN in 12 Steps: Creation & Configuration appeared first on eSecurity Planet.

Also referred to as a perimeter network or screened subnet, a DMZ network acts as an additional layer of network security, isolating itself and its contents from the parts of the enterprise network where more sensitive and private resources are more securely kept. While users can interact with public networks and whatever resources are provided in the DMZ, DMZ perimeter security keeps the organization’s private network private and secure from outside users.

A Comprehensive Guide to DMZ Networks

• What Is the Purpose of a DMZ Network?
• How DMZ Networks Work
• 5 Benefits to DMZ in Networking
• 4 DMZ Networking Examples
• DMZ Network Best Practices
• Bottom Line: DMZ Networks

What Is the Purpose of a DMZ Network?

The purpose of a DMZ network is to balance reasonable access to resources with effective isolation and security measures.

For companies that offer digital products and services, chances are they want some of their resources to be available for customers, while other data and systems need to remain hidden from external users. An effective way to make sure users can only access the resources they need is to isolate them in a new subnetwork or network segment with its own access, security, and operational rules.

DMZ networks typically contain external-facing resources such as DNS, email, proxy and web servers.

DMZ networks are also helpful for separating out third-party servers, routers, and other technologies and platforms that don’t have as many manageable security features and controls built in. By isolating these less secure assets in a single location, network administrators can easily monitor and identify anomalous network traffic before it breaches the main network.

DMZ networks are primarily used to manage outside user access and give network administrators more network security and monitoring support. However, when your DMZ network includes a proxy server, administrators also have the option to filter all internal internet usage through the DMZ. This approach requires employees to use public networks according to their organization’s rules while also giving network security professionals additional visibility into internet usage across the organization.

Also read: Network Protection: How to Secure a Network

How DMZ Networks Work

DMZ networks work through isolation, but first, through network segmentation. Network administrators that want to create a DMZ need to first determine which parts of their network should be available for outside users. They can also use this time to identify any network components that operate with lesser security controls that put the rest of the network at risk.

These are the kinds of servers and resources you’ll often find on a DMZ network:

• VoIP servers
• Proxy servers
• Web servers
• Email servers
• DNS servers
• FTP servers
• Third-party routers and servers
• Other external services, resources, and servers

Now, these resources need to be isolated from the rest of the enterprise network and placed on a DMZ subnetwork. The DMZ should be set up with at least one gateway device (typically a firewall) that will filter external network packets through to the DMZ and monitor for unusual traffic or activity. In many cases, a dual firewall layout is implemented for a second round of network packet filtering before the LAN (see image below).

Many DMZs and the firewalls that protect them include advanced security features and tools, such as network access control (NAC) technology and proxy servers for optimized traffic monitoring. These and many other network security solutions are ramped up specifically on the DMZ, making it so network administrators can often detect unusual behavior before unauthorized users try to move past the DMZ to access the LAN.

DMZ Architecture

There are two main layout options to choose from when developing a DMZ subnetwork: a single firewall layout and a dual firewall layout.

With a single firewall layout, the firewall sits in the middle of the private LAN, the DMZ, and the public network; no users can travel directly from one of these networks to another without first passing through the centralized firewall, which filters and monitors all traffic. This model is much easier to implement, but it is generally considered less secure since only one firewall needs to be compromised for a successful cyberattack to breach the LAN.

In a dual firewall layout, two different firewalls are used for tiered network packet filtering. The front-end firewall sits between public networks and the DMZ to filter and manage traffic before it enters the DMZ. If a user attempts to move from the DMZ to the LAN, a back-end firewall sits between these two networks to further filter and authorize traffic. The dual firewall setup is generally considered more secure, but it’s also harder to manage.

See the top next-generation firewalls (NGFWs)

5 Benefits to DMZ in Networking

DMZ networks provide the isolation necessary to protect the main network from public-facing threats, but they also create an environment where focused security tools can be used to monitor and protect vulnerable DMZ resources. These are some of the benefits you can expect from the implementation of a DMZ model:

Isolation adds an additional layer of protection

DMZ development requires network administrators to segment their networks so potentially unsecure and public-facing resources are identified and isolated from everything else. This isolation is particularly valuable when organizations need to work with resources or servers that have fewer native security controls, such as FTP servers.

These kinds of servers and modern technologies like the Internet of Things (IoT) and operational technology (OT) are important to overall network operations but can be detrimental to everything else on the network if breached. When these kinds of resources are isolated in a dedicated environment like a DMZ, even successful security breaches aren’t likely to reach the LAN.

Avoids common network performance lags

Especially for resources that your customers will regularly be accessing, high speeds and performance are key to the user experience. DMZs are designed in a way that optimizes network performance because they separate frequently used and high-workload resources, like web servers, from the rest of the internal network. With that separation, network admins are able to optimize the DMZ for high traffic volumes without affecting internal network resource allocation.

Focused security tools and notifications

DMZ isolation can offer great support for internal network security, but DMZ networks themselves are also ideal environments for security tools. Most DMZs incorporate multi-functional firewall technology as well as network access control, proxy servers, information security policies, network monitoring, vulnerability management, and other features to protect the environment and alert network administrators when something’s amiss.

Learn about the 34 Most Common Types of Network Security Protections

Compatibility with proxy servers

If your organization implements network access control tools and specific rules on its DMZ network, you can require all internal traffic moving toward the internet to follow specific rules and visit only approved IP addresses. This is because DMZ networks are compatible with proxy servers that make this kind of traffic steering possible.

Proxy servers are also helpful for monitoring types and quantities of traffic. Proxies on DMZs are particularly helpful for healthcare organizations and other industries in which compliance management and data security are crucial operating factors to consider.

See the top secure web gateways

Improved visibility for network administrators

Network administrators have a lot of network features, functions, users, devices, and applications to manage at all times. Especially on networks with limited network security personnel, it can quickly become overwhelming to monitor and address all network security issues. It’s even more difficult if your network uses tools that have limited security features and require more hands-on monitoring than everything else.

With a DMZ in place, network administrators are able to divide up different types of network resources into the main network and the DMZ subnetwork. This division makes the more problematic security configurations readily apparent in the DMZ network. 

Because admins manage both environments, they still have as much control over these resources as they did before. Now, they simply have a more efficient way to monitor vulnerable network assets and services.

4 DMZ Networking Examples

A DMZ can help any organization with a main network and web-facing assets, but here are a few specific use cases where a DMZ can help.

Data-driven user experience on a company website

Whether you’re running an e-commerce business or are a healthcare provider, you likely have a customer-facing website that enables users to make purchases and complete other actions with company data and systems. This website requires a web server running on your network.

Unless the network is segmented, unauthorized users could potentially move from the website and data they’re supposed to access into the rest of the private network. With a DMZ, the web server and other customer materials are isolated from a company’s private assets, making it so users cannot easily move laterally from the web server to the internal network.

See the Top Microsegmentation Software

Hybrid cloud environments

Let’s say your company has been operating for multiple decades and has some of its most important assets and applications on-premises. However, many other applications and services you now use are hosted in the cloud.

In this hybrid cloud environment, you have resources on-premises that need to interact with your cloud assets, but at the same time, you don’t want both aspects of your network to have full, unbridled access to each other. In this scenario, a DMZ network can be set up between the cloud environment and the on-premises network to audit and filter traffic moving between the two.

See the top cloud security companies

Production and manufacturing device security

Manufacturers and critical infrastructure industries are increasingly investing in newer technologies like IoT and OT devices, which open up businesses to new operational use cases — and new security vulnerabilities. Most of these kinds of tools are designed to store and transmit a lot of data but don’t necessarily have many security features in place, due to the speed and capacity required of these tools. When an IoT or OT device operates on the same networking plane as other assets, then, it opens all of them up to greater security risk.

DMZs can isolate these kinds of devices from the rest of the network, making them accessible internally and externally while upholding firewall filtering rules to limit any lateral movement if a breach occurs.

DMZ hosts for home computer networks

Home computer networks are much smaller but still contain personally identifiable information (PII) and other features for which you’ll want to limit access to known users. Unfortunately, home networks tend to be easy to hack due to limited security investments on the part of the owner.

A DMZ host is an easy thing to set up with existing technologies in your home, such as a gaming console. The selected host device sits outside of the firewall and acts as a filter for all incoming traffic, giving the rest of your devices and your internal network more protection from unauthorized outside users. For this use case, it’s important to select a DMZ host device that contains minimal sensitive data and private information, as it will be outside of the firewall’s protection.

DMZ Network Best Practices

Setting up a DMZ network can be a great security addition if it’s configured correctly. Consider these best practices and tips during your implementation process for better outcomes:

Label all networks and network segments

As obvious as it may sound, you need to clearly label each part of your network so it’s clear what’s operating where, how, and why. This will save time during initial setup, make ongoing reconfigurations easier, and also create usable documentation if your network security team changes over time.

Clearly define and enforce isolation rules

Your DMZ is only as effective as the filtering rules and policies you set up. It’s important to research every feature of your network and be able to justify why something does or does not need to go into the DMZ; similarly, it’s important to program your firewalls and any other security tools you set up on the DMZ to reflect and enforce your security policies for all device and traffic types.

Also read: Fine-tuning Firewall Rules: 10 Best Practices

Use a dual firewall strategy for added protection

A dual firewall setup is harder to manage than a single firewall, but it’s also more effective at filtering out malicious traffic. If you plan to implement a dual firewall architecture, consider working with a different provider for each firewall to diversify your security setup and make it more difficult to take down all infrastructure in an attack.

Choose the right kinds of firewalls

Not all firewalls are created equal and not all firewalls work for the same scenarios. Because you’re trying to filter traffic at a very granular level that’s driven by applications and individual users, a proxy firewall or application-level gateway is typically the best option for your DMZ.

Also read: Types of Firewalls Explained

Incorporate zero trust best practices

DMZs work best in cooperation with zero trust network access (ZTNA). With ZTNA solutions, traffic is denied unless it explicitly passes your predefined user access control policies. Combined with DMZ isolation, it’s a great way to stop unauthorized access to the LAN.

Don’t forget vulnerability management

Vulnerability management tools, like vulnerability scanners and vulnerability assessments, are incredibly helpful assets for regularly monitoring network traffic in a DMZ. But don’t just invest in vulnerability management solutions; also take the time to develop a vulnerability management policy and process that makes sense for your organization.

Monitor and audit DMZ performance over time

Be sure to invest in tools and personnel for DMZ traffic monitoring, as it may require more constant and vigilant oversight than the rest of the network. As new tools, applications, and users are brought onto your enterprise network, frequently evaluate whether or not they should be moved to the DMZ and what changes will be necessary if that move happens.

See the Top Network Detection & Response (NDR) Solutions

Bottom Line: DMZ Networks

Some people now consider DMZ networks outdated or ill-fitting for the modern enterprise network, especially since many networks have moved past technologies like internal web servers in favor of cloud computing and cloud-hosted networks. There are also several newer networking and security options, such as SD-WAN, containerization, virtualization, SASE, and ZTNA, which seem to offer more comprehensive security support for modern cloud environments than DMZ’s form of perimeter security.

However, DMZ still proves useful in many cases, especially when hardware or on-premises networks need to be part of a secure and integrated environment with access management rules. When a DMZ network is implemented in the right scenarios, your business can more easily isolate unsecure devices, operate hybrid networks with appropriately-integrated legacy components, and streamline the network monitoring process for network administrators.

Further reading:

• Best Enterprise Network Security Tools & Solutions
• Top Secure Email Gateway Solutions

The post What Is a DMZ Network? Definition, Architecture & Benefits appeared first on eSecurity Planet.

However, as useful as VLANs can be for improving network performance and management, they can also get convoluted and overly complex for enterprise network managers who are juggling multiple VLANs and specs at once. That’s where VLAN tagging — the practice of adding metadata labels, known as VLAN IDs, to information packets on the network — can help. These informative tags help classify different types of information packets across the network, making it clear which VLAN each packet belongs to and how they should operate accordingly.

In this guide, we’ll explore what VLAN tagging is, how it works, and why and how you may want to implement the strategy in your own network virtualization projects.

Also read: VLANs: Effective Network Segmentation for Security

Network Components and Protocols Used in VLAN Tagging

VLAN tagging is a complicated topic, so we’ll start with a discussion of the network components and protocols used in VLAN tagging and the roles they play before we get into specifics and best practices.

• Switches: A network switch connects other devices within a VLAN. In VLAN tagging, switches are responsible for VLAN tag assignment, VLAN trunking, VLAN routing, and other VLAN management tasks that involve directing and labeling network traffic.
• Broadcast Domain: In a traditional network, the broadcast domain includes any devices and other components in that network; because they’re all in the same flat network, they can all receive a message when it’s broadcast. Broadcast domains are made smaller and more function-specific with the help of VLANs and VLAN tagging, a process that segments domains so devices can only receive messages and packets from other devices on the same VLAN segment.
• Router: A network-layer router makes it possible to route data packets across different VLAN. While switches focus on inter-device connections, routers are most useful for inter-switch connections and larger network operations.
• User Authentication: In addition to checking VLAN IDs to ensure they match and are approved for that particular VLAN, many other user authentication methods are typically used to ensure devices and users are approved for that VLAN. A remote authentication dial-in user service (RADIUS) server or other authentication server is typically used to authenticate and authorize user traffic.
• Trunk: The trunk port forwards and facilitates VLAN-to-VLAN communication across multiple VLANs. It operates at the layer two protocol level and is able to manage the transmission of tagged VLAN traffic via switches and routers.
• Layer Two Protocol: Also known as the data link layer, this type of networking protocol is where switches, wireless access points, frames, and other devices are able to exchange information packets within a single VLAN.
• Layer Three Protocol: Also known as the network layer, layer three routing is a more complex layer on top of layer two that makes it possible for information packets to travel to and from devices in separate VLAN segments. Routers operate at level three.
• Single Tagging: This is the ideal approach for VLAN tagging, wherein each VLAN and information packet receives a single type of tag. Single tagging makes it much easier to identify where data packets belong, where they can travel, and with what other devices they can interact.
• Dual/Double Tagging: This is when an information packet erroneously receives two or more VLAN tags. It occurs when a single packet travels through a network and goes through multiple tagging projects. This most often happens when a packet moves to a new VLAN from its previous VLAN but never sheds the tags and naming structure from that previous VLAN.
• Mixed Tagging: Mixed tagging happens when, in a single VLAN or group of VLANs, several different tagging standards are used, whether it’s done unintentionally or purposely because different devices support only certain tagging standards. Mixing tags in a VLAN environment can cause compatibility issues between devices and make it difficult for network administrators to monitor VLAN performance from a single dashboard view.

How VLAN Tagging Works

To begin the VLAN tagging process, you must first virtualize your physical network and set up different VLANs. These VLANs can be grouped however you see fit — some users create VLANs based on device location while others create VLANs based on department, traffic volume, or some other categorical classification. Regardless of how you decide to classify and group your VLANs, you can set them up through systems like wireless access point management systems.

Once your VLANs have been set up, it’s time to designate a specific VLAN ID to each VLAN; VLAN IDs are typically 12-bit values. From there, VLAN IDs are applied to the headers of different information packets that move through the network. Existing information packets can be manually given the VLAN ID that makes the most sense.

As new users and devices attempt to log into the network, an authentication server and/or other authentication tools will first be used to determine if that new host is valid. Once the user or device has been authenticated, a VLAN switch adds a logical VLAN ID to any information packets that item sends on the network. This VLAN ID ensures that the information packet stays within the appropriate VLAN and is only broadcast to that segment of the broadcast domain.

For more complex packet movement, trunks and/or routers may be set up to facilitate inter-VLAN movement. Otherwise — unless an error like dual tagging occurs — that packet is labeled and set up to stay among the hosts, ports, and switches that are present on its particular VLAN.

For an example of VLANs used for network security segmentation purposes, see Building a Ransomware Resilient Architecture.

Is VLAN Tagging Necessary?

VLAN tagging is a useful process, especially for larger networking environments that require admins to juggle different department classifications and expectations, device and user types, traffic types, permissions, and other factors simultaneously. It also helps network administrators for networks of all sizes to get more organized, understand the traffic they have flowing through their network, and segment the network in a logical way that improves performance and traffic flow.

However, VLAN tagging is not necessary for everyone; its usefulness depends on your network size, the number of VLANs you’re operating, and other organizational requirements. In fact, if you don’t know what you’re doing when you first set up VLAN tags, especially if you fail to standardize your processes and procedures, VLAN tags can actually cause more management difficulties than working in an untagged VLAN environment.

Your team should only go into a VLAN tagging project only if you stand to benefit from features like inter-VLAN routing, more granular policy management, and stronger broadcast controls. If you’re primarily looking to set up an easy-to-use VLAN environment for simple user devices and VLAN classifications, untagged VLANs will likely meet your needs.

Also read: Microsegmentation Is Catching On as Key to Zero Trust

7 VLAN Tagging Best Practices

VLAN tagging isn’t easy, but following these best practices will help you get it right.

1. Maintain Consistent VLAN Standards

To make sure your tags don’t get too confusing and devices on your VLAN remain compatible with each other, stick to a standardized naming convention and uniform tagging standards. With VLAN tagging in particular, users have the option to choose between different methodologies and standards, such as IEEE 802.1Q and ISL. Either standard may be the right fit for your organization, but choosing to work with both can create a mixed tagging scenario where it’s easier to lose track of traffic, misconfigure different aspects of the VLAN, and generally have information packets get misunderstood or misdirected.

2. Monitor and Audit for Dual Tagging and Other Tagging Errors

Different tagging errors can easily crop up in your VLAN environment, especially if multiple users and teams are working on tagging initiatives. To make sure you don’t end up with a scenario like information packets with dual tags, continually monitor traffic moving within and across VLANs with network monitoring tools. For the occasional, more in-depth analysis of tag quality, make VLAN tag assessment a part of your regularly scheduled network audits and vulnerability assessments.

3. Control Broadcast Domain Size

Regardless of how well you tag your VLANs and information packets, your network can still get bogged down and run slowly if your broadcast domain and the traffic within that domain grows too large. As your network activity continues to grow, consider creating new sub-VLANs in order to reduce broadcast traffic and make it easier to manage network security and performance in granular segments.

4. Consider Users, Use Cases, and Other Logical Groupings for Tags

Tag groups can be aligned to nearly any category or classification, so it’s best for organizations to think through how they want to group their virtualized network traffic. Do you have third parties, stakeholders, or employees who need more or less access to certain resources? Are certain devices or applications being used in a way that takes up more bandwidth and requires special attention? Do certain devices transmit data that requires stricter data security and compliance practices? These are all questions that should inform how you divide up and tag individual VLANs.

5. Invest in Network Monitoring and Other Cybersecurity Tools

Network monitoring solutions can prevent bigger cybersecurity issues from spiraling out of control on any type of network, including a virtualized network like a VLAN. As a bonus, certain network monitoring tools give users the levels of customization necessary to track VLAN tagging elements, including if certain information packets have been mistagged or accidentally received multiple tags.

Related: 34 Most Common Types of Network Security Solutions

6. Use Staging Environments to Test VLAN Configurations

Misconfigurations are some of the most common issues — and security threats — that networking professionals face when they first get started with VLANs and VLAN tagging. Although working out the kinks in a staging environment might not solve all your problems, especially as network traffic and devices grow more complex, getting your VLAN initially configured in a staging environment gives you a chance to test its capabilities and performance without negatively impacting your actual network’s performance.

7. Keep VLAN Tagging Documentation Up-to-Date

As team members leave and new team members are brought on to your IT and networking teams, the only way to ensure everyone knows how to maintain current VLAN tagging standards is through detailed, up-to-date documentation. Any time a new VLAN or VLAN ID is created and also as internal standards or rules for data management change, be sure to update that documentation and keep it in a location where all relevant stakeholders can access it. For better results, require that all internal networking professionals go through regular training on VLAN tagging and VLAN usage best practices.

Top Issues Faced With VLAN Tagging

VLAN tagging, when performed correctly, can help networks operate more efficiently and securely. However, the opposite may become true if networking professionals aren’t careful. Keep an eye out for the following most common issues faced with VLAN tagging as you embark on a tagging project:

Misconfigurations

There are a lot of different components and moving parts involved in VLAN tagging. Because of its complexities, organizations frequently misconfigure their VLANs and VLAN tags with errors like mismatched VLAN IDs, untagged ports, misconfigured switches and trunks, and overloaded VLANs that hold too many devices and cause network congestion. These issues can not only cause the network to perform more slowly and inefficiently but can also lead to security issues like unauthorized access.

Management Costs

Although correctly configured VLAN environments often lead to cost savings, there are still areas of VLAN management and VLAN tagging that can be cost-prohibitive. For example, smaller organizations may not be able to afford initial costs or maintenance costs for specialized servers like RADIUS servers.

Limited Internal Expertise

Not all organizations have enough in-house expertise or the resources to work with an expert third party for VLAN tagging projects. Whether it’s during initial implementation, ongoing monitoring, or periodic troubleshooting, many organizations run into issues they can’t solve when certain components aren’t working as intended.

Consistent Maintenance and Monitoring Requirements

Related to the issue of limited internal expertise, many companies do not have the resources they need to continually monitor for network performance issues and emerging security vulnerabilities, which causes them to struggle with maintaining high VLAN standards. VLANs require complex network operations to run smoothly, especially since so many devices and networking tools are involved. Interoperability, network traffic, quality of service (QoS) policies, and user access controls are all complex issues networking professionals need to stay on top of for VLANs and their tags to serve their purpose.

Bottom Line: Getting VLAN Tagging Right

VLAN tagging can be a complex process if your team isn’t prepared to keep up with and monitor network configurations, and especially if your team has greener networking professionals. However, especially for larger companies that are managing large swathes of varied traffic and user types, VLAN tagging is one of the most effective, cost-efficient, and scalable ways for system administrators to manage cybersecurity; bandwidth; network performance; and role-based, device-based, and traffic-based controls. Network administrators can reap all sorts of benefits from this organizational management framework for VLANs so long as they’re willing and able to troubleshoot their tagging setups and methodologies consistently.

Read next: Network Protection: How to Secure a Network

The post What Is VLAN Tagging? Definition & Best Practices appeared first on eSecurity Planet.

VLANs have made it possible for major enterprises to create more secure network configurations and computing operations, but a VLAN setup alone doesn’t offer support for the more intricate routing configurations necessary for more complex networking scenarios and distributed enterprise teams. Enter the tagged VLAN and the largest debate surrounding VLANs: Is it better to work with a tagged or an untagged VLAN setup?

Also read: What is a VLAN? Ultimate Guide to How VLANs Work

Differences Between Tagged and Untagged VLANs

We’ll dive deeper into both types of VLANs in the following sections, but before we go too far, it’s important to know the basics of what each type of VLAN is and why you might want to use either one:

• Tagged VLANs: When tags are implemented in a VLAN, the broadcast domain is further segmented and devices can only communicate with other devices that have matching tags. Tagged VLANs are best for larger organizations that need stricter traffic and security controls over more complex, higher volume, and different types of network traffic.
• Untagged VLANs: Untagged VLANs are traditional VLANs in which all devices share a broadcast domain, meaning every asset on the VLAN receives every message or piece of data that is transmitted. Untagged VLANs are ideal for smaller organizations and less complicated networking operations where no specialized security or classifications are necessary to separate and isolate VLAN traffic.

Both tagged and untagged VLANs add additional structure and logic to a network than a traditional LAN can, but in their designs, purposes, and most common use cases, tagged and untagged VLANs operate quite differently. Below, consider how tagged vs. untagged VLANs differ across different networking and network security metrics.

See how one managed service provider uses VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture

Tagged VLANs

A tagged VLAN is a virtual local area network — or multiple VLANs — that uses different ID tags to segment network traffic into more specific broadcast domains. Even if several devices all technically sit within the same VLAN, they can only communicate and share certain information with other devices as authorized by the trunk port switch that has been configured for particular tag(s).

Tagged VLANs have become increasingly popular for enterprise networks because they give network administrators and cybersecurity teams more hands-on controls over and visibility into network traffic. VLAN tags also make it easier to quickly identify and classify different types of network traffic, which lends itself to greater network visibility and easier risk identification and threat mitigation for a network security team.

When to Use Tagged VLANs

The following are some of the most common scenarios in which organizations choose to use tagged VLAN configurations:

• Inter-VLAN Routing and Complex Traffic Management: When you have multiple VLANs that need to share information, tagged VLANs enable more complex configurations and data transmissions via trunk-port switches and routing.
• QoS Requirements: When you’re interested in establishing a Quality of Service (QoS) policy for critical application and traffic management, VLAN tags provide the necessary information to identify and create specialized rules for top-priority or more complex traffic. QoS enables stricter broadcast and resource controls that prevent certain performance issues.
• Security and Compliance Management: When certain departments, groups, applications, or other categories of network operations require special rules or safeguards that need to be classified and isolated accordingly, tagged VLANs support increased network segmentation. This is particularly important for organizations or departments that must adhere to strict regulations and data security laws.
• Multi-tenant Environments: Beyond the typical organization that operates a network for itself, data centers, cloud providers, and other third-party networking organizations can use tagged VLANs to better isolate and manage traffic for each tenant’s particular requirements.
• VoIP Operations: For Voice over Internet Protocol (VoIP) technology users, tagged VLANs are particularly effective for identifying voice traffic and making sure it is prioritized over other types of traffic; this type of prioritization decreases the chance of performance lags during voice calls.
• Growing or Changing Organizational Demographics: if you work in a hybrid or remote environment, VLAN tags make it easier to manage how network traffic should behave, regardless of where it’s physically coming from. Similarly, if your organization is frequently hiring new employees or otherwise makes recurrent changes to active devices on the network, tagged VLANs are easier to identify and adjust as necessary.

Also read: How to Implement Microsegmentation

Untagged VLANs

An untagged VLAN is a more traditional VLAN in which an untagged access port is connected to a host device. Because tags are not an integral part of this setup, it does not matter if the host device is VLAN-aware. The host is able to transmit frames to the access switch port and does not have to add any kind of label or ID for that traffic to be accepted. Once the traffic is received by the access port, it may be given a temporary tag, but regardless, that switch is set up to send untagged traffic to one untagged VLAN source, which is typically another VLAN-unaware host.

Untagged VLANs are most useful when organizations need simple network connections that are easy to maintain or when traffic is low and unspecialized. In guest and home networks where device counts are limited or devices are mostly VLAN-unaware user devices, untagged VLANs give network administrators the simplicity they need and give end users the ease of use they want.

When to Use Untagged VLANs

Untagged VLAN is less widespread in larger organizations, but particularly for SMBs and smaller or hybrid networking operations, you may choose to use untagged VLAN for the following reasons:

• Limited Number of VLANs: If your organization is smaller and only has one or a small number of VLANs that rarely need to interact with each other via inter-VLAN routing, an untagged VLAN offers enough connectivity for most use cases.
• Small Number of Devices or Traffic Requirements: If you have no special security or performance requirements for any devices on your VLAN, VLAN tags may not be necessary to segment the VLAN broadcast domain further.
• Legacy Devices and Network Technology: Not all legacy hardware and devices are VLAN-aware; these types of devices can not readily accept VLAN tags and operate better in a simple untagged VLAN configuration.
• Consumer and Home Network Configurations: If a network mostly consists of end-user devices like phones or laptops, or if a network is operating in an individual’s home or as a consumer Wi-Fi access point, VLAN tags are overkill for the types and volume of traffic moving through. Especially for guest Wi-Fi networks, untagged VLANs are better for easier log-on and ease of use.
• Lacking Networking Expertise or Budget: Untagged VLANs are easier to set up and harder to misconfigure, making them ideal for teams with inexperienced or small network security teams. Untagged VLANs are also less likely to result in costly security or performance errors and typically don’t require more specialized, VLAN-aware components that can get expensive.
• Less Important Traffic Types: It may be beneficial to leave certain frames, devices, or VLANs untagged if they’re primarily used to transmit less important network traffic. For example, if you’re operating a VLAN for VoIP, you may want to use untagged VLAN for non-voice traffic so the tagged voice traffic can be prioritized for performance needs.

Also read: Network Protection: How to Secure a Network

Frequently Asked Questions (FAQs)

How Many Untagged VLANs Can Exist in a Trunk?

While it is theoretically possible for multiple untagged VLANs to exist in a trunk, in practice, there can and should only be up to one untagged VLAN per trunk port. This is because an untagged VLAN has no designation that indicates which devices and components should connect to it; if multiple untagged VLANs are present in a single trunk port, it will not be clear to other devices where they should connect or if they should connect to one of these untagged VLANs.

How Do You Know if a VLAN Is Tagged or Untagged?

There are many ways to check if a VLAN is tagged or untagged. Network administrators can look for labels on ports that indicate if the port is an untagged (access) port or if it is a tagged (trunk) port. Users may also be able to check switch and router configurations and settings, device documentation, or VLAN membership lists for more information.

Bottom Line: The Benefits of Tagged vs. Untagged VLAN

VLANs are useful virtualized infrastructures that support a more logical approach to network grouping and communication, making it possible for network administrators on larger networks to more effectively group and control different types of network traffic. Tags add an additional grouping and control element to the VLAN designation, which is particularly useful for organizations that need to manage larger amounts of traffic for different cybersecurity, workload, and performance scenarios.

But when it comes to tagged vs. untagged VLAN, it’s not necessarily a question of which one is better but rather which one(s) make the most sense for your organization’s devices and particular needs. In fact, it’s often beneficial to use a combination of both tagged and untagged VLANs on your enterprise network, whether you’re attempting to prioritize voice over other performance data on a VoIP network or you’re working to make simple connections to end-user devices while maintaining more complex connections on your network. Using a combination of tagged and untagged VLANs gives you the best of both simplicity and network control.

Next: Top Network Access Control Solutions

The post Tagged vs Untagged VLAN: When You Should Use Each appeared first on eSecurity Planet.

Containers are unique computing environments that lend many different advantages to users, but their design can also introduce new kinds of security vulnerabilities and challenges. With dedicated container security tools and processes, your organization can ensure that containers stay up and running and continue to protect the applications and data they host with minimal disruption.

10 Components of Container Security

When you’re first setting up containerized applications and infrastructure, it’s important to consider each component of the containerized environment through the lens of cybersecurity. The 10 components listed below not only cover the main components of containerized network architecture but also the container security tools that are most important for this type of network setup.

1. Container network security

A container network is an interconnected, typically virtualized network that is developed between an organization’s different containers. Examples of container networking and virtualization tools include VMWare NSX and HAProxy. Container networking tools help organizations manage communication, interoperability, and scalability while still maintaining control over how individual containers interact with each other.

2. Container runtime security

A container runtime is a type of software that runs containers on the host operating system(s). Examples of container runtime platforms include Docker Engine, containerd, and runC. Container runtime security tools help administrators manage policies, configuration drift and abnormal network traffic, attempted privilege escalations, user access controls, cross-container communications, and container monitoring and logging once a container is up and running.

3. Container registry security

A container registry is a storage repository or catalog for container images that can be pushed or pulled into your running containers through their connection to container orchestration platforms. Some common examples of container registries include Docker Hub, Azure Container Registry, and Amazon ECR. Container registry security tools help users manage image-level security, adjust user privileges, scan images for vulnerabilities, audit image libraries to identify outdated or problematic images, and mitigate supply chain risks.

4. Container orchestration security

A container orchestration tool is what automates and enables the quick deployment and scalability of containers. The best-known example of a container orchestration solution is Kubernetes. Tools that support container orchestration security help users maintain container isolation, manage third-party components, and harden both container runtimes and orchestration platforms while scaling up their container deployment activity.

5. Container image security

Container images are files that contain a microcosmic collection of what’s needed to set up a new container, including container runtimes, registries, configuration settings and specifications, the host operating system kernel, and other information about what can and can’t run on that container. Container image security solutions help users regularly scan image packages and dependencies for vulnerabilities; in many cases, container image security is managed by container registry security solutions.

6. Access controls and user privileges

Identity and access management (IAM) solutions are frequently used to designate specific user privileges in containerized applications and environments. Much of user access management can be handled manually or without tools, but especially as you begin to scale up your container network and differentiate how each container operates, it’s a good idea to invest in tools that support automated credentials and directory management.

7. Container-level segmentation

A number of container and workload segmentation tools are available to manage container isolation and limit lateral movement in cloud environments. These segmentation or microsegmentation tools help to manage zero trust and user access controls with identity verification, enforce application and workload-specific policies, and provide a consistently updated map of where applications live and how they’re being used.

8. Vulnerability scanning and management

Container vulnerability scanning frequently involves looking at the entire container image and then analyzing how workloads, runtimes, orchestration platforms, and other factors may make the overall image more vulnerable to security threats. Beyond simply scanning for vulnerabilities, many container security tools also help to automate the patching process.

9. Container monitoring and logging

Container monitoring and logging tools track the activities and behaviors of microservices, applications, and other components of a containerized environment, reporting any unusual behaviors to your organization’s security administrators. For best results, look for container monitoring tools with event and log correlation, code instrumentation, easy configurability, and compatibility with multiple data sources and types. Most container monitoring and logging tools are affordable, and many are open-source solutions.

10. Container encryption and secure storage

With container encryption, the entire container’s information and operations are hidden from plain sight rather than just individual files or datasets. Container-level encryption is a helpful way to balance secure storage and accessibility, because authorized users can decrypt the container and then access all relevant information in that container from there (though many organizations opt to include additional layers of file and data encryption). Container encryption solutions are best for protecting against backdoors, creating hidden containers, and securely managing cross-platform container security.

See the Top Container Security Solutions

Best Practices on How to Secure Containers

Securing containers requires a combination of traditional cybersecurity strategies and dedicated container security practices. Below, we’ve gathered some quick tips for how to secure your containerized environment:

• Don’t neglect broader cloud and network security tools and strategies in your container security management efforts.
• Stay up-to-date with patches and application upgrades across all containers and container components.
• Take advantage of built-in, configurable security tools in container environments; many already have security capabilities that simply need to be set up.
• Ensure your security teams have application-level visibility and regularly use threat monitoring, logging, and vulnerability scanning tools across each application and container.
• Automate your security scans and other tooling wherever possible.
• Use only vetted container images from trusted sources.
• Set up access controls and usage policies that are specific to each application, platform, and container.
• Regularly audit your containers, alongside your entire network.

Read more on this topic in our Container Security Best Practices Guide.

Benefits of Container Security

Containers make it possible to run granular network operations, and for teams that think strategically about container security, that freedom to customize extends to the cybersecurity tools they use and decisions they make. Learn about some of the specific benefits of container security below:

• Security through segmentation and isolation: Containerized applications and business workflows are purposefully isolated from other containers; containers do a great job of enabling lightweight and efficient computing, and through their isolation, they also help to prevent the spread of security incidents from one application to another, essentially decreasing your organization’s attack surface.
• Consistent builds, immutability, and secure scalability: Once initial container environments are set up for an organization, it becomes much easier to replicate that infrastructure and its security features as computing requirements grow or change. As long as your team establishes strong security tools and procedures from the start, those best practices will transfer to all future containers you build.
• Strategic structure for DevSecOps teams: The tools and best practices associated with container security are optimally designed for DevSecOps. By implementing container security best practices, organizations can ensure developers, security teams, and operations teams all have a hand in and invest time in managing cybersecurity while developing and using containerized applications.
• Container-specific user permissions: Containers operate like miniature networks, making it possible for network administrators to set up container-specific, clustered user permissions. User permissions and capabilities can be confined to specific applications and containers, which limits the possibility of user credentials being stolen and used in an unauthorized fashion across multiple containers.
• Focused environments for continuous security monitoring: Containers are typically given dedicated tools and resources for continuous security monitoring. A focused approach to continuous security monitoring makes it easier to detect threats and anomalous behaviors before they spread to other parts of the network or worsen.
• Configurability for compliance and security audits: Containers are highly configurable and customizable environments, which makes them ideal for complex policy and compliance management requirements. For example, if a specific policy or regulation only applies to one of your departments or projects, the appropriate security rules and settings can be applied solely to that container.
• Simpler security process automation: A number of third-party plugins, extensions, and tools are available to automate security management for containers. Automated tooling options include registry scanners, compliance auditing tools, container firewalls, container workload and host monitoring tools, and alerts and notifications.
• Efficient deployment and rollback: Because containers are both isolated and lightweight, it is easy to set them up and roll them back quickly. This is advantageous in many ways but particularly for cybersecurity because containers that have been impacted by a breach or other suspicious activity can quickly be rolled back to stop the spread to other containers.

Container Security Risks

Container infrastructure involves many different components that are simultaneously running independently and interconnectedly, so it’s no wonder there are several different weak spots for cybersecurity vulnerabilities to creep in, often without network administrators and security teams noticing. When working in a containerized environment, it’s important to be aware of the following security risks:

• Limited visibility: The isolated and segmented nature of containers produces many positive cybersecurity effects, but it has one major cybersecurity drawback: limited visibility for your cybersecurity team. Unless your cybersecurity team uses purpose-built container security, threat monitoring, and dashboarding tools, it will be incredibly difficult for them to do quick security spot checks of your entire network since it’s divided into separate containers with different rules, permissions, and operations.
• Container image vulnerabilities: Container images, especially those from untrusted or unfamiliar third-party sources, may be outdated, unpatched, and/or include malware, spyware, and various vulnerabilities that put your containerized environment at risk. There’s also the risk of image poisoning, or the act in which hackers use backdoors to bring malicious container images into your existing environment without user knowledge.
• User error in container configuration: Even if just one container, application, orchestration platform, or other component of your network is misconfigured, new security vulnerabilities and issues can impact your containers; containerized components rely heavily on each other and can suffer major consequences if another component is misconfigured and left vulnerable.
• Kernel vulnerabilities: Regardless of the hardware or software you use to build out your network, your operating system cannot run without a kernel. Both the host operating system and all hosted containers rely on this core kernel, so if an attack or vulnerability successfully reaches the kernel, it could then impact the rest of the containerized environment.
• Orchestration platform vulnerabilities: Orchestration platforms have their own cybersecurity risks that can affect the containers they manage in a distributed environment. Orchestration-specific cybersecurity risks include outdated patches, API exposures, misconfigurations, and the general complexities that come with managing security for multiple microservices.
• Inconsistent patching and retuning efforts: Containers and all of their components need to be regularly audited and updated in order to maintain security. Individual applications, container images, and container orchestration platforms can all introduce new vulnerabilities into the network if they are not regularly reviewed and patched as new issues are discovered and updates are delivered.
• Loose user access privileges and policies: Containers make it possible for organizations to set up highly segmented user access controls and privileges, but many organizations do not take advantage of this capability. The loose approach most take to managing container access privileges can lead employees and attackers alike to manipulate containers and hosts through Docker APIs, escalate container privileges, leak data, or introduce unapproved container images.
• Third-party exposure: In many cases, third parties have some kind of access to the applications you host in containers, or they may be the owners of applications, libraries, or dependencies that are running in your containers. It can be incredibly difficult to monitor and regulate third-party behavior in your organization’s containers without the proper tools and procedures in place.

Bottom Line: The Importance of Container Security

A growing number of businesses handle computing and daily operations in containerized environments. However, many businesses are not considering the breadth and depth of the container security tools and practices they need before getting started. Bad actors have picked up on this flaw in businesses’ security plans and are targeting containerized environments now more than ever before.

To truly protect the modern attack surface, it’s necessary to incorporate container-specific security tools and best practices into your cybersecurity strategy. Although containers already have some native security benefits, they also pose some additional risks, especially in the ways they limit your cybersecurity team’s ability to view the entire attack surface at a glance. Adding purpose-built container security to your cybersecurity efforts will give your team the peace of mind and support they need to manage vulnerabilities and threats in containerized environments.

Next: See the Top Cloud Workload Protection Platforms (CWPP)

The post What Is Container Security? Complete Guide appeared first on eSecurity Planet.

This modern infrastructure choice brings numerous advantages to operational workflows, but without the appropriate security policies and tools in place, it can also open the door to new security vulnerabilities and attack vectors. To prepare your organization’s containers for all possible security threats, it’s important to be aware of both the challenges you’ll face and the best practices you can follow to optimize your container security setup.

See the Top Container Security Solutions

Top 8 Challenges of Container Security

Container networks are intricate environments, with various components running unique processes and workflows. The design of containers can lead to a number of container security challenges. Here are the major ones.

Vulnerable Container Images

The container images used to create new containers are often the source of new security vulnerabilities for a cloud network. Images, especially those that come from unreliable and/or unvetted third-party image libraries, may be outdated and riddled with malicious code without user knowledge. There’s also the chance that a bad actor will leverage a poisoning attack against images already in your registry or introduce a poisoned image through an unsecured backdoor.

With the variety of images and sources that organizations use when getting started with containers, it can be difficult to detect every abnormality or risk from the outset, especially if your team has little experience with this type of technology.

Vulnerable CI/CD Environments

Even earlier in the container development and deployment lifecycle, it’s possible for vulnerabilities to go undetected in the continuous integration and delivery (CI/CD) environments you use to build container images. Attackers are increasingly introducing malicious code into these build environments and attacking container images, registries, and source code repositories before containers are even built. Build environments have become frequent targets because many organizations do not pay as much attention to build environment security as they do security for other container components.

Monitoring Isolated and Segmented Architecture

By nature, containers are isolated and segmented into unique microservices, which makes it difficult for cybersecurity teams to monitor and quickly assess individual container behaviors in the context of the network as a whole. It takes a well-trained team and the right tools to maintain visibility and effectively monitor a large network with different rules and norms operating in each container.

Maintaining Real-Time Threat Detection During Runtime

A serious security incident can spin up with little notice in container runtime, particularly if the organization has not established appropriate user privileges and is not regularly scanning for anomalous behaviors. Once a container is up and running, real-time threat detection tools and strategies should be in place to catch all possible issues, both existing and emergent.

Setting Up and Working With Various Configurations

Every component of a container ecosystem has its own configuration rules and best practices. It’s all too easy to misconfigure a container image, an orchestration platform, an image registry, or an individual application, and any single misconfiguration could leave the entire container network vulnerable.

Configurations get even more complicated to manage when you consider the different microservices, software formats, and compliance rules that may exist for each container. Open-source container configurations can be particularly challenging to set up and maintain correctly if your team is less experienced with this type of software.

Keeping Up With Security Updates Across Containers

Each container, orchestration platform, application, and individual component of a container typically relies on different software solutions, vendors, and upgrade schedules and particularities. Without automated patching and security management tools, security teams frequently miss crucial patching opportunities and leave their network more vulnerable to unauthorized user access and actions.

Working With Third-Party Products and Services

Sometimes container administrators know they’re working with third-party products and services and are aware of their sources and credibility. In other cases, you may choose to work with third-party container products or services that are less familiar and may not have been properly vetted. Whether you intentionally or unintentionally introduce third parties into your container environment, their cybersecurity posture management practices, user errors, and misconfigurations can extend new issues into your environment.

Designating and Maintaining Appropriate User Access Controls

Each container and application likely requires different user permissions and access levels, especially if certain parts of your business are subject to compliance regulations while others are not. Without a directory or identity and access management (IAM) solution in place, your cybersecurity team will have trouble keeping up with onboarding, offboarding, and otherwise updating the right users in the right places. This has severe consequences: Any unnecessary levels of access that your organization grants open you up to additional security risks, including a greater chance of exposed credentials and credential phishing attacks.

8 Container Security Best Practices

While container security can be difficult to manage, a number of tools, processes, policies, and general best practices can help your team stay on track. Learn about some of the best ways to manage container security for your organization below.

Regularly Monitor for and Fix Container Misconfigurations

Container image, orchestration platform, and other component misconfigurations are some of the biggest, most severe sources of container security breaches. To immediately decrease your chances of a security incident, your organization should strategize on how to monitor for, fix, and establish better standards that prevent container misconfigurations.

To improve your container security outcomes, consider setting up automated configurations and using configuration platforms to avoid issues of human error. Additionally, set up configuration guidelines and expectations from the outset, covering topics like compliance and approved third-party vendors. Finally, make sure your actual build environment has clearly defined dependencies and configurations so new containers can be set up for success.

Learn more about Cloud Workload Protection

Use Purpose-Built Container Security Tools

Many container solutions include built-in security tools that your organization should set up, but those solutions are often not enough to keep up with your different applications and operational workflows. For best results, it’s a good idea to invest in purpose-built container security tools and platforms.

If you’re not sure what to look for in your container security tool selection process, focus your search on the following key features and capabilities:

• Code security tools, including code debugging tools
• Automated image, code repository, registry, and vulnerability scanning
• Workload configuration scanning and misconfiguration alerts
• Container runtime security (CRS)
• Real-time threat detection
• Application-level threat monitoring for zero-day vulnerabilities
• Incident response and forensics
• Accessible reports and dashboards
• Native enforcement and continuous hardening

Automate Container Security Scanning and Threat Monitoring

Automated threat monitoring and vulnerability scanning make it possible for your security and network administrators to manage container security around the clock and at a granular level. With the right monitoring and scanning tools in place, your organization can look for and mitigate misconfigurations, malware code, and various security vulnerabilities in real time and without constantly undergoing full-fledged audits.

Although vulnerability scanning and threat monitoring tasks can be handled manually to a certain extent, it’s a good idea to automate these processes, especially as your container network grows and diversifies. Look for automated tools that regularly scan at an image, dependency, and workload level, and to improve the overall experience, select a tool that includes user-friendly dashboards and data visualizations.

Complete Regular Container Security Audits and Testing

Regardless of what tools or procedures you select, make sure your security audits follow a regular schedule and standardized processes that match your organization’s usage and compliance requirements. In between regular audit cycles, be sure to have continuous security tests running in CI/CD pipelines.

To make container and broader cloud network audits easier to complete, consider investing in a security software solution that includes cloud security mapping among its features. This feature can help you and your team get a quick visual of how all individual pieces of your network — including containers and their individual components — are set up and behaving. This feature is common in cloud security posture management (CSPM) and Kubernetes security posture management solutions.

Vet All Container Images Before Use

Not all container images are created equal, which is why your team must regularly assess container image quality before and during use. To prevent image-related security issues, stick to the following best practices:

• Only use images from trusted third-party repositories.
• Regularly update images and check for patching opportunities; patch management software can help you automate and manage updates across larger container environments.
• Audit images and look for evidence of anomalous behaviors and/or image poisoning.
• Use images that include only the dependencies you absolutely need; this will reduce your attack surface.
• Use image signatures and other verification methodologies to confirm the image source’s credibility.

Patch and Upgrade Container Components Regularly

Applications, orchestration platforms, images, image repositories, and a variety of other components in a containerized environment can become gateways to bad actors and malicious code if you don’t keep up with patch updates. Your team can handle patches manually if you have the on-staff resources and skills to keep track of all patching opportunities. However, most organizations will benefit from using patch management software or a cybersecurity platform that includes this functionality. This type of software is capable of automating and handling patches at scale and across a variety of container components.

Set Up Granular User Access Controls and Permissions

Especially for containers that contain sensitive datasets and are subject to strict compliance regulations, it’s important to determine what roles, responsibilities, and user access levels are necessary to protect that data. Role-based access controls should be applied to both containers and APIs to ensure only authorized users can access and make changes to your applications and the containers where they’re running.

It’s also a good idea to implement internal security and usage policies for all users because having all of the right security tools and permissions in place can only do so much to protect against user errors. Your policies need to cover how different users can and should interact with applications and data stored in containers. An overarching policy may be enough, but role-specific policies and training ensure all users know what they have access to and how they can securely and compliantly use those resources.

Incorporate Broader Cloud and Network Security Best Practices

Your containers and container security practices should be well integrated into your entire cloud computing environment, particularly with DevOps and SIEM tools that you already use. In addition to purpose-built container security tools, it’s important to apply broader cloud security best practices and tools to your container environment. Cloud security posture management tools, third-party risk management platforms, and vulnerability management and scanning solutions are just a handful of cloud security tool examples that often include container-specific configurations and integrations.

Learn more about cloud security best practices.

Bottom Line: Optimizing Your Container Security Setup

Containers offer efficient and lightweight computing architecture to businesses of all backgrounds, but without the proper setup and ongoing maintenance of container components and security tools, your containers and hosted applications can quickly fall into disarray and disrepair.

As a growing number of bad actors target containers and microservice architectures, it’s important to be aware of all of the different ways your host operating system, container images, orchestration platforms, and other container components can fall prey to unauthorized access and use. With the best practices and tips above, your cybersecurity teams and network administrators can be sure that all users are following appropriate processes and procedures and that all container components and security tools are working as they should.

Next: See the Best Cloud Native Application Protection Platforms (CNAPP)

The post 8 Container Security Best Practices & Tips appeared first on eSecurity Planet.

These feeds are often in a standard format like STIX/TAXII so they can be integrated with EDR, SIEM, firewalls, threat intelligence platforms, and other network security tools, offering an additional source of real-time or near-real-time threat information to monitor for indicators of compromise (IoCs), malicious domains and other cyber threats. As a bonus, many of these tools are free to access and have specialized feeds that focus on different industries and sectors.

Here are our picks for the top threat intelligence feeds that security teams should consider adding to their defensive arsenal:

• AlienVault Open Threat Exchange: Best for community-driven threat feeds
• FBI InfraGard: Best for critical infrastructure security
• abuse.ch URLhaus: Best for malicious URL detection
• Proofpoint ET Intelligence: Best for contextualized threat information
• Spamhaus: Best for email security and anti-spam
• SANS: Internet Storm Center: Best for threat explanations

Top Threat Intelligence Feed Comparison

Threat intelligence feeds can come in a variety of formats and pull their information from a number of different sources across the web. To get a better idea of what each top threat intelligence feed solution offers, take a look at our comparison table below.

Jump ahead to:

• Key Features of Threat Intelligence Feeds
• How to Choose the Best Threat Intelligence Feed for Your Business
• How We Evaluated Threat Intelligence Feeds
• Frequently Asked Questions (FAQs)
• Bottom Line: Boost Security with Threat Intelligence Feeds

AlienVault Open Threat Exchange

Best for community-driven threat feeds

AT&T Cybersecurity’s AlienVault Open Threat Exchange (OTX) is one of the largest and most comprehensive threat intelligence feed communities today, with more than 100,000 participants representing 140 countries and contributing more than 19 million threat indicators on a daily basis. OTX prides itself on being a completely open community for threat intelligence, extending access to threat research and shared expertise from security professionals to any and all users.

Beyond simply making its feed available to all kinds of users, AlienVault Open Threat Exchange also does a good job of making its data accessible and easy to read through detailed dashboards. Dashboards clearly state the quantity and types of indicators of compromise (IoCs) and also provide Pulses to quickly summarize threats and their impact. Additionally, dashboards share data about threat names, any relevant reference URLs, tags, adversary and malware families, and attack IDs.

Pricing

All OTX products and features, including the AlienVault Open Threat Exchange and OTX Endpoint Security, are free to use on their own. Additional costs may arise when integrating OTX and OTX Pulses into third-party software or applications. There are also costs associated with the USM product, which users often connect to OTX.

Features

• 100,000 participants and contributors from 140 countries
• OTX Pulses for real-time looks at indicators of compromise, targeted software, and threat summaries
• Integrations with other tools through the DirectConnect API
• Built-in integration with AlienVault USM and AlienVault OSSIM
• Pulse Wizard for automated IoC extraction from blogs, threat reports, emails, PCAPs, and text files

Pros

• Open community approach means threat and security professionals of all backgrounds and from all over the globe can contribute their insights.
• One of the most comprehensive threat delivery solutions available; over 19 million threat indicators are posted daily.
• Threat dashboards are highly intuitive and easy to read.
• With Pulse Wizard, users can easily and automatically extract IoCs from sources in different formats.

Cons

• Though free tools and integrations are available, OTX works best with paid AT&T Cybersecurity products like AlienVault USM.
• The massive, crowdsourced approach OTX takes limits the possibility of effective quality assurance.

FBI InfraGard

Best for critical infrastructure security

InfraGard is a threat intelligence feed and network partnership between the FBI and other government agencies and interested private sector parties. The goal of this threat intelligence community is to share useful threat information back and forth: Private sector leaders can benefit from access to FBI insider knowledge, training, and best practices, while the FBI and other governmental bodies gain additional eyes on different areas of U.S. critical infrastructure. Although it is free to join, membership is required to access InfraGard resources.

InfraGard’s feeds and membership training resources are divided into 16 critical infrastructure categories:

• Chemical
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense Industrial base
• Emergency services
• Energy
• Financial services
• Food and agriculture
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear reactors, materials, and waste
• Transportation services
• Water and wastewater systems

These focus areas give private sector members access to highly tailored threat information and security tips for their particular industry.

Pricing

It is free to become an InfraGrad member and use InfraGard tools and feeds.

Features

• Threat intelligence feeds are categorized into 16 critical infrastructure sectors
• Threat advisories, intelligence bulletins, analytical reports, and vulnerability assessments are shared with private sector members by the FBI and other government agencies
• Members-only web portal with up-to-date FBI intelligence
• Local InfraGard Member Alliance chapters across the United States
• Two-way threat sharing between the government and the private sector

Pros

• 16 different specialized threat feeds make it possible for users to focus on threats that are relevant to their particular sector
• One of the only threat intelligence solutions that focuses on threat detection and mitigation for U.S. critical infrastructure
• Combines the expertise and insights of government agencies with private sector professionals
• Members can access sector-specific training and resources from the National Sector Security and Resiliency Program (NSSRP) and Cross-Sector Council (CSC)

Cons

• Its membership and networking focus takes away from dedicated threat intelligence efforts
• Focused solely on U.S. infrastructure, making it a less effective option for global enterprises and distributed workforces

abuse.ch URLhaus

Best for malicious URL detection

abuse.ch’s URLhaus feed project compiles data about malicious URLs into user-friendly databases. Though anyone can access this free collection of feeds and the detailed databases they produce, abuse.ch specifically states that the solution is best suited to the needs of network operators, internet service providers (ISPs), computer emergency response teams (CERTs), and domain registries.

URLhaus manages three primary feeds that focus on specific IP address and domain name anomalies. These feeds can be fetched for up-to-date information directly from the URLhaus website. However, for users that want to use this tool to blacklist, review indicators of compromise, or access a parsable dataset, it will be necessary to download the URLhaus API. Additionally, users can only submit their own malicious URL discoveries if they have an abuse.ch account.

Pricing

URLhaus is free for both commercial and non-commercial use.

Features

• ASN Feed for tracking URLs with domain names that resolve to an IP address with a specific AS number
• Country Feed for tracking URLs with domain names that resolve to an IP address with a specific geo IP location or country code
• TLD Feed for tracking URLs with domain names that are associated with a specific ccTDL or gTLD
• Comprehensive, regularly updated malware URL database that includes information such as date added, URLs, status, tags, and the reporter’s identity
• URLhaus API for downloading and submitting malware URLs

Pros

• URLhaus’s three main feeds work for tracking both online and offline malicious URLs.
• URLhaus provides a detailed submission policy to filter out irrelevant malware submissions from users.
• The URLhaus database is well-labeled and frequently updated.
• URLhaus’s API and download options, including a database dump CSV option, are extensive and varied enough to match different user preferences.

Cons

• Several customizations and capabilities, such as blacklisting, are only available if users choose to use datasets in the URLhaus API rather than URLhaus feeds.
• To submit malware URLs via the web, users must log in with Twitter, Google, LinkedIn, or GitHub, which will be publicly visible; the only way around this rule is to submit via API.

Proofpoint ET Intelligence

Best for contextualized threat information

Proofpoint ET Intelligence takes a comprehensive approach to threat intelligence, offering its feeds through what it calls a rich threat intelligence and context portal. It is a top provider of historical threat data, offering both current and historical metadata on IP addresses, domains, and other IoCs. As an added bonus, ET does a great job of separating, classifying, and scoring IP addresses and domains with regular hourly list updates.

Of all the solutions listed in this guide, Proofpoint ET Intelligence is one of the most comprehensive, but it’s also the most expensive. Businesses that are interested in enterprise-level threat explanations and investigative support are the best fit for this solution, while smaller businesses and individual users will probably want to avoid the price tag and opt for a free threat intelligence feed.

Pricing

• Proofpoint ET Intelligence: Subscriptions are estimated to be between $20,000 and $130,000 per year, depending on user count, reseller, and other factors.
• Proofpoint ET Pro: Ruleset: The Ruleset is priced separately. Estimated to be between $750 and $1,000 per year.
• Free trial available.

Features

• Access to historical metadata on IPs, domains, and other IoCs
• IP and domain reputation feeds
• Searchable threat intelligence portal with trends, timestamps, threat type and exploit kit labels, and related samples
• Confidence scoring with aggressive aging practices and hourly list updates
• Support for TXT, CSV, JSON, and compressed formats

Pros

• Integrates with cybersecurity tools and threat intelligence platforms like Splunk, QRadar, Anomali, and ArcSight.
• For an additional fee, users can access the extensive documentation that comes with the ET Pro Ruleset.
• ET intelligence dashboards include highly legible, color-coded graphs.
• Users with less IT infrastructure of their own can use agnostic threat feeds for additional threat detection support.

Cons

• One of the most expensive threat intelligence feeds on the market, and prices continue to go up.
• May have redundant features with other cybersecurity tools in your existing toolset.

Spamhaus

Best for email security and anti-spam

Spamhaus is one of the largest providers of threat intelligence feeds and blacklists/blocklists for email service providers and internet service providers, covering more than 3 billion users with its solutions. Users can access and apply blocklists for policies, exploits, domains, and general IP address spam issues. They can also fix incorrect spam listings in the Blocklist Removal Center, access live news and specialized ISP information, and read dedicated documents on best practices for everything from anti-spam to email marketing.

With its six main feeds and lists, Spamhaus is a comprehensive email security and anti-spam solution; in fact, it is often considered the best solution for accurate, real-time spam filter data. For users who don’t want to juggle multiple Spamhaus threat feeds simultaneously, Spamhaus also now offers Spamhaus Zen, which combines blocklists and information from SBL, SBLCSS, XBL, and PBL blocklists.

Pricing

Most Spamhaus features and DNSBL feeds are extended to users free of charge. However, users and sites that need higher-scale, commercial spam filtering will need to subscribe to Spamhaus’s Datafeed Query Service (DQS). DQS pricing is user- and query-volume-based; pricing starts at $250 per year, and a 30-day free trial is available.

Features

• The Spamhaus Block List (SBL) is a database of IP addresses associated with unsolicited bulk emails and from which users should not accept emails.
• The Exploits Block List (XBL) is a real-time database for IP addresses of PCs that have been hijacked and infected by third-party exploits.
• The Policy Block List (PBL) is a database that helps networks enforce acceptable use policies when dealing with dynamic and non-MTA customer IP ranges.
• The Domain Block List (DBL) is a list of domain names that should be avoided due to their bad reputations.
• The Don’t Route Or Peer Lists (DROP) are drop-all-traffic lists of netblocks that have been hijacked by professional cybercriminals.
• The Register of Known Spam Operations List (ROKSO) identifies the names and countries of several major persistent spam operations.

Pros

• More than 3 billion user inboxes are protected with Spamhaus threat feeds and blocklists; this is one of the largest (if not the largest) blockers of internet spam and malware.
• A detailed FAQ guide is available for users who have specific blocklist questions or more general questions about DNSBL usage.
• For users that want to use only one DNSBL tool, Spamhaus has packaged its SBL, XBL, and PBL solutions into one solution: Spamhaus Zen.
• Spamhaus has a secure ROKSO LEA portal that law enforcement agencies can use to more securely access classified records about spam operations.

Cons

• Certain commercial features and capabilities are only available through a paid upgrade to Datafeed Query Service.
• Spamhaus’s blacklisting procedures sometimes mean safe public IP addresses get blacklisted; the process for getting these IPs unlisted can be tedious.

SANS: Internet Storm Center

Best for threat explanations

Internet Storm Center is one of the oldest and most trusted threat intelligence feed options on the market. It is a feed and community that is entirely built on collaboration, with a small team of volunteers handling daily threat monitoring and documentation. Beyond these daily handlers, ISC benefits from other users who willingly share performance data from their firewalls and intrusion detection systems.

The Internet Storm Center manages to differentiate itself in several ways. For starters, its proprietary network of sensors and its reporting setup mimic weather forecasting in a way that makes ISC effective at providing early warnings for emerging threats. Additionally, ISC focuses not only on technical information about threats but also on providing procedural guidance for how to address these threats.

Pricing

The Internet Storm Center is a free service.

Features

• Pulls information from sensors across 500,000 IP addresses and more than 50 countries.
• Anomalies and detected threats are analyzed by volunteer incident handlers.
• Daily diaries detail handler analyses.
• Frequently updated DShield intrusion detection system and database.
• Incoming data is monitored with automated analysis and graphical visualization tools.

Pros

• Beyond daily diaries, the Internet Storm Center team is also willing to generate custom global summary reports upon user request.
• The ISC’s network of volunteer handlers is made up of cybersecurity professionals with years of experience.
• The daily handler diaries are often the first public reports of emerging attack vectors.
• The distributed sensor network design of ISC makes it easier for the team to quickly identify threats across all corners of the web.

Cons

• The ability to customize ISC’s threat feeds or integrate the tool into private networks and proprietary systems is extremely limited.
• Though the ISC’s network of volunteers is full of experts, it’s still a relatively small team with a setup that could lead to inconsistencies in reporting and depth of analysis.

Key Features of Threat Intelligence Feeds

It’s clear that threat intelligence feeds need to find and identify threats in order to be effective, but what other key features should you be looking for in threat intelligence feeds? In our experience, these are some of the most important features for a threat intelligence feed to include:

Indicators of compromise (IoCs)

Indicators of compromise are the pieces of evidence that reveal a network or specific part of a network has been breached. While more generalized threat intelligence feeds and blacklists don’t always offer IoCs, they’re a valuable feature for teams that want additional guidance for their threat response efforts. Examples of IoCs include malicious IP and email addresses, suspicious domain names and URLs, unusual file paths or file names, unexpected network traffic patterns, and behavioral oddities like frequent unauthorized access attempts.

Real-time updates

Real-time updates or near-real-time updates are a crucial feature of threat intelligence feeds, as threats can evolve or fall apart and new ones can arise in a matter of hours. Many feeds update on a momentary or hourly basis, while nearly all of them update on an at-least daily basis. Many threat intelligence feed providers give users the option to subscribe to alerts when new threats arise or when new daily reports are available.

Contextual analysis

With threat intelligence feeds, threat data is infinitely more useful if users can understand where the threats are coming from, what kind(s) of infrastructure they’re impacting, the overall damage they’re causing, and how these threats compare to historic threats. Dashboards are the most important feature for easy-access contextual analysis. But other features, like contextualized historic metadata, specialized rulesets, and enriched log data are all helpful for better security response and mitigation strategies.

Historical data access

Historical data helps users to frame current threats, both in relation to how those threats first emerged and how they compare to similar historic threats. Historical data that many threat intelligence feeds provide cover attack origins, the identity and past actions of the threat actor, past vs. present attack methods, and past vs. present damage. Having this historical data access allows users to see how quickly certain threat vectors have grown and predict future threat variants and changes in tactics, techniques, and procedures (TTPs).

Integrations

Integrations with other cybersecurity tools help to make threat intelligence feeds more contextual and relevant to cybersecurity management efforts. The best threat intelligence feeds are accessible on their own but also integrate with and provide in-platform insights for other cybersecurity solutions. These integrations may be natively offered or made available through APIs.

How to Choose the Best Threat Intelligence Feed for Your Business

Choosing the best threat intelligence feed for your business will require you to first set internal expectations around budget, integration requirements, and roles and responsibilities for team members accessing those threat intelligence feeds. You’ll also want to consider if a more general feed is what you need or if a specialized, sector-specific feed better serves your business. In many cases, and especially since so many of these threat intelligence feeds are free to use, it may be worthwhile to use multiple threat intelligence feeds in conjunction.

If you’re looking for additional capabilities that go beyond basic threat feeds, a threat intelligence platform or threat research service may be a better solution. You can learn about the leading threat intelligence platforms in this buyer’s guide; for threat intelligence services and other threat management resources, consider one of the following:

• Cisco Talos
• Palo Alto Networks WildFire
• Mandiant Threat Intelligence Services
• Sophos Managed Detection and Response
• Palo Alto Networks Unit 42 Threat Research
• Flashpoint Managed Intelligence

How We Evaluated Threat Intelligence Feeds

Beyond the core threat intelligence feeds we’ve reviewed in this guide, we assessed approximately 15 other threat intelligence feeds and solutions. The selections in this guide were chosen based on their performance in the following evaluation criteria. The percentages listed for each represent the weight of the total score for each product.

Reputation and performance – 50%

Credibility is everything when it comes to threat intelligence, so the bulk of our assessment focused on reputation and performance. We evaluated each feed based on the trustworthiness of its information source(s), the variety of information sources it pulls from, its range and depth of coverage, its contextual analysis and dashboarding capabilities, its security and compliance policies and procedures, and the utility of expert explanations and mitigation tips. 

We assessed both general threat intelligence feeds and function-specific threat feeds, and both types found a spot on our list; in both cases, what we were looking for was evidence that the tool performed its core tasks well for its specified audience. Additionally, when information was available, each threat intelligence feed was assessed based on its perception and performance in user reviews. However, due to the nature of these feeds, limited user reviews were available.

Timeliness – 25%

Speed, accuracy, and comprehensiveness are all important aspects of timely threat intelligence feed delivery. In our review process, we looked for feeds that update their data in real time and from multiple sources. We also considered how quickly this information is disseminated to subscribing users and in what format that information is shared.

Integration and configurability opportunities – 25%

Because threat intelligence feeds serve an important but singular purpose, many organizations need threat intelligence feeds to smoothly integrate with their existing cybersecurity tool stack. In our evaluation of different feeds, we looked for solutions with comprehensive APIs as well as solutions with native integrations in-portfolio or with third-party cybersecurity software. Beyond simply connecting to other cybersecurity tools, we paid special attention to and boosted the rankings of feeds that gave users the freedom to configure and customize feeds according to their specific requirements.

Frequently Asked Questions (FAQs)

What are the primary sources of threat intelligence feeds?

Threat intelligence feeds collect their information from multiple sources, including from the research of security experts and government agencies, malware analysis reports and other sources of open-source threat intelligence, dark web monitoring data, regional and national databases, aggregated customer data from security companies, and network traffic analysis tools.

Can threat intelligence feeds be integrated into existing security systems?

Many threat intelligence feeds can be integrated into existing security systems, either through APIs or native third-party integrations.

How much do threat intelligence feeds cost?

The majority of threat intelligence feeds are free to use. However, some commercial threat intelligence feeds require users to pay an annual subscription, which could run anywhere from approximately a few thousand dollars to over $100,000 per year, depending on user count, reseller pricing, licensing requirements, tool features, and other factors.

Bottom Line: Boost Security with Threat Intelligence Feeds

Threat intelligence feeds won’t provide all of the functionality and corrective action you need to effectively manage your organization’s cybersecurity posture, but they’re great resources for proactive threat identification across a variety of attack vectors. With so many free and low-cost threat intelligence feeds available today, it’s a smart move to integrate one or multiple feeds into your cybersecurity workflow and tools for additional security knowledge and detection capabilities.

Read next: Network Protection: How to Secure a Network

The post 6 Best Threat Intelligence Feeds to Use appeared first on eSecurity Planet.

CSPM is increasingly being combined with cloud workload protection platforms (CWPP) and cloud infrastructure entitlement management (CIEM) as part of comprehensive cloud-native application protection platforms (CNAPP); however, cloud security posture management’s ability to detect and remediate cloud misconfigurations makes standalone CSPM solutions a worthwhile investment for small businesses and enterprises alike.

Here are our picks for the top cloud security posture management (CSPM) tools in the market today:

• Palo Alto Networks Prisma Cloud: Best overall
• Check Point CloudGuard: Best for compliance
• Lacework: Best for behavioral analysis
• CrowdStrike Falcon Cloud Security: Best for threat intelligence
• Cyscale: Best for cloud security mapping
• Trend Micro Trend Cloud One Conformity: Best for configuration recommendations
• Ermetic: Best for privileged access management

Top CSPM Software Comparison

Cloud security posture management tools can come with a wide range of capabilities, including support for different cloud infrastructures and business sizes, and specialized security features and integrations. Here’s how our top CSPM solutions compare across a few key categories:

Jump ahead to:

• Top Cloud Security Posture Management Solutions
• Key Features of CSPM Tools
• Benefits of Working with CSPM Solutions
• How Do I Choose the Best CSPM Tool for My Business?
• Frequently Asked Questions (FAQ)
• Methodology
• Bottom Line: Cloud Security Posture Management (CSPM) tools

Palo Alto Networks Prisma Cloud

Best Overall

Prisma Cloud by Palo Alto Networks is a CNAPP solution with top-tier cloud security posture management features for hybrid, multicloud, and cloud-native environments. The solution offers its full feature set and capabilities across five different public cloud environments: AWS, Google Cloud Platform, Microsoft Azure, Oracle Cloud, and Alibaba. It should be noted that Prisma Cloud is one of the few solutions that provide features that work for both Alibaba and Oracle Cloud.

Prisma Cloud stands out from most CSPM competitors for a number of reasons, including its flexible implementation options, multiple third-party and vendor integrations for security and compliance, machine-learning-driven threat and anomaly detection, and code scanning and development support features. It is one of the few solutions that offer comprehensive code-scanning capabilities that are also easy to use. Customizations and automation are also fairly straightforward to implement through this platform.

Pricing

Pricing information for Prisma Cloud is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, Prisma Cloud Enterprise Edition costs $18,000 for 100 credits and a 12-month subscription from AWS Marketplace. Prisma Cloud Enterprise Edition is the only version of Prisma Cloud with specific CSPM features.

Features

• Automated workload and application classification with full lifecycle asset change attribution
• Configuration assessments based on more than 700 policies and 120 cloud services
• Automated fixes for common misconfigurations
• Custom policy building and reporting capabilities
• Network threat detection, UEBA, and integrated threat detection dashboards

Pros

• Takes a comprehensive approach to data normalization and analysis across multiple sources that goes beyond many competitors
• Machine-learning-driven anomaly-based policies are available to users
• Palo Alto Networks Enterprise Data Loss Prevention (DLP) and the WildFire malware prevention service integrate with Prisma Cloud, supporting robust data security capabilities

Cons

• Palo Alto Network’s approach to pricing is not straightforward; customers can quickly go over their budget, depending on how many Capacity Units they require
• This solution is not ideally suited to smaller businesses, especially since it lacks some spend-tracking functionality

Check Point CloudGuard Cloud Security Posture Management

Best for Compliance Features

Check Point CloudGuard Cloud Security Posture Management is one component of the CloudGuard Cloud Native Security platform that specializes in automated, customizable solutions for cloud security posture management. It is designed to support security and compliance functions in cloud-native environments, offering its full capabilities to AWS, Google Cloud Platform, Microsoft Azure, Alibaba, and Kubernetes users, and limited functionality to other cloud users.

Many users select this CSPM for its impressive compliance capabilities, which include rule-based, ML-driven telemetry mapping based on dozens of compliance frameworks and CloudBots for the automated enforcement of compliance policies. Other standout features in this solution include AI/ML-driven contextualization that comes before risk scoring activities, risk management in IDEs, and advanced infrastructure-as-code scanning.

Pricing

Pricing information for CloudGuard Cloud Security Posture Management is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, one month and 25 assets worth of access to CNAPP Compliance & Network Security cost $625 through AWS Marketplace. AWS Marketplace also offers plans with 12-month, 24-month, and 36-month subscriptions and the ability to purchase 100-asset bundles. CloudGuard Cloud Security Posture Management is typically purchased as part of CloudGuard CNAPP Compliance & Network Security.

Features

• Security hardening and runtime code analysis
• Auto-remediation is provided through a compliance engine
• IAM-driven just-in-time user access
• Security assessments are available for more than 50 compliance frameworks, 250 cloud-native APIs, and 2,400 security rulesets
• Workload and software supply chain security capabilities

Pros

• Threat intelligence support is included as a complimentary add-on for all CloudGuard Cloud Security Posture Management users
• Governance and compliance policies features, especially CloudGuard’s telemetry mapping, are incredibly advanced
• CloudBots offer low-code, open-source automation that is easy to use

Cons

• Limited support and features for Oracle Cloud users
• CloudGuard’s licensing bundles have large minimums that are not friendly to smaller business budgets and requirements

Lacework

Best for Smart Behavioral Analysis

Lacework is a CNAPP platform that combines cloud security posture management with vulnerability management, infrastructure as a code (IaC) security, identity analysis, and cloud workload protection for AWS, Microsoft Azure, Google Cloud Platform, and Kubernetes configurations. Instead of primarily relying on compliance policies for risk and security management, Lacework depends on smart behavioral analysis to determine baselines in your cloud environment and assess anomalies and risks based on those standards.

Lacework’s machine-learning-driven approach allows the platform to automate cloud security management not only for behavioral analytics but also for threat intelligence and anomaly detection. Other effective features in this tool include agent and agentless operations and reporting features, such as push-button and multiple format options, that make it easy to share findings with all kinds of stakeholders in the business.

Pricing

Pricing information for Lacework is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, Lacework starts at $1,500 per month with an additional $0.01 usage fee per unit used through Google Cloud Marketplace. CSPM functionality is offered as part of the Lacework Polygraph Data Platform.

Features

• Cloud asset inventories with daily inventory capture
• Prebuilt and custom policy options
• Push-button, customizable reports
• Attack path analysis and contextualized remediation guidance
• Severity and risk scoring

Pros

• Lacework Labs is an internal research team that identifies new threats and prioritizes ways to optimize the Lacework platform
• The solution is highly customizable, especially through features offered in the Polygraph behavioral engine
• Advanced risk contextualization is available with this tool, allowing users to match various types of misconfigurations with identified anomalous activities in their environment

Cons

• Limited third-party integrations and support
• Somewhat limited data governance capabilities

CrowdStrike Falcon Cloud Security

Best for Threat Intelligence

CrowdStrike Falcon Cloud Security offers advanced CSPM features for hybrid and multicloud environments alike. It is specifically compatible with three major public clouds: AWS, Azure, and GCP, offering threat detection, prevention, and remediation features to users of these three services. CrowdStrike’s solution primarily takes an agentless approach to CSPM, with continuous discovery and intelligent monitoring available to simplify risk management and response in cloud environments.

But CrowdStrike’s CSPM solution truly differentiates itself with a strategic take on and deep expertise in threat intelligence. Its adversary-first approach to threat intelligence, with policies based on more than 50 indicators of attack and 150 adversary groups, supports guided remediation and makes it quicker and easier for teams to identify and fix their most pressing security issues.

Pricing

Pricing information for CrowdStrike Falcon Cloud Security is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the Falcon CrowdStrike CSPM portion of Falcon Cloud Security costs $14.88 for a 12-month subscription, with the option to pay for additional units, through AWS Marketplace. Users also have the option to purchase access to Falcon CWP and CWP On-Demand through AWS Marketplace.

Features

• TTP/IOA detections driven by machine learning and behavioral analytics
• Adversary-driven threat detection and intelligence
• Guided remediation support for misconfigurations, guided by industry and organizational benchmarks
• One-click reconfiguration capabilities for unprotected resources
• DevOps, SIEM, and other cloud security integrations

Pros

• This solution integrates well with CrowdStrike’s vast collection of cybersecurity solutions.
• CrowdStrike’s expertise in XDR and EDR solutions makes it possible for CSPM customers to benefit from unique features like cloud threat hunting.
• The platform takes a comprehensive and focused approach to threat intelligence, with identity-driven real-time detection.

Cons

• Little to no code scanning capabilities
• Limited public cloud scope for CSPM, with full features only available for AWS, Google Cloud Platform, and Microsoft Azure

Cyscale

Best for Cloud Security Mapping

Cyscale brands itself as a contextual cloud security posture management solution, offering cloud security management features that support AWS, Microsoft Azure, Google Cloud Platform, and Alibaba configurations. With multiple dashboards, an easy-to-navigate interface, and a structured approach to onboarding both new customers and their individual teams, Cyscale heavily emphasizes the user experience aspect of its solution.

Cyscale offers some of the best mapping features for cloud assets and security controls, like regulatory standards and organization-specific policies. The way it works is that cloud infrastructure issues are mapped to everything from established policies to larger regulatory standards; from there, users have the ability to set custom thresholds to determine which assets are meeting their security and compliance requirements. Cyscale’s approach to mapping is particularly effective for organizations that are frequently audited and need a quick way to visualize problems and possible steps for remediation.

Pricing

Pricing information for Cyscale is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the Pro plan starts at $10,000 for a 12-month subscription and up to 1,000 assets through Azure Marketplace. Users also have the option to purchase the same plan for one month for $1,000. The Scale plan, which includes more features and up to 5,000 assets, costs $50,000 for a one-year subscription and $5,000 per month for month-by-month access.

Features

• Cloud asset inventorying, mapping, and security scoring
• More than 500 built-in security controls and policies
• In-app consultancy and remediation guidance
• Data retention exports for up to one year in PDF and CSV formats
• Exemptions with an exemption approval process are natively offered

Pros

• Beyond support for multiple public clouds, Cyscale also integrates with identity providers such as Okta and Azure Active Directory
• The asset discovery and mapping approach Cyscale takes from the outset with new customers makes this one of the best CSPM solutions for user experience and visibility
• Offers some of the most straightforward onboarding and deployment procedures in the CSPM market

Cons

• Cyscale can be very expensive, especially for businesses with smaller budgets
• What constitutes a single asset can be confusing to users, especially for new users who are attempting to predict costs

Trend Micro Trend Cloud One Conformity

Best for Configuration Recommendations

Trend Micro’s Trend Cloud One Conformity is a leading CSPM solution that mostly focuses on Google Cloud Platform, AWS, and Microsoft Azure configurations, excelling by offering detailed explanations, guidance, and support to new users. Committed to bringing prospective buyers knowledge before they commit, Trend Micro is one of the few CSPM vendors that offers a complimentary public cloud risk assessment to anyone who wants additional guidance on security, governance, and compliance before building their cloud infrastructure in AWS or Azure.

Trend Cloud One Conformity also comes with detailed configuration recommendations that are based on a cloud design and infrastructure standard known as the Well-Architected Frameworks. With this collection of principles as the backbone for its recommendations, users can easily check how their configuration decisions align with pillars such as security, operational excellence, reliability, performance efficiency, cost optimization, and sustainability. Configurations can either be updated manually or auto-remediated based on those rules.

Pricing

Pricing for this Trend Micro solution depends on the source from which you access it. This is one of the few options on this list that can be purchased directly through the vendor, however. The Cloud First plan, offered directly through Trend Micro, is $217 per month per account, billed annually for users with 26 to 50 accounts. Cloud Ready and Cloud Native packages are also offered, and a 30-day free trial is available as well. Learn more about Trend Cloud One Conformity pricing here.

Features

• Remediation guides and auto-remediation
• Filterable auditing for misconfigurations
• Exportable and customizable reports
• Continuous scanning against compliance and industry standards
• Free public cloud risk assessments

Pros

• One of the best options for straightforward, easy-to-setup auto-remediation
• The solution integrates with multiple service ticketing and communication tools, including Slack, ServiceNow, Jira, PagerDuty, and Microsoft Teams
• The Conformity Knowledge Base offers an extensive self-service collection of remediation guides to users

Cons

• Limited CIEM capabilities
• Features are limited to three public clouds: AWS, Microsoft Azure, and Google Cloud Platform

Ermetic

Best for Privileged Access Management

Ermetic is a CNAPP solution that equally emphasizes cloud security posture management and cloud infrastructure entitlement management (CIEM) for AWS, Google Cloud Platform, and Microsoft Azure configurations and users. The addition of advanced CIEM features makes this one of the best CSPM options for monitoring humans and their impact on infrastructural and configuration decisions.

Its identity-driven features include multicloud asset management and detection, risk assessments based on identity entitlements, and IAM-focused policy recommendations. It is also one of the few CSPM software options that include privileged access management (PAM) and just-in-time access management features for its users.

Pricing

Pricing information for Ermetic is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the commercial plan for Ermetic CIEM and CSPM starts at $28,000 for a 12-month subscription and up to 120 billable workloads when purchased through AWS Marketplace.

Features

• Auto-remediation with an identity-driven strategy
• Remediation is available for both unused and excessive user privileges
• Combined CSPM and CIEM functionality
• IaC snippets in Terraform and CloudFormation
• Built-in templates and customizable options for policies

Pros

• One of the best CSPM options for users who also want comprehensive CIEM functionality
• One of the only CSPM solutions that offer privileged access management
• Capable integrations with SIEM and ticketing solutions, such as Splunk, IBM QRadar, ServiceNow, and Jira

Cons

• At least based on the information provided by AWS Marketplace, this is one of the most expensive options in the CSPM market
• Limited to AWS, Azure, and GCP

Also see the Top Cloud Security Companies

Key Features of CSPM Tools

CSPM features can vary greatly, especially depending on if it’s offered as part of a greater CNAPP or cloud security suite of solutions. In general, it’s important to look for the following features when selecting a CSPM solution:

Infrastructure-level risk monitoring and assessments

All CSPM solutions should include some form of risk and configuration assessments, making it easier for users to identify and assess risks. Most tools include risk scoring, risk mapping, or some other kind of risk visualization to help users of all backgrounds quickly identify configuration problems and how to solve them.

Threat detection and intelligence

Threat detection is an important piece of cloud security posture management, and threat intelligence is often a bonus that transforms discoveries into actionable remediation tasks. CSPM solutions typically use industry or organizational benchmarks, specific policies, behavioral analytics, or a combination of these factors to effectively detect and mitigate cloud security threats. A growing number of CSPM solutions also use machine learning to power and further automate the threat intelligence and detection process.

Remediation and recommendations

Unlike some other cloud security tools that simply identify problems for your team to fix, most CSPM solutions include specific recommendations and can remediate issues on their own. Depending on your specific requirements, your team can set up custom organizational policies or utilize built-in regulatory frameworks and best practices as baselines. From there, users often have the option to manually remediate or rely on auto-remediation when issues are discovered.

Advanced data governance and compliance management

Because public clouds and cloud applications are constantly changing and play by their own rules, data governance and compliance management features are very important to the configuration management part of CSPM. Nearly all CSPM tools allow users to build their own or use prebuilt policies and rules for compliance management. Some of the most common regulatory frameworks that CSPM tools build off of include HIPAA, GDPR, NIST, PCI-DSS, CIS, ISO, and SOC 2.

Automation

Many aspects of CSPM are driven by automation, especially for tools that rely on agentless performance. Automated workflows are used to identify and prevent cloud, app, and data misconfigurations that can cause security and compliance problems. Some of the most common types of CSPM automation are used to automate policy enforcement, classification, and remediation.

Benefits of Working with CSPM Tools

CSPM software offers many benefits to users who are looking to enhance their cloud security. These are some of the top benefits that come from implementing cloud security posture management:

• Increased infrastructural visibility: Constant security and compliance monitoring is a standard aspect of CSPM tools. This real-time approach to threat detection and risk monitoring leads to increased visibility for stakeholders with varying levels of cybersecurity experience and infrastructural expertise.
• Security support for multiple environments and ecosystems: Most CSPMs work with at least the Big Three public cloud providers (AWS, Azure, and GCP), and others work well with Oracle Cloud and Alibaba. CSPM vendors’ experience with public cloud environments gives users additional peace of mind when storing data and workloads in public cloud environments.
• Automation that simplifies security management: Automation is interwoven into many parts of the CSPM lifecycle, simplifying risk detection and remediation efforts for complex and sprawling cloud environments.
• Proactive security and compliance recommendations: Instead of only correcting problems after they arise, CSPM solutions can proactively detect configurations and infrastructure designs that are potentially harmful. They can also make suggestions for security posture improvements.
• Enhanced compliance policies and enforcement: Cybersecurity teams can certainly create their own compliance policies, but it’s difficult to enforce these policies across all parts of cloud infrastructure. CSPM tools take some of this burden off of your team, helping them to create and enforce policies that meet your organizational, regional, and industry-specific requirements.

How Do I Choose the Best CSPM Tool for My Business?

Choosing the best CSPM tool for your business requires you to look closely at your specific cloud setup and security requirements. First, consider the size of your cloud infrastructure and the budget you have in mind. While some solutions may seem slightly more affordable than others in this market, many of them have per-unit and capacity-based pricing that can scale up quickly if you’re not careful. CSPM solutions also usually have unit minimums that may exceed the requirements of your organization, meaning you’re paying for more than you actually need with no alternative from that vendor.

Next, consider the unique compliance and security requirements of your business. Do you operate in a region where GDPR is in effect? Do HIPAA or SOX regulations apply to your data? Do you work with third-party cloud environments or applications with their own security rules and procedures? Uncovering the answers to these questions will help you identify a CSPM tool that supports your compliance frameworks and other unique requirements.

Finally, consider any other features that would particularly benefit your team. Automation is included in nearly all CSPM tools, but some have more extensive automation capabilities for steps like remediation and analytics. Many tools also have some form of artificial intelligence baked into their operations. Regardless of the special features that you determine are most important to your team, look for a tool that implements them in an easy-to-use fashion.

More on third-party risk: 10 Best Third-Party Risk Management Software & Tools

Frequently Asked Questions (FAQs)

What is cloud security posture management?

Cloud security posture management, otherwise known as CSPM, is the strategy behind the tools that support security and compliance management in cloud computing environments. Boasting some overlapping features with risk management and cloud-security-focused tools, cloud security posture management software is designed to identify, assess, prioritize, and manage risk at an infrastructure- and configuration-level in the cloud.

What is the difference between CASB and CSPM?

Cloud access security broker (CASB) and CSPM tools are both effective solutions for managing cloud security, but they each focus on different aspects of that security, with some overlap. CASB tools are dedicated to data-level security and user access controls, while CSPM focuses more heavily on infrastructure-level security, compliance, and configuration management.

Is CSPM a part of SASE?

CSPM solutions are often used in combination with secure access service edge (SASE) technology, but CSPM is not officially a part of SASE. CSPM focuses more on the features and functionality needed to secure cloud environments, while SASE solutions support secure access to the resources in those environments through managed services and specialized features.

Methodology

The top cloud security posture management solutions in this list were selected through a thorough examination of their individual feature sets, their scalability, pricing options, user experience, and their general performance on user- and expert-aggregated review sites. Over two dozen solutions were reviewed in order to create this curated CSPM product guide.

Bottom Line: Cloud Security and Posture Management (CSPM) Tools

The best CSPM solution for your business depends less on how these solutions perform in aggregated reviews and more on your specific cloud environment, security, and compliance requirements. It’s important to look for a platform with built-in features for compliance frameworks that apply to your industry and/or region. To make the best decision for your business, we recommend first identifying your top compliance and cloud security concerns and then reaching out to vendors to determine what support and features they offer in those areas.

Read next: Cloud Security Best Practices

The post Top 7 Cloud Security Posture Management (CSPM) Tools appeared first on eSecurity Planet.

While it’s certainly possible to construct your own pentest framework that meets the specific security and compliance requirements of your organization, a number of existing methodologies and frameworks can be built upon to make the job easier for you. In fact, it’s generally more effective to use one of these comprehensive and peer-reviewed solutions in order to keep your pentests on track.

Read on to learn more about how pentest frameworks are used, how they’re set up, and some of the top pentest frameworks that are available today.

Jump ahead to:

• How Pentest Frameworks Work
• 10 Categories in a Pentest Framework
• How Penetration Test Frameworks Are Used
• 7 Top Pentest Frameworks
• Bottom Line: Pentest Frameworks

Also read: What Is Penetration Testing? Complete Guide & Steps

How Pentest Frameworks Work

In simple terms, a pentest framework works by guiding pentesters to the right tools and methodologies to use for a penetration test, depending on the pentest type and the scope of the test they’re planning to run. Once a pentester gets started with the penetration testing and ethical hacking process, they should reference the pentest framework for the tactical categories they should assess during their tests.

Once the pentest is complete, the pentester should continue using the framework to help them further evaluate and report on their findings, especially as they relate to those primary tactical categories. It’s also important to return the environment to its pre-pentest settings.

The Steps of a Typical Pentest Framework

Pentest frameworks work in slightly different ways, depending on which pentest framework you use, but most follow similar steps that help organizations efficiently and comprehensively move through their pentesting programs.

These are some of the most common steps a pentest framework follows:

1. Initial planning and preparation: The framework instructs organizations to determine who their pentester(s) will be, what pentest framework and methodology/methodologies they’ll be following, expectations for the test and reported results, any legal or compliance requirements, and any tools or resources that are needed in order to conduct a successful test.
2. Intelligence and information gathering: Information that should be gathered early in the pentest framework development and selection process includes the scope of asset ownership, network targets, exploits, any involved third parties, network ports, IP addresses, relevant employees’ names, and property locations. In some cases, this phase is also called the discovery, testing, scanning, or assessment phase.
3. Attack phase: The pentester begins their attack and evaluates the system based on how it performs against the framework’s predefined tactic categories.
4. Post-attack phase: The pentester, or a team of cybersecurity experts, makes sure the testing environment’s assets and features are returned to their original state.
5. Reporting results: The pentest framework is used to frame results based on tools used, tactic category performance, and more.

Also read: How to Implement a Penetration Testing Program in 10 Steps

10 Categories in a Pentest Framework

The typical pentest framework clearly outlines tactic categories that pentesters should use to evaluate cybersecurity performance on multiple fronts during their penetration testing efforts. Every framework uses its own terminology and approach to tactic categories, but these are some of the most frequently found categories in a pentest framework:

1. Collection: As an ethical hacker, what kinds of information and security intelligence are you able to collect during your attack? How valuable would this information be to future attack vectors and plans?
2. Command and control: What kinds of backdoors and covert forms of communication are you able to set up in the enterprise network’s servers or apps during your simulated attack? Are these backdoors easily detected? Do they stay open even after cybersecurity tools step in to mitigate risk?
3. Credential/information access: What tools, users, and hardware can access what kinds of information? What credentials and controls are in place and how effective are they at stopping unauthorized user access during your simulated attack?
4. Defense evasion capabilities and strategies: How does your cybersecurity infrastructure handle threat detection and how does it respond to an attacker’s defense evasion strategies? How effectively does your infrastructure identify and avoid various types of threats, and how quickly does it pivot when initial lines of defense aren’t enough?
5. Discovery and information gathering: How quickly and comprehensively does your cybersecurity setup gather and sift through relevant security incident information after the simulated attack begins?
6. Execution: How do your cybersecurity tools respond when handling an unauthorized user or other suspicious activity in the network? What tools go into action, what are their response timelines, and what gets mitigated by tools versus security professionals? Additionally, how does your cybersecurity infrastructure respond to attack types like remote code execution?
7. Exfiltration: Can data be stolen from any part of your network? If so, what data is accessible, in what quantities can it be taken, and how much defense (if any) goes up against data exfiltration operations?
8. Lateral movement: During the simulated attack, are you able to easily move from your initial point of access into another app, database, or component of the network? How difficult is lateral movement between grouped apps versus parts of the network that are in separate segments or departments?
9. Persistence: What misconfigurations, backdoors, implants, or other components of your attack persist even after cybersecurity tools respond to your attack? Over what time frame can these features continue to deploy discreet attacks?
10. Privilege escalation: Can attackers change their own credentials or steal the credentials of another user in order to elevate their access levels and user permissions in the network or specific applications? How difficult is privilege escalation for an internal bad actor versus an external bad actor?

How Penetration Test Frameworks Are Used

Generally speaking, penetration test frameworks are used to make pentesting efforts more comprehensive and effective. However, pentests are used for a variety of reasons, and pentest frameworks have a few different use cases as well. Here are some of the most common ways penetration test frameworks are used:

• Vulnerability assessment and management
• Ethical hacking for offensive cybersecurity improvements
• Defensive cybersecurity evaluations
• Discovery, probing, and reconnaissance
• Enumeration and information gathering
• Cybersecurity and compliance audits

7 Top Pentest Frameworks Explained

Below, you will find some of the most commonly used pentest frameworks and methodologies, both in a chart and a more detailed discussion. It’s important to note that many of the frameworks you see listed here — such as the Open Source Security Testing Methodology Manual (OSSTMM) — started out as simple pentesting frameworks but have since evolved into methodologies upon which other pentesting frameworks have been developed.

Cobalt Strike

Cobalt Strike is a red team command and operations framework that is one of the most popular frameworks for pentesting. The tool includes adversary simulations, incident response guidance, social engineering capabilities, and more. Users have the option to alter Cobalt Strike to their specific needs with the Community Kit repository, and they can further extend its capabilities by using it in combination with Core Impact, the pentesting software offered by Fortra.

Also read: How Cobalt Strike Became a Favorite Tool of Hackers

Metasploit

Metasploit is a collaboratively-designed penetration testing framework that comes from Rapid7 and the open-source community. Some of its most important features include 1,500 exploits, network discovery, MetaModules for tasks like network segmentation testing, automated tests, baseline audits and reports, and manual exploitation and credential brute forcing options. Users can choose between the free, open-source version of Metasploit or Metasploit Pro for additional features.

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

NIST Cybersecurity Framework

NIST’s Cybersecurity Framework (CSF) is a slightly broader framework option that focuses on standards, best practices, and guidelines for all kinds of cybersecurity risks. The five functions that this framework focuses on are: Identify, Protect, Detect, Respond, and Recover. Because this is a broader framework and comes from the U.S. Department of Commerce, this standardized framework can be used as guidelines for a variety of cybersecurity tests and compliance audits.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM framework from the Institute for Security and Open Methodologies (ISECOME) has moved past basic framework features into a full methodology for security testing and analysis. Among other topics covered in its detailed guide, the Open Source Security Testing Methodology Manual gives users information about how to define and scope a security test, rules of engagement, error handling, and disclosure of results.

Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard, or PTES, is another pentesting framework that has evolved into a full methodology. Its main sections cover penetration test communication and rationale, intelligence gathering, threat modeling, vulnerability research, exploitation and post-exploitation, and reporting. The guidelines in the official PTES do not discuss how to conduct a pentest; the team has developed a technical guidelines document to instruct and support in this area. A second, updated version of PTES is currently in the works.

Open Web Application Security Project (OWASP)

OWASP’s Continuous Penetration Testing Framework is an in-the-works framework that focuses on standards, guidelines, and tools for information security and application security penetration tests. OWASP offers a transparent roadmap to users who are interested in learning more about the release timeline and features of this framework.

PenTesters Framework (PTF)

TrustedSec’s PenTesters Framework (PTF) is based heavily on the Penetration Testing Execution Standard. It is designed to make installation and packaging more streamlined and is considered highly customizable and configurable. Users can either download PTF with a Linux command or directly through Git.

Also read:

• Best Open-Source Distributions for Pentesting and Forensics
• Top Open Source Penetration Testing Tools

Bottom Line: Pentest Frameworks

Your penetration testing efforts won’t be as successful if you don’t rely on a pentest framework to structure your processes, the tools you use, and the tactical areas you target. It’s important for pentesting procedures to be both repeatable and scalable, especially as your organization and its attack surface grow. Pentest frameworks take the guesswork out of pentesting, allowing you to focus on improving other areas of vulnerability management while still conducting successful tests and research.

Further reading:

• How Much Does Penetration Testing Cost? 11 Pricing Factors
• Best Penetration Testing Tools
• Best Vulnerability Scanning Tools
• Top Breach and Attack Simulation (BAS) Tools

The post What Is a Pentest Framework? Top 7 Frameworks Explained appeared first on eSecurity Planet.

It’s a fast-growing cloud computing technique that has gotten buy-in and support from a variety of hardware, software, and cloud vendors. Read on to learn more about confidential computing, how it works, and how it benefits enterprise data security efforts.

How Does Confidential Computing Work?

Confidential computing is all about using technology to create an isolated safe space, otherwise known as a Trusted Execution Environment (TEE), for the most sensitive data and data processing instructions. During confidential computing, the TEE and a preselected dataset are separated from the rest of the computing environment, including the operating system, the hypervisor, uninvolved applications, and even cloud service providers. 

Unlike other types of data processing, in confidential computing data does not need to be decrypted in memory and exposed to external security vulnerabilities in order to be processed. Instead, it is only decrypted in the Trusted Execution Environment, which relies on hardware-based coprocessor security, embedded encryption keys, and embedded attestation mechanisms to ensure that only authorized applications, users, and programming code can access the TEE and the data it houses. Data processed inside a Trusted Execution Environment is completely invisible to all computing elements that aren’t part of the designated TEE, and data always stays encrypted while in transit or stored outside the TEE.

Also read: Encryption: How It Works, Types, and the Quantum Future

7 Benefits of Using Confidential Computing

Confidential computing offers a number of benefits for safer handling of sensitive data while in use.

1. Added security in shared, untrusted, or unfamiliar environments

The modern computing landscape, especially when the cloud’s involved, means your data is often stored in environments that are exposed to third parties, different departments, and public users. There’s limited native protection built into cloud environments, especially for your most sensitive data when it’s in use. Confidential computing techniques and technologies give your sensitive data more safeguards, regardless of the computing environment.

2. Secure data input and output

The only time data is decrypted during the confidential computing process is when the TEE has taken multiple steps to ensure that only authorized programming code is entering the environment. At all other times, sensitive data remains encrypted, adding more privacy and security while data is in transit or stored in another part of the computing environment.

3. Equal focus on security and cloud computing capabilities

Traditionally, businesses have either had to process sensitive data in memory with major security risks or limit their sensitive data processing in order to protect it; neither approach is ideal for optimal data usability and outcomes. Confidential computing makes it so users can take advantage of the power and complexity of a cloud computing environment while still protecting their sensitive data to the utmost degree.

4. Remote quality assurance capabilities

Confidential computing architecture is designed for remote quality assurance and security management. Remote verification and attestation make it easier for security admins to manage a distributed network while still protecting and monitoring the Trusted Execution Environment.

5. Easier detection and prevention of unauthorized access

Built-in attestation enables the confidential computing architecture to verify programming codes before they can enter the TEE; confidential computing technology can also completely shut down the computing process if an unauthorized set of code attempts to tamper with or gain access to the TEE. This type of computing provides an ideal combination of hands-off security protocols and visibility into unauthorized network traffic.

6. Compatibility with data privacy and compliance requirements

Compliance laws like GDPR and HIPAA require companies to store and use data in specific ways to maintain compliance. It’s not always easy to adhere to these standards in a public cloud environment, but with the additional security features confidential computing provides for sensitive data, businesses can more easily comply with a variety of data privacy and security regulations while still making the most of their data.

7. Protection for data in use

Although other techniques are emerging and being used today, confidential computing is one of the few encryption strategies that effectively protects data in use. Most other encryption approaches protect data at rest and data in transit only.

Also read: Exfiltration Can Be Stopped With Data-in-Use Encryption

Confidential Computing Use Cases

Confidential computing’s protections make it ideal for a number of sensitive data use cases.

Secure third-party outsourcing

Outsourcing certain business functions to third parties is common these days, but it can be a risky move if your data isn’t entirely secure. The enclaved approach taken with TEEs makes it so your internal team can protect and essentially hide sensitive data from unauthorized third-party users, allowing them to focus solely on the parts of your computing process they need to access while trusted members of your team manage sensitive data processes.

Encryption to mitigate insider threats

Because confidential computing means sensitive data is encrypted at all times (until it is processed in the TEE), even members of your internal team cannot access and interpret this protected data without authorization. This feature of confidential computing protects against rogue users within the network as well as users who fall victim to credential phishing attacks.

Protected public cloud use

Businesses are moving many of their workflows and operations to the cloud, but some of the largest enterprises are still hesitant to move their most sensitive workloads to a public cloud environment. With confidential computing in the mix, enterprises can feel more confident and maintain more control over their sensitive data at rest, in transit, and in use, even in a public cloud environment with third-party vendors and users that follow varying security protocols.

See the Best Third-Party Risk Management Software & Tools

IoT data processing

Internet of Things (IoT) devices generate massive amounts of data that are rarely stored in a secure fashion. Confidential computing is increasingly being used to create enclaves where IoT data can be processed in a confidential way that ensures the data isn’t tampered with.

Collaborative data analytics and data usage

Analyzing broader patterns across an organization or an entire industry often requires users to access sensitive data outside of their normal scope of work. Offering an alternative and more secure approach, confidential computing supports secure and collaborative data analytics, allowing users to manage and view their own inputs and gain insights into a sprawling dataset without seeing other users’ inputs or outputs. This approach to analytics is especially helpful in industries like insurance and healthcare where analyzing and interpreting broad patterns can inform insurance rates and diagnostics, respectively.

Blockchain and crypto security

The encryption involved in confidential computing is especially useful in a blockchain environment. Common confidential computing use cases include smart contract, private key, and cryptographic operations management.

Machine learning training

For organizations that want to work with or train a machine learning model without exposing their training dataset, confidential computing is a viable solution for privacy. The machine learning model can be placed in a TEE enclave, allowing data owners and users to share their data with the model and train it in an invisible, isolated environment.

Confidential Computing Consortium (CCC)

The Confidential Computing Consortium (CCC) is a Linux Foundation project community that is made up of various tech leaders. The CCC works to advance confidential computing capabilities and adoption through collaboration on high-profile and open-source confidential computing projects. Its current projects include Enarx, Gramine, Keystone, Occlum, Open Enclave SDK, Veracruz, and Veraison.

The organization is led by two governing officers, a board of directors, committee chairs, and various staff. Members of the Confidential Computing Consortium include Intel, Meta, Microsoft, Google, Accenture, Huawei, Red Hat, Accenture, Anjuna, AMD, Canonical, Cisco, Fortanix, Nvidia, Ruby, and VMware.

Confidential Computing vs. Homomorphic & Data-in-Use Encryption

Confidential computing, fully homomorphic encryption (FHE), and data-in-use encryption share many similarities, especially since they all focus on securing data in use, but each creates a slightly different encryption and usage scenario.

Data-in-use encryption could be looked at as one component of confidential computing; it is used to keep data encrypted until it is in an isolated TEE, where it can then be decrypted by authorized keys and code. Confidential computing also takes this approach to encryption and isolated data processing, but it’s a much broader concept that includes other technologies and strategies, like other types of encryption, secure execution environments and storage, secure communication protocols, and secure key management features.

Fully homomorphic encryption is an old idea that has only recently advanced enough to realize its promise. This approach to data security encrypts data throughout its entire lifecycle, even when it’s being used in computations. Data inputs are encrypted during processing and computing, and results come out encrypted as well. In contrast, both confidential computing and data-in-use encryption allow data to be decrypted and viewed when it’s in the Trusted Execution Environment.

In theory, FHE has some major security benefits since data is encrypted throughout the computing process. However, this type of encryption requires large amounts of overhead, is complex to manage, and has potential for users to make changes to encrypted data without other users ever knowing, thus damaging data integrity. FHE is still early in its development and may overcome some of these shortcomings over time.

Also read: Homomorphic Encryption Makes Real-World Gains, Pushed by Google, IBM, Microsoft

Top 3 Confidential Computing Companies

Confidential computing is a complex process that requires advanced software, hardware, and cloud computing technologies. As such, there are many confidential computing companies and leaders that focus on different parts of the confidential computing architecture. We’ve taken a closer look at three of these leaders below. Other leading confidential computing companies include IBM, Google (Alphabet), AWS, and Fortanix, and promising startups like Anjuna Security, Opaque Systems, Inpher, Gradient Flow, HUB Security, Edgeless Systems, Profian, Secretarium, and Decentriq.

Intel

Intel is one of the first and foremost players in the confidential computing space. Intel Software Guard Extensions (SGX) is the most commonly used hardware-based enclave solution for confidential computing. The company also manages Project Amber, a zero-trust confidential computing project, and Intel Trust Domain Extensions (TDX), a VM-focused approach for added privacy and control. Ron Perez, an Intel fellow and chief security architect at Intel, is the Confidential Computing Consortium’s governing board vice-chair.

Fortanix

Fortanix is considered one of the earliest pioneers in confidential computing. Fortanix’s Confidential Computing Manager (CCM) is a SaaS solution that helps users manage TEEs and protect data in use across various cloud environments. Fortanix is also a founding member of the Confidential Computing Consortium.

Microsoft

Microsoft offers a range of confidential computing solutions primarily through the Azure cloud environment. The Azure confidential computing initiative includes various products and services, such as confidential VMs and confidential VMs with application enclaves, confidential containers, trusted launch, a confidential ledger, SQL Azure Always Encrypted, Microsoft Azure Attestation, and Azure Key Vault M-HSM. Stephen Walli, a principal program manager for Microsoft Azure, is the governing board chair for the Confidential Computing Consortium.

See the Top Enterprise Encryption Products

Bottom Line: Confidential Computing

The modern enterprise network isn’t just an on-premises environment or simple data center. It consists of third-party partners and applications, public and hybrid clouds, and other external factors that feel somewhat beyond the control of traditional network security solutions. Processing data in those environments is more perilous than ever. For companies that want to increase their security and control at the data level, regardless of what their network looks like or who is using it, confidential computing offers a solution to maintain data security while upholding data integrity and enabling high-performance data tasks.

Read next: Security Considerations for Data Lakes

The post What is Confidential Computing? Definition, Benefits, & Uses appeared first on eSecurity Planet.