
Check Point CloudGuard

Prevention-First Cloud Native Application Protection Platform

New Capabilities More Context Actionable Security Smarter Prevention

©2022 Check Point Software Technologies Ltd. 1


THE MOVE TO THE CLOUD
Puts 100x velocity and scale in the hands of developers


MORE VELOCITY FOR DEV = MORE RISKS FOR SEC

• Over permissive roles
• Misconfigurations
• Exposed Vulnerabilities
• Default permissions
• Open-Source Code

DEPLOY SEPARATE TOOLS TO FIX ISSUES

• Misconfigured Code – IAC Security & Code Scanning
• Overly Permissive Users – Cloud Entitlement Management
• Compliance & Misconfigurations – Cloud Posture Management
• Threat Monitoring – Cloud Detection & Response
• Malware & Vulnerabilities – Container & Agentless Scanning
• Web, API, & Bot Attacks – WAF, API SecGW & Bot Mitigation

• Complicated Security Management
• Too Many Alerts
• No Context
• Lack of Effective Risk Management


The Public Cloud “Shared Responsibility Model”

Customer: Responsible for security “IN” the cloud

• Customer data
• Platform, applications, identity and access management
• Operating system, network & firewall configuration
• Client-side data encryption and data integrity authentication
• Server-side encryption (file system and/or data)
• Network traffic protection

Cloud Vendor: Responsible for security “OF” the cloud

• Compute, Storage, Database, Networking
• Cloud global infrastructure: Regions, Available zones, Edge locations

Gartner Predictions:

• Through 2025, 99% of cloud security failures will be the customer’s fault
• Through 2025, 90% of the organizations that fail to control public cloud use will inappropriately share sensitive data.
• Through 2024, the majority of enterprises will continue to struggle with appropriately measuring cloud security risks


Enemy #1: Misconfiguration & Configuration Drift

#1 Cause of Cloud Data Breaches


World’s Biggest Data Breaches & Hacks

https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/



Case Study: What happened?

July 2019 | August 2020

• Hacker gained access to > 100 million Capital One customer records

• Located in Capital One’s public cloud environment (AWS)

• Stolen details related to existing and prospective credit card customers

• Credit scores, credit limits, linked bank accounts, transaction/payment history

• Social Security details, contact details, DOB and income details

• Hacker also set up cryptocurrency mining operations (Crypto-jacking)

• Ultimately fined US $80m + US $190m Customer Lawsuits + CEO makes public apology. Ouch!



Case Study: How did it happen?

Core Problem:
Misconfiguration & Lack of Visibility

• Initial entry via misconfigured firewall (WAF)

• Gained access to a misconfigured EC2 instance

• Elevated privilege IAM role permitted access to S3 storage

• Discovery technique applied to detect all S3 storage

• Misconfigured S3 buckets identified (public & unencrypted)

• Permitted duplication and exfiltration of data


[Internal Use] for Check Point employees

CLOUDGUARD MAKES IT EASIER to focus on the risks that matter with Effective Risk Management

AND NOW THE TRUTH IS, you can operationalize security at cloud speed and scale

there is no magic.

More Context – Actionable Security – Smarter Prevention


STOP CHASING ALERTS…
START OPERATIONALIZING CLOUD SECURITY

MORE CONTEXT

Prioritized 8 out of 108k risks

CloudGuard scans the entire cloud environment to identify security risks, and prioritizes those risks based on the attack path and exposure impact to the business


ACTIONABLE SECURITY

Critical Risk Identified: Overly permissive Admin Role with full access

CloudGuard prioritizes the risk to highlight those most critical, so security teams can better focus efforts


SMARTER PREVENTION

Implement Suggested Role Policy

CloudGuard automatically prevents threats in runtime and provides security teams with actionable remediation guidance throughout your development pipeline


ONLY CLOUDGUARD OFFERS SMARTER CLOUD THREAT PREVENTION...

Comprehensive, Consolidated, & Collaborative

• From code to cloud
• From workload to application
• From intelligent remediation to runtime prevention
• Across the broadest number of use cases

More Context – Actionable Security – Smarter Prevention


More Context – Actionable Security – Smarter Prevention

1 Gain deeper insights and visibility – Cloud Security Posture Management with Agentless Workload Posture

2 Understand effective permissions and privileges – Cloud Infrastructure Entitlement Management

3 Identify security issues in the pipeline – Shift-Left Pipeline Security powered by Spectral

4 Prioritize risks across your cloud infrastructure – Effective Risk Management Engine


PREVENTION-FIRST CNAPP IN ACTION
More Context – Actionable Security – Smarter Prevention

1. More Context
CloudGuard looks across the entire cloud environment to identify security risks, understanding the attack path and exposure impact to the business in order to apply actionable security in context

• Vulnerability identified in store-front application code in development
• Unencrypted storage found, linked to an externally-facing, crown-jewel web-server using default Admin Role policies with no WAF protection
• Secrets found in GitHub repository that has been shared
• Weak password configured on lab management console

Diagram labels: Security Findings, Contextual Inputs, Business Impact, Attack Path


PREVENTION-FIRST CNAPP IN ACTION
More Context – Actionable Security – Smarter Prevention

2. Actionable Security
Instead of looking through a million findings, spotlight the most critical risks & threats across cloud environments, workloads, and code

Findings ranked by Remediation Urgency:

• 9.8 Misconfigured Crown-Jewel Workload and 9.3 Overly Permissive Role – Unencrypted storage found, linked to an externally-facing, crown-jewel web-server using default Admin Role policies with no WAF protection
• 9.2 Secret in shared repository – Secrets found in GitHub repository that has been shared
• 8.1 Vulnerable Code – Vulnerability identified in store-front application code in development
• 7.1 Weak Passwords in Lab Admin Console – Weak password configured on lab management console


PREVENTION-FIRST CNAPP IN ACTION
More Context – Actionable Security – Smarter Prevention

3. Smarter Prevention
Effective prevention with the fastest path to solve security issues, blending runtime prevention and intelligent remediation guidance across the entire application lifecycle

• 9.8 Misconfigured Crown-Jewel Workload – Misconfigured Workload: Automatic Remediation: CloudGuard automatically turned on encryption on storage bucket using CloudBots
• 9.3 Overly Permissive Role – Overly Permissive Role: Suggested Remediation: CloudGuard recommends a least-permissive model for existing role
• 9.2 Secret in shared repository – Secret Left Behind: Suggested Remediation: CloudGuard recommends removing secret from code artifact
• Unauthorized Access: Automatic Prevention: CloudGuard automatically blocked an attempt to execute an unauthorized process on serverless functions


It’s time for a better perspective

Don’t get lost in the details - let context and automation allow you to prioritize the critical risks that matter.


Manage Vulnerabilities and Risks

More Context: Agentless scanner analyzes entire environment to identify and prioritize vulnerabilities based on context engine findings to better

Actionable Security: Deep understanding of risk and posture findings for the specific environment

Smarter Prevention: Implement remediation guidance or automate threat prevention with CloudBots


Remediate Excessive Permissions

More Context: CIEM engine scans the entire environment to identify excessive and risky permissions

Actionable Security: At risk entities are audited to understand impact level

Smarter Prevention: Suggested remediation role is provided to fix in runtime


Detect and Stop Issues in Developer Pipeline

More Context: Spectral scanner runs across development environments to uncover security vulnerabilities and issues in code

Actionable Security: code security findings with specific investigation details directed at developers

Smarter Prevention: Intelligent remediation in development environment based on investigation


ONLY CLOUDGUARD OFFERS SMARTER CLOUD THREAT PREVENTION...

Comprehensive, Consolidated, & Collaborative

• From code to cloud
• From workload to application
• From intelligent remediation to runtime prevention
• Across the broadest number of use cases

More Context – Actionable Security – Smarter Prevention


PREVENTION-FIRST CNAPP

More Context Actionable Security Smarter Prevention

THANK YOU

New Capabilities More Context Actionable Security Smarter Prevention
