Setting up a virtual local area network (VLAN) can be a complicated process, especially if you’re operating a large enterprise network, a network with legacy or hybrid architectures, or a network with specific workloads that require additional security and regulatory compliance safeguards.

Each VLAN configuration process will look a little different, depending on the specifications you bring to the table, and some of these steps — particularly steps five through eight — may be completed simultaneously, in a slightly different order, or even in a more automated fashion if you choose to set up a dynamic VLAN.

Still, in general, your network stands the best chance of success if you complete the following 12 VLAN configuration steps and document your processes, strategies, and requirements along the way.

1. Brainstorm VLAN Groupings

In a traditional local area network with no virtualized barriers, all devices and network components communicate and share information with each other; you’re likely setting up a VLAN in the first place because this foundational setup is too loose for your requirements. But what are the ideal segments that will make your network function optimally and securely?

At this point in VLAN creation and configuration, it’s time to determine what VLAN groupings make the most sense for your network’s strategic complexities. Consider not only how many VLANs you’ll need but also the purpose each VLAN will serve and how they need to be set up to fulfill that purpose. While many organizations stick to more traditional boundaries like physical locations or departments, there may be more effective and secure ways for you to group and set up VLAN rules.

For example, if your company works closely with a third-party professional services firm that needs access to certain HR and security applications and data but not others, you could divide your VLANs based on which ones need looser versus stricter identity and access management controls. From there, determine which users and devices will align with and be assigned to each grouping.

2. Prepare Unique VLAN IDs

Every single VLAN you set up will need a unique VLAN identification number so you can segment network traffic to the appropriate places and keep documentation organized for multiple VLANs simultaneously. VLAN IDs are purely numeric and range from one to 4,095. While you don’t necessarily “need” these VLAN IDs to be operational yet, it’s a good idea to figure them out now so you can use them when labeling your network diagram in the next step.

3. Create a Logical Network Diagram or Map

Before you even begin setting up your VLANs and connecting devices and switches, the best way to ensure a successful VLAN network setup is to map out the specificities and relationships of your network with a network diagram. The labels and connections you illustrate at this stage of VLAN creation will give you the labels and organizational structure you need to keep track of all the devices, switches, routers, and other components necessary to fulfill your architectural plans.

Your team may choose to create this diagram manually or with tools that are already in your portfolio. However, a number of free and low-cost network diagramming tools specifically offer templates and icons that make it easier to illustrate the network you’re setting up, often with low-code/no-code interfaces and tools. If you’re interested in finding a network diagramming tool to make this step more efficient, consider investing in one of these top network diagram software and tooling solutions.

4. Optional: Purchase Additional Equipment

Based on the VLAN grouping requirements and design(s) you’ve developed in the previous three steps, you should have a clearer picture of any missing hardware or software that you need to purchase. Perhaps you have more VLAN groupings than you expected and need to bring in additional switches and routers. Or maybe your organization is growing quickly, and you want to purchase new switches with more ports for more devices. There’s also the possibility that you are moving from a primarily on-premises network setup to a hybrid or cloud setup that requires new software or third-party relationships.

Regardless of your new requirements, start by creating an inventory list of any networking equipment you currently own, including information about switch and router formats, configurations, port counts, speeds, and other details pertinent to VLAN setup. From there, make a separate list of the networking tools you’re missing, the cost of these missing tools, and any other specialized information that should be considered during the buying process. 

5. Connect Network Devices to Appropriate Switch Ports

You should now connect VLAN servers, end-user devices, and other relevant network devices — as long as their IP addresses are already configured — to the switch ports that have been selected for the corresponding VLAN group. While individual devices, ports, switches, and routers have not yet necessarily been configured in their settings to align with a certain VLAN and function, you should still know which devices and network components have been set aside for which VLANs. If you’re unsure about the switch ports that should be connecting to each device, reference your network diagram (or go back to the network diagramming stage and create a more detailed diagram). 

If you are opting to create a dynamic VLAN instead of a static VLAN, steps five through eight may look a little different for you. For example, you may spend these steps creating or identifying the appropriate rule-based protocols for your devices and setting up automation rules rather than manually connecting ports and devices to VLANs.

6. Configure Switch Ports

Now that your devices are connected to the correct switch ports, it’s time to configure the switch ports so they can perform according to their assigned functions. Many of your ports will simply need to be set up as access ports in the switch’s settings; an access port is a simple connection that allows devices to connect to only one VLAN. Access ports are most appropriate for devices and users that will not be using VLAN tagging or participating in inter-VLAN routing. 

Trunk ports are also configured in a switch’s settings, but they are designed to manage higher bandwidth traffic and can manage traffic for more than one VLAN. Devices should only be connected to trunk ports if they have been authorized and configured for VLAN tagging and inter-VLAN routing. Before moving on to the next step, double-check that devices are connected to the correct type of switch port for their operational needs.

7. Set up VLAN Specifications via Network Switch Settings

All of the prework is done: It’s time to actually create the virtual local area networks you want through network switch settings. You’ll do this by accessing your network switch management interfaces and going to the section where you can create VLANs. Create the number of VLANs you determined were necessary in previous steps and assign them the unique VLAN IDs you selected in step two.

8. Assign Switch Ports to VLANs

Again, keep in mind that steps five through eight may go in a slightly different order, depending on your team and their preferences. So if you have not yet assigned switch ports to the appropriate VLAN, it’s time to do that now. Tagged ports (trunk ports) are likely already associated with the correct VLANs, but you should confirm that they are set up correctly at this time. For untagged ports (access ports), you’ll need to manually connect them to the correct VLAN. Remember, trunk ports can be associated with more than one VLAN, if appropriate.

9. Optional: Add VLAN Tags

VLAN tagging is the process through which VLAN network traffic is further segmented and specialized. When VLAN tags are in use, associated devices and ports automatically interact with devices and ports that share those same tags; however, tags also give network administrators the power to further direct traffic and support case-by-case inter-VLAN routing scenarios. 

VLAN tagging is most appropriate for networks with complex traffic patterns and a diverse range of users, devices, and security permissions. If you choose to set up trunk ports with multiple VLANs running through them, as demonstrated in step six, you’ll need to make sure at least some of your VLANs receive tags so traffic doesn’t get muddled in trunk ports. 

If you’re not sure if your network would benefit from VLAN tags, read this in-depth article on the topic to help you make your decision: Tagged vs. Untagged VLAN: When You Should Use Each.

10. Optional: Configure Inter-VLAN Routing

If your network requires VLAN-to-VLAN communication as a part of its regular operations, you’ll want to use the VLAN tags you set up in the previous step to direct inter-VLAN routing. While it sounds counterintuitive to open traffic flow between VLANs, many organizations choose to do this because the different layer at which routers operate makes it possible for them to still control what types of traffic flow across VLANs and when and how devices and users move from VLAN to VLAN. As part of the inter-VLAN configuration step, you may also need to set up or double-check your VLAN access controls, ensuring only approved users and devices can take advantage of inter-VLAN routing.

11. Quality-Test Your VLAN

Now that everything’s set up, it’s time to test network connectivity and performance. Make sure that all devices within the same VLAN are able to interact with each other and, conversely, that they are not able to reach devices in other VLANs. Ping and traceroute are both effective tools for testing VLAN connectivity and performance, but a number of other network security and management tools may be appropriate as well.

12. Document and Reassess VLAN Performance Periodically

Enterprise networks in particular frequently change as more devices and users, new hardware and software requirements, and new operational and security use cases arise. Network administrators and/or network security team members should maintain an up-to-date network diagram, equipment inventory, changelogs, and other configuration documentation so it’s easy to see what the network looks like now, if and where any vulnerabilities have reared their heads, and if any other changes are necessary to improve network performance. Each time you go through this process, update your documentation so you have a full history of the network and what you’ve done to maintain it.

Should You Use a Static VLAN or Dynamic VLAN?

Static and dynamic VLANs bring different advantages to network administrators, depending on the size, complexity, and requirements of their network. Below, we’ve explained how each type works and when you should use it.

Static VLAN

Static VLANs exist when network administrators manually connect network devices to physical switch ports and those devices receive their VLAN assignment based on that connection. If the device ever needs to be reassigned to a new VLAN, the network administrator would physically connect it to a new switch port that is already associated with that VLAN. In other words, a static VLAN is one in which switch ports are assigned to VLANs and devices are not assigned to VLANs; they receive their orders directly from the switch port they’re connected to.

This type of VLAN is best for smaller networks, or networks that change infrequently and include fewer VLAN segments because network administrators have to manually connect (and sometimes reconnect) devices to the right ports for them to work. With a larger network that’s changing frequently, this task alone could become a full-time job and riddled with errors. Static VLANs are most advantageous for network administrators who need an easy-to-setup VLAN with predictable infrastructure and limited authentication needs.

Dynamic VLAN

A dynamic VLAN is one in which devices are assigned to that VLAN on a dynamic and semi-automated basis. Specialized criteria determine which devices are assigned to which VLANs and when. These criteria may include specialized network access controls and protocols, VLAN membership policy servers (VMPS) and databases, or some other combination of servers and data-driven rules. With a dynamic VLAN, devices are assigned to VLANs while ports frequently are not assigned to particular VLANs; they are simply the conduit through which pre-assigned device traffic flows.

Dynamic VLANs are best for larger and more complex networks that need to maintain frequently changing authentication and usage rules. It’s a much more difficult implementation process when compared to static VLAN, but for more strenuous network rules and requirements, dynamic VLAN ultimately saves network professionals time in the long run, as they can simply update protocols and VMPS entries when new VLAN assignments are needed across multiple devices.

Bottom Line: The Importance of Preparation for Optimal VLAN Performance

While the actual process of setting up a VLAN can be as simple as updating network switch settings and connecting devices to VLAN switch ports, the strategy behind a successful VLAN setup can be much more daunting. You’ll need to consider any specialized security or compliance requirements, the different device types that need access, and the resources and monitoring it will take to set up and sustain an efficient VLAN. 

All the steps listed above are crucial aspects of creating and configuring a sustainable VLAN network. But perhaps the most important step of all is documenting your thought process and your network architecture, especially as they change over time. Maintaining detailed documentation will help your existing network and security team members stay on top of the most pertinent network updates and issues while simultaneously ensuring that any future members of the team receive the foundational training necessary to successfully work in your VLAN ecosystem.

Read next: What Is Network Security? Definition, Threats & Protections

The post How to Set Up a VLAN in 12 Steps: Creation & Configuration appeared first on eSecurity Planet.

VLANs have made it possible for major enterprises to create more secure network configurations and computing operations, but a VLAN setup alone doesn’t offer support for the more intricate routing configurations necessary for more complex networking scenarios and distributed enterprise teams. Enter the tagged VLAN and the largest debate surrounding VLANs: Is it better to work with a tagged or an untagged VLAN setup?

Also read: What is a VLAN? Ultimate Guide to How VLANs Work

Differences Between Tagged and Untagged VLANs

We’ll dive deeper into both types of VLANs in the following sections, but before we go too far, it’s important to know the basics of what each type of VLAN is and why you might want to use either one:

• Tagged VLANs: When tags are implemented in a VLAN, the broadcast domain is further segmented and devices can only communicate with other devices that have matching tags. Tagged VLANs are best for larger organizations that need stricter traffic and security controls over more complex, higher volume, and different types of network traffic.
• Untagged VLANs: Untagged VLANs are traditional VLANs in which all devices share a broadcast domain, meaning every asset on the VLAN receives every message or piece of data that is transmitted. Untagged VLANs are ideal for smaller organizations and less complicated networking operations where no specialized security or classifications are necessary to separate and isolate VLAN traffic.

Both tagged and untagged VLANs add additional structure and logic to a network than a traditional LAN can, but in their designs, purposes, and most common use cases, tagged and untagged VLANs operate quite differently. Below, consider how tagged vs. untagged VLANs differ across different networking and network security metrics.

See how one managed service provider uses VLANs to protect backups from ransomware: Building a Ransomware Resilient Architecture

Tagged VLANs

A tagged VLAN is a virtual local area network — or multiple VLANs — that uses different ID tags to segment network traffic into more specific broadcast domains. Even if several devices all technically sit within the same VLAN, they can only communicate and share certain information with other devices as authorized by the trunk port switch that has been configured for particular tag(s).

Tagged VLANs have become increasingly popular for enterprise networks because they give network administrators and cybersecurity teams more hands-on controls over and visibility into network traffic. VLAN tags also make it easier to quickly identify and classify different types of network traffic, which lends itself to greater network visibility and easier risk identification and threat mitigation for a network security team.

When to Use Tagged VLANs

The following are some of the most common scenarios in which organizations choose to use tagged VLAN configurations:

• Inter-VLAN Routing and Complex Traffic Management: When you have multiple VLANs that need to share information, tagged VLANs enable more complex configurations and data transmissions via trunk-port switches and routing.
• QoS Requirements: When you’re interested in establishing a Quality of Service (QoS) policy for critical application and traffic management, VLAN tags provide the necessary information to identify and create specialized rules for top-priority or more complex traffic. QoS enables stricter broadcast and resource controls that prevent certain performance issues.
• Security and Compliance Management: When certain departments, groups, applications, or other categories of network operations require special rules or safeguards that need to be classified and isolated accordingly, tagged VLANs support increased network segmentation. This is particularly important for organizations or departments that must adhere to strict regulations and data security laws.
• Multi-tenant Environments: Beyond the typical organization that operates a network for itself, data centers, cloud providers, and other third-party networking organizations can use tagged VLANs to better isolate and manage traffic for each tenant’s particular requirements.
• VoIP Operations: For Voice over Internet Protocol (VoIP) technology users, tagged VLANs are particularly effective for identifying voice traffic and making sure it is prioritized over other types of traffic; this type of prioritization decreases the chance of performance lags during voice calls.
• Growing or Changing Organizational Demographics: if you work in a hybrid or remote environment, VLAN tags make it easier to manage how network traffic should behave, regardless of where it’s physically coming from. Similarly, if your organization is frequently hiring new employees or otherwise makes recurrent changes to active devices on the network, tagged VLANs are easier to identify and adjust as necessary.

Also read: How to Implement Microsegmentation

Untagged VLANs

An untagged VLAN is a more traditional VLAN in which an untagged access port is connected to a host device. Because tags are not an integral part of this setup, it does not matter if the host device is VLAN-aware. The host is able to transmit frames to the access switch port and does not have to add any kind of label or ID for that traffic to be accepted. Once the traffic is received by the access port, it may be given a temporary tag, but regardless, that switch is set up to send untagged traffic to one untagged VLAN source, which is typically another VLAN-unaware host.

Untagged VLANs are most useful when organizations need simple network connections that are easy to maintain or when traffic is low and unspecialized. In guest and home networks where device counts are limited or devices are mostly VLAN-unaware user devices, untagged VLANs give network administrators the simplicity they need and give end users the ease of use they want.

When to Use Untagged VLANs

Untagged VLAN is less widespread in larger organizations, but particularly for SMBs and smaller or hybrid networking operations, you may choose to use untagged VLAN for the following reasons:

• Limited Number of VLANs: If your organization is smaller and only has one or a small number of VLANs that rarely need to interact with each other via inter-VLAN routing, an untagged VLAN offers enough connectivity for most use cases.
• Small Number of Devices or Traffic Requirements: If you have no special security or performance requirements for any devices on your VLAN, VLAN tags may not be necessary to segment the VLAN broadcast domain further.
• Legacy Devices and Network Technology: Not all legacy hardware and devices are VLAN-aware; these types of devices can not readily accept VLAN tags and operate better in a simple untagged VLAN configuration.
• Consumer and Home Network Configurations: If a network mostly consists of end-user devices like phones or laptops, or if a network is operating in an individual’s home or as a consumer Wi-Fi access point, VLAN tags are overkill for the types and volume of traffic moving through. Especially for guest Wi-Fi networks, untagged VLANs are better for easier log-on and ease of use.
• Lacking Networking Expertise or Budget: Untagged VLANs are easier to set up and harder to misconfigure, making them ideal for teams with inexperienced or small network security teams. Untagged VLANs are also less likely to result in costly security or performance errors and typically don’t require more specialized, VLAN-aware components that can get expensive.
• Less Important Traffic Types: It may be beneficial to leave certain frames, devices, or VLANs untagged if they’re primarily used to transmit less important network traffic. For example, if you’re operating a VLAN for VoIP, you may want to use untagged VLAN for non-voice traffic so the tagged voice traffic can be prioritized for performance needs.

Also read: Network Protection: How to Secure a Network

Frequently Asked Questions (FAQs)

How Many Untagged VLANs Can Exist in a Trunk?

While it is theoretically possible for multiple untagged VLANs to exist in a trunk, in practice, there can and should only be up to one untagged VLAN per trunk port. This is because an untagged VLAN has no designation that indicates which devices and components should connect to it; if multiple untagged VLANs are present in a single trunk port, it will not be clear to other devices where they should connect or if they should connect to one of these untagged VLANs.

How Do You Know if a VLAN Is Tagged or Untagged?

There are many ways to check if a VLAN is tagged or untagged. Network administrators can look for labels on ports that indicate if the port is an untagged (access) port or if it is a tagged (trunk) port. Users may also be able to check switch and router configurations and settings, device documentation, or VLAN membership lists for more information.

Bottom Line: The Benefits of Tagged vs. Untagged VLAN

VLANs are useful virtualized infrastructures that support a more logical approach to network grouping and communication, making it possible for network administrators on larger networks to more effectively group and control different types of network traffic. Tags add an additional grouping and control element to the VLAN designation, which is particularly useful for organizations that need to manage larger amounts of traffic for different cybersecurity, workload, and performance scenarios.

But when it comes to tagged vs. untagged VLAN, it’s not necessarily a question of which one is better but rather which one(s) make the most sense for your organization’s devices and particular needs. In fact, it’s often beneficial to use a combination of both tagged and untagged VLANs on your enterprise network, whether you’re attempting to prioritize voice over other performance data on a VoIP network or you’re working to make simple connections to end-user devices while maintaining more complex connections on your network. Using a combination of tagged and untagged VLANs gives you the best of both simplicity and network control.

Next: Top Network Access Control Solutions

The post Tagged vs Untagged VLAN: When You Should Use Each appeared first on eSecurity Planet.

However, as useful as VLANs can be for improving network performance and management, they can also get convoluted and overly complex for enterprise network managers who are juggling multiple VLANs and specs at once. That’s where VLAN tagging — the practice of adding metadata labels, known as VLAN IDs, to information packets on the network — can help. These informative tags help classify different types of information packets across the network, making it clear which VLAN each packet belongs to and how they should operate accordingly.

In this guide, we’ll explore what VLAN tagging is, how it works, and why and how you may want to implement the strategy in your own network virtualization projects.

Also read: VLANs: Effective Network Segmentation for Security

Network Components and Protocols Used in VLAN Tagging

VLAN tagging is a complicated topic, so we’ll start with a discussion of the network components and protocols used in VLAN tagging and the roles they play before we get into specifics and best practices.

• Switches: A network switch connects other devices within a VLAN. In VLAN tagging, switches are responsible for VLAN tag assignment, VLAN trunking, VLAN routing, and other VLAN management tasks that involve directing and labeling network traffic.
• Broadcast Domain: In a traditional network, the broadcast domain includes any devices and other components in that network; because they’re all in the same flat network, they can all receive a message when it’s broadcast. Broadcast domains are made smaller and more function-specific with the help of VLANs and VLAN tagging, a process that segments domains so devices can only receive messages and packets from other devices on the same VLAN segment.
• Router: A network-layer router makes it possible to route data packets across different VLAN. While switches focus on inter-device connections, routers are most useful for inter-switch connections and larger network operations.
• User Authentication: In addition to checking VLAN IDs to ensure they match and are approved for that particular VLAN, many other user authentication methods are typically used to ensure devices and users are approved for that VLAN. A remote authentication dial-in user service (RADIUS) server or other authentication server is typically used to authenticate and authorize user traffic.
• Trunk: The trunk port forwards and facilitates VLAN-to-VLAN communication across multiple VLANs. It operates at the layer two protocol level and is able to manage the transmission of tagged VLAN traffic via switches and routers.
• Layer Two Protocol: Also known as the data link layer, this type of networking protocol is where switches, wireless access points, frames, and other devices are able to exchange information packets within a single VLAN.
• Layer Three Protocol: Also known as the network layer, layer three routing is a more complex layer on top of layer two that makes it possible for information packets to travel to and from devices in separate VLAN segments. Routers operate at level three.
• Single Tagging: This is the ideal approach for VLAN tagging, wherein each VLAN and information packet receives a single type of tag. Single tagging makes it much easier to identify where data packets belong, where they can travel, and with what other devices they can interact.
• Dual/Double Tagging: This is when an information packet erroneously receives two or more VLAN tags. It occurs when a single packet travels through a network and goes through multiple tagging projects. This most often happens when a packet moves to a new VLAN from its previous VLAN but never sheds the tags and naming structure from that previous VLAN.
• Mixed Tagging: Mixed tagging happens when, in a single VLAN or group of VLANs, several different tagging standards are used, whether it’s done unintentionally or purposely because different devices support only certain tagging standards. Mixing tags in a VLAN environment can cause compatibility issues between devices and make it difficult for network administrators to monitor VLAN performance from a single dashboard view.

How VLAN Tagging Works

To begin the VLAN tagging process, you must first virtualize your physical network and set up different VLANs. These VLANs can be grouped however you see fit — some users create VLANs based on device location while others create VLANs based on department, traffic volume, or some other categorical classification. Regardless of how you decide to classify and group your VLANs, you can set them up through systems like wireless access point management systems.

Once your VLANs have been set up, it’s time to designate a specific VLAN ID to each VLAN; VLAN IDs are typically 12-bit values. From there, VLAN IDs are applied to the headers of different information packets that move through the network. Existing information packets can be manually given the VLAN ID that makes the most sense.

As new users and devices attempt to log into the network, an authentication server and/or other authentication tools will first be used to determine if that new host is valid. Once the user or device has been authenticated, a VLAN switch adds a logical VLAN ID to any information packets that item sends on the network. This VLAN ID ensures that the information packet stays within the appropriate VLAN and is only broadcast to that segment of the broadcast domain.

For more complex packet movement, trunks and/or routers may be set up to facilitate inter-VLAN movement. Otherwise — unless an error like dual tagging occurs — that packet is labeled and set up to stay among the hosts, ports, and switches that are present on its particular VLAN.

For an example of VLANs used for network security segmentation purposes, see Building a Ransomware Resilient Architecture.

Is VLAN Tagging Necessary?

VLAN tagging is a useful process, especially for larger networking environments that require admins to juggle different department classifications and expectations, device and user types, traffic types, permissions, and other factors simultaneously. It also helps network administrators for networks of all sizes to get more organized, understand the traffic they have flowing through their network, and segment the network in a logical way that improves performance and traffic flow.

However, VLAN tagging is not necessary for everyone; its usefulness depends on your network size, the number of VLANs you’re operating, and other organizational requirements. In fact, if you don’t know what you’re doing when you first set up VLAN tags, especially if you fail to standardize your processes and procedures, VLAN tags can actually cause more management difficulties than working in an untagged VLAN environment.

Your team should only go into a VLAN tagging project only if you stand to benefit from features like inter-VLAN routing, more granular policy management, and stronger broadcast controls. If you’re primarily looking to set up an easy-to-use VLAN environment for simple user devices and VLAN classifications, untagged VLANs will likely meet your needs.

Also read: Microsegmentation Is Catching On as Key to Zero Trust

7 VLAN Tagging Best Practices

VLAN tagging isn’t easy, but following these best practices will help you get it right.

1. Maintain Consistent VLAN Standards

To make sure your tags don’t get too confusing and devices on your VLAN remain compatible with each other, stick to a standardized naming convention and uniform tagging standards. With VLAN tagging in particular, users have the option to choose between different methodologies and standards, such as IEEE 802.1Q and ISL. Either standard may be the right fit for your organization, but choosing to work with both can create a mixed tagging scenario where it’s easier to lose track of traffic, misconfigure different aspects of the VLAN, and generally have information packets get misunderstood or misdirected.

2. Monitor and Audit for Dual Tagging and Other Tagging Errors

Different tagging errors can easily crop up in your VLAN environment, especially if multiple users and teams are working on tagging initiatives. To make sure you don’t end up with a scenario like information packets with dual tags, continually monitor traffic moving within and across VLANs with network monitoring tools. For the occasional, more in-depth analysis of tag quality, make VLAN tag assessment a part of your regularly scheduled network audits and vulnerability assessments.

3. Control Broadcast Domain Size

Regardless of how well you tag your VLANs and information packets, your network can still get bogged down and run slowly if your broadcast domain and the traffic within that domain grows too large. As your network activity continues to grow, consider creating new sub-VLANs in order to reduce broadcast traffic and make it easier to manage network security and performance in granular segments.

4. Consider Users, Use Cases, and Other Logical Groupings for Tags

Tag groups can be aligned to nearly any category or classification, so it’s best for organizations to think through how they want to group their virtualized network traffic. Do you have third parties, stakeholders, or employees who need more or less access to certain resources? Are certain devices or applications being used in a way that takes up more bandwidth and requires special attention? Do certain devices transmit data that requires stricter data security and compliance practices? These are all questions that should inform how you divide up and tag individual VLANs.

5. Invest in Network Monitoring and Other Cybersecurity Tools

Network monitoring solutions can prevent bigger cybersecurity issues from spiraling out of control on any type of network, including a virtualized network like a VLAN. As a bonus, certain network monitoring tools give users the levels of customization necessary to track VLAN tagging elements, including if certain information packets have been mistagged or accidentally received multiple tags.

Related: 34 Most Common Types of Network Security Solutions

6. Use Staging Environments to Test VLAN Configurations

Misconfigurations are some of the most common issues — and security threats — that networking professionals face when they first get started with VLANs and VLAN tagging. Although working out the kinks in a staging environment might not solve all your problems, especially as network traffic and devices grow more complex, getting your VLAN initially configured in a staging environment gives you a chance to test its capabilities and performance without negatively impacting your actual network’s performance.

7. Keep VLAN Tagging Documentation Up-to-Date

As team members leave and new team members are brought on to your IT and networking teams, the only way to ensure everyone knows how to maintain current VLAN tagging standards is through detailed, up-to-date documentation. Any time a new VLAN or VLAN ID is created and also as internal standards or rules for data management change, be sure to update that documentation and keep it in a location where all relevant stakeholders can access it. For better results, require that all internal networking professionals go through regular training on VLAN tagging and VLAN usage best practices.

Top Issues Faced With VLAN Tagging

VLAN tagging, when performed correctly, can help networks operate more efficiently and securely. However, the opposite may become true if networking professionals aren’t careful. Keep an eye out for the following most common issues faced with VLAN tagging as you embark on a tagging project:

Misconfigurations

There are a lot of different components and moving parts involved in VLAN tagging. Because of its complexities, organizations frequently misconfigure their VLANs and VLAN tags with errors like mismatched VLAN IDs, untagged ports, misconfigured switches and trunks, and overloaded VLANs that hold too many devices and cause network congestion. These issues can not only cause the network to perform more slowly and inefficiently but can also lead to security issues like unauthorized access.

Management Costs

Although correctly configured VLAN environments often lead to cost savings, there are still areas of VLAN management and VLAN tagging that can be cost-prohibitive. For example, smaller organizations may not be able to afford initial costs or maintenance costs for specialized servers like RADIUS servers.

Limited Internal Expertise

Not all organizations have enough in-house expertise or the resources to work with an expert third party for VLAN tagging projects. Whether it’s during initial implementation, ongoing monitoring, or periodic troubleshooting, many organizations run into issues they can’t solve when certain components aren’t working as intended.

Consistent Maintenance and Monitoring Requirements

Related to the issue of limited internal expertise, many companies do not have the resources they need to continually monitor for network performance issues and emerging security vulnerabilities, which causes them to struggle with maintaining high VLAN standards. VLANs require complex network operations to run smoothly, especially since so many devices and networking tools are involved. Interoperability, network traffic, quality of service (QoS) policies, and user access controls are all complex issues networking professionals need to stay on top of for VLANs and their tags to serve their purpose.

Bottom Line: Getting VLAN Tagging Right

VLAN tagging can be a complex process if your team isn’t prepared to keep up with and monitor network configurations, and especially if your team has greener networking professionals. However, especially for larger companies that are managing large swathes of varied traffic and user types, VLAN tagging is one of the most effective, cost-efficient, and scalable ways for system administrators to manage cybersecurity; bandwidth; network performance; and role-based, device-based, and traffic-based controls. Network administrators can reap all sorts of benefits from this organizational management framework for VLANs so long as they’re willing and able to troubleshoot their tagging setups and methodologies consistently.

Read next: Network Protection: How to Secure a Network

The post What Is VLAN Tagging? Definition & Best Practices appeared first on eSecurity Planet.

Containers are unique computing environments that lend many different advantages to users, but their design can also introduce new kinds of security vulnerabilities and challenges. With dedicated container security tools and processes, your organization can ensure that containers stay up and running and continue to protect the applications and data they host with minimal disruption.

10 Components of Container Security

When you’re first setting up containerized applications and infrastructure, it’s important to consider each component of the containerized environment through the lens of cybersecurity. The 10 components listed below not only cover the main components of containerized network architecture but also the container security tools that are most important for this type of network setup.

1. Container network security

A container network is an interconnected, typically virtualized network that is developed between an organization’s different containers. Examples of container networking and virtualization tools include VMWare NSX and HAProxy. Container networking tools help organizations manage communication, interoperability, and scalability while still maintaining control over how individual containers interact with each other.

2. Container runtime security

A container runtime is a type of software that runs containers on the host operating system(s). Examples of container runtime platforms include Docker Engine, containerd, and runC. Container runtime security tools help administrators manage policies, configuration drift and abnormal network traffic, attempted privilege escalations, user access controls, cross-container communications, and container monitoring and logging once a container is up and running.

3. Container registry security

A container registry is a storage repository or catalog for container images that can be pushed or pulled into your running containers through their connection to container orchestration platforms. Some common examples of container registries include Docker Hub, Azure Container Registry, and Amazon ECR. Container registry security tools help users manage image-level security, adjust user privileges, scan images for vulnerabilities, audit image libraries to identify outdated or problematic images, and mitigate supply chain risks.

4. Container orchestration security

A container orchestration tool is what automates and enables the quick deployment and scalability of containers. The best-known example of a container orchestration solution is Kubernetes. Tools that support container orchestration security help users maintain container isolation, manage third-party components, and harden both container runtimes and orchestration platforms while scaling up their container deployment activity.

5. Container image security

Container images are files that contain a microcosmic collection of what’s needed to set up a new container, including container runtimes, registries, configuration settings and specifications, the host operating system kernel, and other information about what can and can’t run on that container. Container image security solutions help users regularly scan image packages and dependencies for vulnerabilities; in many cases, container image security is managed by container registry security solutions.

6. Access controls and user privileges

Identity and access management (IAM) solutions are frequently used to designate specific user privileges in containerized applications and environments. Much of user access management can be handled manually or without tools, but especially as you begin to scale up your container network and differentiate how each container operates, it’s a good idea to invest in tools that support automated credentials and directory management.

7. Container-level segmentation

A number of container and workload segmentation tools are available to manage container isolation and limit lateral movement in cloud environments. These segmentation or microsegmentation tools help to manage zero trust and user access controls with identity verification, enforce application and workload-specific policies, and provide a consistently updated map of where applications live and how they’re being used.

8. Vulnerability scanning and management

Container vulnerability scanning frequently involves looking at the entire container image and then analyzing how workloads, runtimes, orchestration platforms, and other factors may make the overall image more vulnerable to security threats. Beyond simply scanning for vulnerabilities, many container security tools also help to automate the patching process.

9. Container monitoring and logging

Container monitoring and logging tools track the activities and behaviors of microservices, applications, and other components of a containerized environment, reporting any unusual behaviors to your organization’s security administrators. For best results, look for container monitoring tools with event and log correlation, code instrumentation, easy configurability, and compatibility with multiple data sources and types. Most container monitoring and logging tools are affordable, and many are open-source solutions.

10. Container encryption and secure storage

With container encryption, the entire container’s information and operations are hidden from plain sight rather than just individual files or datasets. Container-level encryption is a helpful way to balance secure storage and accessibility, because authorized users can decrypt the container and then access all relevant information in that container from there (though many organizations opt to include additional layers of file and data encryption). Container encryption solutions are best for protecting against backdoors, creating hidden containers, and securely managing cross-platform container security.

See the Top Container Security Solutions

Best Practices on How to Secure Containers

Securing containers requires a combination of traditional cybersecurity strategies and dedicated container security practices. Below, we’ve gathered some quick tips for how to secure your containerized environment:

• Don’t neglect broader cloud and network security tools and strategies in your container security management efforts.
• Stay up-to-date with patches and application upgrades across all containers and container components.
• Take advantage of built-in, configurable security tools in container environments; many already have security capabilities that simply need to be set up.
• Ensure your security teams have application-level visibility and regularly use threat monitoring, logging, and vulnerability scanning tools across each application and container.
• Automate your security scans and other tooling wherever possible.
• Use only vetted container images from trusted sources.
• Set up access controls and usage policies that are specific to each application, platform, and container.
• Regularly audit your containers, alongside your entire network.

Read more on this topic in our Container Security Best Practices Guide.

Benefits of Container Security

Containers make it possible to run granular network operations, and for teams that think strategically about container security, that freedom to customize extends to the cybersecurity tools they use and decisions they make. Learn about some of the specific benefits of container security below:

• Security through segmentation and isolation: Containerized applications and business workflows are purposefully isolated from other containers; containers do a great job of enabling lightweight and efficient computing, and through their isolation, they also help to prevent the spread of security incidents from one application to another, essentially decreasing your organization’s attack surface.
• Consistent builds, immutability, and secure scalability: Once initial container environments are set up for an organization, it becomes much easier to replicate that infrastructure and its security features as computing requirements grow or change. As long as your team establishes strong security tools and procedures from the start, those best practices will transfer to all future containers you build.
• Strategic structure for DevSecOps teams: The tools and best practices associated with container security are optimally designed for DevSecOps. By implementing container security best practices, organizations can ensure developers, security teams, and operations teams all have a hand in and invest time in managing cybersecurity while developing and using containerized applications.
• Container-specific user permissions: Containers operate like miniature networks, making it possible for network administrators to set up container-specific, clustered user permissions. User permissions and capabilities can be confined to specific applications and containers, which limits the possibility of user credentials being stolen and used in an unauthorized fashion across multiple containers.
• Focused environments for continuous security monitoring: Containers are typically given dedicated tools and resources for continuous security monitoring. A focused approach to continuous security monitoring makes it easier to detect threats and anomalous behaviors before they spread to other parts of the network or worsen.
• Configurability for compliance and security audits: Containers are highly configurable and customizable environments, which makes them ideal for complex policy and compliance management requirements. For example, if a specific policy or regulation only applies to one of your departments or projects, the appropriate security rules and settings can be applied solely to that container.
• Simpler security process automation: A number of third-party plugins, extensions, and tools are available to automate security management for containers. Automated tooling options include registry scanners, compliance auditing tools, container firewalls, container workload and host monitoring tools, and alerts and notifications.
• Efficient deployment and rollback: Because containers are both isolated and lightweight, it is easy to set them up and roll them back quickly. This is advantageous in many ways but particularly for cybersecurity because containers that have been impacted by a breach or other suspicious activity can quickly be rolled back to stop the spread to other containers.

Container Security Risks

Container infrastructure involves many different components that are simultaneously running independently and interconnectedly, so it’s no wonder there are several different weak spots for cybersecurity vulnerabilities to creep in, often without network administrators and security teams noticing. When working in a containerized environment, it’s important to be aware of the following security risks:

• Limited visibility: The isolated and segmented nature of containers produces many positive cybersecurity effects, but it has one major cybersecurity drawback: limited visibility for your cybersecurity team. Unless your cybersecurity team uses purpose-built container security, threat monitoring, and dashboarding tools, it will be incredibly difficult for them to do quick security spot checks of your entire network since it’s divided into separate containers with different rules, permissions, and operations.
• Container image vulnerabilities: Container images, especially those from untrusted or unfamiliar third-party sources, may be outdated, unpatched, and/or include malware, spyware, and various vulnerabilities that put your containerized environment at risk. There’s also the risk of image poisoning, or the act in which hackers use backdoors to bring malicious container images into your existing environment without user knowledge.
• User error in container configuration: Even if just one container, application, orchestration platform, or other component of your network is misconfigured, new security vulnerabilities and issues can impact your containers; containerized components rely heavily on each other and can suffer major consequences if another component is misconfigured and left vulnerable.
• Kernel vulnerabilities: Regardless of the hardware or software you use to build out your network, your operating system cannot run without a kernel. Both the host operating system and all hosted containers rely on this core kernel, so if an attack or vulnerability successfully reaches the kernel, it could then impact the rest of the containerized environment.
• Orchestration platform vulnerabilities: Orchestration platforms have their own cybersecurity risks that can affect the containers they manage in a distributed environment. Orchestration-specific cybersecurity risks include outdated patches, API exposures, misconfigurations, and the general complexities that come with managing security for multiple microservices.
• Inconsistent patching and retuning efforts: Containers and all of their components need to be regularly audited and updated in order to maintain security. Individual applications, container images, and container orchestration platforms can all introduce new vulnerabilities into the network if they are not regularly reviewed and patched as new issues are discovered and updates are delivered.
• Loose user access privileges and policies: Containers make it possible for organizations to set up highly segmented user access controls and privileges, but many organizations do not take advantage of this capability. The loose approach most take to managing container access privileges can lead employees and attackers alike to manipulate containers and hosts through Docker APIs, escalate container privileges, leak data, or introduce unapproved container images.
• Third-party exposure: In many cases, third parties have some kind of access to the applications you host in containers, or they may be the owners of applications, libraries, or dependencies that are running in your containers. It can be incredibly difficult to monitor and regulate third-party behavior in your organization’s containers without the proper tools and procedures in place.

Bottom Line: The Importance of Container Security

A growing number of businesses handle computing and daily operations in containerized environments. However, many businesses are not considering the breadth and depth of the container security tools and practices they need before getting started. Bad actors have picked up on this flaw in businesses’ security plans and are targeting containerized environments now more than ever before.

To truly protect the modern attack surface, it’s necessary to incorporate container-specific security tools and best practices into your cybersecurity strategy. Although containers already have some native security benefits, they also pose some additional risks, especially in the ways they limit your cybersecurity team’s ability to view the entire attack surface at a glance. Adding purpose-built container security to your cybersecurity efforts will give your team the peace of mind and support they need to manage vulnerabilities and threats in containerized environments.

Next: See the Top Cloud Workload Protection Platforms (CWPP)

The post What Is Container Security? Complete Guide appeared first on eSecurity Planet.

This modern infrastructure choice brings numerous advantages to operational workflows, but without the appropriate security policies and tools in place, it can also open the door to new security vulnerabilities and attack vectors. To prepare your organization’s containers for all possible security threats, it’s important to be aware of both the challenges you’ll face and the best practices you can follow to optimize your container security setup.

See the Top Container Security Solutions

Top 8 Challenges of Container Security

Container networks are intricate environments, with various components running unique processes and workflows. The design of containers can lead to a number of container security challenges. Here are the major ones.

Vulnerable Container Images

The container images used to create new containers are often the source of new security vulnerabilities for a cloud network. Images, especially those that come from unreliable and/or unvetted third-party image libraries, may be outdated and riddled with malicious code without user knowledge. There’s also the chance that a bad actor will leverage a poisoning attack against images already in your registry or introduce a poisoned image through an unsecured backdoor.

With the variety of images and sources that organizations use when getting started with containers, it can be difficult to detect every abnormality or risk from the outset, especially if your team has little experience with this type of technology.

Vulnerable CI/CD Environments

Even earlier in the container development and deployment lifecycle, it’s possible for vulnerabilities to go undetected in the continuous integration and delivery (CI/CD) environments you use to build container images. Attackers are increasingly introducing malicious code into these build environments and attacking container images, registries, and source code repositories before containers are even built. Build environments have become frequent targets because many organizations do not pay as much attention to build environment security as they do security for other container components.

Monitoring Isolated and Segmented Architecture

By nature, containers are isolated and segmented into unique microservices, which makes it difficult for cybersecurity teams to monitor and quickly assess individual container behaviors in the context of the network as a whole. It takes a well-trained team and the right tools to maintain visibility and effectively monitor a large network with different rules and norms operating in each container.

Maintaining Real-Time Threat Detection During Runtime

A serious security incident can spin up with little notice in container runtime, particularly if the organization has not established appropriate user privileges and is not regularly scanning for anomalous behaviors. Once a container is up and running, real-time threat detection tools and strategies should be in place to catch all possible issues, both existing and emergent.

Setting Up and Working With Various Configurations

Every component of a container ecosystem has its own configuration rules and best practices. It’s all too easy to misconfigure a container image, an orchestration platform, an image registry, or an individual application, and any single misconfiguration could leave the entire container network vulnerable.

Configurations get even more complicated to manage when you consider the different microservices, software formats, and compliance rules that may exist for each container. Open-source container configurations can be particularly challenging to set up and maintain correctly if your team is less experienced with this type of software.

Keeping Up With Security Updates Across Containers

Each container, orchestration platform, application, and individual component of a container typically relies on different software solutions, vendors, and upgrade schedules and particularities. Without automated patching and security management tools, security teams frequently miss crucial patching opportunities and leave their network more vulnerable to unauthorized user access and actions.

Working With Third-Party Products and Services

Sometimes container administrators know they’re working with third-party products and services and are aware of their sources and credibility. In other cases, you may choose to work with third-party container products or services that are less familiar and may not have been properly vetted. Whether you intentionally or unintentionally introduce third parties into your container environment, their cybersecurity posture management practices, user errors, and misconfigurations can extend new issues into your environment.

Designating and Maintaining Appropriate User Access Controls

Each container and application likely requires different user permissions and access levels, especially if certain parts of your business are subject to compliance regulations while others are not. Without a directory or identity and access management (IAM) solution in place, your cybersecurity team will have trouble keeping up with onboarding, offboarding, and otherwise updating the right users in the right places. This has severe consequences: Any unnecessary levels of access that your organization grants open you up to additional security risks, including a greater chance of exposed credentials and credential phishing attacks.

8 Container Security Best Practices

While container security can be difficult to manage, a number of tools, processes, policies, and general best practices can help your team stay on track. Learn about some of the best ways to manage container security for your organization below.

Regularly Monitor for and Fix Container Misconfigurations

Container image, orchestration platform, and other component misconfigurations are some of the biggest, most severe sources of container security breaches. To immediately decrease your chances of a security incident, your organization should strategize on how to monitor for, fix, and establish better standards that prevent container misconfigurations.

To improve your container security outcomes, consider setting up automated configurations and using configuration platforms to avoid issues of human error. Additionally, set up configuration guidelines and expectations from the outset, covering topics like compliance and approved third-party vendors. Finally, make sure your actual build environment has clearly defined dependencies and configurations so new containers can be set up for success.

Learn more about Cloud Workload Protection

Use Purpose-Built Container Security Tools

Many container solutions include built-in security tools that your organization should set up, but those solutions are often not enough to keep up with your different applications and operational workflows. For best results, it’s a good idea to invest in purpose-built container security tools and platforms.

If you’re not sure what to look for in your container security tool selection process, focus your search on the following key features and capabilities:

• Code security tools, including code debugging tools
• Automated image, code repository, registry, and vulnerability scanning
• Workload configuration scanning and misconfiguration alerts
• Container runtime security (CRS)
• Real-time threat detection
• Application-level threat monitoring for zero-day vulnerabilities
• Incident response and forensics
• Accessible reports and dashboards
• Native enforcement and continuous hardening

Automate Container Security Scanning and Threat Monitoring

Automated threat monitoring and vulnerability scanning make it possible for your security and network administrators to manage container security around the clock and at a granular level. With the right monitoring and scanning tools in place, your organization can look for and mitigate misconfigurations, malware code, and various security vulnerabilities in real time and without constantly undergoing full-fledged audits.

Although vulnerability scanning and threat monitoring tasks can be handled manually to a certain extent, it’s a good idea to automate these processes, especially as your container network grows and diversifies. Look for automated tools that regularly scan at an image, dependency, and workload level, and to improve the overall experience, select a tool that includes user-friendly dashboards and data visualizations.

Complete Regular Container Security Audits and Testing

Regardless of what tools or procedures you select, make sure your security audits follow a regular schedule and standardized processes that match your organization’s usage and compliance requirements. In between regular audit cycles, be sure to have continuous security tests running in CI/CD pipelines.

To make container and broader cloud network audits easier to complete, consider investing in a security software solution that includes cloud security mapping among its features. This feature can help you and your team get a quick visual of how all individual pieces of your network — including containers and their individual components — are set up and behaving. This feature is common in cloud security posture management (CSPM) and Kubernetes security posture management solutions.

Vet All Container Images Before Use

Not all container images are created equal, which is why your team must regularly assess container image quality before and during use. To prevent image-related security issues, stick to the following best practices:

• Only use images from trusted third-party repositories.
• Regularly update images and check for patching opportunities; patch management software can help you automate and manage updates across larger container environments.
• Audit images and look for evidence of anomalous behaviors and/or image poisoning.
• Use images that include only the dependencies you absolutely need; this will reduce your attack surface.
• Use image signatures and other verification methodologies to confirm the image source’s credibility.

Patch and Upgrade Container Components Regularly

Applications, orchestration platforms, images, image repositories, and a variety of other components in a containerized environment can become gateways to bad actors and malicious code if you don’t keep up with patch updates. Your team can handle patches manually if you have the on-staff resources and skills to keep track of all patching opportunities. However, most organizations will benefit from using patch management software or a cybersecurity platform that includes this functionality. This type of software is capable of automating and handling patches at scale and across a variety of container components.

Set Up Granular User Access Controls and Permissions

Especially for containers that contain sensitive datasets and are subject to strict compliance regulations, it’s important to determine what roles, responsibilities, and user access levels are necessary to protect that data. Role-based access controls should be applied to both containers and APIs to ensure only authorized users can access and make changes to your applications and the containers where they’re running.

It’s also a good idea to implement internal security and usage policies for all users because having all of the right security tools and permissions in place can only do so much to protect against user errors. Your policies need to cover how different users can and should interact with applications and data stored in containers. An overarching policy may be enough, but role-specific policies and training ensure all users know what they have access to and how they can securely and compliantly use those resources.

Incorporate Broader Cloud and Network Security Best Practices

Your containers and container security practices should be well integrated into your entire cloud computing environment, particularly with DevOps and SIEM tools that you already use. In addition to purpose-built container security tools, it’s important to apply broader cloud security best practices and tools to your container environment. Cloud security posture management tools, third-party risk management platforms, and vulnerability management and scanning solutions are just a handful of cloud security tool examples that often include container-specific configurations and integrations.

Learn more about cloud security best practices.

Bottom Line: Optimizing Your Container Security Setup

Containers offer efficient and lightweight computing architecture to businesses of all backgrounds, but without the proper setup and ongoing maintenance of container components and security tools, your containers and hosted applications can quickly fall into disarray and disrepair.

As a growing number of bad actors target containers and microservice architectures, it’s important to be aware of all of the different ways your host operating system, container images, orchestration platforms, and other container components can fall prey to unauthorized access and use. With the best practices and tips above, your cybersecurity teams and network administrators can be sure that all users are following appropriate processes and procedures and that all container components and security tools are working as they should.

Next: See the Best Cloud Native Application Protection Platforms (CNAPP)

The post 8 Container Security Best Practices & Tips appeared first on eSecurity Planet.

These feeds are often in a standard format like STIX/TAXII so they can be integrated with EDR, SIEM, firewalls, threat intelligence platforms, and other network security tools, offering an additional source of real-time or near-real-time threat information to monitor for indicators of compromise (IoCs), malicious domains and other cyber threats. As a bonus, many of these tools are free to access and have specialized feeds that focus on different industries and sectors.

Here are our picks for the top threat intelligence feeds that security teams should consider adding to their defensive arsenal:

• AlienVault Open Threat Exchange: Best for community-driven threat feeds
• FBI InfraGard: Best for critical infrastructure security
• abuse.ch URLhaus: Best for malicious URL detection
• Proofpoint ET Intelligence: Best for contextualized threat information
• Spamhaus: Best for email security and anti-spam
• SANS: Internet Storm Center: Best for threat explanations

Top Threat Intelligence Feed Comparison

Threat intelligence feeds can come in a variety of formats and pull their information from a number of different sources across the web. To get a better idea of what each top threat intelligence feed solution offers, take a look at our comparison table below.

Jump ahead to:

• Key Features of Threat Intelligence Feeds
• How to Choose the Best Threat Intelligence Feed for Your Business
• How We Evaluated Threat Intelligence Feeds
• Frequently Asked Questions (FAQs)
• Bottom Line: Boost Security with Threat Intelligence Feeds

AlienVault Open Threat Exchange

Best for community-driven threat feeds

AT&T Cybersecurity’s AlienVault Open Threat Exchange (OTX) is one of the largest and most comprehensive threat intelligence feed communities today, with more than 100,000 participants representing 140 countries and contributing more than 19 million threat indicators on a daily basis. OTX prides itself on being a completely open community for threat intelligence, extending access to threat research and shared expertise from security professionals to any and all users.

Beyond simply making its feed available to all kinds of users, AlienVault Open Threat Exchange also does a good job of making its data accessible and easy to read through detailed dashboards. Dashboards clearly state the quantity and types of indicators of compromise (IoCs) and also provide Pulses to quickly summarize threats and their impact. Additionally, dashboards share data about threat names, any relevant reference URLs, tags, adversary and malware families, and attack IDs.

Pricing

All OTX products and features, including the AlienVault Open Threat Exchange and OTX Endpoint Security, are free to use on their own. Additional costs may arise when integrating OTX and OTX Pulses into third-party software or applications. There are also costs associated with the USM product, which users often connect to OTX.

Features

• 100,000 participants and contributors from 140 countries
• OTX Pulses for real-time looks at indicators of compromise, targeted software, and threat summaries
• Integrations with other tools through the DirectConnect API
• Built-in integration with AlienVault USM and AlienVault OSSIM
• Pulse Wizard for automated IoC extraction from blogs, threat reports, emails, PCAPs, and text files

Pros

• Open community approach means threat and security professionals of all backgrounds and from all over the globe can contribute their insights.
• One of the most comprehensive threat delivery solutions available; over 19 million threat indicators are posted daily.
• Threat dashboards are highly intuitive and easy to read.
• With Pulse Wizard, users can easily and automatically extract IoCs from sources in different formats.

Cons

• Though free tools and integrations are available, OTX works best with paid AT&T Cybersecurity products like AlienVault USM.
• The massive, crowdsourced approach OTX takes limits the possibility of effective quality assurance.

FBI InfraGard

Best for critical infrastructure security

InfraGard is a threat intelligence feed and network partnership between the FBI and other government agencies and interested private sector parties. The goal of this threat intelligence community is to share useful threat information back and forth: Private sector leaders can benefit from access to FBI insider knowledge, training, and best practices, while the FBI and other governmental bodies gain additional eyes on different areas of U.S. critical infrastructure. Although it is free to join, membership is required to access InfraGard resources.

InfraGard’s feeds and membership training resources are divided into 16 critical infrastructure categories:

• Chemical
• Commercial facilities
• Communications
• Critical manufacturing
• Dams
• Defense Industrial base
• Emergency services
• Energy
• Financial services
• Food and agriculture
• Government facilities
• Healthcare and public health
• Information technology
• Nuclear reactors, materials, and waste
• Transportation services
• Water and wastewater systems

These focus areas give private sector members access to highly tailored threat information and security tips for their particular industry.

Pricing

It is free to become an InfraGrad member and use InfraGard tools and feeds.

Features

• Threat intelligence feeds are categorized into 16 critical infrastructure sectors
• Threat advisories, intelligence bulletins, analytical reports, and vulnerability assessments are shared with private sector members by the FBI and other government agencies
• Members-only web portal with up-to-date FBI intelligence
• Local InfraGard Member Alliance chapters across the United States
• Two-way threat sharing between the government and the private sector

Pros

• 16 different specialized threat feeds make it possible for users to focus on threats that are relevant to their particular sector
• One of the only threat intelligence solutions that focuses on threat detection and mitigation for U.S. critical infrastructure
• Combines the expertise and insights of government agencies with private sector professionals
• Members can access sector-specific training and resources from the National Sector Security and Resiliency Program (NSSRP) and Cross-Sector Council (CSC)

Cons

• Its membership and networking focus takes away from dedicated threat intelligence efforts
• Focused solely on U.S. infrastructure, making it a less effective option for global enterprises and distributed workforces

abuse.ch URLhaus

Best for malicious URL detection

abuse.ch’s URLhaus feed project compiles data about malicious URLs into user-friendly databases. Though anyone can access this free collection of feeds and the detailed databases they produce, abuse.ch specifically states that the solution is best suited to the needs of network operators, internet service providers (ISPs), computer emergency response teams (CERTs), and domain registries.

URLhaus manages three primary feeds that focus on specific IP address and domain name anomalies. These feeds can be fetched for up-to-date information directly from the URLhaus website. However, for users that want to use this tool to blacklist, review indicators of compromise, or access a parsable dataset, it will be necessary to download the URLhaus API. Additionally, users can only submit their own malicious URL discoveries if they have an abuse.ch account.

Pricing

URLhaus is free for both commercial and non-commercial use.

Features

• ASN Feed for tracking URLs with domain names that resolve to an IP address with a specific AS number
• Country Feed for tracking URLs with domain names that resolve to an IP address with a specific geo IP location or country code
• TLD Feed for tracking URLs with domain names that are associated with a specific ccTDL or gTLD
• Comprehensive, regularly updated malware URL database that includes information such as date added, URLs, status, tags, and the reporter’s identity
• URLhaus API for downloading and submitting malware URLs

Pros

• URLhaus’s three main feeds work for tracking both online and offline malicious URLs.
• URLhaus provides a detailed submission policy to filter out irrelevant malware submissions from users.
• The URLhaus database is well-labeled and frequently updated.
• URLhaus’s API and download options, including a database dump CSV option, are extensive and varied enough to match different user preferences.

Cons

• Several customizations and capabilities, such as blacklisting, are only available if users choose to use datasets in the URLhaus API rather than URLhaus feeds.
• To submit malware URLs via the web, users must log in with Twitter, Google, LinkedIn, or GitHub, which will be publicly visible; the only way around this rule is to submit via API.

Proofpoint ET Intelligence

Best for contextualized threat information

Proofpoint ET Intelligence takes a comprehensive approach to threat intelligence, offering its feeds through what it calls a rich threat intelligence and context portal. It is a top provider of historical threat data, offering both current and historical metadata on IP addresses, domains, and other IoCs. As an added bonus, ET does a great job of separating, classifying, and scoring IP addresses and domains with regular hourly list updates.

Of all the solutions listed in this guide, Proofpoint ET Intelligence is one of the most comprehensive, but it’s also the most expensive. Businesses that are interested in enterprise-level threat explanations and investigative support are the best fit for this solution, while smaller businesses and individual users will probably want to avoid the price tag and opt for a free threat intelligence feed.

Pricing

• Proofpoint ET Intelligence: Subscriptions are estimated to be between $20,000 and $130,000 per year, depending on user count, reseller, and other factors.
• Proofpoint ET Pro: Ruleset: The Ruleset is priced separately. Estimated to be between $750 and $1,000 per year.
• Free trial available.

Features

• Access to historical metadata on IPs, domains, and other IoCs
• IP and domain reputation feeds
• Searchable threat intelligence portal with trends, timestamps, threat type and exploit kit labels, and related samples
• Confidence scoring with aggressive aging practices and hourly list updates
• Support for TXT, CSV, JSON, and compressed formats

Pros

• Integrates with cybersecurity tools and threat intelligence platforms like Splunk, QRadar, Anomali, and ArcSight.
• For an additional fee, users can access the extensive documentation that comes with the ET Pro Ruleset.
• ET intelligence dashboards include highly legible, color-coded graphs.
• Users with less IT infrastructure of their own can use agnostic threat feeds for additional threat detection support.

Cons

• One of the most expensive threat intelligence feeds on the market, and prices continue to go up.
• May have redundant features with other cybersecurity tools in your existing toolset.

Spamhaus

Best for email security and anti-spam

Spamhaus is one of the largest providers of threat intelligence feeds and blacklists/blocklists for email service providers and internet service providers, covering more than 3 billion users with its solutions. Users can access and apply blocklists for policies, exploits, domains, and general IP address spam issues. They can also fix incorrect spam listings in the Blocklist Removal Center, access live news and specialized ISP information, and read dedicated documents on best practices for everything from anti-spam to email marketing.

With its six main feeds and lists, Spamhaus is a comprehensive email security and anti-spam solution; in fact, it is often considered the best solution for accurate, real-time spam filter data. For users who don’t want to juggle multiple Spamhaus threat feeds simultaneously, Spamhaus also now offers Spamhaus Zen, which combines blocklists and information from SBL, SBLCSS, XBL, and PBL blocklists.

Pricing

Most Spamhaus features and DNSBL feeds are extended to users free of charge. However, users and sites that need higher-scale, commercial spam filtering will need to subscribe to Spamhaus’s Datafeed Query Service (DQS). DQS pricing is user- and query-volume-based; pricing starts at $250 per year, and a 30-day free trial is available.

Features

• The Spamhaus Block List (SBL) is a database of IP addresses associated with unsolicited bulk emails and from which users should not accept emails.
• The Exploits Block List (XBL) is a real-time database for IP addresses of PCs that have been hijacked and infected by third-party exploits.
• The Policy Block List (PBL) is a database that helps networks enforce acceptable use policies when dealing with dynamic and non-MTA customer IP ranges.
• The Domain Block List (DBL) is a list of domain names that should be avoided due to their bad reputations.
• The Don’t Route Or Peer Lists (DROP) are drop-all-traffic lists of netblocks that have been hijacked by professional cybercriminals.
• The Register of Known Spam Operations List (ROKSO) identifies the names and countries of several major persistent spam operations.

Pros

• More than 3 billion user inboxes are protected with Spamhaus threat feeds and blocklists; this is one of the largest (if not the largest) blockers of internet spam and malware.
• A detailed FAQ guide is available for users who have specific blocklist questions or more general questions about DNSBL usage.
• For users that want to use only one DNSBL tool, Spamhaus has packaged its SBL, XBL, and PBL solutions into one solution: Spamhaus Zen.
• Spamhaus has a secure ROKSO LEA portal that law enforcement agencies can use to more securely access classified records about spam operations.

Cons

• Certain commercial features and capabilities are only available through a paid upgrade to Datafeed Query Service.
• Spamhaus’s blacklisting procedures sometimes mean safe public IP addresses get blacklisted; the process for getting these IPs unlisted can be tedious.

SANS: Internet Storm Center

Best for threat explanations

Internet Storm Center is one of the oldest and most trusted threat intelligence feed options on the market. It is a feed and community that is entirely built on collaboration, with a small team of volunteers handling daily threat monitoring and documentation. Beyond these daily handlers, ISC benefits from other users who willingly share performance data from their firewalls and intrusion detection systems.

The Internet Storm Center manages to differentiate itself in several ways. For starters, its proprietary network of sensors and its reporting setup mimic weather forecasting in a way that makes ISC effective at providing early warnings for emerging threats. Additionally, ISC focuses not only on technical information about threats but also on providing procedural guidance for how to address these threats.

Pricing

The Internet Storm Center is a free service.

Features

• Pulls information from sensors across 500,000 IP addresses and more than 50 countries.
• Anomalies and detected threats are analyzed by volunteer incident handlers.
• Daily diaries detail handler analyses.
• Frequently updated DShield intrusion detection system and database.
• Incoming data is monitored with automated analysis and graphical visualization tools.

Pros

• Beyond daily diaries, the Internet Storm Center team is also willing to generate custom global summary reports upon user request.
• The ISC’s network of volunteer handlers is made up of cybersecurity professionals with years of experience.
• The daily handler diaries are often the first public reports of emerging attack vectors.
• The distributed sensor network design of ISC makes it easier for the team to quickly identify threats across all corners of the web.

Cons

• The ability to customize ISC’s threat feeds or integrate the tool into private networks and proprietary systems is extremely limited.
• Though the ISC’s network of volunteers is full of experts, it’s still a relatively small team with a setup that could lead to inconsistencies in reporting and depth of analysis.

Key Features of Threat Intelligence Feeds

It’s clear that threat intelligence feeds need to find and identify threats in order to be effective, but what other key features should you be looking for in threat intelligence feeds? In our experience, these are some of the most important features for a threat intelligence feed to include:

Indicators of compromise (IoCs)

Indicators of compromise are the pieces of evidence that reveal a network or specific part of a network has been breached. While more generalized threat intelligence feeds and blacklists don’t always offer IoCs, they’re a valuable feature for teams that want additional guidance for their threat response efforts. Examples of IoCs include malicious IP and email addresses, suspicious domain names and URLs, unusual file paths or file names, unexpected network traffic patterns, and behavioral oddities like frequent unauthorized access attempts.

Real-time updates

Real-time updates or near-real-time updates are a crucial feature of threat intelligence feeds, as threats can evolve or fall apart and new ones can arise in a matter of hours. Many feeds update on a momentary or hourly basis, while nearly all of them update on an at-least daily basis. Many threat intelligence feed providers give users the option to subscribe to alerts when new threats arise or when new daily reports are available.

Contextual analysis

With threat intelligence feeds, threat data is infinitely more useful if users can understand where the threats are coming from, what kind(s) of infrastructure they’re impacting, the overall damage they’re causing, and how these threats compare to historic threats. Dashboards are the most important feature for easy-access contextual analysis. But other features, like contextualized historic metadata, specialized rulesets, and enriched log data are all helpful for better security response and mitigation strategies.

Historical data access

Historical data helps users to frame current threats, both in relation to how those threats first emerged and how they compare to similar historic threats. Historical data that many threat intelligence feeds provide cover attack origins, the identity and past actions of the threat actor, past vs. present attack methods, and past vs. present damage. Having this historical data access allows users to see how quickly certain threat vectors have grown and predict future threat variants and changes in tactics, techniques, and procedures (TTPs).

Integrations

Integrations with other cybersecurity tools help to make threat intelligence feeds more contextual and relevant to cybersecurity management efforts. The best threat intelligence feeds are accessible on their own but also integrate with and provide in-platform insights for other cybersecurity solutions. These integrations may be natively offered or made available through APIs.

How to Choose the Best Threat Intelligence Feed for Your Business

Choosing the best threat intelligence feed for your business will require you to first set internal expectations around budget, integration requirements, and roles and responsibilities for team members accessing those threat intelligence feeds. You’ll also want to consider if a more general feed is what you need or if a specialized, sector-specific feed better serves your business. In many cases, and especially since so many of these threat intelligence feeds are free to use, it may be worthwhile to use multiple threat intelligence feeds in conjunction.

If you’re looking for additional capabilities that go beyond basic threat feeds, a threat intelligence platform or threat research service may be a better solution. You can learn about the leading threat intelligence platforms in this buyer’s guide; for threat intelligence services and other threat management resources, consider one of the following:

• Cisco Talos
• Palo Alto Networks WildFire
• Mandiant Threat Intelligence Services
• Sophos Managed Detection and Response
• Palo Alto Networks Unit 42 Threat Research
• Flashpoint Managed Intelligence

How We Evaluated Threat Intelligence Feeds

Beyond the core threat intelligence feeds we’ve reviewed in this guide, we assessed approximately 15 other threat intelligence feeds and solutions. The selections in this guide were chosen based on their performance in the following evaluation criteria. The percentages listed for each represent the weight of the total score for each product.

Reputation and performance – 50%

Credibility is everything when it comes to threat intelligence, so the bulk of our assessment focused on reputation and performance. We evaluated each feed based on the trustworthiness of its information source(s), the variety of information sources it pulls from, its range and depth of coverage, its contextual analysis and dashboarding capabilities, its security and compliance policies and procedures, and the utility of expert explanations and mitigation tips. 

We assessed both general threat intelligence feeds and function-specific threat feeds, and both types found a spot on our list; in both cases, what we were looking for was evidence that the tool performed its core tasks well for its specified audience. Additionally, when information was available, each threat intelligence feed was assessed based on its perception and performance in user reviews. However, due to the nature of these feeds, limited user reviews were available.

Timeliness – 25%

Speed, accuracy, and comprehensiveness are all important aspects of timely threat intelligence feed delivery. In our review process, we looked for feeds that update their data in real time and from multiple sources. We also considered how quickly this information is disseminated to subscribing users and in what format that information is shared.

Integration and configurability opportunities – 25%

Because threat intelligence feeds serve an important but singular purpose, many organizations need threat intelligence feeds to smoothly integrate with their existing cybersecurity tool stack. In our evaluation of different feeds, we looked for solutions with comprehensive APIs as well as solutions with native integrations in-portfolio or with third-party cybersecurity software. Beyond simply connecting to other cybersecurity tools, we paid special attention to and boosted the rankings of feeds that gave users the freedom to configure and customize feeds according to their specific requirements.

Frequently Asked Questions (FAQs)

What are the primary sources of threat intelligence feeds?

Threat intelligence feeds collect their information from multiple sources, including from the research of security experts and government agencies, malware analysis reports and other sources of open-source threat intelligence, dark web monitoring data, regional and national databases, aggregated customer data from security companies, and network traffic analysis tools.

Can threat intelligence feeds be integrated into existing security systems?

Many threat intelligence feeds can be integrated into existing security systems, either through APIs or native third-party integrations.

How much do threat intelligence feeds cost?

The majority of threat intelligence feeds are free to use. However, some commercial threat intelligence feeds require users to pay an annual subscription, which could run anywhere from approximately a few thousand dollars to over $100,000 per year, depending on user count, reseller pricing, licensing requirements, tool features, and other factors.

Bottom Line: Boost Security with Threat Intelligence Feeds

Threat intelligence feeds won’t provide all of the functionality and corrective action you need to effectively manage your organization’s cybersecurity posture, but they’re great resources for proactive threat identification across a variety of attack vectors. With so many free and low-cost threat intelligence feeds available today, it’s a smart move to integrate one or multiple feeds into your cybersecurity workflow and tools for additional security knowledge and detection capabilities.

Read next: Network Protection: How to Secure a Network

The post 6 Best Threat Intelligence Feeds to Use appeared first on eSecurity Planet.

CSPM is increasingly being combined with cloud workload protection platforms (CWPP) and cloud infrastructure entitlement management (CIEM) as part of comprehensive cloud-native application protection platforms (CNAPP); however, cloud security posture management’s ability to detect and remediate cloud misconfigurations makes standalone CSPM solutions a worthwhile investment for small businesses and enterprises alike.

Here are our picks for the top cloud security posture management (CSPM) tools in the market today:

• Palo Alto Networks Prisma Cloud: Best overall
• Check Point CloudGuard: Best for compliance
• Lacework: Best for behavioral analysis
• CrowdStrike Falcon Cloud Security: Best for threat intelligence
• Cyscale: Best for cloud security mapping
• Trend Micro Trend Cloud One Conformity: Best for configuration recommendations
• Ermetic: Best for privileged access management

Top CSPM Software Comparison

Cloud security posture management tools can come with a wide range of capabilities, including support for different cloud infrastructures and business sizes, and specialized security features and integrations. Here’s how our top CSPM solutions compare across a few key categories:

Jump ahead to:

• Top Cloud Security Posture Management Solutions
• Key Features of CSPM Tools
• Benefits of Working with CSPM Solutions
• How Do I Choose the Best CSPM Tool for My Business?
• Frequently Asked Questions (FAQ)
• Methodology
• Bottom Line: Cloud Security Posture Management (CSPM) tools

Palo Alto Networks Prisma Cloud

Best Overall

Prisma Cloud by Palo Alto Networks is a CNAPP solution with top-tier cloud security posture management features for hybrid, multicloud, and cloud-native environments. The solution offers its full feature set and capabilities across five different public cloud environments: AWS, Google Cloud Platform, Microsoft Azure, Oracle Cloud, and Alibaba. It should be noted that Prisma Cloud is one of the few solutions that provide features that work for both Alibaba and Oracle Cloud.

Prisma Cloud stands out from most CSPM competitors for a number of reasons, including its flexible implementation options, multiple third-party and vendor integrations for security and compliance, machine-learning-driven threat and anomaly detection, and code scanning and development support features. It is one of the few solutions that offer comprehensive code-scanning capabilities that are also easy to use. Customizations and automation are also fairly straightforward to implement through this platform.

Pricing

Pricing information for Prisma Cloud is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, Prisma Cloud Enterprise Edition costs $18,000 for 100 credits and a 12-month subscription from AWS Marketplace. Prisma Cloud Enterprise Edition is the only version of Prisma Cloud with specific CSPM features.

Features

• Automated workload and application classification with full lifecycle asset change attribution
• Configuration assessments based on more than 700 policies and 120 cloud services
• Automated fixes for common misconfigurations
• Custom policy building and reporting capabilities
• Network threat detection, UEBA, and integrated threat detection dashboards

Pros

• Takes a comprehensive approach to data normalization and analysis across multiple sources that goes beyond many competitors
• Machine-learning-driven anomaly-based policies are available to users
• Palo Alto Networks Enterprise Data Loss Prevention (DLP) and the WildFire malware prevention service integrate with Prisma Cloud, supporting robust data security capabilities

Cons

• Palo Alto Network’s approach to pricing is not straightforward; customers can quickly go over their budget, depending on how many Capacity Units they require
• This solution is not ideally suited to smaller businesses, especially since it lacks some spend-tracking functionality

Check Point CloudGuard Cloud Security Posture Management

Best for Compliance Features

Check Point CloudGuard Cloud Security Posture Management is one component of the CloudGuard Cloud Native Security platform that specializes in automated, customizable solutions for cloud security posture management. It is designed to support security and compliance functions in cloud-native environments, offering its full capabilities to AWS, Google Cloud Platform, Microsoft Azure, Alibaba, and Kubernetes users, and limited functionality to other cloud users.

Many users select this CSPM for its impressive compliance capabilities, which include rule-based, ML-driven telemetry mapping based on dozens of compliance frameworks and CloudBots for the automated enforcement of compliance policies. Other standout features in this solution include AI/ML-driven contextualization that comes before risk scoring activities, risk management in IDEs, and advanced infrastructure-as-code scanning.

Pricing

Pricing information for CloudGuard Cloud Security Posture Management is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, one month and 25 assets worth of access to CNAPP Compliance & Network Security cost $625 through AWS Marketplace. AWS Marketplace also offers plans with 12-month, 24-month, and 36-month subscriptions and the ability to purchase 100-asset bundles. CloudGuard Cloud Security Posture Management is typically purchased as part of CloudGuard CNAPP Compliance & Network Security.

Features

• Security hardening and runtime code analysis
• Auto-remediation is provided through a compliance engine
• IAM-driven just-in-time user access
• Security assessments are available for more than 50 compliance frameworks, 250 cloud-native APIs, and 2,400 security rulesets
• Workload and software supply chain security capabilities

Pros

• Threat intelligence support is included as a complimentary add-on for all CloudGuard Cloud Security Posture Management users
• Governance and compliance policies features, especially CloudGuard’s telemetry mapping, are incredibly advanced
• CloudBots offer low-code, open-source automation that is easy to use

Cons

• Limited support and features for Oracle Cloud users
• CloudGuard’s licensing bundles have large minimums that are not friendly to smaller business budgets and requirements

Lacework

Best for Smart Behavioral Analysis

Lacework is a CNAPP platform that combines cloud security posture management with vulnerability management, infrastructure as a code (IaC) security, identity analysis, and cloud workload protection for AWS, Microsoft Azure, Google Cloud Platform, and Kubernetes configurations. Instead of primarily relying on compliance policies for risk and security management, Lacework depends on smart behavioral analysis to determine baselines in your cloud environment and assess anomalies and risks based on those standards.

Lacework’s machine-learning-driven approach allows the platform to automate cloud security management not only for behavioral analytics but also for threat intelligence and anomaly detection. Other effective features in this tool include agent and agentless operations and reporting features, such as push-button and multiple format options, that make it easy to share findings with all kinds of stakeholders in the business.

Pricing

Pricing information for Lacework is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, Lacework starts at $1,500 per month with an additional $0.01 usage fee per unit used through Google Cloud Marketplace. CSPM functionality is offered as part of the Lacework Polygraph Data Platform.

Features

• Cloud asset inventories with daily inventory capture
• Prebuilt and custom policy options
• Push-button, customizable reports
• Attack path analysis and contextualized remediation guidance
• Severity and risk scoring

Pros

• Lacework Labs is an internal research team that identifies new threats and prioritizes ways to optimize the Lacework platform
• The solution is highly customizable, especially through features offered in the Polygraph behavioral engine
• Advanced risk contextualization is available with this tool, allowing users to match various types of misconfigurations with identified anomalous activities in their environment

Cons

• Limited third-party integrations and support
• Somewhat limited data governance capabilities

CrowdStrike Falcon Cloud Security

Best for Threat Intelligence

CrowdStrike Falcon Cloud Security offers advanced CSPM features for hybrid and multicloud environments alike. It is specifically compatible with three major public clouds: AWS, Azure, and GCP, offering threat detection, prevention, and remediation features to users of these three services. CrowdStrike’s solution primarily takes an agentless approach to CSPM, with continuous discovery and intelligent monitoring available to simplify risk management and response in cloud environments.

But CrowdStrike’s CSPM solution truly differentiates itself with a strategic take on and deep expertise in threat intelligence. Its adversary-first approach to threat intelligence, with policies based on more than 50 indicators of attack and 150 adversary groups, supports guided remediation and makes it quicker and easier for teams to identify and fix their most pressing security issues.

Pricing

Pricing information for CrowdStrike Falcon Cloud Security is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the Falcon CrowdStrike CSPM portion of Falcon Cloud Security costs $14.88 for a 12-month subscription, with the option to pay for additional units, through AWS Marketplace. Users also have the option to purchase access to Falcon CWP and CWP On-Demand through AWS Marketplace.

Features

• TTP/IOA detections driven by machine learning and behavioral analytics
• Adversary-driven threat detection and intelligence
• Guided remediation support for misconfigurations, guided by industry and organizational benchmarks
• One-click reconfiguration capabilities for unprotected resources
• DevOps, SIEM, and other cloud security integrations

Pros

• This solution integrates well with CrowdStrike’s vast collection of cybersecurity solutions.
• CrowdStrike’s expertise in XDR and EDR solutions makes it possible for CSPM customers to benefit from unique features like cloud threat hunting.
• The platform takes a comprehensive and focused approach to threat intelligence, with identity-driven real-time detection.

Cons

• Little to no code scanning capabilities
• Limited public cloud scope for CSPM, with full features only available for AWS, Google Cloud Platform, and Microsoft Azure

Cyscale

Best for Cloud Security Mapping

Cyscale brands itself as a contextual cloud security posture management solution, offering cloud security management features that support AWS, Microsoft Azure, Google Cloud Platform, and Alibaba configurations. With multiple dashboards, an easy-to-navigate interface, and a structured approach to onboarding both new customers and their individual teams, Cyscale heavily emphasizes the user experience aspect of its solution.

Cyscale offers some of the best mapping features for cloud assets and security controls, like regulatory standards and organization-specific policies. The way it works is that cloud infrastructure issues are mapped to everything from established policies to larger regulatory standards; from there, users have the ability to set custom thresholds to determine which assets are meeting their security and compliance requirements. Cyscale’s approach to mapping is particularly effective for organizations that are frequently audited and need a quick way to visualize problems and possible steps for remediation.

Pricing

Pricing information for Cyscale is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the Pro plan starts at $10,000 for a 12-month subscription and up to 1,000 assets through Azure Marketplace. Users also have the option to purchase the same plan for one month for $1,000. The Scale plan, which includes more features and up to 5,000 assets, costs $50,000 for a one-year subscription and $5,000 per month for month-by-month access.

Features

• Cloud asset inventorying, mapping, and security scoring
• More than 500 built-in security controls and policies
• In-app consultancy and remediation guidance
• Data retention exports for up to one year in PDF and CSV formats
• Exemptions with an exemption approval process are natively offered

Pros

• Beyond support for multiple public clouds, Cyscale also integrates with identity providers such as Okta and Azure Active Directory
• The asset discovery and mapping approach Cyscale takes from the outset with new customers makes this one of the best CSPM solutions for user experience and visibility
• Offers some of the most straightforward onboarding and deployment procedures in the CSPM market

Cons

• Cyscale can be very expensive, especially for businesses with smaller budgets
• What constitutes a single asset can be confusing to users, especially for new users who are attempting to predict costs

Trend Micro Trend Cloud One Conformity

Best for Configuration Recommendations

Trend Micro’s Trend Cloud One Conformity is a leading CSPM solution that mostly focuses on Google Cloud Platform, AWS, and Microsoft Azure configurations, excelling by offering detailed explanations, guidance, and support to new users. Committed to bringing prospective buyers knowledge before they commit, Trend Micro is one of the few CSPM vendors that offers a complimentary public cloud risk assessment to anyone who wants additional guidance on security, governance, and compliance before building their cloud infrastructure in AWS or Azure.

Trend Cloud One Conformity also comes with detailed configuration recommendations that are based on a cloud design and infrastructure standard known as the Well-Architected Frameworks. With this collection of principles as the backbone for its recommendations, users can easily check how their configuration decisions align with pillars such as security, operational excellence, reliability, performance efficiency, cost optimization, and sustainability. Configurations can either be updated manually or auto-remediated based on those rules.

Pricing

Pricing for this Trend Micro solution depends on the source from which you access it. This is one of the few options on this list that can be purchased directly through the vendor, however. The Cloud First plan, offered directly through Trend Micro, is $217 per month per account, billed annually for users with 26 to 50 accounts. Cloud Ready and Cloud Native packages are also offered, and a 30-day free trial is available as well. Learn more about Trend Cloud One Conformity pricing here.

Features

• Remediation guides and auto-remediation
• Filterable auditing for misconfigurations
• Exportable and customizable reports
• Continuous scanning against compliance and industry standards
• Free public cloud risk assessments

Pros

• One of the best options for straightforward, easy-to-setup auto-remediation
• The solution integrates with multiple service ticketing and communication tools, including Slack, ServiceNow, Jira, PagerDuty, and Microsoft Teams
• The Conformity Knowledge Base offers an extensive self-service collection of remediation guides to users

Cons

• Limited CIEM capabilities
• Features are limited to three public clouds: AWS, Microsoft Azure, and Google Cloud Platform

Ermetic

Best for Privileged Access Management

Ermetic is a CNAPP solution that equally emphasizes cloud security posture management and cloud infrastructure entitlement management (CIEM) for AWS, Google Cloud Platform, and Microsoft Azure configurations and users. The addition of advanced CIEM features makes this one of the best CSPM options for monitoring humans and their impact on infrastructural and configuration decisions.

Its identity-driven features include multicloud asset management and detection, risk assessments based on identity entitlements, and IAM-focused policy recommendations. It is also one of the few CSPM software options that include privileged access management (PAM) and just-in-time access management features for its users.

Pricing

Pricing information for Ermetic is not transparently listed on the vendor’s website; it varies depending on which partners and features you choose to work with. For example, the commercial plan for Ermetic CIEM and CSPM starts at $28,000 for a 12-month subscription and up to 120 billable workloads when purchased through AWS Marketplace.

Features

• Auto-remediation with an identity-driven strategy
• Remediation is available for both unused and excessive user privileges
• Combined CSPM and CIEM functionality
• IaC snippets in Terraform and CloudFormation
• Built-in templates and customizable options for policies

Pros

• One of the best CSPM options for users who also want comprehensive CIEM functionality
• One of the only CSPM solutions that offer privileged access management
• Capable integrations with SIEM and ticketing solutions, such as Splunk, IBM QRadar, ServiceNow, and Jira

Cons

• At least based on the information provided by AWS Marketplace, this is one of the most expensive options in the CSPM market
• Limited to AWS, Azure, and GCP

Also see the Top Cloud Security Companies

Key Features of CSPM Tools

CSPM features can vary greatly, especially depending on if it’s offered as part of a greater CNAPP or cloud security suite of solutions. In general, it’s important to look for the following features when selecting a CSPM solution:

Infrastructure-level risk monitoring and assessments

All CSPM solutions should include some form of risk and configuration assessments, making it easier for users to identify and assess risks. Most tools include risk scoring, risk mapping, or some other kind of risk visualization to help users of all backgrounds quickly identify configuration problems and how to solve them.

Threat detection and intelligence

Threat detection is an important piece of cloud security posture management, and threat intelligence is often a bonus that transforms discoveries into actionable remediation tasks. CSPM solutions typically use industry or organizational benchmarks, specific policies, behavioral analytics, or a combination of these factors to effectively detect and mitigate cloud security threats. A growing number of CSPM solutions also use machine learning to power and further automate the threat intelligence and detection process.

Remediation and recommendations

Unlike some other cloud security tools that simply identify problems for your team to fix, most CSPM solutions include specific recommendations and can remediate issues on their own. Depending on your specific requirements, your team can set up custom organizational policies or utilize built-in regulatory frameworks and best practices as baselines. From there, users often have the option to manually remediate or rely on auto-remediation when issues are discovered.

Advanced data governance and compliance management

Because public clouds and cloud applications are constantly changing and play by their own rules, data governance and compliance management features are very important to the configuration management part of CSPM. Nearly all CSPM tools allow users to build their own or use prebuilt policies and rules for compliance management. Some of the most common regulatory frameworks that CSPM tools build off of include HIPAA, GDPR, NIST, PCI-DSS, CIS, ISO, and SOC 2.

Automation

Many aspects of CSPM are driven by automation, especially for tools that rely on agentless performance. Automated workflows are used to identify and prevent cloud, app, and data misconfigurations that can cause security and compliance problems. Some of the most common types of CSPM automation are used to automate policy enforcement, classification, and remediation.

Benefits of Working with CSPM Tools

CSPM software offers many benefits to users who are looking to enhance their cloud security. These are some of the top benefits that come from implementing cloud security posture management:

• Increased infrastructural visibility: Constant security and compliance monitoring is a standard aspect of CSPM tools. This real-time approach to threat detection and risk monitoring leads to increased visibility for stakeholders with varying levels of cybersecurity experience and infrastructural expertise.
• Security support for multiple environments and ecosystems: Most CSPMs work with at least the Big Three public cloud providers (AWS, Azure, and GCP), and others work well with Oracle Cloud and Alibaba. CSPM vendors’ experience with public cloud environments gives users additional peace of mind when storing data and workloads in public cloud environments.
• Automation that simplifies security management: Automation is interwoven into many parts of the CSPM lifecycle, simplifying risk detection and remediation efforts for complex and sprawling cloud environments.
• Proactive security and compliance recommendations: Instead of only correcting problems after they arise, CSPM solutions can proactively detect configurations and infrastructure designs that are potentially harmful. They can also make suggestions for security posture improvements.
• Enhanced compliance policies and enforcement: Cybersecurity teams can certainly create their own compliance policies, but it’s difficult to enforce these policies across all parts of cloud infrastructure. CSPM tools take some of this burden off of your team, helping them to create and enforce policies that meet your organizational, regional, and industry-specific requirements.

How Do I Choose the Best CSPM Tool for My Business?

Choosing the best CSPM tool for your business requires you to look closely at your specific cloud setup and security requirements. First, consider the size of your cloud infrastructure and the budget you have in mind. While some solutions may seem slightly more affordable than others in this market, many of them have per-unit and capacity-based pricing that can scale up quickly if you’re not careful. CSPM solutions also usually have unit minimums that may exceed the requirements of your organization, meaning you’re paying for more than you actually need with no alternative from that vendor.

Next, consider the unique compliance and security requirements of your business. Do you operate in a region where GDPR is in effect? Do HIPAA or SOX regulations apply to your data? Do you work with third-party cloud environments or applications with their own security rules and procedures? Uncovering the answers to these questions will help you identify a CSPM tool that supports your compliance frameworks and other unique requirements.

Finally, consider any other features that would particularly benefit your team. Automation is included in nearly all CSPM tools, but some have more extensive automation capabilities for steps like remediation and analytics. Many tools also have some form of artificial intelligence baked into their operations. Regardless of the special features that you determine are most important to your team, look for a tool that implements them in an easy-to-use fashion.

More on third-party risk: 10 Best Third-Party Risk Management Software & Tools

Frequently Asked Questions (FAQs)

What is cloud security posture management?

Cloud security posture management, otherwise known as CSPM, is the strategy behind the tools that support security and compliance management in cloud computing environments. Boasting some overlapping features with risk management and cloud-security-focused tools, cloud security posture management software is designed to identify, assess, prioritize, and manage risk at an infrastructure- and configuration-level in the cloud.

What is the difference between CASB and CSPM?

Cloud access security broker (CASB) and CSPM tools are both effective solutions for managing cloud security, but they each focus on different aspects of that security, with some overlap. CASB tools are dedicated to data-level security and user access controls, while CSPM focuses more heavily on infrastructure-level security, compliance, and configuration management.

Is CSPM a part of SASE?

CSPM solutions are often used in combination with secure access service edge (SASE) technology, but CSPM is not officially a part of SASE. CSPM focuses more on the features and functionality needed to secure cloud environments, while SASE solutions support secure access to the resources in those environments through managed services and specialized features.

Methodology

The top cloud security posture management solutions in this list were selected through a thorough examination of their individual feature sets, their scalability, pricing options, user experience, and their general performance on user- and expert-aggregated review sites. Over two dozen solutions were reviewed in order to create this curated CSPM product guide.

Bottom Line: Cloud Security and Posture Management (CSPM) Tools

The best CSPM solution for your business depends less on how these solutions perform in aggregated reviews and more on your specific cloud environment, security, and compliance requirements. It’s important to look for a platform with built-in features for compliance frameworks that apply to your industry and/or region. To make the best decision for your business, we recommend first identifying your top compliance and cloud security concerns and then reaching out to vendors to determine what support and features they offer in those areas.

Read next: Cloud Security Best Practices

The post Top 7 Cloud Security Posture Management (CSPM) Tools appeared first on eSecurity Planet.

While it’s certainly possible to construct your own pentest framework that meets the specific security and compliance requirements of your organization, a number of existing methodologies and frameworks can be built upon to make the job easier for you. In fact, it’s generally more effective to use one of these comprehensive and peer-reviewed solutions in order to keep your pentests on track.

Read on to learn more about how pentest frameworks are used, how they’re set up, and some of the top pentest frameworks that are available today.

Jump ahead to:

• How Pentest Frameworks Work
• 10 Categories in a Pentest Framework
• How Penetration Test Frameworks Are Used
• 7 Top Pentest Frameworks
• Bottom Line: Pentest Frameworks

Also read: What Is Penetration Testing? Complete Guide & Steps

How Pentest Frameworks Work

In simple terms, a pentest framework works by guiding pentesters to the right tools and methodologies to use for a penetration test, depending on the pentest type and the scope of the test they’re planning to run. Once a pentester gets started with the penetration testing and ethical hacking process, they should reference the pentest framework for the tactical categories they should assess during their tests.

Once the pentest is complete, the pentester should continue using the framework to help them further evaluate and report on their findings, especially as they relate to those primary tactical categories. It’s also important to return the environment to its pre-pentest settings.

The Steps of a Typical Pentest Framework

Pentest frameworks work in slightly different ways, depending on which pentest framework you use, but most follow similar steps that help organizations efficiently and comprehensively move through their pentesting programs.

These are some of the most common steps a pentest framework follows:

1. Initial planning and preparation: The framework instructs organizations to determine who their pentester(s) will be, what pentest framework and methodology/methodologies they’ll be following, expectations for the test and reported results, any legal or compliance requirements, and any tools or resources that are needed in order to conduct a successful test.
2. Intelligence and information gathering: Information that should be gathered early in the pentest framework development and selection process includes the scope of asset ownership, network targets, exploits, any involved third parties, network ports, IP addresses, relevant employees’ names, and property locations. In some cases, this phase is also called the discovery, testing, scanning, or assessment phase.
3. Attack phase: The pentester begins their attack and evaluates the system based on how it performs against the framework’s predefined tactic categories.
4. Post-attack phase: The pentester, or a team of cybersecurity experts, makes sure the testing environment’s assets and features are returned to their original state.
5. Reporting results: The pentest framework is used to frame results based on tools used, tactic category performance, and more.

Also read: How to Implement a Penetration Testing Program in 10 Steps

10 Categories in a Pentest Framework

The typical pentest framework clearly outlines tactic categories that pentesters should use to evaluate cybersecurity performance on multiple fronts during their penetration testing efforts. Every framework uses its own terminology and approach to tactic categories, but these are some of the most frequently found categories in a pentest framework:

1. Collection: As an ethical hacker, what kinds of information and security intelligence are you able to collect during your attack? How valuable would this information be to future attack vectors and plans?
2. Command and control: What kinds of backdoors and covert forms of communication are you able to set up in the enterprise network’s servers or apps during your simulated attack? Are these backdoors easily detected? Do they stay open even after cybersecurity tools step in to mitigate risk?
3. Credential/information access: What tools, users, and hardware can access what kinds of information? What credentials and controls are in place and how effective are they at stopping unauthorized user access during your simulated attack?
4. Defense evasion capabilities and strategies: How does your cybersecurity infrastructure handle threat detection and how does it respond to an attacker’s defense evasion strategies? How effectively does your infrastructure identify and avoid various types of threats, and how quickly does it pivot when initial lines of defense aren’t enough?
5. Discovery and information gathering: How quickly and comprehensively does your cybersecurity setup gather and sift through relevant security incident information after the simulated attack begins?
6. Execution: How do your cybersecurity tools respond when handling an unauthorized user or other suspicious activity in the network? What tools go into action, what are their response timelines, and what gets mitigated by tools versus security professionals? Additionally, how does your cybersecurity infrastructure respond to attack types like remote code execution?
7. Exfiltration: Can data be stolen from any part of your network? If so, what data is accessible, in what quantities can it be taken, and how much defense (if any) goes up against data exfiltration operations?
8. Lateral movement: During the simulated attack, are you able to easily move from your initial point of access into another app, database, or component of the network? How difficult is lateral movement between grouped apps versus parts of the network that are in separate segments or departments?
9. Persistence: What misconfigurations, backdoors, implants, or other components of your attack persist even after cybersecurity tools respond to your attack? Over what time frame can these features continue to deploy discreet attacks?
10. Privilege escalation: Can attackers change their own credentials or steal the credentials of another user in order to elevate their access levels and user permissions in the network or specific applications? How difficult is privilege escalation for an internal bad actor versus an external bad actor?

How Penetration Test Frameworks Are Used

Generally speaking, penetration test frameworks are used to make pentesting efforts more comprehensive and effective. However, pentests are used for a variety of reasons, and pentest frameworks have a few different use cases as well. Here are some of the most common ways penetration test frameworks are used:

• Vulnerability assessment and management
• Ethical hacking for offensive cybersecurity improvements
• Defensive cybersecurity evaluations
• Discovery, probing, and reconnaissance
• Enumeration and information gathering
• Cybersecurity and compliance audits

7 Top Pentest Frameworks Explained

Below, you will find some of the most commonly used pentest frameworks and methodologies, both in a chart and a more detailed discussion. It’s important to note that many of the frameworks you see listed here — such as the Open Source Security Testing Methodology Manual (OSSTMM) — started out as simple pentesting frameworks but have since evolved into methodologies upon which other pentesting frameworks have been developed.

Cobalt Strike

Cobalt Strike is a red team command and operations framework that is one of the most popular frameworks for pentesting. The tool includes adversary simulations, incident response guidance, social engineering capabilities, and more. Users have the option to alter Cobalt Strike to their specific needs with the Community Kit repository, and they can further extend its capabilities by using it in combination with Core Impact, the pentesting software offered by Fortra.

Also read: How Cobalt Strike Became a Favorite Tool of Hackers

Metasploit

Metasploit is a collaboratively-designed penetration testing framework that comes from Rapid7 and the open-source community. Some of its most important features include 1,500 exploits, network discovery, MetaModules for tasks like network segmentation testing, automated tests, baseline audits and reports, and manual exploitation and credential brute forcing options. Users can choose between the free, open-source version of Metasploit or Metasploit Pro for additional features.

Also read: Getting Started With the Metasploit Framework: A Pentesting Tutorial

NIST Cybersecurity Framework

NIST’s Cybersecurity Framework (CSF) is a slightly broader framework option that focuses on standards, best practices, and guidelines for all kinds of cybersecurity risks. The five functions that this framework focuses on are: Identify, Protect, Detect, Respond, and Recover. Because this is a broader framework and comes from the U.S. Department of Commerce, this standardized framework can be used as guidelines for a variety of cybersecurity tests and compliance audits.

Open Source Security Testing Methodology Manual (OSSTMM)

The OSSTMM framework from the Institute for Security and Open Methodologies (ISECOME) has moved past basic framework features into a full methodology for security testing and analysis. Among other topics covered in its detailed guide, the Open Source Security Testing Methodology Manual gives users information about how to define and scope a security test, rules of engagement, error handling, and disclosure of results.

Penetration Testing Execution Standard (PTES)

The Penetration Testing Execution Standard, or PTES, is another pentesting framework that has evolved into a full methodology. Its main sections cover penetration test communication and rationale, intelligence gathering, threat modeling, vulnerability research, exploitation and post-exploitation, and reporting. The guidelines in the official PTES do not discuss how to conduct a pentest; the team has developed a technical guidelines document to instruct and support in this area. A second, updated version of PTES is currently in the works.

Open Web Application Security Project (OWASP)

OWASP’s Continuous Penetration Testing Framework is an in-the-works framework that focuses on standards, guidelines, and tools for information security and application security penetration tests. OWASP offers a transparent roadmap to users who are interested in learning more about the release timeline and features of this framework.

PenTesters Framework (PTF)

TrustedSec’s PenTesters Framework (PTF) is based heavily on the Penetration Testing Execution Standard. It is designed to make installation and packaging more streamlined and is considered highly customizable and configurable. Users can either download PTF with a Linux command or directly through Git.

Also read:

• Best Open-Source Distributions for Pentesting and Forensics
• Top Open Source Penetration Testing Tools

Bottom Line: Pentest Frameworks

Your penetration testing efforts won’t be as successful if you don’t rely on a pentest framework to structure your processes, the tools you use, and the tactical areas you target. It’s important for pentesting procedures to be both repeatable and scalable, especially as your organization and its attack surface grow. Pentest frameworks take the guesswork out of pentesting, allowing you to focus on improving other areas of vulnerability management while still conducting successful tests and research.

Further reading:

• How Much Does Penetration Testing Cost? 11 Pricing Factors
• Best Penetration Testing Tools
• Best Vulnerability Scanning Tools
• Top Breach and Attack Simulation (BAS) Tools

The post What Is a Pentest Framework? Top 7 Frameworks Explained appeared first on eSecurity Planet.

It’s a fast-growing cloud computing technique that has gotten buy-in and support from a variety of hardware, software, and cloud vendors. Read on to learn more about confidential computing, how it works, and how it benefits enterprise data security efforts.

How Does Confidential Computing Work?

Confidential computing is all about using technology to create an isolated safe space, otherwise known as a Trusted Execution Environment (TEE), for the most sensitive data and data processing instructions. During confidential computing, the TEE and a preselected dataset are separated from the rest of the computing environment, including the operating system, the hypervisor, uninvolved applications, and even cloud service providers. 

Unlike other types of data processing, in confidential computing data does not need to be decrypted in memory and exposed to external security vulnerabilities in order to be processed. Instead, it is only decrypted in the Trusted Execution Environment, which relies on hardware-based coprocessor security, embedded encryption keys, and embedded attestation mechanisms to ensure that only authorized applications, users, and programming code can access the TEE and the data it houses. Data processed inside a Trusted Execution Environment is completely invisible to all computing elements that aren’t part of the designated TEE, and data always stays encrypted while in transit or stored outside the TEE.

Also read: Encryption: How It Works, Types, and the Quantum Future

7 Benefits of Using Confidential Computing

Confidential computing offers a number of benefits for safer handling of sensitive data while in use.

1. Added security in shared, untrusted, or unfamiliar environments

The modern computing landscape, especially when the cloud’s involved, means your data is often stored in environments that are exposed to third parties, different departments, and public users. There’s limited native protection built into cloud environments, especially for your most sensitive data when it’s in use. Confidential computing techniques and technologies give your sensitive data more safeguards, regardless of the computing environment.

2. Secure data input and output

The only time data is decrypted during the confidential computing process is when the TEE has taken multiple steps to ensure that only authorized programming code is entering the environment. At all other times, sensitive data remains encrypted, adding more privacy and security while data is in transit or stored in another part of the computing environment.

3. Equal focus on security and cloud computing capabilities

Traditionally, businesses have either had to process sensitive data in memory with major security risks or limit their sensitive data processing in order to protect it; neither approach is ideal for optimal data usability and outcomes. Confidential computing makes it so users can take advantage of the power and complexity of a cloud computing environment while still protecting their sensitive data to the utmost degree.

4. Remote quality assurance capabilities

Confidential computing architecture is designed for remote quality assurance and security management. Remote verification and attestation make it easier for security admins to manage a distributed network while still protecting and monitoring the Trusted Execution Environment.

5. Easier detection and prevention of unauthorized access

Built-in attestation enables the confidential computing architecture to verify programming codes before they can enter the TEE; confidential computing technology can also completely shut down the computing process if an unauthorized set of code attempts to tamper with or gain access to the TEE. This type of computing provides an ideal combination of hands-off security protocols and visibility into unauthorized network traffic.

6. Compatibility with data privacy and compliance requirements

Compliance laws like GDPR and HIPAA require companies to store and use data in specific ways to maintain compliance. It’s not always easy to adhere to these standards in a public cloud environment, but with the additional security features confidential computing provides for sensitive data, businesses can more easily comply with a variety of data privacy and security regulations while still making the most of their data.

7. Protection for data in use

Although other techniques are emerging and being used today, confidential computing is one of the few encryption strategies that effectively protects data in use. Most other encryption approaches protect data at rest and data in transit only.

Also read: Exfiltration Can Be Stopped With Data-in-Use Encryption

Confidential Computing Use Cases

Confidential computing’s protections make it ideal for a number of sensitive data use cases.

Secure third-party outsourcing

Outsourcing certain business functions to third parties is common these days, but it can be a risky move if your data isn’t entirely secure. The enclaved approach taken with TEEs makes it so your internal team can protect and essentially hide sensitive data from unauthorized third-party users, allowing them to focus solely on the parts of your computing process they need to access while trusted members of your team manage sensitive data processes.

Encryption to mitigate insider threats

Because confidential computing means sensitive data is encrypted at all times (until it is processed in the TEE), even members of your internal team cannot access and interpret this protected data without authorization. This feature of confidential computing protects against rogue users within the network as well as users who fall victim to credential phishing attacks.

Protected public cloud use

Businesses are moving many of their workflows and operations to the cloud, but some of the largest enterprises are still hesitant to move their most sensitive workloads to a public cloud environment. With confidential computing in the mix, enterprises can feel more confident and maintain more control over their sensitive data at rest, in transit, and in use, even in a public cloud environment with third-party vendors and users that follow varying security protocols.

See the Best Third-Party Risk Management Software & Tools

IoT data processing

Internet of Things (IoT) devices generate massive amounts of data that are rarely stored in a secure fashion. Confidential computing is increasingly being used to create enclaves where IoT data can be processed in a confidential way that ensures the data isn’t tampered with.

Collaborative data analytics and data usage

Analyzing broader patterns across an organization or an entire industry often requires users to access sensitive data outside of their normal scope of work. Offering an alternative and more secure approach, confidential computing supports secure and collaborative data analytics, allowing users to manage and view their own inputs and gain insights into a sprawling dataset without seeing other users’ inputs or outputs. This approach to analytics is especially helpful in industries like insurance and healthcare where analyzing and interpreting broad patterns can inform insurance rates and diagnostics, respectively.

Blockchain and crypto security

The encryption involved in confidential computing is especially useful in a blockchain environment. Common confidential computing use cases include smart contract, private key, and cryptographic operations management.

Machine learning training

For organizations that want to work with or train a machine learning model without exposing their training dataset, confidential computing is a viable solution for privacy. The machine learning model can be placed in a TEE enclave, allowing data owners and users to share their data with the model and train it in an invisible, isolated environment.

Confidential Computing Consortium (CCC)

The Confidential Computing Consortium (CCC) is a Linux Foundation project community that is made up of various tech leaders. The CCC works to advance confidential computing capabilities and adoption through collaboration on high-profile and open-source confidential computing projects. Its current projects include Enarx, Gramine, Keystone, Occlum, Open Enclave SDK, Veracruz, and Veraison.

The organization is led by two governing officers, a board of directors, committee chairs, and various staff. Members of the Confidential Computing Consortium include Intel, Meta, Microsoft, Google, Accenture, Huawei, Red Hat, Accenture, Anjuna, AMD, Canonical, Cisco, Fortanix, Nvidia, Ruby, and VMware.

Confidential Computing vs. Homomorphic & Data-in-Use Encryption

Confidential computing, fully homomorphic encryption (FHE), and data-in-use encryption share many similarities, especially since they all focus on securing data in use, but each creates a slightly different encryption and usage scenario.

Data-in-use encryption could be looked at as one component of confidential computing; it is used to keep data encrypted until it is in an isolated TEE, where it can then be decrypted by authorized keys and code. Confidential computing also takes this approach to encryption and isolated data processing, but it’s a much broader concept that includes other technologies and strategies, like other types of encryption, secure execution environments and storage, secure communication protocols, and secure key management features.

Fully homomorphic encryption is an old idea that has only recently advanced enough to realize its promise. This approach to data security encrypts data throughout its entire lifecycle, even when it’s being used in computations. Data inputs are encrypted during processing and computing, and results come out encrypted as well. In contrast, both confidential computing and data-in-use encryption allow data to be decrypted and viewed when it’s in the Trusted Execution Environment.

In theory, FHE has some major security benefits since data is encrypted throughout the computing process. However, this type of encryption requires large amounts of overhead, is complex to manage, and has potential for users to make changes to encrypted data without other users ever knowing, thus damaging data integrity. FHE is still early in its development and may overcome some of these shortcomings over time.

Also read: Homomorphic Encryption Makes Real-World Gains, Pushed by Google, IBM, Microsoft

Top 3 Confidential Computing Companies

Confidential computing is a complex process that requires advanced software, hardware, and cloud computing technologies. As such, there are many confidential computing companies and leaders that focus on different parts of the confidential computing architecture. We’ve taken a closer look at three of these leaders below. Other leading confidential computing companies include IBM, Google (Alphabet), AWS, and Fortanix, and promising startups like Anjuna Security, Opaque Systems, Inpher, Gradient Flow, HUB Security, Edgeless Systems, Profian, Secretarium, and Decentriq.

Intel

Intel is one of the first and foremost players in the confidential computing space. Intel Software Guard Extensions (SGX) is the most commonly used hardware-based enclave solution for confidential computing. The company also manages Project Amber, a zero-trust confidential computing project, and Intel Trust Domain Extensions (TDX), a VM-focused approach for added privacy and control. Ron Perez, an Intel fellow and chief security architect at Intel, is the Confidential Computing Consortium’s governing board vice-chair.

Fortanix

Fortanix is considered one of the earliest pioneers in confidential computing. Fortanix’s Confidential Computing Manager (CCM) is a SaaS solution that helps users manage TEEs and protect data in use across various cloud environments. Fortanix is also a founding member of the Confidential Computing Consortium.

Microsoft

Microsoft offers a range of confidential computing solutions primarily through the Azure cloud environment. The Azure confidential computing initiative includes various products and services, such as confidential VMs and confidential VMs with application enclaves, confidential containers, trusted launch, a confidential ledger, SQL Azure Always Encrypted, Microsoft Azure Attestation, and Azure Key Vault M-HSM. Stephen Walli, a principal program manager for Microsoft Azure, is the governing board chair for the Confidential Computing Consortium.

See the Top Enterprise Encryption Products

Bottom Line: Confidential Computing

The modern enterprise network isn’t just an on-premises environment or simple data center. It consists of third-party partners and applications, public and hybrid clouds, and other external factors that feel somewhat beyond the control of traditional network security solutions. Processing data in those environments is more perilous than ever. For companies that want to increase their security and control at the data level, regardless of what their network looks like or who is using it, confidential computing offers a solution to maintain data security while upholding data integrity and enabling high-performance data tasks.

Read next: Security Considerations for Data Lakes

The post What is Confidential Computing? Definition, Benefits, & Uses appeared first on eSecurity Planet.

Third-party risk management (TPRM) software and tools — also known as vendor risk management (VRM) — go beyond the general capabilities of risk management and governance, risk, and compliance (GRC) solutions with specialized onboarding, risk assessments, and due diligence for organizations working with third parties. Some TPRM tools also assess operational risks, but our focus here is on third-party security, privacy and compliance issues.

We’ll take an in-depth look at the top third-party risk management vendors and tools — followed by what buyers should consider before making a purchase.

• OneTrust: Best Overall
• Prevalent TPRM Platform: Best for Managed Vendor Risk Assessments
• Venminder: Best for Customer Support
• BitSight: Best for Vendor Intelligence Networking
• ProcessUnity TPRM: Best for Automated Vendor Management Workflows
• Archer: Best for SLA Management
• SecurityScorecard: Best for Intuitive User Experience
• Aravo for Third Party Management: Best for Customization
• Panorays: Best for Ease of Deployment
• Diligent ThirdPartyBond: Best for Reporting and Visualizations

Comparing the Top TPRM Software & Tools

OneTrust Third-Party Risk Management

Best Overall

A bonafide unicorn, OneTrust launched in 2016 to offer privacy management and marketing compliance solutions. To comply with a growing list of global regulations, the Atlanta-based compliance monitoring provider offers OneTrust Third-Party Risk Management (previously Vendorpedia) to help organizations evaluate customer, employee, and vendor data transfers. OneTrust offers privacy impact assessments, data inventory mapping, remediation actions, and recurring audits on a web-based portal. It is widely considered one of the best TPRM solutions for compliance-driven industries.

OneTrust TPRM’s highest user reviews cite its usability and accessibility, quality of technical support, and high-quality automation for vendor management. OneTrust is also one of the few TPRM solutions that offer a free trial option to users.

Key Features

• Workflow integration builder
• Unified third-party relationship inventory
• OneTrust Insights and Analytics engine
• Intelligent onboarding workflows
• Dynamic questionnaires

Pros

• Highly integrated with other OneTrust solutions and third-party data sources
• Offers AI auto-completion technology for faster questionnaire completion
• Workflows are highly configurable and follow intuitive if/then logic

Cons

• Some limitations to OneTrust’s risk mitigation features
• Limited risk scoring and advanced analytics capabilities
• Room for growth in native integrations

Pricing

Pricing for smaller businesses starts at $600 a month. Enterprise buyers will need to contact OneTrust for pricing information.

Prevalent TPRM Platform

Best for Managed Vendor Risk Assessments

Started in 2004, Prevalent is an IT consulting firm that specializes in governance, risk, infrastructure, and compliance technology. The company offers customers a suite of third-party risk management solutions through the Prevalent TPRM Platform; features include inherent risk scoring, offboarding and termination, and vendor risk assessment and monitoring. With Prevalent’s sourcing and selection, organizations can reduce cost, complexity, and exposure from the start by picking trusted vendors.

Prevalent’s highest reviews and ratings cite its ease of integration and deployment, profile management, and technical support. It is also one of the best options for buyers who are looking to move beyond TPRM software into fully managed services and strong customer support.

Key Features

• Automated risk assessment and continuous risk monitoring
• Automated assessment workflows and remediation management
• Vendor intelligence networks
• RFx Essentials for centralized distribution and management of RFPs and RFIs
• Inherent risk scoring with prescriptive guidance on corrective action and due diligence

Pros

• Users have real-time access to completed risk reports for thousands of companies through vendor intelligence networks
• Strong professional and managed services backbone
• Extensive connector marketplace for easier integration

Cons

• Only basic risk-scoring capabilities are available.
• Customization is limited at the customer level; most customization happens only through the vendor.
• The user interface is less intuitive than some competitors

Pricing

Pricing information is not transparently provided on the Prevalent site. Prospective buyers will need to contact the vendor directly for pricing information. Prevalent TPRM can also be found on AWS.

Venminder

Best for Customer Support

Venminder launched in 2003 as a SaaS vendor that streamlines third-party risk management. Venminder provides administrators with oversight and contract management frameworks, risk assessments, due diligence requirements, questionnaires, SLA management, and vendor onboarding. In Venminder Exchange, clients can access the platform’s repository for assessments of vendor security status, SOC reports, contracts, financials, business continuity and disaster recovery, and more.

Venminder’s highest reviews and ratings cite its quality of end-user training, profile management, and evaluation and contracting. New users are assigned a relationship manager for more hands-on onboarding. After onboarding, the company continues to offer extended support hours for customers with email, phone, and chat communication options.

Key Features

• Customizable risk assessments with templating and progress monitoring
• Automated, customizable questionnaires
• Oversight Management feature with vendor scorecard tracking
• Issue and SLA management
• Point-in-time risk profile creation

Pros

• Extensive library of free learning resources, webinars, infographics, etc.
• Unlimited user access is available in all plans
• With a la carte services and features, this solution is easy to scale and adjust to your business’s specific requirements

Cons

• Limited international presence and reach; works almost exclusively with North American clients
• Historically has mostly focused on finance clients; expertise and experience in other areas may be limited
• Mostly geared toward smaller business requirements

Pricing

Venminder is sold in two different pricing package formats: Professional and Enterprise. Beyond general software features, users also have the option to purchase control assessments and managed services on an a la carte basis. Specific pricing information is not transparently provided on the Venminder site. Prospective buyers will need to contact the vendor directly for pricing information. AWS quotes enterprise pricing, including all modules, at around $100,000.

BitSight Third-Party Risk Management

Best for Vendor Intelligence Networking

BitSight — known as a pioneer in the security ratings space — is a top provider of TPRM solutions. Using sophisticated algorithms and daily security ratings, BitSight Third-Party Risk Management and the Security Ratings Platform help organizations manage third-party risk. BitSight also integrates with other VRM tools like ServiceNow and ProcessUnity to offer users the best of the TPRM market.

BitSight’s highest reviews and ratings cite the timeliness of vendor response to product questions and patching cadence. The TPRM provider is known for its vendor intelligence network, with over 20,000 vendor profiles available to users.

Key Features

• Automated onboarding assessments
• Data-driven vendor response validation
• Real-time reporting
• Fourth-party product usage discovery
• Customizable workflows for vendor assessment prioritization

Pros

• BitSight integrates and works well with most other TPRM solutions
• Customers and non-customers alike have access to free cyber security reports
• Reporting is comprehensive and fairly easy to customize

Cons

• Limited peer community and forum opportunities
• Limited communication and access to customer support representatives
• It’s not easy to filter data results or update report results as issues in the network are resolved

Pricing

Pricing information is not transparently provided on the BitSight site. Prospective buyers will need to contact the vendor directly for pricing information. The only sources we could find cite starting pricing around $20,000 a year.

ProcessUnity Third-Party Risk Management

Best for Automated Vendor Management Workflows

ProcessUnity offers SaaS solutions for managing various components of governance, risk, and compliance (GRC). With ProcessUnity Third-Party Risk Management, organizations are empowered to assess, monitor, and conduct due diligence when working with business partners. Across vendor risk assessment processes, ProcessUnity’s solution can help identify, manage, and remediate issues. The tool also includes periodic vendor performance reviews to ensure the ongoing strength of the organization’s security posture.

ProcessUnity’s highest reviews and ratings cite timely support responses, product configurability, and added features. Users are particularly impressed with the automation that’s been added to the tool over time; automated critical workflows can be customized for assessment scoping, evidence collection, and other risk management processes.

Key Features

• Pre- and post-contract due diligence
• Third-party onboarding with sourcing and RFx support
• Risk domain screening
• Issue and vendor performance management with SLAs
• Automated assessment scoping and evidence collection

Pros

• Hands-on automations and no-code features make this tool highly customizable
• Reporting-As-A-Service feature translates report data in a way that all stakeholders can understand
• The solution supports the whole TPRM lifecycle, from sourcing to contract management

Cons

• Considered a fairly expensive TPRM solution
• Limited visualization features in reports
• Questionnaires could offer more features

Pricing

Pricing information is not transparently provided on the ProcessUnity site. Prospective buyers will need to contact the vendor directly for pricing information. The VRM Essential Edition for SMEs starts at $15,000.

Archer Third-Party Governance

Best for SLA Management

Archer Third-Party Governance — formerly part of RSA but now privately owned — is an enterprise-ready risk quantification software solution for aggregating risks and safeguarding organizations from disruption. Critical features for Archer include customizable controls and risk indicators, risk profile metrics, and advanced visualization tools to compare risk consequences.

Archer’s highest reviews and ratings cite its history and reporting, integration and deployment, and comprehensive management of third-party SLAs. Archer was previously owned by RSA but was acquired by private equity firm, Cinven, in April 2023.

Key Features

• Bowtie diagrams for risk and mitigation illustration
• Customizable risk reporting and monitoring
• Quantitative and qualitative risk analysis
• Desktop and mobile accessibility
• Customizable key risk indicators

Pros

• Designed with highly regulated industries in mind
• AI-powered features make it easier to quickly assess third-party asset risk
• Some of the best fourth-party risk management features in the market

Cons

• The solution works most effectively only when used with other Archer solutions
• The pricing and licensing model for Archer is somewhat complicated
• Frequent acquisitions and internal moves make it difficult to predict the long-term direction and stability of this solution

Pricing

Pricing information is not transparently provided on the Archer site. Prospective buyers will need to contact the vendor directly for pricing information, but the company says typical TPRM pricing is around $30,000 to $50,000.

SecurityScorecard Platform

Best for Intuitive User Experience

Considered a pioneer in the TPRM space, SecurityScorecard is a cybersecurity service provider with patented rating technology. Boasting over 1,000 organizations as clients and a million companies continuously rated by extension, SecurityScorecard has come a long way since its founding. Organizations can analyze their digital footprint and fill cybersecurity gaps with instant risk ratings mapped to vendor cybersecurity questionnaire responses.

The SecurityScorecard Platform’s highest reviews and ratings cite its ease of deployment, superior customer support, and capability of handling public-facing infrastructure risk. The layout of the tool and its central dashboard are easy to navigate, and its graphics make for some of the best TPRM visualizations in the market.

Key Features

• Continuous monitoring and global IP scanning
• Automated send-and-response for questionnaires
• Rule-based tools for cybersecurity responses
• Dashboarding for third- and fourth-party vendors
• Customizable scores, due dates, reminders, and alerts for vendors

Pros

• Strong user interface and visualization capabilities
• One of the few TPRM solutions that offer transparent pricing models for prospective buyers
• The free version of SecurityScorecard offers limited features to an unlimited number of users

Cons

• Limited risk mitigation and response features; the tool primarily focuses on detection
• Occasional lag in response times from customer support
• Somewhat limited reporting capabilities

Pricing

SecurityScorecard is available in four different plan options:

• Free: $0 per month for unlimited team members
• Pro: $400 per month, billed annually
• Business: $1,000 per month, billed annually
• Enterprise: Custom pricing

Aravo for Third Party Management

Best for Customization

Launched in 2000 to address the growing need for enterprise supplier management, Aravo now offers SaaS-based supplier information management (SIM) and TPRM technology. Aravo for Third Party Management enables users to better manage new vendor intake, risk assessment automation, and due diligence.

Aravo’s highest reviews and ratings cite its pricing and contract flexibility, its configurability, and the company’s expert consultations in vendor risk evaluation. Although the solution offers many preconfigured workflows, assessments, dashboards, and reports, it is also easy to configure these features according to an individual business’s needs.

Key Features

• Automated risk assessment and vendor onboarding
• Third-party risk scoring based on dynamic online surveys
• Self-service survey creation with Customer Defined Assessment
• Third-party intelligence networking
• Corrective action and issue tracking

Pros

• Aravo offers specialized features for anti-bribery, anti-corruption, data privacy, and infosec requirements
• Interactive customer experience is available through innovation exchange and customer community
• Aravo’s preconfigured apps and native content integration are robust and highly usable

Cons

• The company has mostly shifted away from TPRM development to focus on business resilience
• Many features are only available through third-party partnerships or add-ons that come at an additional cost
• The pricing model for Aravo is somewhat complicated

Pricing

Pricing information is not transparently provided on the Aravo site. Prospective buyers will need to contact the vendor directly for pricing information. Aravo is also available on Azure.

Panorays

Best for Ease of Deployment

Panorays is a cybersecurity solution that offers automated features for third-party risk management and remediation. The Panorays strategy brings together dynamic questionnaires for existing suppliers with attack surface assessments to give clients greater risk visibility. The tool is particularly capable of meeting compliance standards like GDPR and HIPAA.

Panorays’s highest reviews and ratings cite its ease of deployment and onboarding, its centralized management features, and its ongoing feature updates. It also has a modern and intuitive user interface and a strong commitment to hands-on customer support.

Key Features

• Pre-built template for vendor security questionnaires
• External attack surface monitoring and assessments
• Customizable remediation plans
• Out-of-the-box reporting
• Autocomplete responses for questionnaires

Pros

• The product is constantly evolving and the vendor is receptive to customer feedback; a strong development roadmap is in place
• Straightforward and consistent approach to automation
• Users have commented on the quality and consistency of customer support for planning, assessment, and software implementation

Cons

• Somewhat limited connectors and integration capabilities
• Reports could be improved, especially with more self-service elements
• Limited functionality in the asset scanning feature

Pricing

Panorays is available in five different plan options:

• Free: For up to five third-party one-time assessments
• Basic: For up to 50 third-party continuous assessments
• Premium: For up to 100 third-party continuous assessments
• Enterprise: For up to 250 third-party continuous assessments
• Enterprise+: For more than 250 third-party continuous assessments

Specific pricing information is not transparently provided on the Panorays site. Prospective buyers will need to contact the vendor directly for pricing information. Google Cloud quotes starting enterprise prices of $2,500 per supplier.

Diligent ThirdPartyBond

Best for Reporting and Visualizations

Diligent — previously known as Galvanize — offers top-tier software solutions for audit, risk, and compliance. With the ThirdPartyBond solution, organizations can access end-to-end third-party risk management with resources for vendor onboarding, automated evidence collection, and assessment surveys. ThirdPartyBond also tracks service level agreements (SLA), maintains updated intelligence feeds, and provides tangible reporting for senior management.

ThirdPartyBond’s highest reviews and ratings cite its responses to product questions, its ease of integration and deployment, and its overall efficiency. It also offers some of the best reporting and visualization capabilities, with granular drag-and-drop dashboards, interactive storyboards, and various pre-built reports.

Key Features

• Centralized inventory and bulk import of third parties
• Risk-based control assessments
• Reports driven by KPIs and KRIs
• SLA performance monitoring and contract management
• Adaptive vendor surveys and risk scoring

Pros

• Strong risk analytics are built into the platform
• Advanced machine learning algorithms are incorporated to predict control failures
• One of the few TPRM options that offer interactive storyboards with advanced data visualizations

Cons

• Limited customizability in the most recent version of Diligent’s TPRM solution
• Pricing can quickly get expensive for teams that need multiple out-of-the-box solutions from Diligent
• Most edits to Diligent features can only be completed through scripting, making it challenging for less-technical users

Pricing

Pricing information is not transparently provided on the Diligent site. Prospective buyers will need to contact the vendor directly for pricing information.

Why Do You Need Third-Party Risk Management?

Third-party risk management is necessary for many organizations because adopting any kind of new digital system — especially one from a third party — comes with inherent vulnerabilities, including threats of breach, data loss, noncompliance, and human error. Specialized TPRM tools automate many of the relationship management workflows and steps, making the effort of organizing, optimizing, and securing third-party relationships seamless and simpler for business continuity purposes.

While network infrastructure vulnerabilities have long been the responsibility of security and network professionals, supply chain vulnerabilities are a growing and prescient concern due to their upstream ripple effect. As third-party networks grow larger and third-party tools become more difficult to regulate and track, organizations must increasingly practice vigilance in safeguarding their privacy, operations, and reputation; a strong TPRM posture can help organizations stay on top of these growing security concerns.

8 Common Features of Third-Party Risk Management Software

Every third-party risk management software solution is a little bit different, especially if it’s offered as part of a security suite or managed services offering. However, regardless of which tool appeals to your team most, it’s important to look for the following features and capabilities:

• Self-service portals for suppliers and vendors to provide pertinent documentation and guidance for questionnaires and risk scoring
• User-friendly reports and visualizations that cover risk monitoring and risk exposure to inform action steps
• Processes and templates for supplier risk control, oversight, and risk assessments
• Continuous monitoring of vendor performance and changes to supplier risk status
• Third-party relationship guidance that includes structured steps to follow from sourcing to relationship termination
• Built-in compliance features for internal policies and external mandates for supplier risk; compliance features for finance, government, and other highly regulated sectors are ideal
• Quantitative and qualitative data to show progress in reducing third-party risk exposure
• Reports and visualizations that help the customer and third-party vendors quickly understand current issues and possible mitigation strategies

How to Choose a Third-Party Risk Management Tool

With so many features to consider and other factors that go into making a TPRM purchase, you need to drill down to what’s most important for your business’s risk management strategy. To choose the right third-party risk management tool for your business, be sure to ask organizational leaders and members of your cybersecurity team these kinds of questions:

• How will the solution improve the organization’s third-party risk exposure?
• How does the TPRM tool enable compliance reporting and operational management?
• Is the tool compatible with the business’s specific compliance requirements?
• Does the vendor offer flexible pricing that can scale as third-party exposure grows?
• Is this tool compatible with the organization’s budget?
• What training, deployment, and implementation support comes with this purchase?
• What integrations are compatible and/or configurable for use?
• What advanced features make this TPRM solution stand out?
• What do past and present customers of this TPRM solution say about the tool?
• Does this tool simplify the organization’s TPRM workflow?

Bottom Line: Third-Party Risk Management Tools

Even if your organization trusts and has thoroughly vetted the third-party vendors you partner with, your network becomes increasingly vulnerable to cyberattacks and noncompliance issues with each new partner you add and each new change they make to their own ecosystems. Especially with the rise of modern artificial intelligence (AI) and Internet of Things (IoT) technologies, it has become increasingly difficult to monitor and identify risk across all endpoints through traditional methods and tools.

Though third-party risk management software is a specialized kind of cybersecurity tool that won’t cover all of your network security requirements, TPRM solutions are an important component of overall network security strategy and tooling. Investing in a TPRM solution or service is one of the most effective ways to simultaneously manage your third-party relationships and the security and compliance standards to which you hold these partners.

Read next: 34 Most Common Types of Network Security Protections

This updates an August 2021 article by Sam Ingalls

The post 10 Best Third-Party Risk Management Software & Tools appeared first on eSecurity Planet.