White Paper | Consolidating Kubernetes, Container, and Cloud Security with Check Point CloudGuard

White Paper | Consolidating Kubernetes, Container, and Cloud Security with Check Point CloudGuard

This white paper explores the strategic and operational benefits of Check Point CloudGuard in securing Kubernetes, container, and cloud environments. It highlights the dual-axes defense-in-depth concept, addressing security across the software development lifecycle and runtime stack. Learn how CloudGuard protects over 1 billion assets with advanced AI-powered security. Download the white paper to learn more.

White Paper | Consolidating Kubernetes, Container, and Cloud Security with Check Point CloudGuard

Consolidating

Kubernetes, Container,

and Cloud Security with

Check Point CloudGuard

This document illustrates the strategic and operational

benefits CloudGuard can offer in the areas of cloud

security in general and container and Kubernetes

security in particular, illustrating its dual-axes Defense-

in-Depth concept and how the system is designed to

meet the structure and constraints of large enterprises,

based on our experience with CloudGuard’s 4,000

customers and the 1 billion assets we protect worldwide.

CHECK POINT CLOUDGUARD Check Point CloudGuard Dual-Axes Defense In-Depth Overview

1

© 2024 Check Point Software Technologies Ltd. All Rights Reserved

CHECK POINT CLOUDGUARD DUAL-

AXES DEFENSE IN-DEPTH OVERVIEW

Check Point CloudGuard's two-axes defense-in-depth concept is based on scanning, protection, and detection spanning two axes. One axis spans

the entire Software Development Lifecycle (SDLC) through all the stations from IDE to production. The other deploys a series of interlocking

protection and detection engines throughout the runtime stack: from inspecting network packets going in and out of the Kubernetes (K8s)

deployment, and from there peering in, inspecting kernel-level processes, network connection, configuration, K8s logs, and, finally inspecting

HTTPS and API SSL traffic, all of which leverage Check Point ThreatCloud AI indicators of compromise (IoC) database and advanced attack prevention

working independently in their respective layers.

Runtime Protection: Check Point CloudGuard offers a broad platform approach with robust defense-in-depth security with: (1) CloudGuard

Network Security NGFW provides IPS, DLP, and Threat Emulation and Extraction services at network layers 3 and 4; (2) Cloud Workload Protection

provides advanced eBPF-based scans of kernel processes and network calls; (3) Kubernetes Security Posture Management (KSPM) continuous

monitoring, ensuring adherence to frameworks and regulations. (4) Cloud Detection and Response cross-correlating logs with MITRE ATT&CK TTPs

and IoCs, and finally, (5) our signature-free AI-powered Web Application and API Firewall, which was the only WAF in the world known to have

stopped Log4Shell, MoveIt, and Fluent Bit prior to their CVE disclosure, with no signatures required.

From IDE to Production: Check Point’s shift-left and pre-runtime scans are performed by three components: one serving software engineers, one

designed for DevOps engineers, and the KSPM module for security and compliance experts. Specifically, Code Security extends shift-left scans

as far left as the developer’s machine and stretches into the CI/CD toolchain with playbooks and scan methods tailored to the needs of developers ,

while a separate component – Cloud Workload Protection (CWP) Shift-Left – scans code, configurations, and images from the CI/CD, through

registries and onwards to admission, servicing DevOps and DevSecOps, and finally, the KSPM, which continuously scans images once they are

deployed.

Operational Challenges: The approach of separating shift-left scans to software and DevOps engineers exemplifies Check Point’s separation of

tools based on the stakeholders who oversee each stage/component. Importantly, the way Check Point designs its tools is based on the premise

that security tools should be designed for their users (e.g., developers for code issues, DevOps for configuration issues, SOC for security events…)

but built for the owners of security – the CISO and the CISO-organization. In this respect, Check Point aims to give the CISO back some of the

control lost due to shift-left initiatives and the responsibilities sprawl and silos. Another notable example of addressing operational challenges is

the time to remediation. To solve this, Check Point CloudGuard offers a unique ‘Mitigation as Remediation’ approach. For instance, if a container

image is found to have a vulnerable instance of Fluent Bit, CloudGuard will suggest its WAF as a countermeasure to be deployed, at least until the

issue is addressed at the source.

CHECK POINT CLOUDGUARD A Layered Approach to Security

2

© 2024 Check Point Software Technologies Ltd. All Rights Reserved

A LAYERED APPROACH TO SECURITY

Across the SDLC: From IDE to Production

One of the main hurdles Check Point CloudGuard has noticed amongst its 4,000 customers is the different needs and “language” used by the

different stakeholders involved at different stages of the lifecycle. Coupled with the issue of a single point of failure in security solutions that

never offer a “silver bullet,” we split our shift-left inspection, detection, and scanners into three separate components.

Code Security

As mentioned, CloudGuard extends its shift left as far as the developers' host. It scans binaries, IaC, and other code artifacts with 3,000 pattern-

matchers and OPA rules running at a stunning 0.05 seconds per megabyte, ensuring that developers are made aware of any security vulnerabilities,

misconfigurations, or hardcoded secrets in artifacts even before they are committed into repositories.

Under the tagline ‘Designed for Developers; Built for the CISO, ’ CloudGuard Code Security provides on-machine, Git, Jira/Confluence, and CI/CD

scanners and hardening tools that allow security practitioners to stop developers from pushing code that does not meet specific criteria. For

instance, Helm scripts that don’t adhere to CIS Kubernetes Benchmarks, packages with CVEs, or binaries that contain hardcoded secrets (e.g., API

keys).

Cloud Workload Protection (CWP) Shift-Left

CloudGuard CWP Shift-Left extends the security from the CI/CD phase through to the Admission Control stage. At this stage, CloudGuard inspects

container images, serverless functions, and other workload artifacts before they are deployed into production. Thi s module ensures that only

workloads adhering to security best practices and compliance standards are allowed to be deployed.

By leveraging over 120 built-in frameworks, regulations, and best practices written in CloudGuard’s human -readable configuration language (GSL),

CWP Shift-Left helps DevOps teams enforce policies that prevent risky workloads from ever reaching the cloud environment. Admission Con trol

allows defining rules for deployments, such as “do not allow non-compliant image deployments” and “do not admit containers with docker socket

bind mounts,” with the option to define custom rules using GSL. This ensures workloads are both scanned and verified before e ntering production

environments.

CHECK POINT CLOUDGUARD A Layered Approach to Security

3

© 2024 Check Point Software Technologies Ltd. All Rights Reserved

Kubernetes Security Posture Management (KSPM)

Once workloads have passed the admission control stage and entered the production environment, CloudGuard’s KSPM ensures conti nuous security

for running Kubernetes clusters. KSPM enforces configuration best practices and security policies across all Kuberne tes components, including

the API server, etcd, Kubelet, and containerized applications.

CloudGuard KSPM provides real-time monitoring of the Kubernetes cluster for compliance with CIS benchmarks, RBAC roles, network policies, and

pod security configurations. It also prevents configuration drift and enforces runtime security policies, ensuring that workloads remain secure

throughout their lifecycle. By leveraging Kubernetes-native controls and runtime security mechanisms, CloudGuard reduces the risk of

misconfigurations or drift leading to security incidents and continuously scans for new vulne rabilities or misconfigurations in production

environments.

Across the Runtime Stack: From Packets, through System Calls, to APIs

Another issue Check Point has uncovered in protecting over 800 million

assets worldwide is the varying nature of Advanced Persistent Threats

and zero-day-based attacks and the breadcrumbs they leave before

and during exploitation at different layers of the runtime stack. To

tackle this, Check Point employs several components running in

parallel, each covering a specific layer of the stack.

CloudGuard Network Security NGFW

CloudGuard’s Next-Generation Firewall (NGFW) provides

comprehensive security at Layers 3 and 4, inspecting both north-south

and east-west (lateral) traffic. With features such as cross-protocol

inspection, intrusion prevention systems (IPS), data loss prevention

(DLP), and threat emulation, CloudGuard NGFW effectively prevents

attacks like malicious payloads, data exfiltration, and lateral

movement across cloud environments. By employing advanced

malware detection and bot prevention mechanisms, CloudGuard ensures full attack prevention while supporting cloud -native infrastructure such

as virtual private clouds (VPCs), subnets, and cloud WANs.

CloudGuard Cloud Workload Protection (Runtime)

At the kernel level, CloudGuard Cloud Workload Protection (CWP) monitors and protects workloads by analyzing system calls and process execution

behavior in real time. This protection ensures that any unauthorized system activity, such as attempts to access sensitive files or run malicious

binaries, is flagged and blocked before compromising the workload. In addition, CWP checks file reputation to prevent the exe cution of known

malicious files, ensuring that workloads remain secure against both known and emerging threats.

CloudGuard's Vulnerability Scanner continuously scans containers for vulnerabilities. When a new CVE is published, CloudGuard issues findings

along with relevant notifications, ensuring teams are promptly alerted to new risks. The Vulnerability Scanner is connected to multiple vulnerability

data sources, providing the most accurate and context-aware results possible. This proactive approach helps keep workloads secure even as new

threats emerge.

The anomaly detection engine continuously profiles typical workloads, detecting and preventing any deviations that might indicate a zero-day attack

or exploitation attempt. Runtime protection features such as kernel system call monitoring, file reputation scanning, and proces s whitelisting help

to prevent privilege escalation and fileless execution attacks.

CHECK POINT CLOUDGUARD Mitigation as Remediation and Risk Management

4

© 2024 Check Point Software Technologies Ltd. All Rights Reserved

CloudGuard Cloud Detection & Response

CloudGuard’s Cloud Detection & Response (CDR) module analyzes traffic logs in real -time, correlating data from cloud account activity, Kubernetes

logs, and other runtime telemetry to detect and prevent advanced threats. Using ThreatCloud AI —Check Point’s global threat intelligence engine—

CDR correlates events with MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) and enriches them with indicators of compr omise (IOCs).

This allows CDR to identify malicious activity patterns, such as unauthorized access attempts (for instance, a pod trying to access K8s metadata

service), lateral movement, or data exfiltration before they can escalate into full -blown breaches. CDR also supports integrations with SIEMs,

ticketing systems, and messaging apps to provide instant alerting and incident management capabilities.

CloudGuard Web Application and API Firewall (WAF)

At Layer 7, CloudGuard Web Application and API Firewall (WAF) ensures comprehensive protection for web applications and APIs. By offering zero -

day attack prevention without relying on signatures, CloudGuard WAF defends against web-based threats such as injections, cross-site scripting

(XSS), API misuse, and DDoS attacks. Automatic API schema mapping allows CloudGuard to monitor and protect APIs without requi ring developer

input, ensuring consistent enforcement of security policies across microservices and cloud-native applications. With features such as bot

prevention, IPS, and DLP, CloudGuard WAF maintains a 97% accuracy rate while minimizing false positives to less than 1% and is known for

preemptively stopping vulnerabilities like Log4Shell, MoveIt, and Spring4Shell without any signatures.

MITIGATION AS REMEDIATION AND

RISK MANAGEMENT

The last main issue Check Point identified with its CloudGuard customers was the dangerously long time it takes teams to remed iate issues. This

was also highlighted in CSA’s latest State of Remediation report, which shows that even for critical issues, it t akes 46.1 hours on average from

detection to fix. Furthermore, according to the 2024 Verizon DBIR report, “patching doesn’t pick up until after the 30-day mark”. During this period,

organizations are vulnerable to exploitation, especially in cloud environments where attacks can spread rapidly.

To address this challenge, CloudGuard introduces its Toxic Combinations feature, which identifies potential risks by correlating different

misconfigurations and vulnerabilities that could lead to exploitation together. Toxic Combinations not only highlight what the problem is but also

assess the likelihood of an issue being exploited within a certain number of days, helping teams prioritize their remediation efforts more effectively.

CHECK POINT CLOUDGUARD Conclusion

5

© 2024 Check Point Software Technologies Ltd. All Rights Reserved

For example, if a Toxic Combination reveals a critical

vulnerability with a high likelihood of exploitation

within the next few days, CloudGuard can recommend

immediate mitigation strategies. One of the key

mitigation options offered is its Web Application

Firewall (WAF). If a toxic combination of

misconfigurations or vulnerabilities is detected—such

as a container image containing a vulnerable Fluent

Bit package (commonly used for Kubernetes

monitoring)—CloudGuard will suggest applying the

WAF to break the attack path from materializing. This

allows the WAF to act as a mitigation until engineers

fully patch the underlying issues.

CONCLUSION

Check Point CloudGuard provides a comprehensive solution for securing containerized and Kubernetes workloads throughout the ap plication

lifecycle. By combining advanced Shift-Left capabilities with robust Runtime Protection and Zero-Day Defense, CloudGuard enables

organizations to protect their cloud environments from today’s most advanced threats. Whether addressing code risks early in development

or defending against runtime threats, CloudGuard delivers the tools and insights needed to secure Kubernetes workloads and containers

across cloud environments while addressing security and business challenges faced by organizations.

Strong Performer

Forrester Wave for

Cloud Workload Security Report

Leader

Frost & Sullivan Radar for

Cloud Workload Protection Platforms

Leader

GigaOm Radar for

Cloud Workload Security

Worldwide Headquarters

5 Shlomo Kaplan Street, Tel Aviv 6789159, Israel | Tel: +972-3-753-4599

U.S. Headquarters

100 Oracle Parkway, Suite 800, Redwood City, CA 94065 | Tel: 1-800-429-4391

www.checkpoint.com

© 2024 Check Point Software Technologies Ltd. All rights reserved.


Item Type: pdf