White Paper | Consolidating Kubernetes, Container, and Cloud Security with Check Point CloudGuard
This white paper explores the strategic and operational benefits of Check Point CloudGuard in securing Kubernetes, container, and cloud environments. It highlights the dual-axes defense-in-depth concept, addressing security across the software development lifecycle and runtime stack. Learn how CloudGuard protects over 1 billion assets with advanced AI-powered security. Download the white paper to learn more.

Consolidating
Kubernetes, Container,
and Cloud Security with
Check Point CloudGuard
This document illustrates the strategic and operational
benefits CloudGuard can offer in the areas of cloud
security in general and container and Kubernetes
security in particular, illustrating its dual-axes Defense-
in-Depth concept and how the system is designed to
meet the structure and constraints of large enterprises,
based on our experience with CloudGuard’s 4,000
customers and the 1 billion assets we protect worldwide.
CHECK POINT CLOUDGUARD Check Point CloudGuard Dual-Axes Defense In-Depth Overview
1
© 2024 Check Point Software Technologies Ltd. All Rights Reserved
CHECK POINT CLOUDGUARD DUAL-
AXES DEFENSE IN-DEPTH OVERVIEW
Check Point CloudGuard's two-axes defense-in-depth concept is based on scanning, protection, and detection spanning two axes. One axis spans
the entire Software Development Lifecycle (SDLC) through all the stations from IDE to production. The other deploys a series of interlocking
protection and detection engines throughout the runtime stack: from inspecting network packets going in and out of the Kubernetes (K8s)
deployment, and from there peering in, inspecting kernel-level processes, network connection, configuration, K8s logs, and, finally inspecting
HTTPS and API SSL traffic, all of which leverage Check Point ThreatCloud AI indicators of compromise (IoC) database and advanced attack prevention
working independently in their respective layers.
Runtime Protection: Check Point CloudGuard offers a broad platform approach with robust defense-in-depth security with: (1) CloudGuard
Network Security NGFW provides IPS, DLP, and Threat Emulation and Extraction services at network layers 3 and 4; (2) Cloud Workload Protection
provides advanced eBPF-based scans of kernel processes and network calls; (3) Kubernetes Security Posture Management (KSPM) continuous
monitoring, ensuring adherence to frameworks and regulations. (4) Cloud Detection and Response cross-correlating logs with MITRE ATT&CK TTPs
and IoCs, and finally, (5) our signature-free AI-powered Web Application and API Firewall, which was the only WAF in the world known to have
stopped Log4Shell, MoveIt, and Fluent Bit prior to their CVE disclosure, with no signatures required.
From IDE to Production: Check Point’s shift-left and pre-runtime scans are performed by three components: one serving software engineers, one
designed for DevOps engineers, and the KSPM module for security and compliance experts. Specifically, Code Security extends shift-left scans
as far left as the developer’s machine and stretches into the CI/CD toolchain with playbooks and scan methods tailored to the needs of developers ,
while a separate component – Cloud Workload Protection (CWP) Shift-Left – scans code, configurations, and images from the CI/CD, through
registries and onwards to admission, servicing DevOps and DevSecOps, and finally, the KSPM, which continuously scans images once they are
deployed.
Operational Challenges: The approach of separating shift-left scans to software and DevOps engineers exemplifies Check Point’s separation of
tools based on the stakeholders who oversee each stage/component. Importantly, the way Check Point designs its tools is based on the premise
that security tools should be designed for their users (e.g., developers for code issues, DevOps for configuration issues, SOC for security events…)
but built for the owners of security – the CISO and the CISO-organization. In this respect, Check Point aims to give the CISO back some of the
control lost due to shift-left initiatives and the responsibilities sprawl and silos. Another notable example of addressing operational challenges is
the time to remediation. To solve this, Check Point CloudGuard offers a unique ‘Mitigation as Remediation’ approach. For instance, if a container
image is found to have a vulnerable instance of Fluent Bit, CloudGuard will suggest its WAF as a countermeasure to be deployed, at least until the
issue is addressed at the source.
CHECK POINT CLOUDGUARD A Layered Approach to Security
2
© 2024 Check Point Software Technologies Ltd. All Rights Reserved
A LAYERED APPROACH TO SECURITY
Across the SDLC: From IDE to Production
One of the main hurdles Check Point CloudGuard has noticed amongst its 4,000 customers is the different needs and “language” used by the
different stakeholders involved at different stages of the lifecycle. Coupled with the issue of a single point of failure in security solutions that
never offer a “silver bullet,” we split our shift-left inspection, detection, and scanners into three separate components.
Code Security
As mentioned, CloudGuard extends its shift left as far as the developers' host. It scans binaries, IaC, and other code artifacts with 3,000 pattern-
matchers and OPA rules running at a stunning 0.05 seconds per megabyte, ensuring that developers are made aware of any security vulnerabilities,
misconfigurations, or hardcoded secrets in artifacts even before they are committed into repositories.
Under the tagline ‘Designed for Developers; Built for the CISO, ’ CloudGuard Code Security provides on-machine, Git, Jira/Confluence, and CI/CD
scanners and hardening tools that allow security practitioners to stop developers from pushing code that does not meet specific criteria. For
instance, Helm scripts that don’t adhere to CIS Kubernetes Benchmarks, packages with CVEs, or binaries that contain hardcoded secrets (e.g., API
keys).
Cloud Workload Protection (CWP) Shift-Left
CloudGuard CWP Shift-Left extends the security from the CI/CD phase through to the Admission Control stage. At this stage, CloudGuard inspects
container images, serverless functions, and other workload artifacts before they are deployed into production. Thi s module ensures that only
workloads adhering to security best practices and compliance standards are allowed to be deployed.
By leveraging over 120 built-in frameworks, regulations, and best practices written in CloudGuard’s human -readable configuration language (GSL),
CWP Shift-Left helps DevOps teams enforce policies that prevent risky workloads from ever reaching the cloud environment. Admission Con trol
allows defining rules for deployments, such as “do not allow non-compliant image deployments” and “do not admit containers with docker socket
bind mounts,” with the option to define custom rules using GSL. This ensures workloads are both scanned and verified before e ntering production
environments.
CHECK POINT CLOUDGUARD A Layered Approach to Security
3
© 2024 Check Point Software Technologies Ltd. All Rights Reserved
Kubernetes Security Posture Management (KSPM)
Once workloads have passed the admission control stage and entered the production environment, CloudGuard’s KSPM ensures conti nuous security
for running Kubernetes clusters. KSPM enforces configuration best practices and security policies across all Kuberne tes components, including
the API server, etcd, Kubelet, and containerized applications.
CloudGuard KSPM provides real-time monitoring of the Kubernetes cluster for compliance with CIS benchmarks, RBAC roles, network policies, and
pod security configurations. It also prevents configuration drift and enforces runtime security policies, ensuring that workloads remain secure
throughout their lifecycle. By leveraging Kubernetes-native controls and runtime security mechanisms, CloudGuard reduces the risk of
misconfigurations or drift leading to security incidents and continuously scans for new vulne rabilities or misconfigurations in production
environments.
Across the Runtime Stack: From Packets, through System Calls, to APIs
Another issue Check Point has uncovered in protecting over 800 million
assets worldwide is the varying nature of Advanced Persistent Threats
and zero-day-based attacks and the breadcrumbs they leave before
and during exploitation at different layers of the runtime stack. To
tackle this, Check Point employs several components running in
parallel, each covering a specific layer of the stack.
CloudGuard Network Security NGFW
CloudGuard’s Next-Generation Firewall (NGFW) provides
comprehensive security at Layers 3 and 4, inspecting both north-south
and east-west (lateral) traffic. With features such as cross-protocol
inspection, intrusion prevention systems (IPS), data loss prevention
(DLP), and threat emulation, CloudGuard NGFW effectively prevents
attacks like malicious payloads, data exfiltration, and lateral
movement across cloud environments. By employing advanced
malware detection and bot prevention mechanisms, CloudGuard ensures full attack prevention while supporting cloud -native infrastructure such
as virtual private clouds (VPCs), subnets, and cloud WANs.
CloudGuard Cloud Workload Protection (Runtime)
At the kernel level, CloudGuard Cloud Workload Protection (CWP) monitors and protects workloads by analyzing system calls and process execution
behavior in real time. This protection ensures that any unauthorized system activity, such as attempts to access sensitive files or run malicious
binaries, is flagged and blocked before compromising the workload. In addition, CWP checks file reputation to prevent the exe cution of known
malicious files, ensuring that workloads remain secure against both known and emerging threats.
CloudGuard's Vulnerability Scanner continuously scans containers for vulnerabilities. When a new CVE is published, CloudGuard issues findings
along with relevant notifications, ensuring teams are promptly alerted to new risks. The Vulnerability Scanner is connected to multiple vulnerability
data sources, providing the most accurate and context-aware results possible. This proactive approach helps keep workloads secure even as new
threats emerge.
The anomaly detection engine continuously profiles typical workloads, detecting and preventing any deviations that might indicate a zero-day attack
or exploitation attempt. Runtime protection features such as kernel system call monitoring, file reputation scanning, and proces s whitelisting help
to prevent privilege escalation and fileless execution attacks.
CHECK POINT CLOUDGUARD Mitigation as Remediation and Risk Management
4
© 2024 Check Point Software Technologies Ltd. All Rights Reserved
CloudGuard Cloud Detection & Response
CloudGuard’s Cloud Detection & Response (CDR) module analyzes traffic logs in real -time, correlating data from cloud account activity, Kubernetes
logs, and other runtime telemetry to detect and prevent advanced threats. Using ThreatCloud AI —Check Point’s global threat intelligence engine—
CDR correlates events with MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures) and enriches them with indicators of compr omise (IOCs).
This allows CDR to identify malicious activity patterns, such as unauthorized access attempts (for instance, a pod trying to access K8s metadata
service), lateral movement, or data exfiltration before they can escalate into full -blown breaches. CDR also supports integrations with SIEMs,
ticketing systems, and messaging apps to provide instant alerting and incident management capabilities.
CloudGuard Web Application and API Firewall (WAF)
At Layer 7, CloudGuard Web Application and API Firewall (WAF) ensures comprehensive protection for web applications and APIs. By offering zero -
day attack prevention without relying on signatures, CloudGuard WAF defends against web-based threats such as injections, cross-site scripting
(XSS), API misuse, and DDoS attacks. Automatic API schema mapping allows CloudGuard to monitor and protect APIs without requi ring developer
input, ensuring consistent enforcement of security policies across microservices and cloud-native applications. With features such as bot
prevention, IPS, and DLP, CloudGuard WAF maintains a 97% accuracy rate while minimizing false positives to less than 1% and is known for
preemptively stopping vulnerabilities like Log4Shell, MoveIt, and Spring4Shell without any signatures.
MITIGATION AS REMEDIATION AND
RISK MANAGEMENT
The last main issue Check Point identified with its CloudGuard customers was the dangerously long time it takes teams to remed iate issues. This
was also highlighted in CSA’s latest State of Remediation report, which shows that even for critical issues, it t akes 46.1 hours on average from
detection to fix. Furthermore, according to the 2024 Verizon DBIR report, “patching doesn’t pick up until after the 30-day mark”. During this period,
organizations are vulnerable to exploitation, especially in cloud environments where attacks can spread rapidly.
To address this challenge, CloudGuard introduces its Toxic Combinations feature, which identifies potential risks by correlating different
misconfigurations and vulnerabilities that could lead to exploitation together. Toxic Combinations not only highlight what the problem is but also
assess the likelihood of an issue being exploited within a certain number of days, helping teams prioritize their remediation efforts more effectively.
CHECK POINT CLOUDGUARD Conclusion
5
© 2024 Check Point Software Technologies Ltd. All Rights Reserved
For example, if a Toxic Combination reveals a critical
vulnerability with a high likelihood of exploitation
within the next few days, CloudGuard can recommend
immediate mitigation strategies. One of the key
mitigation options offered is its Web Application
Firewall (WAF). If a toxic combination of
misconfigurations or vulnerabilities is detected—such
as a container image containing a vulnerable Fluent
Bit package (commonly used for Kubernetes
monitoring)—CloudGuard will suggest applying the
WAF to break the attack path from materializing. This
allows the WAF to act as a mitigation until engineers
fully patch the underlying issues.
CONCLUSION
Check Point CloudGuard provides a comprehensive solution for securing containerized and Kubernetes workloads throughout the ap plication
lifecycle. By combining advanced Shift-Left capabilities with robust Runtime Protection and Zero-Day Defense, CloudGuard enables
organizations to protect their cloud environments from today’s most advanced threats. Whether addressing code risks early in development
or defending against runtime threats, CloudGuard delivers the tools and insights needed to secure Kubernetes workloads and containers
across cloud environments while addressing security and business challenges faced by organizations.
Strong Performer
Forrester Wave for
Cloud Workload Security Report
Leader
Frost & Sullivan Radar for
Cloud Workload Protection Platforms
Leader
GigaOm Radar for
Cloud Workload Security
Worldwide Headquarters
5 Shlomo Kaplan Street, Tel Aviv 6789159, Israel | Tel: +972-3-753-4599
U.S. Headquarters
100 Oracle Parkway, Suite 800, Redwood City, CA 94065 | Tel: 1-800-429-4391
www.checkpoint.com
© 2024 Check Point Software Technologies Ltd. All rights reserved.