The Results

Instant visibility

Within three hours, the breach remediation services organization swiftly provisioned Guardicore agents across more than 3,000 company servers. And, just minutes after deployment, granular visibility into networking and communications flows began to emerge, giving the incident response team the context and accurate data they needed to investigate the breach and validate containment.

Fast time to policy

Shortly after achieving much-needed visibility, teams took action to segment critical assets from the broader environment. Two crucial production applications, responsible for the only functioning manufacturing line, were quickly identified and secured. Using Guardicore, a policy was immediately introduced that restricted connections from infected subnets and parts of the data center to the applications — a task that would have taken weeks with legacy firewalls. A simple query also revealed that legacy machines connected to the internet had bypassed the legacy firewalls and were circumventing the containment restrictions. After discovering this noncompliant communication, the team created policies that effectively restricted internet access for all servers, including legacy machines, within minutes.

Preventing lateral movement during recovery

During the next part of the recovery process, the team recreated the manufacturer’s application clusters, baking in Guardicore agents. The team configured an initial policy that blocked all incoming connections and used Guardicore to identify dependencies. Then, communications were allow-listed on a need-to-have basis, only after validating the requirements and understanding the context. This approach allowed the team to recover and bring the applications affected by the ransomware attack back online without the risk of reinfection.
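The two policy steps described above (blocking infected subnets and internet egress, then rebuilding the cluster behind a block-all-inbound policy and allow-listing only validated dependencies) can be sketched as a small policy evaluator. This is an added illustration, not Guardicore's policy engine or the services company's code; the address ranges, flow records and validated-dependency list are constructed assumptions.

```python
import ipaddress

# Constructed sample data (not from the case study): flows observed after the
# rebuilt cluster came up behind a block-all-inbound policy.
OBSERVED_FLOWS = [
    ("10.20.1.15", "10.50.0.10", 1433),  # app tier -> database, an expected dependency
    ("10.20.1.16", "10.50.0.10", 1433),
    ("10.30.9.4", "10.50.0.10", 445),    # host in an infected subnet probing the database
    ("10.20.1.15", "203.0.113.7", 443),  # server reaching the internet (TEST-NET-3 address)
]
INTERNAL = ipaddress.ip_network("10.0.0.0/8")         # anything outside counts as internet
APP_CLUSTER = ipaddress.ip_network("10.50.0.0/24")    # the rebuilt production application
INFECTED_SUBNETS = [ipaddress.ip_network("10.30.0.0/16")]
# Dependencies the team validated by hand before allow-listing them (assumed list).
VALIDATED = [(ipaddress.ip_network("10.20.1.0/24"), ipaddress.ip_address("10.50.0.10"), 1433)]


def learn_allowlist(flows, validated):
    """Turn observed flows into allow rules only where a validated dependency covers them.
    Everything else is returned for human review instead of being allowed automatically."""
    allow, review = set(), []
    for src, dst, port in flows:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        hit = [v for v in validated if s in v[0] and d == v[1] and port == v[2]]
        if hit:
            allow.add(hit[0])
        else:
            review.append((src, dst, port))
    return allow, review


def decide(allow, src, dst, port):
    """Evaluate one connection: block rules first, then allow rules, then default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if d in APP_CLUSTER and any(s in net for net in INFECTED_SUBNETS):
        return "block: infected subnet"
    if d not in INTERNAL:
        return "block: internet egress"       # applies to every server, legacy ones included
    if any(s in a_src and d == a_dst and port == a_port for a_src, a_dst, a_port in allow):
        return "allow"
    return "block: default deny"              # no validated dependency covers this flow


if __name__ == "__main__":
    allow, review = learn_allowlist(OBSERVED_FLOWS, VALIDATED)
    for flow in OBSERVED_FLOWS + [("10.20.2.9", "10.50.0.10", 22)]:
        print(flow, "->", decide(allow, *flow))
    print("needs review:", review)
```

The point of the `review` list is that visibility alone does not justify an allow rule: a flow seen on the wire is only allow-listed once a validated dependency explains it.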

Future protection

The internal data center segmentation introduced during the phased recovery significantly reduced the attack surface. Today, the organization’s security posture has improved and the impact of any future breach has been greatly reduced.

Guardicore enabled the breach remediation services company to demonstrate significant added value for its customer, the manufacturer, while helping it recover from the ransomware attack. This opened up the opportunity for the services company to increase revenue, expand its footprint, and better help clients realize their IT and security goals.