Posts

Press Release:

OPAQ Awarded Patent for Software-Defined Network Segmentation

Innovation Used in Security-as-a-Service Platform Monitors and Enforces Security Policies on Devices from the Cloud

HERNDON, Va. – Dec. 12, 2018 – OPAQ, the network security cloud company, today announced that it has received a patent from the United States Patent & Trademark Office for its software-defined network segmentation technology that monitors connection requests on endpoint devices and transparently enforces security policies to prevent lateral attacks on corporate networks (Patent # 10,122,760). The patented approach is part of the OPAQ Cloud, a platform-as-a-service that enables managed service providers to deliver Fortune 100-grade security to midsize enterprises. With this technology, OPAQ is the only cloud security service that can offer seamless enforcement of security policies at both the network and the endpoint.

This is the fourth patent awarded for intellectual property within OPAQ’s technology portfolio. The others cover cyber security inventions for risk analysis reporting (# 8,793,151), correlating information across distinct domains (# 9,104,710), and providing a global virtual perimeter through distributed points of presence (# 9,197,601 B2).

“The details of the recent SamSam Ransomware indictments highlighted the way that attackers spread within internal networks to infect entire organizations,” said Tom Cross, CTO of OPAQ. “Talk to any security professional, and they’ll tell you that network segmentation is an important best practice that can help mitigate the spread of malware and lateral movement by attackers. Unfortunately, a lot of organizations don’t do a good job at segmentation, in part because the traditional approach of using VLANs, routers, and switches is too brittle and expensive to maintain. OPAQ’s breakthrough technology simplifies segmentation by allowing dynamic policies that respond automatically as users move within a campus. Sometimes referred to as microsegmentation, this technology enables service providers to help their customers adopt a Zero Trust security posture entirely using cloud-based controls, without having to perform expensive truck rolls in order to configure on premises equipment.”

Highlights of the OPAQ Patent

The patented invention works in the following way:

  • Cloud-hosted controllers communicate with software agents on endpoint computers.
  • The agents monitor connections to and from each endpoint, and assesses them against security policies from the controllers, which can adapt in real time to changes on the network.
  • Service providers gain complete visibility into and control over east-west traffic on customer networks, with the ability to craft policies and rapidly respond to incidents.
  • The endpoint agents can be configured from the cloud to perform automated responses (enforce step-up/multi-factor authentication, block a connection request, quarantine the device, etc.) when a security policy violation occurs, or an additional authentication is required.

About OPAQ

OPAQ is the premier network security cloud company. OPAQ’s platform-as-a-service enables partners to deliver Fortune 100-grade security-as-a-service to midsize enterprises on a fully encrypted SD-WAN optimized for speed and performance. With OPAQ, service providers are equipped with a simplified ability to centrally monitor security performance and compliance maturity, generate reports, manage security infrastructure, and enforce policies – all through a single interface. This empowers OPAQ partners to grow revenue and margins, eliminate complexity and costs, and establish a competitive advantage that helps them attract and retain customers. Based in Northern Virginia, OPAQ is privately held and is funded by Greenspring Associates, Columbia Capital, Harmony Partners, and Zero-G, Inc. To learn more, visit www.opaq.com.

 

Media Contact:

Marc Gendron
Marc Gendron PR for OPAQ
781-237-0341
[email protected]

Drawing a New Map of Enterprise Networking

Earlier this year I got to hear Tim O’Reilly speak at Grand Central Tech as part of their Authors @ GCT lecture series. Mr. O’Reilly is out promoting his new book, “WTF? What’s the Future and Why It’s Up To Us.” One of themes of his book is the process of innovation – how we go about creating technologies that completely change the way that we think, work, and live.

O’Reilly writes about drawing visual maps of the different elements within a company’s business plan, in order to understand how they interrelate with each other, a process that he learned about from a strategic consulting firm called BEAM. He then proceeds to draw such a map for an on-demand transportation company like Uber or Lyft.

There was a particular way that on-demand transportation worked a decade ago – you called a cab company, and a dispatcher announced your location on a radio network, and hopefully one of the cab drivers agreed to pick you up. Over time a particular set of technologies have become available, including the Internet, smart phones, and dispatching algorithms, that have enabled a completely different way of organizing this process. However, the new map for on-demand transportation didn’t draw itself – it was the job of innovators to realize that an opportunity existed to connect each of these ingredients in a new way, and to persuade the public that this new way is, in fact, a better way.

Of course, this got me thinking about what we’re doing at OPAQ Networks. IT organizations have been building enterprise networks in the same way ever since we started connecting businesses to the Internet in the early 1990’s. I usually credit Steven Bellovin and William Cheswick for drawing the original maps of this territory in their book “Firewalls and Internet Security.” This model is often called the “perimeter security model” – “We’ve got a bunch of sensitive computer systems here in our corporate headquarters, so we connected all of our satellite offices into that headquarters and we’ve built a stack of security solutions there to protect everything.”

Over time that model has started to show signs of strain. The sensitive systems that used to collect at headquarters are gone – they’ve moved into the cloud. However, the security stack is still there, and all kinds of traffic is still getting backhauled through headquarters for the sole purpose of sending it through the stack. Despite this approach, attackers are successfully getting inside by infecting end user workstations. Once their malware is running on the other side of the firewall, they have free range over the internal network and can get right to the data they want to steal.

At OPAQ Networks we are building a new map for this territory. First, we’re moving the security stack into the cloud, where the sensitive assets now live. This solves the backhaul problem, because satellite offices and remote VPN users can connect to cloud assets through our network instead of backhauling through a corporate headquarters. OPAQ has a nationwide network of points of presence and more than 200 peering relationships with major service providers that enable us to get traffic to it’s destination as efficiently and reliably as possible. Most small and medium sized enterprises don’t have the means to build this kind of infrastructure for themselves.

Second, we’re introducing software-defined network segmentation, a completely new technology that provides enterprises with unparalleled visibility and control over their internal networks. Using this tool, it’s possible to granularly segment internal networks so that end users only have access to the resources that they need, without having to reconfigure VLANs or wrestle with NAC solutions. Our partners’ midsize customers are able to adopt a better security posture, so that a single endpoint compromise does not imperil their entire business.

We are entering a time when the traditional way of building enterprise networks is being disrupted, and other maps are being drawn. Google’s BeyondCorp is one such map, along with the idea of Zero Trust Networks that was eloquently detailed in a recent O’Reilly publication. These approaches suggest doing away with the VPN and the security stack entirely, placing internal applications directly on the Internet and connecting users to them through authenticating proxy servers.

While I believe the BeyondCorp approach has merit, and there is a great deal that we can learn from it, it’s also very difficult for small and medium sized businesses to adopt. The traditional security stack delivered from the cloud has value, particularly for businesses where consistent patch and configuration management can be a challenge. The VPN has value, because it draws a clear line between the organization’s assets and the outside world. The problem is that these assets are often hosted in the wrong place today, and better segmentation is needed behind them.

This is what we’re doing at OPAQ Networks – we’re drawing a new map for the practice of enterprise networking in the cloud computing era. By leveraging network security-as-a-service, software-define network segmentation, and a modern, global network infrastructure, we’re enabling our customers to build networks that are more efficient, reliable, and secure than they have ever been before.

Simplified Microsegmentation — From the Cloud

It is time to change the way that organizations approach network segmentation. In the past few years we have seen a mounting collection of threats target the wide open nature of most organizations’ internal computer networks. Although security pros have been harping on this for some time, most networks remain crunchy on the outside and chewy in the middle – once attackers get past the perimeter, they often have access to any and everything inside the organization.

We’ve seen repeated threats recently exploit this exposure. We’ve seen incidents where entire organizations are crippled from ransomware spreading internally within their networks. We’ve seen the return of internet worms like WannaCry and NotPetya. We’ve seen more automated attacks that pivot from an initial point of compromise within a Windows network to Domain Admin access. In fact, experts are predicting significant increases in the volume of these attacks because of developments in attack automation.

Almost every organization needs to improve their network segmentation strategy in their internal network to cut down on these threats. What is preventing organizations from taking action?

Traditional Network Segmentation is Complex and Difficult to Manage

Unfortunately, the traditional approach to implementing network segmentation poses significant challenges. Configuring and managing internal firewalls and VLANs is both labor intensive and relatively inflexible. Network architecture is usually driven by the need to provide connectivity rather than security. Organizing machines with different security requirements onto separate VLANs is complex, and as soon as the work is done, users demand changes. Deploying multi-factor authentication for internal applications and services can also be a daunting project as each application must be separately integrated.

It’s no wonder organizations — particularly midsize enterprises — continue to struggle with implementing a smart, sustainable network segmentation strategy. What are midsize enterprises — and the service providers supporting them — supposed to do?

Zero Trust Software-Defined Network Segmentation from the Cloud

The term “microsegmentation” has recently become a buzzword in the IT world. These solutions provide a manageable way to lock down east/west traffic policies for cloud workloads. However, many of the threats we’re seeing – ransomware, worms, and domain lateralization – target end user workstations instead. What organizations need is a technology that provides easy-to-deploy software-defined microsegmentation capability that is flexible enough to support the entire enterprise network.

Since the acquisition of Drawbridge Networks in May 2017, we have embarked on integrating unique intellectual property into the OPAQ Cloud that allows users to manage software-defined microsegmentation for the entire enterprise, from a single pane of glass. The OPAQ PathProtect™ capability dramatically simplifies network segmentation, enhances network visibility and control, and enforces policy locally at each device, whether it’s a cloud workload or an employee laptop.

OPAQ PathProtect™ works by connecting software agents running on endpoints with a central controller hosted in the OPAQ Cloud. This architecture provides visibility and control from the cloud into every network interaction happening on every endpoint. This capability gives you the power to investigate incidents, protect against insider and external attacks, and prevent certain devices, such as compromised endpoints, from talking to other workstations on the network.

Microsegmentation with OPAQ PathProtect™ can be used to define granular access segments for users that operate independently from the network’s hardware and physical topology. It also can be easily updated when business needs change. Segments can be defined based on user identity, group membership and job function, and they will follow users as their laptops move throughout the network. OPAQ PathProtect™ can be used to enforce multi-factor authentication for access to any resource or service on the network, without any need to integrate with individual applications. This is possible because the central controller oversees all communication within the network and can authenticate users before allowing traffic to flow.

These capabilities allow organizations to adopt a security posture that is more aligned with Zero Trust security principles, in which users only have access to the specific applications required by their job function. Cutting down on unnecessary access closes the avenues that malware and network attackers use to spread laterally within an organization.

Microsegmentation for Endpoints, Not Just Data Centers

OPAQ PathProtect™ is a microsegmentation solution that can protect the whole network, including workstations, servers, datacenters, and cloud workloads, supporting the following capabilities and use cases:

  • Network Visibility provides detailed topological views of the interactions between hosts on the internal network. It is possible to drill down into different timeframes, hosts, users, process names, ports, and protocols for complete insight into network activity.
  • Network Access Control (NAC) to assign which resources, hosts and users can access services on the network. For example, unmanaged hosts can be prevented from accessing sensitive servers, and are identified and cataloged when they send traffic.
  • Multi -Factor Authentication (MFA) integration enables step-up authentication to tighten security for VPN access and within the internal network.
  • Granular Segmentation which is completely separate from the physical network architecture or network addressing, can be used to segment specific devices, applications, and data, and can keep track of hosts as they move around the network.
  • Quarantine allows organizations to quickly isolate infected hosts from sensitive resources at the touch of a button.

To find out more, view the press announcement, sign up for our upcoming webcast and schedule a demo to see how simple microsegmentation can be from the cloud.

OPAQ CTO Tom Cross Writes on Lateralization Attacks in First Article on CSO Online

Lateralization attacks are commonly used in most sophisticated breaches today. An adversary will typically gain a foothold inside the victim’s network by installing malware on a vulnerable device.

From there, the attacker will compromise other computers within the organization by moving laterally throughout the compromised network. A number of experts are predicting an increase this year in Windows Domain lateralization attacks. Organizations are increasingly looking for a solution that can prevent and isolate lateralization attacks from spreading in their network.

OPAQ chief technology officer Tom Cross was recently invited to be a regular contributor to CSOonline, one of our industry’s most respected publications. In Tom’s first article, he discusses lateralization attacks against Windows networks, and how to defend against them. You can read the full article here.

A Bigger Scope Means A Bigger Mission

Today, I am excited to announce that Drawbridge Networks is officially part of the OPAQ Networks team!

When we started Drawbridge Networks, we had a very clear mission of empowering companies to understand and defend their networks better than attackers. This was not an easy thing to tackle and required thinking outside of the box to create innovative technology that could achieve this goal.

Joining OPAQ Networks expands the scope of what the Drawbridge Networks team set out originally to do. The delivery, scale, and provisioning mechanisms of the OPAQ 360 platform combined with Drawbridge’s unique approach to micro-segmentation make a unified solution extremely powerful.

As security capabilities move off the customer premise, there is a need to enforce controls between different internal network segments. The Drawbridge technology enables this by providing a software-defined overlay capability using endpoint agents that can be managed from the cloud. The integration of this capability into OPAQ’s cloud-based platform enables customers to eliminate complexity and costs associated with the traditional product-centric approach to security without compromising the same local network security assurances that they have previously relied on.

This integrated offering not only creates a ton of value and capability for clients, but will serve as a foundation for what will be extremely powerful security technology going forward – stay tuned!