Cloud Native Application

Protection Platform
The best cloud security is now even smarter
 2
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 2

The cloud has revolutionized the ways in which development teams’ work, and security
teams have strived to keep up at the same velocity and scale. With the exponential
increase in distributed assets, changes occur at a rapid pace, and different teams are
not always aligned with the security guidelines needed throughout the development
lifecycle. This has left security teams unable to stay on top of the risks within their
cloud environment, and take action quickly on the alerts most critical.
Organizations need actionable insights to drive pragmatic remediation. Unfortunately,
the majority of CNAPP solutions on the market lack the context needed, from across
workloads, to operationalize security at cloud speed and scale.
Today’s cloud environment needs more context in order to provide
smarter security—fast.
 3
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 3

More Context. Actionable Security. Smarter Prevention.

From code to cloud, Check Point CloudGuard’s CNAPP unifies cloud security, merging deeper security insights “ Check Point enables us s to maximize
to prioritize risks and prevent critical attacks—providing more context, actionable security, smarter prevention.
CloudGuard enhances visibility by enriching context, provides actionable remediation insights and speeds up
our cybersecurity posture with a
threat mitigation across diverse cloud teams.
fixed level of investment. As we need
new capabilities, we simply add them.
Check Point’s unique flexibility gives
us agility for business growth with
service continuity for our partners
More context Actionable security Smarter prevention and customers.”
Deeper visibility from code to Intelligently prioritize critical Prevent risks early in the dev
cloud across configurations, risks based on contextual pipeline, or stop them in production, —Brian Chan,
identities, vulnerabilities, analysis of all elements to while providing actionable Information Technology Director of Jebsen Group
network exposure and real time focus on the threats that remediation guidance for
security monitoring matter most misconfigurations and permissions
 4
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 4

Take advantage of industry-leading Pipeline Security, Cloud Security Posture

Management (CSPM), Cloud Infrastructure Entitlement Management (CIEM),
Workload Protection (CWPP), Web Application and API Protection (WAAP),
and Cloud Detection and Response (CDR) technologies all integrated with an
AI-driven Effective Risk Management engine (ERM) for a unified experience
and single point of decision-making.

CloudGuard’s CNAPP provides customers actionable security insights covering

public clouds, workloads, identities and applications, covering the entire development
lifecycle from code-to-cloud. CloudGuard delivers a smooth experience for agile
teams that can rely on agentless deployments and seamless integrations to
provide actionable security guidance from build through runtime.

∙ New Deep workload security visibility at scale with no agents

∙ New Understand your permissions and enforce least privilege across your clouds

∙ New Shift CNAPP left & secure your cloud applications from the start

∙ New Focus on the 1% of risks and threats that matter by putting cloud
security in context

Enhanced Cloud Security Posture Management
More context across cloud workloads and
users for greater insights
One of the great things about cloud computing is the
ability to collect telemetry from a wide variety of
sources. Monitoring, intelligence and other data
sources provide a wealth of information when it comes
to application protection. But data extraction is not
the main problem anymore, it’s establishing 100%
visibility, creating synergies, ending fragmentation, and
understanding security posture in context, so you can
make the right decisions. Check Point CloudGuard
combines context from workloads and user activity to
gain deeper security insights.
5
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 5
Gain visibility and stay compliant with CSPM
From one unified platform, you can visualize and
assess security posture, detect misconfigurations,
model and enforce gold standard policies, protect
against attacks and insider threats, and comply with
regulatory requirements and best practices. With
CloudGuard, cloud security operations are faster and
more effective, compliance and governance are
easier, and DevSecOps practices are frictionless.
 6
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 6

Deep workload security visibility at scale with no agents

Don’t rely on other teams to deploy security – Gain deep visibility with
agentless deployments to understand what is happening within your
cloud workloads.

Agentless Workload Posture (AWP) extends CloudGuard’s agentless

infrastructure visibility into workloads. AWP scans and identifies risks
including misconfigurations, malware detection, vulnerabilities
and secrets across all cloud workloads including Virtual Machines,
Containers and Serverless Functions:

∙ Immediate visibility into workloads including VMs, containers,

and serverless functions at scale

∙ Detect and alert on risks such as misconfigurations, malware,

vulnerabilities and secrets

∙ WP findings feed into CloudGuard’s contextual risk engine

(ERM) and XDR platforms

Understand Your Permissions
& Enforce Least Privilege
Across Your Clouds with Cloud
Infrastructure Entitlement
Management (CIEM)
In today’s complex cloud environment, you need to
ensure that user and workload access is optimized
with the perfect dose of permissions, while quickly
addressing over permissive roles.
With Check Point CloudGuard CIEM functionality you
get full visibility of effective permissions to quickly
identify over-permissive entitlements. CloudGuard
identifies exposure and risks quickly to automatically
generate least privilege role recommendations to
reduce access and revoke unused permissions—
helping you reach a state of zero-trust.
7
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 7
∙ Visualize effective permissions of users
and cloud services
∙ Detect unused roles, over-permissions and
risky entitlements that can put you at risk
∙ Automatically generate least privilege roles
recommendations based on actual usage
 8
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 8

Runtime Protection for Your

Cloud Workloads (CWPP)
CloudGuard provides fully automated, cloud-native workload protection.
It allows unified visibility, compliance and threat prevention across
applications, APIs and microservices (K8s containers & serverless
functions), from development through runtime. Protect workloads during
runtime, and profile and enforce function, container, and application
behavior. CloudGuard allows you to block malicious activity with
behavioral signature matching and easily set security policies and
guardrails for K8s cluster operations with admission control.

CloudGuard unifies workload protection, providing visibility, security

controls and scanning across the entire cloud workload from the
first line of code through to runtime.

∙ Achieve zero trust security across applications,

APIs, K8s and serverless functions

∙ Auto-deploy & enforce security controls

∙ Remain cloud & architecture agnostic with

protection on multi and hybrid cloud deployments
 9
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 9

Context-Based Web
Application and API
Protection (WAAP)
As a revolutionary paradigm in application security,
CloudGuard replaces legacy Web Application
Firewalls, which only work well if an excessive
amount of management resources are devoted
to maintaining them.

With CloudGuard, every incoming request is analyzed

in context. The patent-pending AI engine analyzes
risk by examining user profiles, patterns observed in
user sessions, and how other users interact with the
application. The score assigned to each request
determines how likely it is to be malicious. Through
continuous profiling of the user, application, and With deployment to protection in a matter of hours, ∙ Stop attacks against applications including
content, the engine adapts automatically to changes maintain application security with a solution that can site defacing, information leakage, digital theft,
in the application. This approach has proven to eliminate keep up even with the fastest Devops teams. and user session hijacking
false positives while maintaining the highest standards
of application security. ∙ Stop attacks against applications including site
defacing, information leakage, digital theft, and
user session hijacking
 10
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 10

Shift CNAPP Left to

Secure Applications
from the Start in Your
CI/CD Pipeline
As applications are developed faster, they often
contain hard-coded secrets or vulnerabilities
erroneously left behind, and too often reaching
your production environment. CloudGuard prevents
these exposure from reaching production and
shifts CNAPP left to streamline your application
protection at its creation. With CloudGuard CloudGuard shift-left functionality seamlessly ∙ Empower developers to fix vulnerabilities,
enforce security policies throughout the software integrates seamlessly integrates into the CI/CD misconfigurations, and exposed secrets
development lifecycle without creating friction pipeline to scan code, automate protection, proactively before code deployment
for developers. detect malware, and eliminate blind spots.
∙ Identify and remediate supply chain risks across
your pipeline tools including Git, Jenkins & more

∙ Extend workload protection throughout the CI/CD

pipeline to remediate issues prior to production
 11
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 11

Focus on the 1% of
Risks That Matter and
Fix Faster with Effective
Risk Management (ERM)
Staying on top of the flood of security alerts requires smarter action, not
harder work. CloudGuard’s Effective Risk Management (ERM) engine
prioritizes risks and provides actionable remediation guidance based
on the full context including workload posture, network exposure, identity
permissions, attack path analysis and the application business value.

Take action quickly by focusing on the 1% of risks that are the most
critical to your business, while automating security throughout your
cloud environment, with actionable insights from a contextual engine
which uses AI and risk scoring to reduce the attack surface.
∙ Prioritize risks based on full context—on figuration risks, workload posture,
network exposure, permissions, attack path, and business priorities

∙ Focus on the threats that matter across clouds, workloads and code

∙ Deliver optimized remediation guidance based on the fastest path to risk reduction
 12
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 12

Prevent Threats Proactively with

Cloud Detection and Response
Enhance findings with CloudGuard to improve threat hunting, and remediation.
By integrating information from cloud inventory and configuration, account
activity, network traffic logs, and threat feeds such as Check Point ThreatCloud
and IP reputation databases, CloudGuard provides a complete and accurate
picture for SecOps and SOC teams.

With the added intelligence layer, you can:

∙ Prevent security breaches and unauthorized activity before any vulnerabilities
can be exploited. Leveraging AI and UEBA, CloudGuard continuously
analyzes account activity and monitors network traffic for signs of
anomalies and cyber threats.

∙ Receive automatic alerts on rule infringement. Pre-built rules are

comprised of industry best practices, in-depth cybersecurity research,
the MITRE ATT&CK framework and more.

∙ Turn enriched data into actionable insights! Retrieve historical data and
perform advanced incident analysis to drive data-informed decisions.
∙ Take a visual exploration tool that interprets account activity and
network traffic logs, and provides rich contextual information.
CloudGuard provides the tools to filter out false positives, speed up triage, and simplify
incident analysis. Check Point’s world-renowned team of experts is constantly expanding
and improving alerts. Further, with the power of CloudBots technology, automatically
revert risky configuration changes, and create responses to any type of network alert
or audit trail, running entirely within your environment.
 13
CLOUD NATIVE APPLICATION
PROTECTION PL ATFORM 13

“Check Point CloudGuard CNAPP delivers a well-rounded,

industry-leading approach to cloud and DevOps
security. Best of all, we can manage the entire environment
from one place instead of having multiple management
interfaces for different parts.”
—Mark Nix, National Information Security, Risk & Governance Manager
More Context, Actionable Security, Smarter Prevention with CloudGuard
From code to cloud, Check Point CloudGuard delivers automated cloud native security, unified across your applications, workloads, and network to manage risk, maintain posture, and
prevent threats, in context, at cloud speed and scale. CloudGuard’s prevention-first approach protects applications and workloads throughout the software development lifecyle, and
includes an effective risk management engine, with automated remediation prioritization, to allow users to focus on the security risks that matter. For more information on CloudGuard,
visit www.checkpoint.com/cloudguard

Worldwide Headquarters
5 Ha’Solelim Street, Tel Aviv 67897, Israel | Tel: 972-3-753-4555 | Fax: 972-3-624-1100 | Email: [email protected]
U.S. Headquarters
959 Skyway Road, Suite 300, San Carlos, CA 94070 | Tel: 800-429-4391; 650-628-2000 | Fax: 650-654-4233
www.checkpoint.com

© 2024 Check Point Software Technologies Ltd. All rights reserved.