By Ryan Smith, Head of Product at Deepfence. Deepfence were finalists in the Cloud Security Innovator of the Year, and Best Open Source Security Solution categories at The 2024 Cloud Security Awards.


According to Gartner, cloud native is the future of enterprise development.

A recent study shows that, by 2028, cloud native platforms will serve as the foundation for more than 95% of new digital initiatives, up from less than 50% in 2023. As these footprints expand, so do threats, making it crucial to understand the security posture of applications at runtime.

Securing cloud native applications requires a different approach than securing traditional applications, because they are typically built from microservices and deployed in containers, which introduce new vulnerabilities and attack vectors. Ensuring security throughout the CI/CD pipeline and adopting a DevSecOps culture is essential, but can be challenging.

In cloud native environments, it can be difficult to achieve complete visibility over all assets and workloads at runtime. The dynamic nature of the cloud, with its scalable and ephemeral resources, complicates the task of maintaining an up-to-date inventory and understanding the security posture in real time. This lack of runtime visibility can hinder the effective management of security controls and policies. Coupled with the deluge of alerts coming from various security tools, it leaves security professionals struggling to know exactly where to start making changes to reduce the risk posture across their environment.

In the continuously shifting cybersecurity domain, cloud native application protection platforms (CNAPPs) have emerged as a new, comprehensive approach to security. CNAPPs consolidate multiple cloud security tools and functions into a single platform, which can help to reduce complexity and overhead. While CNAPPs are becoming increasingly popular, there are still strides to be made as the technology continues to evolve. Context and prioritization matter most: they enable teams to identify critical vulnerabilities amid a sea of alerts and expedite mitigation efforts.

Let’s consider a few ways CNAPPs can deliver on this critical need.

How Context Strengthens Runtime Security

In the cloud native landscape, where a plethora of teams and projects often obscure visibility, discerning between critical and non-critical vulnerabilities becomes a pivotal task. Alert fatigue is a significant impediment to progress for many teams, who are sifting through countless alerts, many of which are non-actionable. In fact, Deepfence research has shown that some runtime scans reveal as many as 100,000 vulnerabilities. It’s a problem of scale that cannot be ignored.

It is important to build context into security strategies to understand which alerts are truly critical and require an organization’s immediate attention. In cloud security, context encompasses various factors, including user behavior, the nature of the data involved, infrastructure metrics, and system health. Becoming context-centric can transform vulnerability management within a CNAPP and foster the development of proficient security protocols.

Context matters because not all vulnerabilities are created equal. While CVEs are published with severity scores attached, those scores offer no insight specific to a company’s own environment, risk posture, data policies, compliance requirements, and business priorities. Even medium or low-severity vulnerabilities can pose heightened risk if they are widely exposed, especially if they are exploitable at scale or affect a critical business application that handles sensitive data. Without contextual insights, companies can waste time and resources deciding which vulnerabilities to address, and may end up chasing the wrong ones.

There are five pivotal focus areas to gather context: application, data, network, host, and identity. In-depth telemetry from one or more of these areas can help to identify and prioritize the most significant vulnerabilities and attack routes. A context-centric approach must also incorporate an understanding of business-critical services and the nature of data managed by different applications, as well as be able to discern network contexts and monitor identity facets such as API keys and tokens.
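The re-ranking described above can be made concrete. The following is an added example written for this article, not Deepfence's code or scoring model: it takes a published CVSS score and adjusts it with one signal from each of the five context areas (application, data, network, host, identity) plus exploit availability. The weights, the `Finding` fields, and the `CVE-PLACEHOLDER-*` identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability finding enriched with runtime context.

    The CVE identifiers used below are constructed placeholders, not real advisories.
    """
    cve: str
    package: str
    workload: str
    cvss: float                    # published base score, 0.0 to 10.0
    loaded_at_runtime: bool        # application: vulnerable library mapped into a running process
    internet_exposed: bool         # network: workload reachable from outside the cluster
    handles_sensitive_data: bool   # data: workload processes regulated or confidential data
    privileged: bool               # host: privileged container or shared host namespaces
    secrets_mounted: bool          # identity: API keys or tokens present in the workload
    exploit_available: bool        # public exploit code exists


# Illustrative weights: an assumption of this example, not an industry standard.
UNLOADED_DISCOUNT = 0.2
WEIGHTS = {
    "internet_exposed": 1.5,
    "handles_sensitive_data": 1.3,
    "privileged": 1.3,
    "secrets_mounted": 1.2,
    "exploit_available": 1.4,
}


def context_score(f: Finding) -> float:
    """Adjust the published CVSS score with the five context areas plus exploit availability.

    The result is deliberately unbounded: it is a ranking key used alongside
    the CVSS score, not a replacement for it.
    """
    score = f.cvss
    if not f.loaded_at_runtime:
        score *= UNLOADED_DISCOUNT   # present on disk but never executed: low practical risk
    for attr, weight in WEIGHTS.items():
        if getattr(f, attr):
            score *= weight
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Return findings ordered by context-adjusted score, highest first."""
    scored = [(f, context_score(f)) for f in findings]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: three findings across two workloads. Note that the
# "critical" finding A is in a library that is never loaded, while the
# "medium" finding B sits in an internet-exposed workload holding sensitive
# data and mounted credentials.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", "libalpha", "pod-batch", 9.8, False, False, False, False, False, True),
    Finding("CVE-PLACEHOLDER-B", "libbeta", "pod-api", 5.5, True, True, True, False, True, False),
    Finding("CVE-PLACEHOLDER-C", "libgamma", "pod-api", 7.5, True, False, False, False, False, False),
]

if __name__ == "__main__":
    for f, s in prioritize(SAMPLE_FINDINGS):
        print(f"{s:6.2f}  (cvss {f.cvss:4.1f})  {f.cve:20}  {f.workload}/{f.package}")
```

Run as a script, the sample ranks B (5.5 CVSS) above C (7.5) and A (9.8), which is exactly the inversion the paragraph describes: a medium vulnerability in an exposed workload handling sensitive data outranks a critical one that is never executed. The CVSS score is kept in the output so an analyst can always see why the ranking differs from the published severity.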

Gathering Deep Context for Runtime Security

As practitioners evaluate CNAPP technology, they should consider the following capabilities and how well a given solution delivers them.

First, the technology should offer deep traffic visibility, covering both North-South and East-West traffic. It should also be able to see encrypted as well as plain text traffic within the network. Teams can use this visibility to match traffic against Emerging Threats rulesets and the ModSecurity Core Rule Set. Comprehensive and granular inspection of network traffic enables early detection and prevention of potential threats in real time. Teams can observe and correlate anomalous behavior across file systems, processes and system calls, network traffic, security scans, SBOMs, and so on. This also supports regulatory compliance by enabling fine-grained control and monitoring of network activity.

Additionally, the solution should support behavioral analysis, which is crucial for early threat detection, remediation and prevention to reduce risk and enhance security posture. This involves the ability to spot anomalous activity and determine that the activity is worth investigating. It requires an understanding of business logic and priorities, access management parameters and other key details.

Finally, the solution should also provide correlations between data findings. This is key to deep contextual insight. Correlations help with early detection of advanced threats and provide a holistic understanding of events for better incident response. This analysis can incorporate industry standards, like MITRE, to identify critical attack paths and how they are being exploited. For instance, threat actor events at runtime can be mapped and correlated to the various stages of the cyber kill chain.

This deep ‘runtime context’ ultimately reduces alert fatigue because it focuses attention on the most critical threats against a cloud environment and provides real-time insight into what is actively exploitable.
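The three capabilities above (traffic visibility, behavioral analysis, and correlation mapped to kill-chain stages) come together in the following added example. It is illustrative code written for this article, not Deepfence's correlation engine. It assumes a normalised event shape with `ts`, `source`, `workload`, `kind` and `details` fields, a constructed set of events from a vulnerability scanner and eBPF network and process probes, and a simple kill-chain mapping; the CVE id and IP addresses are placeholders from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events from three sources (vulnerability scanner, eBPF network
# probe, eBPF process probe), normalised to one shape. The CVE id and the IP
# addresses are placeholders, not real indicators.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "vuln_scan", "workload": "pod-api-7f",
     "kind": "vuln_loaded", "details": {"cve": "CVE-PLACEHOLDER-1", "package": "libexample"}},
    {"ts": "2024-05-01T10:12:05", "source": "ebpf_net", "workload": "pod-api-7f",
     "kind": "inbound_conn", "details": {"src": "203.0.113.10", "dport": 8080, "external": True}},
    {"ts": "2024-05-01T10:12:06", "source": "ebpf_proc", "workload": "pod-api-7f",
     "kind": "process_exec", "details": {"parent": "java", "comm": "sh"}},
    {"ts": "2024-05-01T10:12:09", "source": "ebpf_net", "workload": "pod-api-7f",
     "kind": "outbound_conn", "details": {"dst": "198.51.100.7", "dport": 8443, "external": True}},
    # A shell spawn on a workload with no exposed vulnerability and no external
    # traffic: worth a look on its own, but not an attack path by this correlation.
    {"ts": "2024-05-01T10:30:00", "source": "ebpf_proc", "workload": "pod-batch-2c",
     "kind": "process_exec", "details": {"parent": "python3", "comm": "sh"}},
]

# Kill-chain stage each runtime event kind maps to (an assumption of this example).
STAGE = {
    "inbound_conn": "delivery",
    "process_exec": "exploitation",
    "outbound_conn": "command_and_control",
}
SHELLS = {"sh", "bash", "dash", "ash"}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def correlate(events, window=timedelta(minutes=5)):
    """Return attack paths found by correlating across sources.

    A path requires, on one workload: a vulnerable package that is actually
    loaded (exposure), then an external inbound connection followed within
    `window` by a shell spawned inside the workload and then an external
    outbound connection. Each stage alone would be a low-value alert; the
    sequence on an exposed workload is what makes it actionable.
    """
    by_workload = defaultdict(list)
    for e in events:
        by_workload[e["workload"]].append(e)

    paths = []
    for workload, evs in by_workload.items():
        evs.sort(key=_ts)
        vulns = [e for e in evs if e["kind"] == "vuln_loaded"]
        if not vulns:
            continue  # no exposure context: do not escalate on behavior alone here
        for inbound in (e for e in evs
                        if e["kind"] == "inbound_conn" and e["details"].get("external")):
            t0 = _ts(inbound)
            later = [e for e in evs if t0 < _ts(e) <= t0 + window]
            execs = [e for e in later
                     if e["kind"] == "process_exec" and e["details"]["comm"] in SHELLS]
            if not execs:
                continue
            t_exec = _ts(execs[0])
            outs = [e for e in later
                    if e["kind"] == "outbound_conn" and e["details"].get("external")
                    and _ts(e) > t_exec]
            if not outs:
                continue
            chain = [inbound, execs[0], outs[0]]
            paths.append({
                "workload": workload,
                "exposure": [v["details"]["cve"] for v in vulns],
                "stages": [STAGE[e["kind"]] for e in chain],
                "evidence": chain,
            })
            break  # one path per workload is enough to raise the alert
    return paths


if __name__ == "__main__":
    for p in correlate(EVENTS):
        print(p["workload"], "->", " > ".join(p["stages"]), "| exposure:", p["exposure"])
```

The point of the example is the gating: the same shell spawn occurs on both workloads, but only the one with a loaded vulnerable package, an external inbound connection and a subsequent external outbound connection is reported as an attack path. In a real deployment the window, the shell list and the stage mapping would be tuned per environment.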

Utilizing eBPF for Deep Runtime Insights

When it comes to gathering context and delivering unparalleled security observability in cloud native environments, eBPF (Extended Berkeley Packet Filter) has emerged as a significant player. The technology offers real-time insights, enables comprehensive analysis of traffic patterns, and makes effective monitoring of encrypted traffic possible at the process level.

Deploying eBPF for monitoring and securing cloud native workloads enables real-time transaction analysis. This helps establish better baselines for threat prioritization and contextualization, which in turn speeds up detection and response to security incidents. eBPF also enables deeper traffic analysis, which is instrumental in recognizing and understanding behavioral patterns in cloud environments.

eBPF is particularly beneficial given the distributed nature of modern cloud native environments. It allows controls to be implemented in a more scalable and targeted way, avoiding the slow-down in detection commonly associated with large, centralized log ingestion systems. It also dramatically improves visibility in cloud environments, where a considerable portion of traffic is encrypted and would otherwise create security blind spots. Compared with traditional approaches such as man-in-the-middle (MITM) proxies, eBPF is a superior alternative, since it can monitor ingress and egress traffic at the process level.
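What "monitoring at a process level" buys a defender is easiest to see on the user-space side of an eBPF deployment. The following added example is not Deepfence's code: it assumes a small eBPF program attached to a TCP connect hook that emits one event per outbound connection with the process name, its cgroup (standing in for the container) and the destination, and shows how those events support a per-process egress baseline and anomaly check. The kernel-side program is assumed and not shown, and all events, cgroup names and addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed events in the shape a small eBPF program attached to a TCP
# connect hook might hand to user space through a ring buffer. The kernel-side
# program is assumed and not shown; cgroup names stand in for container ids.
BASELINE_EVENTS = [
    {"cgroup": "api", "comm": "java", "daddr": "10.0.5.20", "dport": 5432},
    {"cgroup": "api", "comm": "java", "daddr": "10.0.5.21", "dport": 6379},
    {"cgroup": "api", "comm": "java", "daddr": "10.0.5.20", "dport": 5432},
    {"cgroup": "worker", "comm": "python3", "daddr": "10.0.5.21", "dport": 6379},
]

LIVE_EVENTS = [
    {"cgroup": "api", "comm": "java", "daddr": "10.0.5.20", "dport": 5432},       # known
    {"cgroup": "api", "comm": "java", "daddr": "203.0.113.5", "dport": 443},      # new destination
    {"cgroup": "api", "comm": "curl", "daddr": "198.51.100.9", "dport": 8443},    # new process in this container
    {"cgroup": "worker", "comm": "python3", "daddr": "10.0.5.21", "dport": 6379}, # known
]


def build_baseline(events):
    """Map (cgroup, comm) -> set of (daddr, dport) seen during a learning window.

    Because the events carry the originating process, the baseline is per
    process inside each container rather than per host or per network flow,
    which is the granularity a packet-level tap or MITM proxy cannot give.
    """
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["cgroup"], e["comm"])].add((e["daddr"], e["dport"]))
    return baseline


def detect(events, baseline):
    """Flag egress connections that deviate from the per-process baseline.

    Two deviation kinds are reported: a known process connecting somewhere it
    never connected before, and a process that was never seen making outbound
    connections from that container at all.
    """
    alerts = []
    for e in events:
        key = (e["cgroup"], e["comm"])
        dest = (e["daddr"], e["dport"])
        if key not in baseline:
            alerts.append({"reason": "unknown_process_egress", **e})
        elif dest not in baseline[key]:
            alerts.append({"reason": "new_destination", **e})
    return alerts


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for a in detect(LIVE_EVENTS, base):
        print(f"{a['reason']:24} {a['cgroup']}/{a['comm']} -> {a['daddr']}:{a['dport']}")
```

Note that the second alert fires even though the destination port is 443: the check is keyed on which process in which container is talking, not on whether the payload is encrypted, which is why process-level attribution closes the blind spot the paragraph describes. A production baseline would also age out entries and treat a learning window that contains an incident as poisoned.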

CNAPP Innovation: The Future of Cloud Native Security

The emergence of CNAPP highlights a key market trend involving the unification of features in cloud security products, steering towards a more concentrated focus on data security and vendor specializations. Moving forward, we can expect to see cloud security platforms adopting a cohesive approach that collects data from networks, applications and other sources to safeguard against numerous attack vectors.

For now, in the dynamic landscape of cloud security, the role of CNAPPs in fortifying runtime protection has become paramount. The infusion of context into vulnerability management is emerging as a promising new capability, fostering the development of agile and effective protocols and helping security professionals manage the complex challenges of cloud native application protection. With a clear understanding of application context, security teams can identify and neutralize threats more effectively to mitigate risk and keep their companies secure. Ultimately, CNAPPs promise a future of scalable, accurate, and adaptive security strategies in the cloud domain.

About the Author: Ryan Smith

Ryan is Head of Product at Deepfence. Ryan is a product management professional with over 7 years’ experience in the cybersecurity industry. He has a PhD in Mass Media and Communication Studies from the European Graduate School.