Deepfence monitors cloud-native applications in production: the new stack

Cloud-native security offerings have exploded in recent years, with solutions aimed at keeping networks, data, and applications safe. The boom has been fueled in part by cautionary tales like the Solarwinds debacle of 2020, the Log4j vulnerabilities of 2021, and a new focus on software supply chain security.

“Log4j was a wake-up call for the industry because it was such a catastrophic vulnerability,” Owen Garrett, chief product and community officer at Deepfence, a cloud-native observability company, told The New Stack after participating in a panel on security issues in May at KubeCon + CloudNativeCon Europe here.

“It was catastrophic because it was trivially easy to find vulnerable instances. And once you found them, it was trivially easy to exploit them.”

He added: “We had business partners who had to struggle within their development team and spent a week trying to find Log4j instances in production and patch them.”

Shift left

The “shift left” movement has put a number of tools in the hands of developers to ensure that applications are built as securely as possible. “But once the application is deployed to production, even with a small number of potential vulnerabilities, attackers can still find a way to exploit it,” Garrett said. “And the challenge is to stay ahead of the attacker by monitoring how the application performs operations.”

Once an application is in production, vulnerabilities can emerge. Components of an app running in production may not have been scanned, Garrett said, and exceptions to a rigorous app-building process may have been made before the app went into production.

“So you need to continue to monitor the security of those applications in production,” he said. “You cannot stop at the end of a shift-left project.”

Garrett’s company, Deepfence, builds on the security practices that have been built into the development of shift-left applications and continues to scan applications for vulnerabilities throughout their lifecycle. Deepfence’s deep packet inspection (DPI) scan tool, ThreatMapper, is designed to examine an application at particular points in time and generate a software bill of materials (SBOM).

“And then you look at the SBOM to say, ‘Do any of these materials have known vulnerabilities?’” Garrett said. “And what we do is we periodically go back to each application and generate the SBOM. We then compare that to current vulnerability lists. So if tomorrow someone published another vulnerability in Log4j, people would use our tool. They would pick up that new vulnerability and match it.”
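The periodic re-matching Garrett describes, as an added example written for this page (not Deepfence’s or ThreatMapper’s own code): a stored SBOM is compared against two snapshots of a vulnerability feed, and the second run surfaces only what the refreshed feed newly matches. The SBOM, the advisory IDs and the version ranges are constructed placeholders, not real advisories.

```python
"""Re-match a stored SBOM against a refreshed vulnerability feed (added example,
not Deepfence/ThreatMapper code; SBOM, advisory IDs and version ranges are
constructed placeholders, not real advisories)."""
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    """'2.14.1' -> (2, 14, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class Advisory:
    id: str
    package: str     # component name as it appears in the SBOM
    introduced: str  # first affected version (inclusive)
    fixed: str       # first fixed version (exclusive)

def is_affected(version: str, adv: Advisory) -> bool:
    v = parse_version(version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)

def match_sbom(sbom: list, feed: list) -> dict:
    """Map each advisory ID to the SBOM components it affects."""
    hits = {}
    for comp in sbom:
        for adv in feed:
            if comp["name"] == adv.package and is_affected(comp["version"], adv):
                hits.setdefault(adv.id, []).append(f'{comp["name"]}@{comp["version"]}')
    return hits

def new_findings(previous: dict, current: dict) -> dict:
    """Advisories that match only after the feed refresh: the 'new Log4j CVE tomorrow' case."""
    return {k: v for k, v in current.items() if k not in previous}

# Constructed SBOM with a subset of CycloneDX-style component fields.
SBOM = [
    {"name": "log4j-core", "version": "2.14.1"},
    {"name": "log4j-core", "version": "2.17.1"},
    {"name": "spring-core", "version": "5.3.10"},
]

# Two feed snapshots; the second adds an advisory published "tomorrow".
FEED_DAY1 = [Advisory("ADV-PLACEHOLDER-1", "log4j-core", "2.0.0", "2.15.0")]
FEED_DAY2 = FEED_DAY1 + [Advisory("ADV-PLACEHOLDER-2", "log4j-core", "2.0.0", "2.17.2")]

if __name__ == "__main__":
    day1 = match_sbom(SBOM, FEED_DAY1)
    day2 = match_sbom(SBOM, FEED_DAY2)
    print("day 1 findings:", day1)
    print("new on day 2 (same SBOM, refreshed feed):", new_findings(day1, day2))
```

The SBOM is generated once and kept; only the feed side changes between runs, which is what lets a newly published advisory be matched without re-scanning the workload.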

During KubeCon, the company announced Deepfence Cloud, which aims to lower barriers for businesses looking to secure their applications. The offering allows users to run fully managed ThreatStryker consoles in the cloud (ThreatStryker is Deepfence’s commercial runtime protection solution).

Deepfence Cloud was created, Garrett wrote in a company blog post announcing the platform, to help mitigate a shortage of cybersecurity professionals. (The gap stands at 2.75 million security professionals worldwide, according to a 2021 report from the National Initiative for Cybersecurity Education.)

Open source as a company value

Deepfence was started in 2017 by Sandeep Lahane, CEO; Shyam Krishnaswamy, chief technology officer; and Swarup Kumar Sahoo, chief scientist. Previously, Krishnaswamy worked as Director of Engineering at LiveReach Media, and Lahane and Sahoo co-founded Vercept, which focused on memory safety and exploit prevention logic for Linux processes.

In November 2020, Deepfence announced that it had received $9.5 million in Series A funding, led by AllegisCyber, with participation from Sonae IM and Chiratae Ventures.

The startup’s 30 employees are “very, very spread out,” Garrett said. Deepfence is headquartered in Palo Alto, California, with offices in Nottingham, England, and Bangalore, India, and its engineering staff spread across the globe.

The shift to remote work since the start of the COVID-19 pandemic two years ago has opened up hiring opportunities for the startup, Garrett said.

“We no longer have to think about hiring people in particular geographies,” he said. “We work through the community. And if we see, for example, a person who has an exciting project around eBPF, one of the technologies we use, we’ll look to work with them, support what they’re doing, or give them opportunities as a contractor or as an employee to help support what we’re doing.”

In early 2021, Deepfence launched SecretScanner, which locates secrets and passwords in container images and file systems, as its first open source project. Since then, it has also contributed ThreatMapper (which now includes SecretScanner), PacketStreamer, a distributed tcpdump for cloud-native environments, and FlowMeter, which uses machine learning to classify flows and packets as benign or malicious, to the open source community.

“Open source is at the core of what we do,” Garrett said. “The reason for this is that we strongly believe that security is something that everyone should benefit from. There should be no barriers or costs for people to take advantage of open security information.”

Filtering out the noise

In observability, the next frontier is the ability to see activity within applications, Garrett said.

While an observability stack can generate, as he put it, “millions and millions of little signals, none of those signals will specifically point to an attack. The challenge is trying to collect the signals and interpret them to tell you if an attack is taking place.”

He compared developers’ ability to filter out the most important signs of unusual app activity to the insight of a smart detective. “If you think of a heist movie, it’s always the slightly eccentric, overlooked detective on the police force who is the first person to raise their hand and say, ‘Something’s going on that no one else has noticed.’”

“Within an app, it’s the same kind of challenge,” Garrett said. “You see these little subtle signs, and you need to quickly raise your hand and say, ‘There’s something not quite right here.’ And the biggest challenge is doing it at scale, in large applications across multiple cloud environments, with complex applications and huge signal volumes.”

Solving this challenge is a research focus at Deepfence, which is working on using machine learning techniques to try to filter out “noise” and display the most predictive signals.

“What we need to do is reduce the workload on the threat management team,” Garrett said. “So that we give them only the signals that have a very high probability of being correlated with an attack.”

Waiting until critical alerts occur, he said, might be too late to stop or mitigate an attack: “The art is to watch the threat level rise, and you get more and more confident that it’s bad activity of some kind.”

The complex cloud-native security and observability landscape calls for a number of complementary solutions, Garrett suggested.

“There are so many different niches in security, there are no magic solutions,” he said. “This is one of many techniques that a mature company would need to implement to protect their applications and infrastructure.”
