Many organisations are starting out on their Kubernetes and container journey, while others are encountering complexity issues as they scale out their deployments. Containerised applications bring many benefits, but also introduce new types of security challenges.
Uptycs reduces risk for your cloud and on-premises container workloads by prioritising your responses to threats, vulnerabilities, misconfigurations, sensitive data exposure, and compliance mandates—all from a single platform, UI, and data model. Uptycs provides threat detection for container runtimes correlated with Kubernetes control plane attacks. The product also supports scanning of container images in registries for vulnerabilities, malware, credentials, secret keys, and other sensitive information. These capabilities are available for self-managed Kubernetes deployments as well as for managed services such as Amazon Elastic Kubernetes Service, Azure Kubernetes Service, and Google Kubernetes Engine.
These Uptycs solutions support increased coordination across teams, elimination of data silos for Kubernetes and container deployments, faster threat detection and response times, and rapid identification of risks such as misconfigurations and vulnerabilities.
eBPF on Linux container deployments
The basis for Uptycs container runtime observability is the extended Berkeley Packet Filter (eBPF) technology. The Uptycs sensor uses eBPF to capture process, file, and socket events in the Linux kernel. eBPF offers real-time security observability, speed, and convenience for monitoring extremely high-volume event data. eBPF is a safe way of interacting with the Linux kernel and a preferred alternative to plugging into the auditd framework. It is also a just-in-time (JIT) compiler. After the bytecode is compiled, eBPF is invoked rather than a new interpretation of the bytecode for every method.
With eBPF, Uptycs inserts probes into the Linux kernel to monitor events of interest. This happens when the sensor starts up and passes information back to the userland process, greatly reducing the resource utilisation needed for in-depth security monitoring. eBPF is easily configured for this process and does not create any delays in deployment.
eBPF gives you a single, powerful, and accessible unified tracing framework for tracing processes. Using eBPF helps increase the feature richness of an environment without adding additional layers. Likewise, because eBPF code runs directly in the kernel, it’s possible to store data between eBPF events instead of dumping it like other tracers do.
Container runtime threat detection
Scaling container deployments means more ephemeral assets for teams to secure and protect. Using the detailed telemetry gathered through eBPF, Uptycs is able to detect malicious behavior in real time, mapping detections to the Mitre Attack framework. Uptycs detects threats on running nodes and containers, capturing granular container and node telemetry covering process events, file events, DNS lookups, socket events, and more.
Data is normalised in real time into SQL tables, making it seamless to form complex detection frameworks that string together hundreds of signals. More than 200 Yara rules scan binaries for malware signatures while 1,300-plus behavioral rules monitor for signals from real-time event telemetry.
Locking down the Kubernetes control plane
The Kubernetes control plane is a high-value target for attackers to compromise. From the control plane attackers can create privileged containers, capture configuration standards, and hop deeper into your cloud infrastructure. Uptycs captures more than 50 tables of telemetry covering all Kubernetes objects across pods, deployments, configmaps, ingress, RBAC, and more.
This telemetry provides multi-cluster visibility into compliance, threats, and vulnerabilities through a single source. From a macro view down to a granular view into namespaces, pods, and workloads, Uptycs telemetry aims to answer any infrastructure questions from compliance visibility to runtime threats.
For example, from a compromised Kubernetes control plane, attackers will hunt for privileged containers or create privileged containers themselves. Uptycs monitors for commands for privileged pods being created in your Kubernetes clusters, stopping attackers during the process of creating these attacks and encouraging users to build immutable containers with just-right permissions rather than over-privileged deployments.
Unifying control plane and data plane data
Attackers don’t think in silos, so it’s vital that data from different sections of Kubernetes infrastructure be correlated for tracing attacker actions. Threat actors are constantly looking across infrastructure, attempting container escape attacks. Teams struggle to correlate runtime threats from across running containers and the Kubernetes control plane because of the difficulty with capturing, storing, and processing these two data sources together.
Uptycs captures data from the control plane and the data plane, bringing these sources together in real time for instant-on detection capabilities.
Developer-friendly registry scanning
Registry scanning is a crucial part of devops security. Deployments are becoming faster and it’s vital that container images are “golden” before they hit run time. The burden is shifting further left, and security teams need reliable and seamless ways to support devops processes. It’s no longer enough to detect vulnerabilities. You need ways to prioritise them.
Coordinating remediation efforts across devops, operations, and security teams is a difficult task. To help guide these teams, Uptycs provides crucial context through smart indicators to indicate not only what vulnerabilities are present, but also how to prioritise remediation efforts. Simply providing a severity score is not enough. Teams need to know whether network ports are open to the internet or if the software in question is actually running.
Uptycs can scan your container registry for 60,000 Linux CVEs and 7M indicators. Automated scanning incorporates new CVEs as they are published to seamlessly monitor and update a registry's security posture. Supported registries include JFrog Artifactory, Amazon Elastic Container Registry, Google Container Registry, Azure Container Registry, and Docker Hub.
Uncovering embedded secrets
Public and embedded secrets are quickly becoming a common entry point for attackers, a trend underscored late in 2022 when attackers compromised Uber by stealing hard-coded credentials contained in PowerShell scripts.
With Uptycs, you can scan images for embedded secrets using Yara rules and more than 100 regex-based alerts, incorporated into your CI/CD pipeline for Jenkins, GitLab, and GitHub Actions. You can support devops team even further by failing image builds from reaching production when secrets are discovered.
NSA hardening checks for Kubernetes deployments
Your Kubernetes control plane is the central command-and-control API server for your container deployments. As such, it requires maximum security, with images in runtime needing further protection and hardening too. That’s why the NSA and CISA have released extensive guidance around hardening K8s and container runtime deployments through published configurations for pod security and network segmentation.
These published standards mitigate the threat from three core attacker goals: DDoS to bring down running containers, hijacking containers to turn them into cryptominers, and data exfiltration.
Uptycs has translated these NSA guidelines rules into compliance rules. So, for example, applying a “Deny containers with HostPID access” rule set becomes as easy as enabling the rule set. Then, after a container launches from your Kubernetes control plane, your runtime will be continuously validated against the list of NSA hardening checks during run time to ensure that an attacker hasn’t modified the container to escalate privileges or that containers aren’t drifting from their golden image.
Ganesh Pai is founder and CEO of Uptycs.
New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to firstname.lastname@example.org.