ARMO Adds Security Platform Based on Kubescape and eBPF to Portfolio
ARMO today launched a cloud application detection and response platform for securing Kubernetes environments that reduces false positives by identifying issues that can be traced back to anomalous changes in application behavior rather than violations of a pre-defined set of rules.
Based on Kubescape, open-source agent software that leverages telemetry data collected using extended Berkeley Packet Filter (eBPF) technology built into the Linux kernel, the Behavioral Cloud Application Detection and Response (CADR) platform makes it possible to trace the source of a security issue in a runtime environment all the way down to a specific line of code.
ARMO CEO Shauli Rozen said the platform then analyzes that data to track changes in application behavior that are indicative of a potential security breach, in order to determine whether the issue warrants further investigation. That level of context not only reduces overall alert fatigue; it also enables DevSecOps teams to respond faster to any new zero-day cybersecurity threat that might be detected, he added.
After all, the trouble with any rules-based approach to security is that the rules can’t be written until there’s already been some type of incident that enabled them to be defined, said Rozen. Tracking the anomalous behavior of applications makes it possible to identify issues long before there is a catastrophic event that makes the need for an additional rule apparent, he added.
The Kubescape agent itself was recently donated to the Cloud Native Computing Foundation (CNCF). ARMO, meanwhile, continues to provide a range of cybersecurity platforms built on the telemetry data collected by that agent software, which uses eBPF to function as a runtime sensor.
Cybersecurity teams can then define response policies that trigger automatic actions to contain or mitigate security threats, including a Soft Quarantine capability that secures suspicious processes or containers using network policies and seccomp profiles, without impacting application availability. Additionally, CADR provides Blast Radius Analysis tools to visualize affected resources and dependencies, improving mean-time-to-discovery and mean-time-to-resolution.
It’s not clear how many IT teams are leveraging eBPF to collect telemetry data, but as they upgrade to the latest versions of Linux, many of them are discovering they can reduce the number of agents they previously might have needed to collect that data. That capability, in turn, provides analytics tools with the volume of data required to better pinpoint the root cause of any potential issue that might impact application security or availability.
Within the context of cybersecurity, that’s critical because otherwise more time is wasted tracking down alerts that turn out to be false positives, created, for example, when an application was updated in a way that violated a rule. In highly dynamic cloud-native computing environments, it’s not long before DevSecOps teams are simply overwhelmed by the number of alerts being generated, noted Rozen.
Each IT organization will need to determine at what rate it will upgrade to the latest versions of Linux to take advantage of eBPF, but one thing is certain: the more telemetry data is collected, the better the odds that issues will be detected before they turn into an incident that could easily have been avoided.