Aqua Security Uses eBPF to Extend Security Platform

Aqua Security this week at the Kubecon + CloudNativeCon North America conference added a cloud-native detection and response (CNDR) capability based on its open source Tracee software-based platform.

Tracee is a threat detection engine for runtime environments that runs as a sandboxed program at the kernel level of an operating system using extended Berkeley Packet Filter (eBPF) technology. That approach lets security and networking applications process data significantly faster, and it makes it harder for cybercriminals to launch malware attacks that circumvent or evade security platforms.

Aqua Security employs eBPF to analyze more than 80 behavioral indicators of zero-day attacks that the existing runtime controls can then thwart. The behavioral indicators are based on an analysis of thousands of real-world attacks. In addition to behavioral indicators, Aqua Security makes use of threat intelligence, including IP address and DNS reputation and a malware database, to identify threats.

Story Tweedie-Yates, vice president of product for Aqua Security, said CNDR can be applied to thwart attacks against both virtual machines and containers running on platforms such as Kubernetes. CNDR extends the reach of the Aqua Platform, which the company describes as a cloud-native application protection platform (CNAPP) that can either be hosted by an IT team or accessed as a software-as-a-service (SaaS) application.

Additional updates and new capabilities added this week include support for Kubernetes assurance policies that address a wider variety of potential vulnerabilities; additional lightweight management tools for virtual machines; support for a lightweight tool that scans containers and virtual machines using pattern-matching techniques; and the ability to detect a wider range of compliance issues. Finally, an addition to the Aqua application programming interface (API) surfaces security risks affecting previously scanned images, along with images that have been modified since the last time they were scanned.

As IT environments continue to evolve, security teams are looking for ways to apply a common set of policies across multiple types of application workloads, said Tweedie-Yates. While applications may become more secure thanks to the rise of DevSecOps best practices, she noted, security teams will always be held accountable for making sure the runtime environment those applications are deployed on is secure.

In fact, with the arrival of container applications, ensuring security will become more challenging: once deployed, applications will be updated more frequently, because it is simpler to rip and replace a container than to update a legacy monolithic application by applying a patch. On the plus side, that makes it simpler to remediate a vulnerability. However, it also increases the chance that a new vulnerability is introduced in the code encapsulated within the container.

Tweedie-Yates said the most important thing for security teams to remember is to have a risk mitigation plan in place to address the unique requirements of emerging IT platforms. As cybersecurity continues to evolve, the ability to put that plan into action will become increasingly automated, she added.

In the meantime, security teams need to collaborate more closely with developers to better understand the attributes of cloud-native applications that are now starting to show up in production environments.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.