Cloud and container adoption is on the rise, as organizations increasingly recognize the potential for rapid growth and evolution that cloud-based infrastructure offers. Along with these advantages, however, come significant security challenges.
The modern cloud-native attack surface is complex and difficult to secure, with many “moving pieces” including endpoints, servers, containers and cloud providers. This makes integrating threat intelligence gathered from all of these surfaces, and evaluating potential security and compliance risks and active threats, no easy task. Not only is risk harder to identify and evaluate in cloud and container environments, but security vulnerabilities, malware and other threats are also easier to inadvertently inherit from the common layers and shared components frequently used in container builds.
To better understand the modern cloud-native attack surface and what is required to close security and observability gaps across cloud-native infrastructure, LinuxSecurity researchers had the privilege of speaking with Ryan Mack, Director of Engineering at Uptycs, a cloud-native security analytics provider whose platform is built on open-source foundations, to discuss the challenges organizations face and how to enhance and simplify cloud-native security and observability for the enterprise.
LinuxSecurity: How do you feel that the extensive adoption of containerization has impacted the digital threat landscape?
Ryan Mack: Containerization, like every evolution in the way software is developed and deployed, trades some conveniences and security benefits for others. On the development side, building container images speeds development by making it much easier to include common layers and shared components. This also makes it easier to inadvertently inherit security vulnerabilities or even malware - commonly coin miners - that have been included in commonly used images on public image repositories. On the deployment side, short-lived containers have dramatically improved the ability to scale to sudden increases in load and provide security benefits by making deployments more immutable. This can present a challenge for heavyweight endpoint security software that doesn't scale down well into low-memory micro VMs or doesn't make it easy to understand a complex and potentially high-churn set of running containers.
LS: What is the most significant challenge that Uptycs helps enterprises overcome? What differentiates your products from other security analytics platforms available for the enterprise?
RM: To be honest, this varies widely depending on the enterprise. This can range from just providing a tool to run queries against their corporate assets and cloud infrastructure, to historic data collection for after-the-fact security analysis, to our full set of compliance monitoring, real-time threat detection, remediation, and vulnerability scanning.
Every security analytics vendor that ingests data from different sources needs to solve the problem of normalization and correlation to perform analysis. Uptycs tackles this problem by extending the osquery concept of SQL-driven analytics. We’ve developed open-source extensions to osquery to expand the types of telemetry gathered and normalized into SQL tables for simpler real-time event correlation and ad hoc querying. With this analysis backend, we can quickly answer different types of questions such as “Are we seeing exploit attempts for this particular CVE, and have these bad actors been doing anything else in our network?” and “What is the compliance posture of our Linux server fleet against the CIS Benchmarks?”
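To make the SQL-driven analytics concept concrete, the following queries are an added example written by the editor of this page; they are not Uptycs code, not part of the interview, and do not use any Uptycs extension tables. They run against the standard osquery tables on a Linux host (`users`, `sysctl`, `shadow`, `processes`, `process_open_sockets`, `docker_containers`, `docker_images`) and cover the two kinds of question Ryan Mack describes: CIS-style compliance posture and hunting for the inherited coin-miner case from his earlier answer. The 365-day password threshold, the AF_INET/TCP filter and the registry prefix `registry.example.internal/` are assumptions for illustration, not recommendations from the page.

```sql
-- Added example by the page editor; not Uptycs or interview code.
-- Standard osquery tables on Linux. Paste each statement into osqueryi,
-- or schedule it in osquery.conf so results are collected over time.
-- Convention: each query returns the rows that FAIL or need triage,
-- so an empty result set is a pass.

-- 1. Compliance posture, CIS Distribution Independent Linux style.

-- CIS "Ensure root is the only UID 0 account"
SELECT username, uid, shell
FROM users
WHERE uid = 0 AND username != 'root';

-- CIS "Ensure IP forwarding is disabled"
SELECT name, current_value
FROM sysctl
WHERE name = 'net.ipv4.ip_forward' AND current_value != '0';

-- CIS "Ensure password expiration is 365 days or less"
-- (365 is the benchmark value; adjust to local policy)
SELECT username, max AS max_days
FROM shadow
WHERE password_status = 'active' AND (max IS NULL OR max > 365);

-- 2. Threat hunting: a process whose executable has been deleted from
--    disk (on_disk = 0) yet still holds an outbound TCP connection is a
--    classic drop-run-delete pattern used by coin miners. cgroup_path
--    tells you which container the process belongs to.
SELECT p.pid, p.name, p.path, p.cmdline, p.cgroup_path,
       s.remote_address, s.remote_port
FROM processes p
JOIN process_open_sockets s USING (pid)
WHERE p.on_disk = 0
  AND s.remote_port != 0
  AND s.family = 2          -- AF_INET (assumed filter; drop for IPv6)
  AND s.protocol = 6;       -- TCP

-- 3. Container posture: privileged containers running on this host.
SELECT id, name, image, privileged
FROM docker_containers
WHERE privileged = 1;

-- 4. Supply chain: images whose tags do not come from the assumed
--    private registry. tags is a comma-separated list, so an image
--    with any foreign tag is surfaced for review.
SELECT id, tags, size_bytes, datetime(created, 'unixepoch') AS created_utc
FROM docker_images
WHERE tags NOT LIKE 'registry.example.internal/%';
```

Queries 1 and 3 are the shape a compliance check takes in this model: the benchmark expectation is encoded in the WHERE clause, and a non-empty result is a finding. Query 2 shows why normalizing telemetry into tables matters: the join between process and socket state is what turns two separate observations into a single triageable event. Note that `password_status = 'active'` deliberately skips locked and passwordless accounts, which the password-expiry control does not apply to.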
LS: Although the platform itself is not an open-source tool, Uptycs has built on various open-source projects spearheaded by Facebook and Apache to engineer its Uptycs Security Analytics Platform. In your opinion, how does your use of Open Source benefit your engineers and your customers? More specifically, how does your use of Open Source impact the level of security that your customers experience?
RM: The rapid adoption and evolution of cloud-based infrastructure requires that cloud-native Security Analytics innovate and adapt quickly. Open source software provides scalable, battle tested foundations that allow us to focus on the unique requirements of our product instead of reinventing common components. Our ability to rapidly adapt to enterprises' changing requirements and an ever-evolving threat landscape is in no small part due to being able to build on top of robust open source solutions.
LS: How do you anticipate the cloud-native attack surface changing and evolving in coming years?
RM: The key ongoing trend of the last couple of decades has been the shift from a few big servers, to small-server scale-out, to virtual machines, containers, and now serverless computing with AWS Lambda and Fargate. Each step has shifted the operational complexity from things we are in direct control of to things we manage indirectly through the configuration of our cloud provider, container orchestration framework, or service mesh. This trend is certainly going to persist going forward.
Security professionals need to understand how dramatically their attack surfaces will change in the coming years. They need to anticipate these changes because attackers will be looking to exploit gaps in visibility and unmitigated risk in these new environments. New problems demand new solutions, and Uptycs is positioned well to help organizations tackle these emerging security challenges with scalable, integrated technology built on a secure, community-powered open-source foundation.
Have a thought to share or another open-source security tool you’d like us to cover? Connect with us on Twitter and let us know!