Capsule8 Is All About Stopping Attacks in Real-Time
Amid myriad security approaches focused on the network, the application, the container and even API calls, Capsule8 focuses on stopping attacks as they happen. It automates responses in real time and provides deep visibility for manual investigation later.
“It’s modeled after how big companies like Google, Amazon and Netflix do security internally,” said Dino Dai Zovi, co-founder and chief technology officer.
“Like GIFEE [Google infrastructure for everyone else] like Kubernetes is bringing this type of infrastructure for everyone else, we’re building the security approach built in these environments for everyone else.”
It starts with a lightweight sensor that sits on every node. Whether you’re running in virtualization or on a hypervisor — it’s able to detect attacks against that host. The sensor gathers high-speed telemetry using mechanisms built into the Linux kernel. It’s a single static binary written in Go that adds 1 to 2 percent overhead to your workloads on a loaded system, according to Dai Zovi.
The Capsule8 Flight Recorder runs alongside these sensors to record telemetry events locally, which can be used for forensics later. Key event data is streamed to a distributed, real-time analysis engine, which focuses on detecting evidence of attacks in progress.
“It runs completely in your environment — there’s no SaaS component, whether it’s on-premise or in the cloud, nothing is being sent back to us,” he said. “The model is to get more intelligent. Instead of getting more hay to find the needle, you get a magnet.”
Capsule8 Protect’s analysis covers network, system and application-level data.
The Capsule8 Backplane is a real-time messaging bus written in Go that connects all sensors wherever they are deployed to stream requested real-time events as well as historical events from the Flight Recorder. The Backplane ensures the network is never flooded by Capsule8 telemetry events.
“One of the challenges of building a distributed system is managing high-throughput events [to provide] high speed, low latency and resilience in a safe way. … Alternatives to this such as Kafka — typically anything on the JVM requires a lot of tuning and running [the JVM] with containers comes with other complexities — we made sure to sidestep all of those, but still get the same system design benefits as Kafka,” he said.
Capsule8 uses a “shoot first, ask questions later” approach when it detects suspicious activity in stateless workloads, automatically freezing any infected component and replacing it. With stateful workloads, Capsule8 can immediately alert a responder and/or isolate the component to prevent a possible attack. Both happen without affecting performance, according to the company.
“When we have indications that a container has been compromised, whether that’s an active attack or from a back source, like introduced from an upstream open source component operating in your environment or whether a developer has done something like put some sort of remote access shell into the container they run in production so they can proceed directly to that system without going through the normal checks — we can detect all of that in the real-time stream,” he said.
The system can restart a process within the container, restart the entire container or do an orchestrator-level restart. He has demonstrated attacks against containers running in Kubernetes to illustrate some of the security problems.
Capsule8 uses what it calls Capsulators as the mechanism for extensions to the system, whether customers want to integrate with tools, including SIEMs, orchestration tools, Splunk, Slack or Big Data stores, or tie it in with their own security practices. Through Capsulators, organizations gain real-time visibility across clusters and the ability to query the Flight Recorder data.
The Capsule8 API server provides a consistent interface for managing data.
The gRPC API server also includes an HTTP/JSON gateway that allows for easy testing and support for languages without gRPC support. And its Console provides a Capsule8-specific dashboard and filtering.
It runs on hosted Linux and supports Kubernetes and bare metal installations that aren’t orchestrated or aren’t even using containers, independent of the cloud provider or on-premises.
The company, based in Brooklyn, New York, was founded in the fall of 2016. It launched its Capsule8 Protect beta in July. It announced a $6 million round of funding in September, bringing total funding to more than $8.5 million.
The market for container security technologies is an increasingly crowded space with multiple vendors including Twistlock, Aqua Security and NeuVector, though Dai Zovi named Stackrox as the company’s closest competitor.
It’s differentiating itself on attack disruption rather than code analysis and configuration management.
“Hardening — fixing vulnerabilities and secure configuration — are necessary for security, but not sufficient. There are vulnerabilities in custom code, companies have outdated software throughout their infrastructure, … but it’s more important to detect and stop attacks. Everything else is in support of that. This is where we think people should begin,” he said.
Aqua Security, Stackrox and Twistlock are sponsors of The New Stack.
Feature Image: “Red Light” by Matthias Ripp, licensed under CC BY-SA 2.0.