Deepfence Monitors Cloud Native Applications in Production
Cloud native security offerings have exploded in recent years, with solutions aimed at keeping networks, data and applications secure. The boom has been fueled in part by cautionary tales like 2020’s Solarwinds debacle, 2021’s Log4j vulnerabilities, and a new focus on securing the software supply chain.
“Logj4 was a wake-up call for industry because it was such a catastrophic vulnerability,” Owen Garrett, head of products and community at Deepfence, a cloud native observability company, told The New Stack after participating in a panel on security issues in May at KubeCon + CloudNativeCon Europe here.
“It was catastrophic because it was trivially easy to find vulnerable instances. And once you’d find them, it was trivially easy to exploit them.”
He added, “We had enterprise partners who had to scramble within their development team and spent a week just trying to find instances of Log4j in production and get those patched.”
The “shift-left” movement has put a number of tools into developers’ hands to ensure that applications are built as securely as possible. “But once the application is deployed into production, even with a small number of potential vulnerabilities, attackers can still find a way to exploit,” Garrett said. “And the challenge is to keep ahead of the attacker by monitoring how the application is performing the operations.”
Once an application is in production, vulnerabilities can emerge. Components of an application that’s running in production may not have been scanned, Garrett said — and exceptions to a rigorous app-building process might have been made before the app was pushed into production.
Therefore, he said, “So you need to continue to monitor the security of those applications in production. You can’t stop at the end of a shift-left project.”
Garrett’s company, Deepfence, uses the security practices that have been embedded in shift-left app development and continues to scan apps for vulnerabilities throughout their lifecycle. Deepfence’s deep packet inspection (DPI) scanning tool, ThreatMapper, is designed to examine an application at particular points in time and generate a software bill of materials (SBOM).
“And then you look at the SBOM to say, ‘Do any of these materials have known vulnerabilities?’” Garrett said. “And what we do is we go back periodically to each application and we generate the SBOM. Then we match that against current vulnerability lists. So if tomorrow someone was to publish another vulnerability in Log4j, people would use our tool. They’d pick up that new vulnerability and they’d match it.”
During KubeCon, the company announced Deepfence Cloud, aimed at reducing the obstacles for enterprises looking to secure their applications. The offering allows users to run fully managed ThreatStryker consoles in the cloud (ThreatStryker is Deepfence’s commercial runtime protection solution).
Deepfence Cloud was created, Garrett wrote in a company blog post announcing the platform, to help mitigate the shortage of cybersecurity professionals. (A gap of 2.75 million security pros worldwide, according to a 2021report by the National Initiative for Cybersecurity Education.)
Open Source as a Company Value
Deepfence was started in 2017 by Sandeep Lahane, CEO, Shyam Krishnaswamy, chief technology officer, and Swarup Kumar Sahoo, chief scientist. Previously, Krishnaswamy worked as director of engineering at LiveReach Media, and Lahane and Sahoo co-founded Vercept, which was focused on memory safety and exploiting prevention logic to Linux processes.
In November 2020, Deepfence announced it had received $9.5 million in Series A funding, led by AllegisCyber, with participation from Sonae IM, and Chiratae Ventures.
The startup’s 30 employees are “very, very distributed,” Garrett said. Deepfence maintains a headquarters in Palo Alto, Calif., and offices in Nottingham, England, and Bangalore, India, with its engineering staff spread around the world.
The shift to remote work since the start of the COVID-19 pandemic two years ago has opened up hiring opportunities for the startup, Garrett said.
“We no longer have to think about hiring people in particular geographies,” he said. “We work through the community. And if we see, for example, an individual who’s got an exciting project around eBPF, one of the technologies we use, then we’ll look to work with them, support what they’re doing, or provide opportunities for them as a contractor or as an employee to help support what we’re doing.”
In early 2021, Deepfence released SecretScanner, which locates secrets and passwords in container images and file systems; as its first open source project. Since then, it has also contributed ThreatMapper (which now includes SecretScanner), PacketStreamer, a distributed tcpdump for cloud native environments, and FlowMeter, which uses machine learning to classify flows and packets as benign or malicious, to the open source community.
“Open source is at the core of what we do,” Garrett said. “The reason for that is that we believe strongly that security is something that everybody should benefit from. There shouldn’t be barriers in place, or costs in place, for people to take advantage of open security information.”
Filtering out the Noise
In observability, the next frontier is the ability to see activity within applications, Garrett said.
While an observability stack can generate, as he put it, “millions and millions of little signals, none of those signals will point specifically to an attack. The challenge is trying to collect the signals to gather and interpret them to tell you if an attack is happening.”
He likened the ability of developers to filter out the most important signals of unusual application activity to the savvy of a smart detective. “If you think of a heist movie, it’s always the slightly eccentric, disregarded detective in the police force who’s the first person to put his or her hand up and say, ‘There’s there’s something happening that no one else has noticed.’”
“Within an application, it’s the same kind of challenge,” Garrett said. “You see these little subtle signals, and you need to put your hand up quickly and say, ‘There’s something not quite right here.’ And the biggest challenge is to do that at scale, in large applications across multiple cloud environments, with complex applications and enormous volumes of signals.”
Solving this challenge is a focus of research at Deepfence, which is working on using machine learning techniques to try to filter out the “noise” and surface the most predictive signals.
“What we need to do is to reduce the workload burden on that threat management team,” Garrett said. “So that we give them just the signals that have a very high probability that it correlates with an attack.”
Waiting until critical alerts occur, he said, might be too late to stop or mitigate an attack: “The art is to watch as the threat level escalates, and you get more and more confidence that it’s a bad activity of some kind.”
The complex cloud native security and observability landscape demands a number of complementary solutions, Garrett suggested.
“There are so many different niches in security, there are no silver bullets,” he said. “This is one of the many techniques that a mature enterprise would need to have in place in order to protect their applications and the infrastructure.”