Security startup tCell.io takes inspiration from the immune system in providing what it calls “application immunity” — empowering apps to protect themselves.
It combines what it considers the best of runtime application security protection (RASP) and web application firewall (WAF) technology with cloud-based analytics to provide real-time monitoring of application behavior and pinpoint actual breaches.
CEO Michael Feiertag, former head of products at Okta and technology director at Blue Coat, and Boris Chen, former vice president of engineering at Splunk, teamed up to develop a security approach that works with the DevOps practice of delivering software faster.
Based on their own experiences of culture and tools impeding delivery, “We decided to build something new specifically for teams and companies trying to innovate as fast as they could. And to help security teams support more rapid innovation and help them become more secure,” Feiertag said.
“[It was] rather than, ‘Hey, before you ship this software, I need to run this code analysis’ or ‘Before you ship this software, I need to do this design review’ or ‘After you put this software out there, I’m going to put a bunch of networking gear in place, and I won’t let you go to AWS.’ We needed a solution that would improve security and help all the teams work in the way they need to.”
Part of Workflow
How do you protect an app or web service in a production environment? That’s the basic question, Feiertag said.
San Francisco-based tCell is like an immune system that provides insight into what’s happening with the app while it’s running to identify attackers and prevent damage to the application.
They came up with a few requirements:
- It had to have a deployment model that’s natural so development, operations and security teams work together.
- The software had to be highly scriptable, lightweight and should run anywhere you deploy your application.
- It should deploy with your application with the tools you’re already using, all the automation tools you already have in place.
With containers, for instance, its lightweight agents are part of the app inside the container. Nothing changes with all the automation you have in place to build those containers, run them and monitor them, he said.
The system scales transparently, from individual test systems to hundreds of globally distributed nodes.
App, Server, Browser
The sensors monitor:
- Request processing and routing
- Authentication and session management
- Database access
- OS access
- Package loading
- Response generation
Sensors collect relevant data, including the originating request, the controller that handled it and the actual command that was executed, making it possible to distinguish actual breaches from attack attempts.
Kept to a minimum, instrumentation consists of added logging and policy checks at the enforcement points. There is no code or trace analysis or other test baggage. Policies are kept lightweight and executed in memory. These strategies let tCell keep performance overhead below four percent on a busy system, and usually much less, according to a company whitepaper.
It uses a proprietary data analytics platform supporting both stream-based analytics for near-real-time event processing and batch processing for less time-sensitive analytics.
It helps clients set up best-practice security policies, such as Content Security Policy (CSP), a web standard that whitelists the sources of third-party content a browser is allowed to load.
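To make the whitelist idea concrete, here is an added example (not tCell's code or any product feature) that parses a CSP header string and decides whether a given resource URL is permitted by a directive. It implements a deliberately simplified subset of the CSP source-matching rules: `'self'`, `'none'`, exact origins and `*.` host wildcards, with fallback to `default-src`; the header value, the page origin and the resource URLs are constructed sample data.

```python
from urllib.parse import urlsplit

# Simplified CSP source matcher (added example; not a full implementation of the
# CSP specification). Supports 'self', 'none', scheme://host sources and
# scheme://*.host wildcards, and falls back to default-src when a directive is absent.


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def _origin(url: str) -> tuple:
    """Return (scheme, host) for a URL, lower-cased."""
    parts = urlsplit(url)
    return parts.scheme.lower(), parts.netloc.lower()


def _host_matches(pattern_host: str, host: str) -> bool:
    """'*.example.com' matches any subdomain of example.com (not the apex itself)."""
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:])
    return pattern_host == host


def source_allowed(policy: dict, directive: str, resource_url: str, page_origin: str) -> bool:
    """True if resource_url may be loaded under `directive` for a page at page_origin."""
    sources = policy.get(directive)
    if sources is None:
        # Fetch directives fall back to default-src when not set explicitly.
        sources = policy.get("default-src", [])
    if not sources or "'none'" in sources:
        return False

    res_scheme, res_host = _origin(resource_url)
    page_scheme, page_host = _origin(page_origin)

    for src in sources:
        if src == "'self'":
            if (res_scheme, res_host) == (page_scheme, page_host):
                return True
        elif src.startswith("'"):
            # Keyword sources such as 'unsafe-inline' do not name an origin.
            continue
        elif "://" in src:
            src_scheme, src_host = _origin(src)
            if src_scheme == res_scheme and _host_matches(src_host, res_host):
                return True
        else:
            # Scheme-less host source: matches the page's scheme (or https).
            if res_scheme in (page_scheme, "https") and _host_matches(src.lower(), res_host):
                return True
    return False


if __name__ == "__main__":
    # Constructed sample policy: scripts only from self, one CDN and *.trusted.net.
    header = ("default-src 'self'; "
              "script-src 'self' https://cdn.example.com https://*.trusted.net; "
              "object-src 'none'")
    policy = parse_csp(header)
    page = "https://app.example.com"
    for url in ("https://cdn.example.com/lib.js", "https://evil.example.org/x.js"):
        print(url, "->", source_allowed(policy, "script-src", url, page))
```

A policy like this is what the browser enforces: a third-party script injected from an origin that is not on the list is refused before it runs, and with a `report-uri`/`report-to` directive the browser can also report the blocked load, which is the kind of signal a monitoring backend can collect.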
Once a problem is detected — whether an actual breach or just an attempt — users are notified directly, and they can sandbox or block the attack. They can use policy to set blocks, such as saying, “Do not let this application run shell commands” — a tactic hackers used to access the server in the massive Equifax breach, according to Feiertag.
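The "do not let this application run shell commands" policy above is, in practice, an enforcement point inside the application that records each attempt together with its request context and either lets it through or refuses it. The following is an added example of that pattern in Python; it is not tCell's agent and the policy modes (`monitor`, `block`), the sensor name and the request context fields are assumptions chosen for illustration. The distinction it keeps between blocked attempts and executed commands mirrors the attempt-versus-breach distinction described earlier.

```python
import subprocess
from dataclasses import dataclass

# Assumed policy format: one enforcement point, two modes.
#   "monitor" records the command and lets it run; "block" records it and refuses.
POLICY = {"shell_commands": "block"}


@dataclass
class RequestContext:
    """Constructed stand-in for the request that led to the command."""
    method: str
    path: str
    controller: str


@dataclass
class Event:
    """One record emitted by the sensor: what was attempted, and what happened."""
    sensor: str
    action: str      # "allowed" or "blocked"
    command: str
    request: RequestContext


EVENTS: list = []   # in a real agent these would be shipped to the analytics backend


class PolicyViolation(RuntimeError):
    pass


def execute_shell(command: str, ctx: RequestContext) -> str:
    """Enforcement point: every shell command the app wants to run goes through here."""
    mode = POLICY.get("shell_commands", "monitor")
    if mode == "block":
        EVENTS.append(Event("os.shell", "blocked", command, ctx))
        raise PolicyViolation(f"shell command blocked by policy: {command!r}")
    EVENTS.append(Event("os.shell", "allowed", command, ctx))
    result = subprocess.run(command, shell=True, capture_output=True, text=True, check=False)
    return result.stdout


def attempts_vs_breaches() -> tuple:
    """(blocked attempts, commands that actually executed) seen so far."""
    blocked = sum(1 for e in EVENTS if e.action == "blocked")
    executed = sum(1 for e in EVENTS if e.action == "allowed")
    return blocked, executed


if __name__ == "__main__":
    ctx = RequestContext("GET", "/search?q=example", "SearchController#index")
    try:
        execute_shell("id", ctx)
    except PolicyViolation as exc:
        print("blocked:", exc)
    POLICY["shell_commands"] = "monitor"
    print("monitor mode output:", execute_shell("echo hello", ctx).strip())
    print("blocked, executed =", attempts_vs_breaches())
```

The useful property is that each event carries the request, controller and command together, so an operator can tell a blocked probe from a command that actually ran, and can flip the mode from `monitor` to `block` for an application that has no legitimate reason to spawn a shell.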