tCell.io Aims to Make Application Security More DevOps Friendly

11 Dec 2017 6:00am, by

Security startup tCell.io takes inspiration from the immune system in providing what it calls “application immunity” — empowering apps to protect themselves.

It combines what it considers the best of runtime application self-protection (RASP) and web application firewall (WAF) technology with cloud-based analytics to provide real-time monitoring of application behavior and pinpoint actual breaches.

CEO Michael Feiertag, former head of products at Okta and technology director at Blue Coat, and Boris Chen, former vice president of engineering at Splunk, teamed up to develop a security approach that works with the DevOps approach of delivering software faster.

Based on their own experiences of culture and tools impeding delivery, “We decided to build something new specifically for teams and companies trying to innovate as fast as they could. And to help security teams support more rapid innovation and help them become more secure,” Feiertag said.

“[It was] rather than, ‘Hey, before you ship this software, I need to run this code analysis’ or ‘Before you ship this software, I need to do this design review’ or ‘After you put this software out there, I’m going to put a bunch of networking gear in place, and I won’t let you go to AWS.’ We needed a solution that would improve security and help all the teams work in the way they need to.”

Part of Workflow

How do you protect an app or web service in a production environment? That’s the basic question, Feiertag said.

San Francisco-based tCell is like an immune system that provides insight into what’s happening with the app while it’s running to identify attackers and prevent damage to the application.

In developing the products, they looked not at existing security tools, but at those that developers and ops teams love, such as AppDynamics and New Relic, he said.

They came up with a few requirements:

  • It had to have a deployment model that’s natural so development, operations and security teams work together.
  • The software had to be highly scriptable, lightweight and should run anywhere you deploy your application.
  • It should deploy with your application with the tools you’re already using, all the automation tools you already have in place.

With containers, for instance, its lightweight agents are part of the app inside the container. Nothing changes with all the automation you have in place to build those containers, run them and monitor them, he said.

The system scales transparently, from individual test systems to hundreds of globally distributed nodes.

Customers include John Muir Health, Sophos, life sciences software vendor Veeva and human resources platform Zenefits.

App, Server, Browser

The architecture places lightweight agents in the application server, the web server, and in the browser. These days 40 percent of the code is JavaScript running inside the browser. It’s all connected to a cloud platform that can take the contextual information from those agents and see far more than you ever could from the network layer, he said.

It recently added its web server agent to its stable of agents for JavaScript, Java, Ruby, Python, Node.js, and .Net to protect against OWASP Top 10 attacks such as cross-site scripting, SQL injection, cross-site request forgery and more.

The sensors monitor:

  • Request processing and routing
  • Authentication and session management
  • Database access
  • OS access
  • Package loading
  • Response generation

Sensors collect relevant context for each event, including the originating request, the controller that handled it and the actual command that was executed, making it possible to distinguish actual breaches from attack attempts.

Instrumentation is kept to a minimum: added logging and policy checks at the enforcement points. There is no code or trace analysis or other test baggage. Policies are kept lightweight and executed in memory. These strategies let tCell keep performance overhead below four percent on a busy system, and usually much less, according to a company whitepaper.

It uses a proprietary data analytics platform supporting both stream-based analytics for near real-time event processing as well as batch processing for less time-sensitive analytics.

It helps clients set up best-practices security policies, such as Content Security Policy (CSP), a web standard that lets a site declare a whitelist of the sources from which the browser may load third-party content.
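To make the whitelist semantics concrete, here is an added example (not tCell's code, and not from the article) of how a browser decides whether a given load is permitted by a CSP header. It implements a deliberately small subset of CSP source matching ('none', 'self', '*', scheme sources and host sources with an optional leading wildcard); nonces, hashes, ports and path matching are left out. The policy string and the page origin `https://app.example.com` are constructed for the example.

```python
"""Simplified Content-Security-Policy allowlist check (added example)."""
from __future__ import annotations

from urllib.parse import urlsplit


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    directives: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _matches(source: str, url: str, page_origin: str) -> bool:
    """Subset of CSP source-expression matching: 'none', 'self', '*',
    scheme-source ("https:") and host-source with optional scheme and a
    leading wildcard label. Nonces, hashes, ports and paths are omitted."""
    u = urlsplit(url)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(url) == page_origin.lower()
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-source, e.g. "https:"
        return u.scheme.lower() + ":" == source
    if "://" in source:                           # host-source with explicit scheme
        scheme, host_pattern = source.split("://", 1)
        if u.scheme.lower() != scheme:
            return False
    else:                                         # host-source without scheme
        host_pattern = source
    host_pattern = host_pattern.split("/", 1)[0]  # drop any path component
    host = (u.hostname or "").lower()
    if host_pattern.startswith("*."):             # "*.example.com" matches subdomains only
        return host.endswith(host_pattern[1:])
    return host == host_pattern


def allows(directives: dict[str, list[str]], directive: str,
           url: str, page_origin: str) -> bool:
    """Is `url` an allowed source for `directive`? A fetch directive that is
    absent falls back to default-src, as in the CSP spec; when neither is
    present the load is unrestricted."""
    sources = directives.get(directive)
    if sources is None:
        sources = directives.get("default-src")
    if sources is None:
        return True
    return any(_matches(s, url, page_origin) for s in sources)


# Constructed policy for a page served from https://app.example.com:
# scripts only from the page itself and one CDN, images from anywhere,
# everything else (XHR, frames, fonts, ...) same-origin only.
EXAMPLE_POLICY = ("default-src 'self'; "
                  "script-src 'self' https://cdn.example.com; "
                  "img-src *; "
                  "report-uri /csp-reports")
PAGE_ORIGIN = "https://app.example.com"


def check(directive: str, url: str) -> bool:
    """Evaluate one load against the constructed example policy."""
    return allows(parse_csp(EXAMPLE_POLICY), directive, url, PAGE_ORIGIN)


if __name__ == "__main__":
    for d, u in [("script-src", "https://cdn.example.com/lib.js"),
                 ("script-src", "https://tracker.example.net/t.js"),
                 ("connect-src", "https://api.example.org/v1")]:
        print(d, u, "->", "allowed" if check(d, u) else "blocked")
```

Note that the scheme is part of the match: the same CDN host reached over plain `http://` is rejected, and a directive the policy never mentions (`connect-src` above) inherits `default-src`, which is why a "default-src 'self'" baseline is the usual starting point.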

Once a problem is detected — whether an actual breach or just an attempt — users are notified directly, and they can sandbox or block the attack. They can use policy to set blocks, such as saying, “Do not let this application run shell commands” — a tactic hackers used to access the server in the massive Equifax breach, according to Feiertag.
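The in-process enforcement point described above (a lightweight policy check at the OS-access sensor, recording the request, controller and command so that an attempt can be told apart from a breach) can be sketched in Python as follows. This is an added example, not tCell's agent or its API: the `RequestContext` fields, the `Policy` shape and the hook on `subprocess.Popen` are all assumptions made for the illustration, and the request data in `demo()` is constructed.

```python
"""In-process OS-access sensor with an in-memory policy (added example)."""
from __future__ import annotations

import contextvars
import os
import subprocess
import sys
from contextlib import contextmanager
from dataclasses import dataclass

# Per-request context, as a web framework's middleware would set it
# (hypothetical fields chosen for the example).
_request_ctx: contextvars.ContextVar = contextvars.ContextVar("request_ctx", default=None)


@dataclass(frozen=True)
class RequestContext:
    method: str
    path: str
    controller: str
    remote_addr: str


@dataclass(frozen=True)
class Policy:
    # Programs the application is allowed to launch. An empty set is the
    # "do not let this application run shell commands" policy.
    allowed_programs: frozenset = frozenset()


@dataclass(frozen=True)
class Event:
    outcome: str          # "blocked" or "allowed"
    program: str
    command: str
    method: str
    path: str
    controller: str
    remote_addr: str


class PolicyViolation(RuntimeError):
    """Raised at the enforcement point, before any child process exists."""


@contextmanager
def request_scope(ctx: RequestContext):
    token = _request_ctx.set(ctx)
    try:
        yield
    finally:
        _request_ctx.reset(token)


class OsAccessSensor:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.events: list[Event] = []   # what the agent would ship to the analytics backend
        self._orig_popen = None

    def _record(self, outcome: str, program: str, command: str) -> Event:
        ctx = _request_ctx.get()
        ev = Event(outcome, program, command,
                   ctx.method if ctx else "-", ctx.path if ctx else "-",
                   ctx.controller if ctx else "-", ctx.remote_addr if ctx else "-")
        self.events.append(ev)
        return ev

    def check(self, args) -> Event:
        """Policy check run in memory on every process launch."""
        if isinstance(args, (str, bytes)):           # shell=True style command line
            command = os.fsdecode(args)
            program = command.split()[0] if command.split() else command
        else:                                        # argv list
            parts = [os.fsdecode(a) for a in args]
            command = " ".join(parts)
            program = parts[0] if parts else ""
        if program in self.policy.allowed_programs:
            return self._record("allowed", program, command)
        ev = self._record("blocked", program, command)
        raise PolicyViolation(f"OS command blocked by policy: {command!r} "
                              f"(controller={ev.controller}, path={ev.path})")

    @contextmanager
    def installed(self):
        """Hook subprocess.Popen; subprocess.run/check_output go through it."""
        self._orig_popen = subprocess.Popen
        sensor = self

        def guarded_popen(args, *a, **kw):
            sensor.check(args)                       # raises before spawning
            return sensor._orig_popen(args, *a, **kw)

        subprocess.Popen = guarded_popen
        try:
            yield self
        finally:
            subprocess.Popen = self._orig_popen


def demo() -> tuple[list[Event], int]:
    """Constructed scenario: one launch that is not allowlisted, one that is."""
    sensor = OsAccessSensor(Policy(allowed_programs=frozenset({sys.executable})))
    with sensor.installed():
        with request_scope(RequestContext("POST", "/export",
                                          "ReportsController#create", "203.0.113.7")):
            try:
                subprocess.run(["sh", "-c", "id"], check=True)   # blocked, never runs
            except PolicyViolation:
                pass
            rc = subprocess.run([sys.executable, "-c", "pass"]).returncode  # allowed
    return sensor.events, rc
```

Because the check runs before the process is created, the blocked event is an attempt, not a breach; the recorded controller and request path are what an operator would use to find the code path that tried to shell out.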

The company has added integrations such as webhooks, incident response vendors such as Demisto, PagerDuty, collaboration app Slack and more.