Sean Michael Kerner, Author at eSecurity Planet
https://www.esecurityplanet.com/author/sean-michael-kerner-2/
Industry-leading guidance and analysis for how to keep your business secure.

Email Still a Major Attack Vector: Security Research
https://www.esecurityplanet.com/threats/email-still-a-major-attack-vector-security-research/
Mon, 03 Jun 2019
The post Email Still a Major Attack Vector: Security Research appeared first on eSecurity Planet.

While modern cyber threats can take different forms and delivery methods, email continues to be one of the primary approaches cyber attackers are using to exploit organizations, according to multiple research reports released in May 2019.

In this monthly roundup, eSecurity Planet summarizes findings from seven different research reports — and the key lessons that enterprises can learn to protect themselves against current and emerging security risks.

Mimecast – State of Email Security

Among the high-level findings in Mimecast’s State of Email Security report is that impersonation attacks, a form of Business Email Compromise (BEC), are on the rise, with 73 percent of organizations admitting they experienced a direct loss due to an impersonation attack. Phishing attacks, which aim to trick unsuspecting users into clicking on something or providing personal information, were also on the rise, with a majority (55 percent) of respondents reporting an increase in phishing attacks over the last 12 months.

Email is also a common delivery mechanism for ransomware, which is having a growing impact on organizations. According to the report, 53 percent of organizations experienced a business-disrupting ransomware attack, up from 26 percent in the 2018 report.

“Email security systems are the front line defense for most attacks,” said Josh Douglas, vice president of threat intelligence at Mimecast. “Yet, just having and providing data on these attacks is not what creates value for most respondents.”

Key Takeaway: Organizations need to have tools that provide actionable intelligence to help identify new and emerging email threats.

Proofpoint – Q1 2019 Threat Report

Proofpoint’s Q1 2019 Threat report identified the Emotet botnet as a dominant threat during the quarter.

61 percent of all malicious payloads observed by Proofpoint during the first quarter of 2019 were attributed to the Emotet botnet. Emotet is an agile botnet used to deliver various forms of attack traffic, including information-stealing malware as well as spam emails. Also of note in the report is the finding that by volume, there were five times more attacks that made use of malicious URLs in email than malicious attachments.

“Assume users will click,” the Proofpoint Threat Insight Team wrote in a blog post. “Social engineering is increasingly the most popular way to launch email attacks, and criminals continue to find new ways to exploit the human factor.”

Key Takeaway: Have systems in place that can protect the organization against users who will click on potentially malicious web addresses.

Rapid7 – Quarterly Threat Report

Rapid7’s first quarter 2019 threat report warned of the continued risk of remote entry attacks.

According to Rapid7’s analysis, remote entry attacks were the most prevalent threat category for large organizations in the first quarter of 2019, with over 40 percent of large organizations affected. Rapid7 also warned of the continuing risk of fake login pages that victims are directed to via phishing attacks. In particular, fake Microsoft login pages for services such as Office 365, Exchange and OneDrive were found to be increasingly prevalent.

Overall however, credential stuffing and replay was identified by Rapid7 as the top threat across all industries. With a credential stuffing or replay attack, usernames and passwords stolen from one site are used by attackers on other sites in an attempt to exploit users who reuse the same credentials across multiple sites.

“With 2018 being the year of ‘Credentials Gone Wild’ and a constant heartbeat of security news informing us all about ransomware hitting municipalities and SMBs, it was somewhat unnerving to see that attackers in our corpus are still relying on credential replay as a primary tool in their arsenal,” Bob Rudis, chief data scientist at Rapid7, told eSecurity Planet. “The continued use of this technique is a sign that it continues to be effective, which also likely means folks are still abusing their credentials by reusing their credentials.”

Key Takeaway: Do not reuse the same username and password on multiple sites. Use unique credentials in order to minimize the risk of credential stuffing.
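A practitioner reading Rapid7’s finding will also want to know what credential stuffing looks like in their own authentication logs. The following is an added example, not code from Rapid7 or eSecurity Planet: it runs a simple detector over a few constructed log lines (a hypothetical format of timestamp, source IP, username and result) and flags sources that cycle through many distinct usernames with a high failure rate inside a short window, which is the signature of replaying a stolen credential list, while leaving one user’s repeated failures from one address alone. The window and thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not from any report):
# timestamp, source IP, username, result. 203.0.113.7 walks a list of
# usernames; 198.51.100.5 is one person mistyping a password.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 203.0.113.7 alice FAIL
2019-03-01T10:00:02Z 203.0.113.7 bob FAIL
2019-03-01T10:00:02Z 203.0.113.7 carol FAIL
2019-03-01T10:00:03Z 203.0.113.7 dave FAIL
2019-03-01T10:00:03Z 203.0.113.7 erin FAIL
2019-03-01T10:00:04Z 203.0.113.7 frank OK
2019-03-01T10:00:05Z 203.0.113.7 grace FAIL
2019-03-01T10:00:06Z 203.0.113.7 heidi FAIL
2019-03-01T10:00:20Z 198.51.100.5 alice FAIL
2019-03-01T10:00:25Z 198.51.100.5 alice FAIL
2019-03-01T10:00:31Z 198.51.100.5 alice OK
2019-03-01T10:05:00Z 192.0.2.9 ivan OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, user, success) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4) == "OK"


def find_credential_stuffing(text, window=timedelta(minutes=5),
                             min_users=5, min_fail_ratio=0.6):
    """Return {ip: stats} for sources that tried many distinct usernames with
    mostly failures inside a sliding time window. A single user failing a few
    times from one IP (a forgotten password) is deliberately not flagged."""
    events = defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Later windows overwrite earlier ones, so the final entry
                # reflects the largest burst seen from this source.
                flagged[ip] = {
                    "distinct_users": len(users),
                    "attempts": len(chunk),
                    "failures": fails,
                    "successes": len(chunk) - fails,
                }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {stats}")
```

The one success in the flagged burst is the interesting line: a valid credential pair replayed from another site’s breach, which is exactly the account to force a password reset on.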

Risk Based Security – Q1 2019 Data Breach Report

Risk Based Security’s Q1 2019 Data Breach QuickView Report, released May 7, found that 2019 is already on pace to be the worst year on record for publicly reported data breaches.

In the first quarter, there were 1,903 publicly disclosed data breach events that exposed over 1.9 billion records. The vast majority of the breaches recorded (67.6 percent) in the first quarter were the result of sensitive data being exposed publicly on the internet.

“Researchers are increasingly going public when they discover sizable, unprotected databases containing sensitive information, and unfortunately, they aren’t terribly difficult to find when you know where to look,” said Inga Goddijn, executive vice president and head of Cyber Risk Analytics at Risk Based Security.

Key Takeaway: Protect online databases and make very certain they are not “world-readable” by anyone on the internet. And see our picks for top database security tools.

RSA – Quarterly Fraud Report

RSA’s first quarter fraud report found a 300 percent spike in fraud attacks coming from rogue mobile apps.

Rogue mobile apps represented 50 percent of observed attacks in the first quarter of 2019. In contrast, phishing attacks accounted for 29 percent of fraud attacks, with the top target of phishing-related fraud being Canada at 52 percent of attacks, with the U.S. coming in at only 6 percent. Card-not-present (CNP) fraud transactions increased 17 percent last quarter, and 56 percent of those originated from mobile. On a positive note, RSA recovered over 14.2 million unique compromised cards in Q1, a 33 percent increase from the previous quarter.

“In Q1, the most drastic difference between the value of genuine and fraud transactions was observed in North America, where the average value of a fraud transaction was $403, nearly double that of a genuine transaction,” the RSA report stated.

Key Takeaway: Monitor devices and user behavior with the right technology (User and Entity Behavior Analytics) to help identify and limit the risk for fraud.

White Ops – Bot Baseline

White Ops in partnership with the ANA (Association of National Advertisers) released the Bot Baseline report on May 1, providing insight into the state of bot-driven online fraud.

The big finding in the report is that bot fraud financial losses in the advertising business are forecast to come in at $5.8 billion. While that number is staggering, it represents a decline from the $6.5 billion reported in the previous Bot Baseline report released in 2017. Overall bot-related fraud attempts account for 20 to 35 percent of all ad impressions, though the report contends that the amount of successful fraud is a small percentage.

“We are coming off a year of unprecedented industry collaboration that has proved to be a powerful tool for tackling ad fraud at a global scale,” said Tamer Hassan, CEO and Co-founder at White Ops. “But it is important to remember that fraud will always follow the money.”

Key Takeaway: Industry collaboration can have an impact on reducing fraud.

Vade Secure – Phishers’ Favorites

On May 2, Vade Secure released its Phishers’ Favorites report for Q1 2019, looking at the current state of phishing attacks.

According to the report, social media phishing is on the rise as hackers increasingly turn to Facebook and Instagram to lure in their victims. While the social media sites are becoming more popular lures, they still haven’t unseated the top seed on the list, which for the fourth straight quarter is once again Microsoft. Vade reported seeing multiple types of Microsoft-inspired phishing campaigns, including a variety of Office 365 attacks, with victims being sent links to fraudulent documents.

“It seems like every quarter cybercriminals are upping their game and getting increasingly sophisticated, and Q1 2019 was no exception,” said Adrien Gendre, Chief Solution Architect, Vade Secure. “These hackers are now intimately familiar with how both consumer and corporate email users interact with the internet and are constantly evolving their techniques to trick users into clicking malicious links and providing their credentials.”

Key Takeaway: Think twice before clicking a link and use tools that help identify potential phishing addresses.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

What is Serverless Computing Security?
https://www.esecurityplanet.com/cloud/serverless-computing/
Thu, 28 Mar 2019
The post What is Serverless Computing Security? appeared first on eSecurity Planet.

Serverless computing is among the newest trends in cloud computing and also among the most complex. And as with any new technology, particularly a complicated one, serverless computing also brings with it new technology risks.

With serverless computing, cloud computing is expressed at its most pristine level, without the need for organizations to run any long-lived servers. Advocates of serverless computing praise its pure service-based approach, while skeptics have their own complexity and security concerns.

So what exactly is serverless cloud computing? And perhaps more importantly, how can organizations take proactive steps to secure it? That’s what this eSecurity Planet guide is all about.

What is Serverless Computing?

Serverless computing is also sometimes referred to as Functions-as-a-Service, which is perhaps a more descriptive term. Serverless is also referred to as Event-Driven Computing by some vendors.

With cloud computing, instead of organizations needing their own servers, cloud services provide virtual server compute instances on which to run applications. In the serverless model, the services component is taken a step further and the server itself is abstracted away.

In a nutshell, with serverless, rather than needing a long-running server or container, as is the case with other cloud computing services, a simple function is executed to achieve a given task based on an event trigger.

For example, rather than running a long-lived email service, an email-sending function can be triggered whenever there is a need to send an email.

Serverless is an idea that was pioneered with the AWS Lambda service and is now an approach that is also available on Microsoft’s Azure public cloud as well as the Google Cloud Platform (GCP). There are also multiple open source options that enable serverless for private cloud and Kubernetes container orchestration system deployments.

Serverless Computing: Pros and Cons

Pros
  • Cost: only pay for the time needed to execute a function
  • Disaggregated services: serverless enables a full microservices approach, where every specific function is a service
  • No server management required: serverless providers manage all the server and compute instances

Cons
  • Speed: there is a small amount of latency to execute a function that might not be present with a long-running server
  • Complexity: microservices can add complexity to an application delivery workflow
  • Skills gap: existing server management skills and policies don’t always apply to serverless deployments


Serverless Computing Risks

While serverless computing offers organizations a different, more agile approach for service delivery, it’s also a different deployment and management paradigm that could introduce new risks.

Among the serverless computing risks that organizations should consider are:

  • Vendor security: Serverless functions execute on a provider’s infrastructure, which may or may not be secure.
  • Multi-tenancy: Functions in a serverless service often run on shared infrastructure that is running code for multiple customers; that could be a concern when it comes to sensitive data.
  • Injection attacks: In an injection attack, unauthorized or unexpected content or data is injected into an application flow; in the serverless model, that content can arrive in the event payload that triggers the function, so event data has to be treated as untrusted input.
  • Encryption: Serverless functions can often call out to databases and other privileged resources; if the connection isn’t encrypted, data can potentially be leaked.
  • Security misconfigurations: In order to enable access to different resources, a developer could potentially put access keys, tokens and passwords directly into the function; not protecting those secrets is a risk.
  • Function permissions: Often serverless functions are granted the same permissions as a server might get. A serverless function, however, requires only a bare minimum permission to execute, and overprovisioning permissions opens up the function to potential risk
  • Component vulnerabilities: Functions often rely on a supply chain of third-party libraries and components. If there is a known (or unknown) vulnerability in one of the components, the serverless function could potentially be exploited
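To make the injection item concrete, here is an added example (not from the page or any vendor it names) of a Lambda-style handler in Python. The event payloads, the /tmp/uploads directory and the line-counting task are assumptions made up for the illustration. The vulnerable builder splices an event field into a shell command string; the hardened one validates the field against an allow-list and hands it to the program as a separate argv element with no shell in between.

```python
import re
import subprocess

# Constructed event payloads in the shape a Lambda-style handler receives
# (hypothetical; not from the page). The second smuggles a second command
# into a field the function expects to be a plain file name.
BENIGN_EVENT = {"filename": "report-2019-03.txt"}
MALICIOUS_EVENT = {"filename": "report.txt; cat /etc/passwd"}

# Assumed directory the function processes; made up for this example.
UPLOAD_DIR = "/tmp/uploads"


def build_command_vulnerable(event):
    """Vulnerable: the event field is spliced into a shell command string.
    Run with shell=True, the ';' in MALICIOUS_EVENT ends 'wc' and starts a
    second command of the attacker's choosing. Returned here, not executed."""
    return f"wc -l {UPLOAD_DIR}/{event['filename']}"


# Allow-list: a file name is letters, digits, '.', '_' or '-', starts with a
# letter or digit, and is at most 64 characters. Everything else is rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def is_safe_filename(name):
    """True only for names matching the allow-list with no path traversal."""
    return bool(SAFE_NAME.match(name)) and ".." not in name


def build_command_hardened(event):
    """Hardened: validate the event field, then return an argv list. Each
    element reaches the program as exactly one argument; no shell parses it."""
    name = str(event.get("filename", ""))
    if not is_safe_filename(name):
        raise ValueError(f"rejected filename from event: {name!r}")
    return ["wc", "-l", f"{UPLOAD_DIR}/{name}"]


def handler(event, context=None):
    """Lambda-style entry point. subprocess.run with a list and the default
    shell=False means metacharacters in the event are never interpreted."""
    argv = build_command_hardened(event)
    result = subprocess.run(argv, capture_output=True, text=True)
    return {"argv": argv, "returncode": result.returncode,
            "output": result.stdout.strip()}


if __name__ == "__main__":
    print("vulnerable:", build_command_vulnerable(MALICIOUS_EVENT))
    print("hardened  :", build_command_hardened(BENIGN_EVENT))
    try:
        build_command_hardened(MALICIOUS_EVENT)
    except ValueError as exc:
        print("hardened  :", exc)
```

The same pattern applies to any sink the function feeds from the event: a SQL statement, a file path, an HTTP call to another service. Validate against what the field is supposed to contain, then use an API that keeps data and command structure separate.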

How to Manage Serverless Security

Managing serverless security is all about having appropriate controls and policies in place. While cloud server security policies may well be effective for virtual compute server instances in the cloud, additional levels of control, granularity and visibility are needed for serverless computing.

Reduce Serverless Permissions

Among the greatest risks to serverless computing are functions that have more permissions than are needed. With serverless, it’s possible to significantly reduce the attack surface by implementing a least privilege model for all deployed functions. Reducing the number of privileges can be done during the development phase for a function, with automated checks set up in staging environments. By profiling function behavior, it’s also possible to see which privileges a running function actually uses. With that visibility, an administrator can dial down the access to only enable the required privileges.
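As an added illustration of the least-privilege review described above (example code, not from the page or any cloud provider), the following Python checks an IAM-style policy document for wildcard grants, compares what the policy allows against the actions a profiling run showed the function actually using, and produces the trimmed policy. The JSON grammar is AWS’s; the policies, the bucket, table and account identifiers, and the observed-action set are constructed for the example.

```python
import fnmatch
import json

# Constructed IAM-style policy documents (hypothetical: the JSON grammar is
# AWS's, the grants, bucket, table and account number are made up). The first
# is the blanket grant a function tends to inherit from a server role; the
# second is scoped, but still carries one grant nobody removed.
OVERPRIVILEGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*"], "Resource": "*"},
    ],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::example-uploads/*"},
        {"Effect": "Allow",
         "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Reports"},
    ],
})

# What profiling the running function (or reading its source) shows it calls.
OBSERVED_ACTIONS = {"s3:GetObject", "dynamodb:PutItem"}


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def allowed_grants(policy_json):
    """Every (action pattern, resource) pair an Allow statement grants."""
    doc = json.loads(policy_json)
    grants = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            for resource in _as_list(stmt.get("Resource", [])):
                grants.append((action, resource))
    return grants


def find_wildcards(policy_json):
    """Grants whose action part contains '*' or whose resource is a bare '*'."""
    return [(a, r) for a, r in allowed_grants(policy_json)
            if "*" in a.split(":", 1)[-1] or r == "*"]


def unused_grants(policy_json, observed):
    """Grants matching none of the observed actions; removable without
    breaking the function."""
    return [(a, r) for a, r in allowed_grants(policy_json)
            if not any(fnmatch.fnmatchcase(obs, a) for obs in observed)]


def is_least_privilege(policy_json, observed):
    """No wildcards and nothing granted beyond what the function was seen using."""
    return not find_wildcards(policy_json) and not unused_grants(policy_json, observed)


def trim_policy(policy_json, observed):
    """The 'dial down' step: keep only explicit grants that were observed in
    use. Wildcard grants are dropped rather than narrowed, because the right
    resource ARN to put in their place has to come from the operator."""
    drop = set(find_wildcards(policy_json)) | set(unused_grants(policy_json, observed))
    keep = [g for g in allowed_grants(policy_json) if g not in drop]
    statements = [{"Effect": "Allow", "Action": a, "Resource": r} for a, r in keep]
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


if __name__ == "__main__":
    for label, policy in (("over-privileged", OVERPRIVILEGED_POLICY),
                          ("scoped", SCOPED_POLICY)):
        print(label, "wildcards:", find_wildcards(policy))
        print(label, "unused:", unused_grants(policy, OBSERVED_ACTIONS))
        print(label, "trimmed:", trim_policy(policy, OBSERVED_ACTIONS))
```

Run in a staging pipeline, a check like this fails the build whenever a function’s role carries a wildcard or a grant that profiling never saw exercised; the trimmed document is a starting point for the reviewer, not something to apply blindly, since a code path that profiling did not cover still needs its grant.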

Enforce Authentication

All functions that call out to a service, be it internal to the same cloud provider or not, must require access control and authentication to help limit risk. Cloud providers provide guidance on best practices for how to enforce serverless authentication, which administrators should follow.

Use Cloud Provider Controls

Cloud providers also have multiple built-in services that can help users identify potential misconfigurations. For example, AWS Trusted Advisor is an option for those running AWS Lambda.

Log Function Activity

Since serverless functions are event driven and stateless, looking at real-time activity will often miss most activity. By using cloud provider (or third party) logging and monitoring for serverless, it’s possible to have an audit trail that can be useful when and if threat hunting is required.

Monitor Function Layers

Functions can have multiple layers, which call in different code and third-party libraries. By monitoring layers, an administrator can potentially identify attempts at injection and malicious activity.

Consider Third-Party Security Tools

While serverless platform providers often integrate some security controls, they tend to be limited in scope, focusing just on the platform on which the functions are running. There are multiple third party tools and technologies that provide additional layers of visibility and control for serverless computing.

Serverless Computing Security Vendors

The market for serverless computing security tools is a relatively new one, but there are already multiple vendors in the space. There is some overlap with container security vendors (see eSecurity Planet‘s list of top container security vendors), since serverless technologies typically involve the use of short-lived stateless containers.

Aqua Security

Aqua Security provides a full container and serverless security platform that can help organizations assess and mitigate serverless risk.

Nuweba

Nuweba is a newer entrant into the serverless space, emerging from stealth in February 2019 with its own secure Functions-as-a-Service platform that can integrate with serverless services from major public cloud providers.

PureSec

The PureSec Serverless Security Platform is purpose-built for the challenges of serverless security and can integrate into an organization’s existing Continuous Integration/Continuous Delivery (CI/CD) workflow.

Protego Labs

Protego Labs is also focused on serverless security, aiming to provide full lifecycle security from development through deployment.

Snyk

The Snyk platform enables organizations to continuously scan functions to help identify any potential risks.

Twistlock

Twistlock’s platform provides security for both containers and serverless functions across the full development and deployment lifecycle.

RSA Conference 2021: Speakers, Vendors & Sessions
https://www.esecurityplanet.com/networks/rsa-conference-2019-preview/
Sat, 02 Mar 2019
The post RSA Conference 2021: Speakers, Vendors & Sessions appeared first on eSecurity Planet.

The RSA Conference is one of the biggest events of the year in the InfoSec industry, drawing vendors, experts, security practitioners and the curious from near and far.

The theme for the 2019 event is “Better,” with the idea being that organizations, vendors and the cybersecurity industry as a whole can continue to do better. The RSA Conference 2019 takes place from March 4-8 across the cavernous North, South and West buildings of the Moscone Center in San Francisco, with additional sessions and events overflowing into the adjacent Marriott Marquis hotel.

The conference is overwhelming to the newcomer and the veteran attendee alike, with so many things to see and do, often at the same time.

One of the best ways to have a successful experience at the RSA Conference is to have an idea of what to expect and to have a plan, so we hope this preview proves helpful.

Keynotes

No security conference on the planet has the same breadth and depth of keynotes as the RSA Conference USA, with leaders of tech companies, government officials and other well-known public figures, and CEOs of large technology vendors all sharing their experiences.

For 2019, RSA Conference will have more keynotes than ever, with two keynote stages. The traditional vendor and guest speaker keynotes will happen on the Moscone West Stage, while a broader set of panels and experts will deliver keynotes on the Moscone South Stage.

In total, there are some 31 keynotes scheduled across four days (March 5-8). That’s a staggering volume of content — and there are over 500 sessions too.

Tech leaders

The kickoff keynote at RSA Conference is always done by RSA Security, and this year RSA Security President Rohit Ghai will be talking about the trust landscape, which is increasingly under cyberattack.

The idea of trust is also a theme that Google executives will be talking about in a March 8 keynote, titled Engineering Trust and Security in the Cloud Era. Among the CEOs and tech leaders taking the keynote stage at RSA will be George Kurtz, CEO of CrowdStrike, who will be talking about hacking Mac OS alongside CTO Dmitri Alperovitch.

Nikesh Arora, CEO of Palo Alto Networks, and Arista Networks CEO Jayshree Ullal are set to deliver a keynote on secrets of a successful cloud journey. Mary O’Brien, recently named General Manager of IBM Security, will be speaking about how to change an organization’s cybersecurity approach for the better. VMware CEO Pat Gelsinger will be on the Moscone West Stage, where he plans to talk about three things the security industry isn’t talking about but should be.

Cisco executives, including Liz Centoni, SVP and General Manager for IoT, and Matt Watchinski, Vice President of the Global Threat Intelligence Group, are speaking on the risks of Internet of Things (IoT) devices as an emerging threat vector. Other CEOs hitting the keynote stage include Kevin Mandia of FireEye and Stuart McClure of Cylance, among others.

Government officials

Government officials are also making an appearance on the RSA Conference stage, among them General Paul Nakasone, who holds the joint command of both the National Security Agency and the U.S. Cyber Command. FBI Director Christopher Wray will also be on the keynote stage talking about the role of his agency in combating cyber threats.

Among the most anticipated keynotes in any given year at the RSA Conference is the annual cryptographer panel, which brings together the world’s most renowned cryptographers. At the RSA 2018 event, cryptographers were blunt about the state of cybersecurity and weren’t particularly enthusiastic about blockchain either.

Sandbox events

Aside from the events occurring across the Moscone Conference center buildings, there are multiple events at the Marriott Marquis, including the annual RSA Conference Innovation Sandbox Contest.

For 2019, there are 10 vendors that are finalists in the competition and are set to showcase their wares in a series of three-minute pitches on March 4 before a panel of judges between 2 and 3:30 p.m. Judges are expected to announce the winner at 4:30 p.m.

Check out eSecurity Planet‘s overview of the 10 finalists to find out more about the companies that will be onstage at the Innovation Sandbox contest.

RSA Conference Launch Pad

The Sandbox area will also play host to the RSA Conference Launch Pad event on March 5 between 4 and 4:45 p.m., where NuID, Spherical Defence and Styra will present their companies’ technologies to a panel of venture capitalists in a bid to gain new funding.

Early Stage Expo

The innovation sandbox and the launch pad aren’t the only areas where attendees can see more than 50 startup vendors showcasing their innovations. Several of the same vendors from the Innovation sandbox and launch pad contests — including Axonius, NuID and Eclypsium — will be at the expo. The Early Stage Expo is located in the Marriott Marquis, Yerba Buena 9 area, from March 5-7.

Vendors

The largest single area and biggest draw for the tens of thousands of RSA attendees is often the expansive exhibit halls where vendors set up booths to explain their products and services.

Just like the two sets of keynote locations, there are two different vendor expo halls at RSA Conference. Getting lost in the expo halls is a rite of passage for any RSA Conference attendee, but there are floor plans to help navigate the maelstrom.

The North expo hall is often considered to be the primary, as it is home to RSA Security itself, which commands a massive 70-by-60 foot booth that is the first thing attendees will see when entering the hall. The North Hall is also home to other big vendors, including Cisco, McAfee, Symantec, VMware, IBM Security and Intel, among many others.


The South Hall is also packed solid with vendors, with the largest booth size coming in at 30 by 30 feet. Among the many vendors in the South Hall are Trend Micro, Webroot, F5 Networks, Mimecast, Citrix and many others.


With over 700 exhibitors across all the expo areas, it’s a challenge for anyone to take it all in, so plan ahead.

Key Sessions

There are over 500 sessions at the 2019 RSA Conference that span every facet of the cybersecurity landscape. The full conference guide to all the sessions is an overwhelming document, including everything that is happening.

So which sessions should you go to? Be sure to check out eSecurity Planet‘s guide to RSA Conference sessions that shouldn’t be missed.

Container & Kubernetes Security Best Practices
https://www.esecurityplanet.com/applications/tips-for-container-and-kubernetes-security/
Thu, 10 Jan 2019
The post Container & Kubernetes Security Best Practices appeared first on eSecurity Planet.

Containers are an increasingly popular way to deploy applications because of the improved efficiency and agility they offer.

Container technologies include multiple native security attributes, but they also introduce a number of security challenges that organizations need to consider. The growing popularity of the open source Kubernetes container orchestration platform for deploying and managing containers further adds to the complexity, and potentially opens up additional avenues of risk.

The new deployment paradigm for containers is often referred to as Cloud Native, as containers are particularly well suited for agile, distributed cloud deployment. The widespread use of containers has also led to the emergence of a new category of security technologies, purpose-built for containers; see eSecurity Planet‘s guide to the top Kubernetes and container security vendors.

At the Kubecon + CloudNativeCon event last month, a trio of executives from container security vendors Aqua Security, NeuVector and Twistlock participated in a panel discussion moderated by eSecurity Planet during Cloud Native Storage Day. The panelists offered their viewpoints and tips on how to secure both storage and applications to help organizations reduce container risks.

Kubernetes can be deployed by organizations on their own without additional tools, but panelists generally agreed that’s not a best practice that should be followed for production deployments for a number of reasons.

Tip #1: Don’t assume Kubernetes is secure by default

Twistlock’s Sonya Koptyev cautions that organizations can not take Kubernetes security for granted, even if it is hosted, managed and running on one of the big cloud providers. In her view, one of the most important things that organizations should do is stay aware and on top of vulnerabilities in the platform.

While managed providers often provide default security controls for their platforms, securing the default platform on its own is not enough, as it’s often individual applications and configurations that can represent risk.

Koptyev also noted that for different industries, security is often tied to compliance with different regulatory requirements. As such, maintaining compliance is something that each individual organization needs to consider, making sure their own applications and use cases are within the required parameters.

“In general, just to stay up to speed, have a tool that plugs into the latest and greatest updates and alerts you in a real-time capacity,” she said.

Tip #2: Kubernetes is not traditional security

Aqua Security’s Roni Osnat advised that traditional security for non-container/Kubernetes systems might not apply for Kubernetes deployments.

While some of the same security concerns, such as malware and abuse of privileges, can occur in cloud-native deployments as well, the control points are different. As such, different tools and capabilities are needed to properly secure Kubernetes deployments.

“We’re talking about a much more dynamic environment,” Osnat said. “If you have persistent storage, that storage itself is maybe managed in a very similar manner to traditional storage, but access to it and how it’s being deployed and used in Kubernetes production environments is very different.”

Tip #3: Have proper controls in place

NeuVector’s Glen Kosaka said that he constantly talks to companies that have put Kubernetes into production without any additional security controls.

Default permissions for Kubernetes might not be appropriate for all types of application deployments and organizations, and it’s important that organizations understand what controls are available. Having control is also tied to having visibility into an application and the deployment environment.

“You know you would never put an application into production without being able to detect both network attacks against it as well as application layer attacks, right?” Kosaka said. “So if you have a business-critical application, why would you launch a bunch of Kubernetes pods where you have no visibility of how the pods are communicating to each other over the network, or what’s actually happening in every pod?”

Tip #4: Validate images

In a traditional operating system environment, organizations have become accustomed to anti-malware scanning prior to installing an application, yet the same approach is not commonplace with containers, according to Twistlock’s Koptyev.

“One of the common things we see is again taking for granted the fact that if there is an image in an open and public repository at a container registry, folks download it and think they can just use it,” she said. “You absolutely must scan and lock things down and also go through and make sure that the image that you pull down is going to actually be doing what you want it to do.”

Among the threats publicly reported in container images is cryptojacking software. Koptyev added that attackers have become increasingly stealthy at embedding malware, most notably cryptocurrency miners, inside packages.
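As an added example (not the article's code, nor Twistlock's), the following check turns the "make sure the image you pull is the one you meant" point into an admission-style policy: it parses every image reference in a pod spec and rejects images from untrusted registries, images not pinned by a sha256 digest, and mutable tags such as :latest. The pod spec is a plain dict in the shape of the Kubernetes PodSpec; the trusted-registry list and the sample images are constructed assumptions.

```python
"""Admission-style audit of container image references (added example).

Assumptions, not from the article: pod specs are plain dicts in the shape of
the Kubernetes PodSpec, the trusted registry list is hypothetical, and the
sample images are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split '[registry/]repo[:tag][@sha256:<hex>]' into its parts.

    Per the Docker reference grammar, the first path component is a registry
    only if it contains '.' or ':' or is 'localhost'; otherwise the image
    lives on Docker Hub (docker.io).
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    registry = ""
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, ref = first, rest
    # Only now look for a tag, so a registry port is never taken for one.
    tag = None
    if ":" in ref:
        ref, tag = ref.rsplit(":", 1)
    return ImageRef(registry or "docker.io", ref, tag, digest)


def audit_images(pod_spec: dict, trusted_registries: Set[str]) -> List[str]:
    """Return one finding per policy violation across init and app containers.

    Hypothetical policy, of the kind a validating admission webhook enforces:
      1. the image must come from a trusted registry;
      2. the image must be pinned by a sha256 digest, since a tag is mutable
         and the registry may serve different content for it later;
      3. ':latest' or a missing tag is called out separately because it is
         the most common way an unreviewed image reaches production.
    """
    findings = []
    containers = pod_spec.get("initContainers", []) + pod_spec.get("containers", [])
    for c in containers:
        name, ref = c["name"], parse_image_ref(c["image"])
        if ref.registry not in trusted_registries:
            findings.append(f"{name}: untrusted registry {ref.registry!r}")
        if ref.digest is None:
            findings.append(f"{name}: not pinned by digest")
            if ref.tag in (None, "latest"):
                findings.append(f"{name}: mutable tag 'latest'")
        elif not DIGEST_RE.match(ref.digest):
            findings.append(f"{name}: malformed digest {ref.digest!r}")
    return findings


# Constructed sample, not taken from a real cluster.
SAMPLE_POD_SPEC = {
    "initContainers": [
        {"name": "migrate", "image": "registry.internal:5000/shop/migrate:1.4.2"},
    ],
    "containers": [
        {"name": "api", "image": "registry.internal:5000/shop/api@sha256:" + "a" * 64},
        {"name": "cache", "image": "redis"},  # Docker Hub, implicit :latest
        {"name": "sidecar", "image": "ghcr.io/example/helper:latest"},
    ],
}
TRUSTED_REGISTRIES = {"registry.internal:5000"}

if __name__ == "__main__":
    for finding in audit_images(SAMPLE_POD_SPEC, TRUSTED_REGISTRIES):
        print(finding)
```

Run against the sample, only the digest-pinned `api` container passes; the digest check is what makes "the image you pull is the one you reviewed" verifiable, since a scanner's verdict is tied to content, not to a tag that can be repointed.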

Tip #5: Lock down access controls

Whether an organization is running Kubernetes on-premises or in the cloud, NeuVector’s Kosaka said it’s important to lock down and evaluate all the access controls.

Access controls include multiple elements, such as service accounts, namespaces and storage volume access. Granting blanket access across a Kubernetes cluster in which many different applications run is not a good idea. Rather, Kosaka suggests that organizations review access policies and make sure that only the required access is granted. Aqua’s Osnat noted that storage access in particular, such as storage volume mounts, is not secured by default.

“If you don’t do things properly, you’re actually at risk of letting people into your databases through your cloud-native deployment,” Osnat said.
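Tips #3 and #5 both come down to checking what the defaults grant before relying on them. The following audit is an added example, not part of the original article or of any vendor's product: it walks a Role, a ClusterRoleBinding and a pod spec represented as plain dicts in the shape of the Kubernetes API and reports the grants a least-privilege review would reject (wildcard rules, secret access, cluster-admin on a service account, anything bound to the default service account, automounted API tokens, hostPath volumes, privileged or root containers). The sample objects and the list of sensitive verbs are constructed for illustration.

```python
"""Least-privilege audit of Kubernetes RBAC objects and pod specs (added example).

Objects are plain dicts in the shape of the Kubernetes API, so no cluster access
is needed. The samples and the sensitive-grant list are constructed for
illustration, not taken from any real deployment.
"""
from typing import List

POWERFUL_CLUSTER_ROLES = {"cluster-admin"}
# Grants that read secrets or open a shell in other pods; a list so output order is stable.
SENSITIVE_GRANTS = [("secrets", "get"), ("secrets", "list"), ("pods/exec", "create")]


def audit_role(role: dict) -> List[str]:
    """Flag wildcard rules and sensitive grants in a Role or ClusterRole."""
    findings = []
    name = f"{role['kind']}/{role['metadata']['name']}"
    for rule in role.get("rules", []):
        resources, verbs = set(rule.get("resources", [])), set(rule.get("verbs", []))
        if "*" in resources or "*" in verbs:
            findings.append(f"{name}: wildcard grant {sorted(resources)} {sorted(verbs)}")
        for res, verb in SENSITIVE_GRANTS:
            if res in resources and verb in verbs:
                findings.append(f"{name}: grants {verb} on {res}")
    return findings


def audit_binding(binding: dict) -> List[str]:
    """Flag powerful roles bound to service accounts, and anything bound to the
    'default' service account, which every pod in a namespace uses unless told otherwise."""
    findings = []
    name = f"{binding['kind']}/{binding['metadata']['name']}"
    role = binding["roleRef"]["name"]
    for subj in binding.get("subjects", []):
        if subj["kind"] != "ServiceAccount":
            continue
        sa = f"{subj['namespace']}/{subj['name']}"
        if role in POWERFUL_CLUSTER_ROLES:
            findings.append(f"{name}: {role} bound to ServiceAccount {sa}")
        if subj["name"] == "default":
            findings.append(f"{name}: {role} bound to default ServiceAccount {sa}")
    return findings


def audit_pod_spec(pod: str, spec: dict) -> List[str]:
    """Flag defaults that widen a pod's reach: the API token is mounted unless
    automountServiceAccountToken is explicitly false, hostPath exposes the node,
    and privileged or root containers defeat isolation."""
    findings = []
    if spec.get("automountServiceAccountToken", True):
        findings.append(f"{pod}: service account token automounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{pod}: hostPath volume {vol['hostPath']['path']!r}")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{pod}/{c['name']}: privileged container")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{pod}/{c['name']}: runAsNonRoot not enforced")
    return findings


# Constructed samples: a Role with a wildcard rule, cluster-admin bound to the
# default service account, and a pod that mounts the Docker socket from the host.
SAMPLE_ROLE = {
    "kind": "Role", "metadata": {"name": "app-role", "namespace": "shop"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    ],
}
SAMPLE_BINDING = {
    "kind": "ClusterRoleBinding", "metadata": {"name": "too-broad"},
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
    "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "shop"}],
}
SAMPLE_POD_SPEC = {
    "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [
        {"name": "web", "image": "shop/web", "securityContext": {"runAsNonRoot": True}},
        {"name": "agent", "image": "shop/agent", "securityContext": {"privileged": True}},
    ],
}


def audit_all() -> List[str]:
    """Run every check over the samples; each line is one least-privilege violation."""
    return (audit_role(SAMPLE_ROLE) + audit_binding(SAMPLE_BINDING)
            + audit_pod_spec("shop/web", SAMPLE_POD_SPEC))


if __name__ == "__main__":
    print("\n".join(audit_all()))
```

In practice the dicts come from the JSON that `kubectl get roles,clusterrolebindings,pods -o json` returns; the point of the default-service-account and automount checks is that a pod which never asked for API access still gets a token, and with a binding like the sample one that token is cluster-admin.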

Tip #6: Secure stateful access to non-Kubernetes assets

Containers are often thought of as stateless: they do not have to run persistently and can be spun up or torn down as needed. Data storage, in contrast, must be stateful and persistent in order to retain the data.

Kubernetes deployments will often connect to stateful (and sometimes non-container) data storage and databases, and those data connections need to be secured. Koptyev said it’s important that organizations encrypt data storage to help reduce risk. Additionally, organizations should be watching all Kubernetes connections into and out of data storage.

Koptyev suggests that one way to limit the risk of malicious stateful connections is to first know exactly how the different container microservices are supposed to communicate among themselves and with data stores.

“So if you know your normal state of behavior, then you can identify anomalies that happen,” she said.
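Koptyev's "know your normal state" suggestion is straightforward to prototype. The following added example (not from the article or Twistlock) learns which workload talks to which datastore and port from a trusted learning window, flags later flows that fall outside it, and renders the learned set as NetworkPolicy-style egress entries so the baseline can be enforced rather than only alerted on. The flow records are constructed; in a cluster they would come from the CNI, a service mesh, or an eBPF flow log, and the `app` label used for the selector is an assumption.

```python
"""Learn the normal service-to-datastore connection graph and flag deviations
(added example). The flow records are constructed for illustration; in a
cluster they would come from the CNI, a service mesh, or an eBPF flow log.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]            # (source workload, destination, port)
Baseline = Dict[str, Set[Tuple[str, int]]]


def build_baseline(flows: List[Flow]) -> Baseline:
    """Record, per source workload, every (destination, port) pair seen during
    a learning window that is trusted to contain only legitimate traffic."""
    baseline: Baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return dict(baseline)


def detect_anomalies(baseline: Baseline, flows: List[Flow]) -> List[str]:
    """Describe every flow the baseline does not explain: a workload that was
    never seen, or a known workload reaching a datastore or port it never
    used, which is the pattern of a compromised pod pivoting to data."""
    anomalies = []
    for src, dst, port in flows:
        allowed = baseline.get(src)
        if allowed is None:
            anomalies.append(f"unknown workload {src} -> {dst}:{port}")
        elif (dst, port) not in allowed:
            anomalies.append(f"{src} -> {dst}:{port} not in baseline")
    return anomalies


def egress_allowlist(baseline: Baseline, src: str) -> List[dict]:
    """Render one workload's baseline as NetworkPolicy-style egress entries
    (destination selected by an assumed 'app' label plus a TCP port), so the
    learned set can be enforced rather than only alerted on."""
    return [{"to": [{"podSelector": {"matchLabels": {"app": dst}}}],
             "ports": [{"protocol": "TCP", "port": port}]}
            for dst, port in sorted(baseline.get(src, set()))]


# Constructed: a quiet, trusted period used to learn normal behaviour.
LEARNING_WINDOW: List[Flow] = [
    ("orders-api", "postgres", 5432),
    ("orders-api", "redis", 6379),
    ("frontend", "orders-api", 8080),
    ("reporting", "postgres", 5432),
    ("orders-api", "postgres", 5432),
]
# Constructed: later traffic with three flows the baseline cannot explain.
LIVE_TRAFFIC: List[Flow] = [
    ("frontend", "orders-api", 8080),
    ("frontend", "postgres", 5432),             # frontend has never talked to the DB
    ("orders-api", "redis", 6379),
    ("orders-api", "203.0.113.7", 4444),        # egress to an external host, odd port
    ("cryptominer", "pool.example.net", 3333),  # a workload nobody baselined
]

if __name__ == "__main__":
    baseline = build_baseline(LEARNING_WINDOW)
    for line in detect_anomalies(baseline, LIVE_TRAFFIC):
        print(line)
```

The learning window is the weak point of any baseline approach: if it already contains attacker traffic, that traffic becomes "normal", so review the learned set before enforcing it. Egress NetworkPolicy rules are only honoured by a CNI that implements them.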

Tip #7: Take a multi-layered approach to Kubernetes security

Kubernetes and container deployments can be complicated, with myriad elements and components.

Much like with traditional application deployment architectures, there isn’t any one “silver bullet” or approach that can provide uniform security for all scenarios. While the panelists agreed that security by default is a good idea in general, they also agreed that defense in depth is a key best practice for any type of technology deployment.

“Ultimately, security is a multi-layered approach and there’s no one tool that’s going to give you all of the protection for all of the layers,” NeuVector’s Kosaka said. “But you need to think through all of those different layers and then apply the proper tools.”

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post Container & Kubernetes Security Best Practices appeared first on eSecurity Planet.

Sysdig: Container Security Product Overview and Analysis
https://www.esecurityplanet.com/products/sysdig/
Wed, 26 Dec 2018 00:00:00 +0000

The post Sysdig: Container Security Product Overview and Analysis appeared first on eSecurity Planet.


See our complete list of top container and Kubernetes security vendors

Company Description

Sysdig is a cloud-native intelligence company, founded in 2013 by CTO Loris Degioanni, one of the co-creators of Wireshark, the visibility tool for monitoring and troubleshooting network infrastructure. With the widespread adoption of the cloud and the advent of containers, Degioanni saw that containers and microservices in the cloud would require a new approach to monitoring, security and forensics.

Sysdig released its first open source troubleshooting tool, sysdig, in 2013 and later added Sysdig Falco, an open source runtime security tool. The company has since launched its commercial monitoring and security products, Sysdig Monitor and Sysdig Secure.

Sysdig is designed for modern, cloud-native applications that leverage microservices, Docker containers and Kubernetes, but is also compatible with previous software architectures.

Sysdig ContainerVision, a technology within the Sysdig platform, utilizes a single point of instrumentation, delivering monitoring, security, troubleshooting, and forensics from a single, low-resource agent. Sysdig ServiceVision, another technology within the platform, uses Kubernetes context to implement security at the microservices level in addition to the container, host, and network levels.

The Sysdig cloud-native intelligence platform monitors and secures millions of containers across hundreds of enterprises, including Fortune 500 companies and web-scale properties. Sysdig is a private company headquartered in San Francisco, with additional offices in Davis, CA; Raleigh, NC; London; and Belgrade, Serbia. The company is led by CEO Suresh Vasudevan.

Markets

The Sysdig products are horizontal and can be used in any market. However, within all markets, Sysdig targets forward-leaning, progressive companies that have adopted modern software approaches that leverage microservices, Docker containers, Kubernetes, and DevOps.

Products

Open Source Sysdig is the open source project that started the company. It provides system visibility through system calls for deep forensics and troubleshooting. Sysdig Falco is an open source container security monitor designed to detect anomalous activity in containers. It offers deep container visibility and predefined rule sets, and can take action when a container behaves unexpectedly.

Sysdig Secure is a container security and forensics solution for microservices. Sysdig Secure, part of the Sysdig Cloud-Native Intelligence Platform, can secure the end-to-end container lifecycle. It is available as both a cloud and an on-premises software offering.

Sysdig Monitor, part of the Sysdig Cloud-Native Intelligence Platform, is a container-native monitoring and troubleshooting solution. It is crafted to provide enterprise-class Prometheus support and extend Prometheus support to meet enterprise requirements. It comes with full container visibility and deep orchestrator integrations, including Kubernetes, Docker, AWS ECS, and Mesos. It is available as both a cloud and an on-premises software offering.

Sysdig Cloud-Native Intelligence Platform. The platform combines Sysdig Secure, Sysdig Monitor, and open source components in one easily managed offering. It is available as both a cloud and an on-premises software offering.

Key Features

Open Source Sysdig is 100 percent open source, allowing developers and operators to bring rich security functionality to their environments with no licensing costs. With a powerful query language, Sysdig provides instant access to data buried within containers.

csysdig and Sysdig Inspect help organizations visualize container state, enabling administrators to drill down into individual containers and gain protocol-level views of an application’s behavior to find application errors and bottlenecks.

Sysdig Falco is 100 percent open source and provides deep container visibility into the behavior of containers and applications down to fine details such as system, network, and file activity. When containers don’t behave as expected, Falco can take action by killing a container, sending alerts, and notifying a third party.

Sysdig Secure key features include: Vulnerability Management, which scans images and blocks vulnerabilities across the CI/CD pipeline registry or in production; Adaptive Run-Time Defense, which identifies and blocks threats based on application, container, file, host, or network activity; Compliance & Audit, which detects violations of external compliance requirements like CIS, PCI-DSS and GDPR, and can also enforce custom compliance controls; and Forensics, which triggers automatic system captures to see activity before and after security events to provide robust incident response, even when containers are long gone.

Sysdig Monitor key features: Performance data is used not only to monitor applications, but also to help security professionals hunt for indicators of compromise. Service-Oriented Performance Management measures the performance of services as well as underlying hardware and software. Application-Intelligent Monitoring automatically determines what applications are running and how they’re performing, with no plug-ins or configs. Trace-driven Troubleshooting captures detailed system information that allows users to troubleshoot containers even after they’re long gone. Enterprise-class Prometheus support provides scale-out, enterprise-grade Prometheus capabilities and extends them to meet enterprise requirements.

Product Performance Metrics

Sysdig supports millions of containers across hundreds of enterprise customers. Sysdig’s main instrumentation point uses fewer resources than a kubelet to provide all security and monitoring data.

Delivery

Sysdig is available as a software as a service, and as an on-premises software offering. Both offerings have the same functionality.

Pricing

Falco and open source Sysdig are free and can be downloaded from GitHub.

Sysdig Monitor offers flexible pricing, with entry-level pricing starting at $20 a month per host. The most popular package, Pro Cloud, is $30 a month and includes 30 containers, 500 custom metrics, unlimited teams, and enterprise features. Pricing for enterprise packages varies.

Prices for the Sysdig Platform (combined monitoring, security, and forensics) and Sysdig Secure vary based on customizable options.

Capsule 8: Container Security Product Overview and Analysis
https://www.esecurityplanet.com/products/capsule-8/
Wed, 26 Dec 2018 00:00:00 +0000

The post Capsule 8: Container Security Product Overview and Analysis appeared first on eSecurity Planet.


Company Description

Founded in fall 2016 and headquartered in Brooklyn, NY, Capsule8 was started by experienced hackers and security entrepreneurs John Viega, Dino Dai Zovi, Brandon Edwards and Pete Markowsky, and funded by Bessemer Venture Partners and ClearSky.

Markets

Capsule8 is targeting Fortune 1000 enterprises as well as high-growth tech companies looking to proactively protect their legacy and next-generation Linux infrastructure. Key verticals include financial services, technology, and media.

Products

Capsule8 provides a real-time, zero-day attack detection platform capable of scaling to massive production deployments. Capsule8 delivers continuous security across customers’ entire production environment — containerized, virtualized and bare metal — to detect and shut down attacks as they happen.

Key Features

The Capsule8 platform has features that help enable production workloads. When an organization’s system or network is under heavy load, Capsule8 ensures that overall performance isn’t impacted, all without deploying any kernel modules or high-risk components. It deploys alongside an organization’s infrastructure, not as a SaaS solution, leaving full control of data on the customer’s premises.

Capsule8 detects signs of exploitation in progress, as well as evidence of post-exploitation activity. The company’s distributed telemetry makes it easy to perform forensic investigations on historical data, without significant impact to network performance or storage. With Automated Disruption, Capsule8 can go beyond detection and enable companies to automatically disrupt an attack once detected. For instance, customers can strategically (and automatically) kill attacker connections, restart workloads, or alert an investigator immediately upon initial detection.

Product Performance Metrics

In most cases, Capsule8 has no impact on performance. Under moderate load (40 percent), there was no significant overhead. Running Apache Bench with a load average of 6 (CPU maxed out and trying to use far more), Capsule8’s performance impact maxes out at 10 percent without any optimization turned on.

Delivery

Capsule8 deploys easily in a Kubernetes orchestrated environment through cloud providers such as AWS, GCP or Azure, as well as bare metal environments deployed with an organization’s operations tools of choice such as Ansible, Puppet, Chef or SaltStack.

Capsule8 is designed with an API-first approach via a gRPC pub/sub interface (and an optional HTTP/JSON bridge), ensuring that any functions which can be accessed via the GUI and Command line are also available via the API. This enables operations functions to plug Capsule8 into their existing detection and response workflows.

Pricing

Capsule8’s pricing structure is an annual license based on number of servers/nodes.

StackRox: Container Security Product Overview and Analysis
https://www.esecurityplanet.com/products/stackrox/
Wed, 26 Dec 2018 00:00:00 +0000

The post StackRox: Container Security Product Overview and Analysis appeared first on eSecurity Planet.


Company Description

StackRox helps enterprises secure their containerized, cloud-native applications at scale. StackRox says its Container Security Platform uses the inherent security advantages of containers – immutability and declarative configuration – to improve security posture.

The company’s CEO and co-founder, Ali Golshan, draws on his roots as a whitehat government hacker and serial entrepreneur of security startups in defining the technical vision and leading the StackRox team. Founded in 2014, StackRox is privately held and headquartered in Mountain View, California. The company has raised $39 million in funding, and backers include Amplify Partners, Sequoia Capital, and Redpoint Ventures.

Markets

StackRox sells to a combination of Global 2000 enterprises, cloud-native companies, and government agencies. The company’s customers span the financial services, technology, media, and e-commerce industries. StackRox is primarily targeting North American companies, although the company also has customers in Europe.

Products

The StackRox Container Security Platform provides security across the entire container life cycle, enabling customers to reduce the attack surface during build, profile runtime risk during deployment, and detect and respond to attacks at runtime.

Key Features

Among the features of the StackRox platform are multiple vendor integrations as well as data discovery and enrichment features. Integrations for alert notifications include Slack, JIRA, email and Google Cloud Security Command Center. The platform also includes native vulnerability scanning as well as integration with third-party vulnerability scanners.

For assessment and enforcement, StackRox provides multi-factor risk profiling as well as enforcement actions for build and deployment. The platform also includes attack detection capabilities that support threat hunting.

Product Performance Metrics

The StackRox Container Security Platform leverages the Adversarial Intent Model to understand which events are related and to surface attacks. The Adversarial Intent Model relies on recognizing patterns of attack across foothold, persistence, movement, privilege escalation, and objectives. The volume of events at the container level makes it impossible for humans to process and analyze, so StackRox uses continuous machine learning for centralized correlation and analysis of distributed events. This lets the software focus security analysts on a single incident rather than on all the individual events that signal it.

Delivery

The StackRox Container Security Platform is software that can run on premises or in the cloud.

Pricing

The StackRox software sells as a subscription license on a one-year or three-year term. Pricing is by the node, with a broad range based on volume.

NeuVector: Container Security Product Overview and Insight
https://www.esecurityplanet.com/products/neuvector/
Wed, 26 Dec 2018 00:00:00 +0000

The post NeuVector: Container Security Product Overview and Insight appeared first on eSecurity Planet.


Company Description

Founded by industry veterans from Fortinet, VMware and Trend Micro, NeuVector has developed patent-pending behavioral learning and network inspection for container security. The company was co-founded in 2015 by CEO Fei Huang and CTO Gary Duan. NeuVector is a private, venture-funded company headquartered in San Jose, California.

NeuVector customers include global leaders in financial services, healthcare and publishing, and partners include AWS, Docker, Google, IBM, Rancher, Red Hat and others.

Markets

NeuVector has offices in North America, EMEA and Asia, and serves customers across multiple industries, including: Financial services, government, ecommerce, travel, healthcare and consumer.

Products

The NeuVector multi-vector container security platform provides an integrated, automated security platform for Kubernetes, Docker and Red Hat OpenShift. The platform helps organizations deploy enterprise-wide container strategies across multi-cloud and on-premise environments. NeuVector delivers east-west container traffic visibility, host security and container inspection in an integrated, automated security solution.

Key Features

NeuVector offers a complete end-to-end container security platform with vulnerability scanning, compliance testing, and run-time protection, including a Layer 7 container firewall. Run-time protection covers the network (Layer 7 firewall), container process and file system monitoring, and host exploit detection.

Product Performance Metrics

NeuVector performs layer 7 deep packet inspection to detect connection violations and network-based attacks instantly, and can run inline to block attacks in real time without affecting normal container traffic. NeuVector also monitors file systems and processes in containers and hosts for anomaly detection and alerting.

Delivery

NeuVector is a cloud-native security solution that is delivered as a container itself, and is deployed by customers on premises (or in their public cloud) using their container orchestration tools such as Kubernetes, Docker, and OpenShift. NeuVector does not require any external or SaaS connections to secure containers.

Pricing

Pricing is based on the number of worker nodes or application hosts protected in production environments. The average annual subscription-based pricing is approximately $1,200 per year per host and includes support.

Anchore: Container Security Product Overview and Analysis
https://www.esecurityplanet.com/products/anchore/
Wed, 26 Dec 2018 00:00:00 +0000

The post Anchore: Container Security Product Overview and Analysis appeared first on eSecurity Planet.


Company Description

Anchore is based in Santa Barbara, CA, and was founded in 2016 by Saïd Ziouani and Dan Nurmi, co-founders of Eucalyptus Systems and Ansible, respectively.

Anchore is an open platform for container security and compliance that helps developers, operations and security teams discover, analyze, and certify container images on premises and in the cloud. Anchore lets operations and developers perform detailed analysis, run queries, produce reports and define policies on container images that can be used in CI/CD pipelines to ensure that only containers that meet an organization’s requirements are deployed into production.

Markets

Developers, operations and security teams working in containerized environments, from enterprises to SMBs.

Products

Anchore Engine: an open source centralized service for performing detailed analysis on container images, running queries, producing reports and defining policies that can be used in CI/CD pipelines. It is available on GitHub and as a Docker container on DockerHub.

Anchore Cloud: the company’s SaaS offering, available at anchore.io

Anchore Enterprise: an enterprise-ready, on-premises container security and compliance platform, available at anchore.com/enterprise

Key Features

All products are built around the following features:

Insight & Analysis: Performs deep analysis on container images including searchable lists of all packages, files and software artifacts such as Ruby GEMs and Node.js modules.

Policy Management: Define policies to certify images, covering vulnerabilities, package whitelists and blacklists, configuration files, secrets, manifest changes, exposed ports, or any user-defined checks.

Compliance: Ensures compliance standards and organizational best practices are met by certifying images within the CI/CD pipeline, within container registries, or before images are deployed into production.

Pricing

Anchore Enterprise is priced per repository scanned.

Aporeto: Container Security Product Overview and Analysis
https://www.esecurityplanet.com/products/aporeto/
Wed, 26 Dec 2018 00:00:00 +0000

The post Aporeto: Container Security Product Overview and Analysis appeared first on eSecurity Planet.


Company

Fundamental to Aporeto’s approach is the principle that everything in an application is accessible to everyone and could be compromised at any time. The company was founded in 2015 with company headquarters in San Jose, CA. The company is led by CEO Jason Schmitt, formerly of HPE, with co-founders from Nuage, Cisco and VMware.

Products

Aporeto uses application context to enforce authentication, authorization, and encryption policies for applications. With Aporeto, enterprises implement a uniform security policy decoupled from the underlying infrastructure, enabling workload isolation, API access control and application identity management across public, private or hybrid clouds.

The Aporeto product has two core components:

  • A SaaS security orchestrator for policy management and visibility of application dependencies across a heterogeneous environment.
  • An enforcer that performs distributed policy enforcement. The enforcer can be deployed as an agent, a Kubernetes DaemonSet, a privileged container, a sidecar or a custom authorizer for API gateways.

Key Features

  1. Zero Trust policy enforcement for workload segmentation independent of infrastructure: Authenticate and authorize requests both at L4 (TCP) and L7 (HTTP) between workloads or between a user and a workload. A workload can be a container, a process or a serverless function. Policy is defined centrally but enforced in a distributed manner. Policy enforcement is independent of IP addresses and applies to workloads on public or private clouds.
  2. Service Identity: In order to authenticate and authorize a persistent workload, identity is required. Aporeto assigns workloads (container or process) a cryptographically signed service identity independent of IP infrastructure.
  3. Application visibility for compliance: Dependency maps across all applications protected by Aporeto independent of the infrastructure on which the application is deployed.
  4. Runtime visibility: For containers, Aporeto offers runtime visibility of interactions between the container and the host, and enforcement of runtime policies.

Product Performance Metrics

The use of service identity independent of IP infrastructure for policy enforcement allows the solution to scale to tens of thousands of hosts. Performance overhead is minimal for Layer 4 enforcement: only TCP connection establishment is in the enforcer data path. Once a connection is mutually authenticated and authorized, the enforcer is no longer in the data path.

Delivery

SaaS service with options for custom deployments for regulated industries

Pricing

Subscription pricing model
