Runtime security plays a critical role in protecting cloud-based workloads from various threats, including data breaches, unauthorised access, and malicious attacks. Cloud environments often involve multiple services, platforms, and providers, resulting in a complex and dynamic infrastructure. This complexity can make it challenging to manage and monitor security effectively. This challenge is just going to grow. According to Gartner, “90% of global organisations will be running containerised applications in production by 2026 – up from 40% in 2021.” That’s hardly surprising: cloud native application development means we can introduce new code more quickly. However, such dynamism in these environments comes with increased vulnerability to runtime attacks.
Preventing risky code from running involves more than just using assurance gateways in the repository and CI/CD pipelines: static analysis isn’t enough. For example, containers should be immutable, but if they aren’t, as is often the case, an attacker can execute a fileless attack, loading malware directly into memory and executing it there, evading common defences and static scanning.
The problem is that security professionals often struggle to implement security guardrails and can fail to spot the difference between authorised and illegitimate application behaviour in real time. Furthermore, the challenge of preventing attacks in cloud native environments is exacerbated by the time-sensitive nature and ease of lateral movement in comparison to on-premises environments. So, when a breach occurs, it’s harder to stop. Let’s look a little more closely at the issues involved.
Traditional security challenges
Cloud native environments are built on dynamism, introducing unmatched versatility and efficiency, but also changes in how they are secured. Perhaps the most significant challenge in runtime security is the poor visibility of the dynamic architecture. Traditional security procedures are static by design and so find it difficult to keep up with the fleeting nature of cloud native implementations.
Static analysis tools and pre-deployment security scans are helpful but fall short in fully addressing the risks associated with runtime threats. Similarly, Endpoint Detection and Response (EDR) solutions are more adapted to protecting endpoint devices, usually based on Windows, and aren’t as well suited to the attacker’s modus operandi in cloud-based applications. While EDR agents are crucial for traditional endpoint security, they struggle in an environment with a constantly shifting perimeter because of scalability, management complexity, and visibility challenges.
Instead, runtime security embraces a variety of processes and technologies, which are specifically designed to identify, stop and ameliorate threats during application execution. These defences work in real-time, overseeing application behaviour and the underlying infrastructure to detect and mitigate malicious activity quickly.
Key runtime security capabilities
When assessing cloud native security solutions, it is vital to identify the key capabilities that will deliver robust security and seamless operations across multiple cloud platforms. First: the ability to secure workloads of all types across public, private and hybrid clouds, ensuring a thorough security posture throughout your cloud transformation journey, and protecting against various attacks on different architectures.
Runtime security solutions should also use eBPF (extended Berkeley Packet Filter), which provides increased proficiency and visibility for cloud native ecosystems. eBPF’s kernel-level integration delivers high efficiency at low overhead, making it the perfect fit for high-performance environments. It also provides a profound view of system calls, network packets and other kernel-level activity, allowing detailed monitoring and identification of malicious operations. That means eBPF can enforce security policies in real time, offering instant responses to threats while minimising risk.
In addition, runtime security solutions must use a multi-layered approach to identify potentially dangerous workload behaviour, whether provoked by bad actors or by tricky applications which expose the environment to threat actors. Let’s look at the reverse-shell attack as a use case for runtime security: it dodges traditional firewall and network security settings, enabling the attacker to remotely execute commands and carry out malicious operations on the victim’s system. By identifying indicators of attack (IoA) at runtime, this pattern of attack can be detected and stopped in real time.
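To make the IoA idea concrete, here is an added example (not code from the article or from Aqua Security's product) of the detection logic a runtime sensor would apply to process events. It assumes a tracer such as an eBPF exec probe emits, per process start, the process name, its parent, the kind of object behind file descriptors 0 to 2, and any remote peer; that event shape, the image baseline and the sample events are all constructed for this example. It covers two of the behaviours discussed above: a shell whose standard streams are a network socket (the reverse-shell pattern) and execution of a binary that was not part of the immutable image (drift).

```python
"""Runtime IoA detection over constructed process-start events.

Added example, not part of the original article. The event format, the
image baseline and the sample events below are constructed; a real sensor
would populate them from its eBPF probes and from the image manifest.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SHELLS = {"sh", "bash", "dash", "zsh", "ash"}


@dataclass(frozen=True)
class ExecEvent:
    pid: int
    comm: str                # process name
    parent: str              # parent process name
    exe: str                 # path of the executed binary
    fds: Tuple[str, str, str]  # kind behind fd 0, 1, 2: "tty", "pipe", "file", "socket"
    remote: Optional[str]    # remote peer if a socket is attached, else None


# Executables that ship in the (immutable) image. Anything executed outside
# this set was added after the container started, which an immutable
# container should never allow.
IMAGE_BASELINE = {"/app/server", "/bin/sh", "/usr/bin/python3", "/bin/ls"}


def is_reverse_shell(ev: ExecEvent) -> bool:
    """IoA: an interactive shell whose stdin and stdout are a network socket."""
    return (ev.comm in SHELLS
            and ev.fds[0] == "socket"
            and ev.fds[1] == "socket"
            and ev.remote is not None)


def is_image_drift(ev: ExecEvent, baseline=IMAGE_BASELINE) -> bool:
    """IoA: a binary executed that is not present in the image manifest."""
    return ev.exe not in baseline


def classify(ev: ExecEvent, baseline=IMAGE_BASELINE) -> list:
    findings = []
    if is_reverse_shell(ev):
        findings.append("reverse_shell")
    if is_image_drift(ev, baseline):
        findings.append("image_drift")
    return findings


def scan(events, baseline=IMAGE_BASELINE) -> dict:
    """Return {pid: [findings]} for every event that triggers at least one IoA."""
    result = {}
    for ev in events:
        findings = classify(ev, baseline)
        if findings:
            result[ev.pid] = findings
    return result


# Constructed sample events (TEST-NET addresses, invented paths and pids).
SAMPLE_EVENTS = [
    # the application itself, stdin from /dev/null, output to the log pipe
    ExecEvent(101, "server", "containerd-shim", "/app/server", ("file", "pipe", "pipe"), None),
    # a normal subprocess call from the app: shell on pipes, no network peer
    ExecEvent(102, "sh", "server", "/bin/sh", ("pipe", "pipe", "pipe"), None),
    # shell spawned with all three standard streams bound to a remote socket
    ExecEvent(103, "sh", "python3", "/bin/sh", ("socket", "socket", "socket"), "203.0.113.9:443"),
    # binary dropped into a writable path and executed: not in the image
    ExecEvent(104, "miner", "sh", "/tmp/.x/miner", ("file", "file", "file"), None),
    # operator troubleshooting via an interactive terminal: tty, not a socket
    ExecEvent(105, "sh", "kubelet", "/bin/sh", ("tty", "tty", "tty"), None),
]

if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(findings)}")
```

The two heuristics are deliberately narrow so they stay cheap to evaluate on every exec event: the reverse-shell check looks only at what the shell's standard streams are attached to, and the drift check is a set lookup against the image manifest, which is why immutability is such a useful property for detection as well as prevention.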
There are essentially four layers of runtime protection to consider:
- Prevent: Reduce the attack surface by hardening the environment, for example by limiting the ability to run images as root or preventing images with high-severity CVEs from running in production; this closes off open doors and windows for an attacker. The most effective hardening measure is preventing an attacker’s ability to add executables to a running container: containers should be immutable and, if kept that way, make the attacker’s life very difficult. It is also crucial to implement automatic blocking of all known indicators of compromise such as malware, rootkits and crypto miner identifiers.
- Detect: Detect threats in real time by observing suspect patterns, uncovering behavioural anomalies and using real-world threat intelligence.
- Stop: Stop attacks across workloads by preventing complex zero-day attacks, stopping malware in real time and blocking exploitation of vulnerabilities.
- Respond: Investigate and respond faster by gathering forensic data, reporting attack impact and mitigating attacks across all stages.
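The Prevent layer is the one most easily expressed as policy, so here is an added example (not the article's or any vendor's code) of an admission-style check that applies the hardening measures listed above to a Kubernetes Pod spec: no root, an immutable read-only root filesystem, no privilege escalation, no privileged containers, and no image whose scan shows high or critical CVEs. The Pod spec is the dict you would get from parsing its YAML; the image scan results and the two sample Pods are constructed, and a real gate would pull severities from its scanner.

```python
"""Admission-style hardening checks for the 'Prevent' layer.

Added example, not from the article or any product. SCAN_RESULTS and the
sample Pod specs are constructed for illustration.
"""

# Constructed scan results: image reference -> highest CVE severity found.
SCAN_RESULTS = {
    "registry.example/app:1.4.2": "medium",
    "registry.example/app:1.3.0": "critical",
}
BLOCKING_SEVERITIES = {"high", "critical"}


def check_pod(pod: dict, scan_results=SCAN_RESULTS) -> list:
    """Return a list of policy violations; empty means the Pod is compliant."""
    violations = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in pod.get("spec", {}).get("containers", []):
        name = c["name"]
        sc = c.get("securityContext", {})
        # A container-level runAsNonRoot overrides the Pod-level one.
        run_as_non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot"))
        if run_as_non_root is not True:
            violations.append(f"{name}: runAsNonRoot must be true")
        if sc.get("readOnlyRootFilesystem") is not True:
            violations.append(f"{name}: readOnlyRootFilesystem must be true (immutable container)")
        if sc.get("allowPrivilegeEscalation") is not False:
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if sc.get("privileged") is True:
            violations.append(f"{name}: privileged containers are not allowed")
        # Unknown images are treated as unscanned and therefore blocked.
        sev = scan_results.get(c["image"], "unknown")
        if sev in BLOCKING_SEVERITIES or sev == "unknown":
            violations.append(f"{name}: image {c['image']} has {sev} severity findings")
    return violations


def admit(pod: dict, scan_results=SCAN_RESULTS) -> tuple:
    """Admission decision as (allowed, violations)."""
    violations = check_pod(pod, scan_results)
    return (not violations, violations)


# Constructed sample: the weak setting, as often found in practice.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "containers": [{
            "name": "app",
            "image": "registry.example/app:1.3.0",
            "securityContext": {"privileged": True},
        }],
    },
}

# Constructed sample: the corrected, hardened setting.
HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True},
        "containers": [{
            "name": "app",
            "image": "registry.example/app:1.4.2",
            "securityContext": {
                "readOnlyRootFilesystem": True,
                "allowPrivilegeEscalation": False,
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        allowed, violations = admit(pod)
        print(f"{label}: {'allowed' if allowed else 'denied'}")
        for v in violations:
            print("  -", v)
```

The same checks can be expressed declaratively with a policy engine, but writing them out shows why the read-only root filesystem matters most: it is the setting that makes the container immutable, so the "add an executable to a running container" path the article warns about is closed regardless of what else the attacker has achieved.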
Look for a solution that provides genuine cloud native workload protection, risk minimisation and attack prevention, which extends beyond simple risk management and offers security teams comprehensive visibility and the tools they need to stop complex threats from being carried out at runtime.
The imperative of runtime
If companies want to adopt the benefits of cloud computing without compromising security, it is vital they wrap their heads around the significance of runtime security in cloud native scenarios. By implementing runtime security processes and embracing a proactive approach to threat detection and mitigation, companies can protect their cloud native applications in an ever-changing threat environment.
Shira Bendkowski, VP of Product Management at Aqua Security.