Uptycs Lead Engineer Shares Top Tips for Securing the Enterprise
Cloud and container adoption is on the rise, as organizations increasingly recognize the potential for rapid growth and evolution that cloud-based infrastructure offers. That being said, along with these advantages come significant security challenges.
The modern cloud-native attack surface is complex and difficult to secure, with many “moving pieces” including endpoints, servers, containers and cloud providers. This makes integrating threat intelligence data gathered from all of these surfaces and evaluating potential security and compliance risks and active threats no easy task. Not only is risk harder to identify and evaluate in cloud and container environments; security vulnerabilities, malware and other threats are also easier to inadvertently inherit from the common layers and shared components frequently used in container builds.
To better understand the modern cloud-native attack surface and what is required to close security and observability gaps across cloud-native infrastructure, LinuxSecurity researchers had the privilege of speaking with Ryan Mack, Director of Engineering at Uptycs, a leading open source cloud-native security analytics provider, to discuss the challenges organizations face and how to enhance and simplify cloud-native security and observability for the enterprise.
LinuxSecurity: How do you feel that the extensive adoption of containerization has impacted the digital threat landscape?
Ryan Mack: Containerization, like every evolution in the way software is developed and deployed, trades some conveniences and security benefits for others. On the development side, building container images speeds development by making it much easier to include common layers and shared components. This also makes it easier to inadvertently inherit security vulnerabilities or even malware - commonly coin miners - that have been included in commonly used images on public image repositories. On the deployment side, short-lived containers have dramatically improved the ability to scale to sudden increases in load and provide security benefits by making deployments more immutable. This can present a challenge for heavyweight endpoint security software that doesn't scale down well into low-memory micro VMs or doesn't make it easy to understand a complex and potentially high-churn set of running containers. As you can imagine, all of these have been areas of intense focus at Uptycs: container vulnerability scanning, real-time threat detection in micro VMs or serverless computing environments, and providing a holistic understanding of an organization’s infrastructure by integrating data coming from individual containers with their cloud configuration.
LS: The modern cloud-native attack surface is composed of endpoints, servers, containers/Kubernetes, cloud providers, SaaS providers and identity providers. Which of these entities do you feel has the potential to pose the biggest security threat to an organization? Where do you feel the biggest security and observability gaps across cloud-native infrastructure exist?
RM: Each of those attack surfaces presents its own unique set of risks and challenges. I would argue that the biggest risk comes from an inability to see the forest for the trees. With so many moving pieces in today's typical deployment, being able to integrate data coming from all of these surfaces and provide comprehensive, high-signal insights into compliance risks, active threats and potential security risks is key. Uptycs provides these insights out of the box along with a Cloud UI that makes it easy to explore and better understand how the pieces of an organization’s cloud infrastructure fit together from a security point of view.
LS: What is the most significant challenge that Uptycs helps enterprises overcome?
RM: To be honest, this varies widely depending on the enterprise - and that's why Uptycs' product offerings are customizable to fit businesses’ varying needs. This can range from just providing a tool to run queries against their corporate assets and cloud infrastructure, to historic data collection for after-the-fact security analysis, to our full set of compliance monitoring, real-time threat detection, remediation, and vulnerability scanning. If I had to summarize, I would say Uptycs provides enterprises with confidence in their security posture and their ability to detect and respond to new and evolving threats.
LS: What differentiates your products from other security analytics platforms available for the enterprise?
RM: Every security analytics vendor that ingests data from different sources needs to solve the problem of normalization and correlation to perform analysis. Uptycs tackles this problem by extending the osquery concept of SQL-driven analytics. A large part of osquery’s popularity is due to how it normalizes the telemetry from macOS, Windows, and Linux platforms into SQL tables. We’ve developed open-source extensions to osquery to expand the types of telemetry gathered and normalized into SQL tables for simpler real-time event correlation and ad hoc querying. With this analysis backend, we can quickly answer different types of questions for our customers, such as “Are we seeing exploit attempts for this particular CVE, and have these bad actors been doing anything else in our network?” and “What is the compliance posture of our Linux server fleet against the CIS Benchmarks?” The possibilities of the questions we can answer are really only limited by the imagination!
LS: Although the platform itself is not an open-source tool, Uptycs has built on various open-source projects spearheaded by Facebook and Apache to engineer its Uptycs Security Analytics Platform. In your opinion, how does your use of Open Source benefit your engineers and your customers? More specifically, how does your use of Open Source impact the level of security that your customers experience?
RM: The rapid adoption and evolution of cloud-based infrastructure requires that cloud-native security analytics innovate and adapt quickly. Open source software provides scalable, battle-tested foundations that allow us to focus on the unique requirements of our product instead of reinventing common components. osquery, an open source project originally developed by Facebook, is a great example. It provides a trusted foundation for a cloud-managed endpoint security agent and offers a wide range of monitoring out of the box. On top of that, we've been able to engineer an entire suite of products, offering best-in-class eBPF-based container workload threat detection, cloud configuration monitoring and compliance, vulnerability scanning, and our recently announced Uptycs Protect, which adds real-time threat blocking and remediation. Our ability to rapidly adapt to changing customer needs and an always-evolving threat landscape is in no small part due to being able to build on top of robust open source solutions.
LS: How do you anticipate the cloud-native attack surface changing and evolving in coming years?
RM: The key ongoing trend of the last couple of decades has been the shift from a few big servers, to small server scale-out, to virtual machines, containers, and now serverless computing with AWS Lambda and Fargate. Each step has shifted the operational complexity from things we are in direct control of to things we manage indirectly through the configuration of our cloud provider, container orchestration framework, or service mesh. That trend is certainly going to continue. That means an ever increasing share of security risk will exist inside cloud configuration and our ability to detect risks and threats will require cloud native security software that integrates data across these layers.
LS: Is there anything else you think people should know about the cloud-native threat landscape and how Uptycs is helping enterprises secure cloud-based infrastructure?
RM: Security professionals need to understand how dramatically their attack surfaces will change in the coming years. They need to anticipate these changes because attackers will be looking to exploit gaps in visibility and unmitigated risk in these new environments. Uptycs provides a scalable way for defenders to protect their modern attack surfaces—across their productivity endpoints, server fleets, container-based workloads, and cloud infrastructure. New problems demand new solutions, and Uptycs is positioned well to help organizations tackle these emerging security challenges.