Capsule8: Container-aware real-time threat protection

Despite massive adoption of Linux in the enterprise, there has been no world-class security offering for Linux infrastructure — until now.

In this podcast recorded at RSA Conference 2017, Dino Dai Zovi, CTO at Capsule8, illustrates how they’re pioneering the industry’s first container-aware real-time threat protection platform designed to proactively protect legacy and next-generation Linux infrastructure from both known and unknown attacks.

Here’s a transcript of the podcast for your convenience.

My name is Dino Dai Zovi. I’m the CTO at Capsule8. And we do container-aware, real-time threat protection.

Can you tell me more about your technology in general?

Sure. We provide visibility and real-time protection into what’s going on in your containerized or un-containerized workloads on your server infrastructure. This combines sort of low level telemetry on what’s going on in the servers with some advanced analytics to identify malicious behavior in real time, and halt it in real time as well.

A lot of the other products are focused on kind of static protections. They’re focused on eliminating vulnerabilities, they’re focused on making it more difficult to escape out of containers or to persist on the host. And we’re focused on that dynamic element and on what happens inside the container. So, for instance, your data is operated on inside the container, and an attacker may exploit an application vulnerability, get access to that container, get the database credentials, go straight to that database. That container already has access to talk to and exfiltrate all the data. And what we’re doing is focusing on stopping that type of activity.

While people weren’t looking, Linux just took over the world. So people will know, ‘Oh, yeah, Android is a big operating system’, but they won’t know that there’s Linux underneath. People don’t know that almost every smart device is running Linux. And similarly, on the servers or in people’s datacenters and in the cloud, the vast majority of the workload is now either running Linux or will be running Linux.

Linux is the native operating system of the cloud, where 92% of AWS IC2 instances are running Linux. And even on Amazon, on Microsoft as your cloud, one in three are running Linux. And so, we’re seeing this just becoming just normal for how cloud-based workloads are handled. And so, anything big data, anything cloud, anything containers, that’s basically Linux.

We’re not competing with the security that’s being provided by the platforms, like Docker and Kubernetes, because we see that there’s a lot of interesting work going on there, and especially things like CoreOS and a lot of the trusted operating systems kind of foundations that are being put into these platforms. But they kind of stop at what happens inside the container. Once they stared running in a container, they’re like, ‘Okay, our job is done. As long as nothing breaks out, we’re good.’

And so, what we’re really looking at is how to provide visibility into what happens in that container, what happens between containers, what happens between containers in a particular pod – if you’re using Kubernetes – and also getting you a forensic trail on what happens when a short-lived container is launched on this infrastructure.

And one of the other things that we’re seeing from a lot of customers is that the security world is used to IP addresses having some notion of identity from what bubble is running on that server. That doesn’t mean anything in the cloud and container-based world. What has identity is the container image and the container instance. And the same container image may run on one host one minute, on another host the next. And so, which IP address it was sending traffic from doesn’t have meaning. Even that same IP address might be running multiple workloads at different times. It’s just so dynamic that that change in the ability to repeatedly understand security policy with network-based access control lists. That just doesn’t work here. And the same thing with network security appliances. We no longer have that visibility. And the network security appliances don’t have the advantage point to reconstruct traffic and give you an idea of what’s going on, especially with the rise of end-to-end encryption into the server. And we’re hearing from a number of environments that want to really aggressively terminate SSL and TLS in the microservice. And so, these network-based appliances, they’re kind of the workhorse of a lot of security technologies – are just not effective anymore. And TLS 1.3 makes this even more challenging.

And I think over the last 20 years, we’ve kind of grown accustomed to network traffic as a proxy for behavior. And so, it’s some indicator of behavior, but it’s not the full story. So what we’re trying to provide is this telemetry into host behavior so you can really understand what’s going on. And containers really help up separate that from the noise of the background operating system to give you a really clear signal of this behavior. And when we put it into context with additional information, it becomes a really powerful security tool to know what is normal for your environment and what is anomalous.

So, basically, we’re doing our first releases very soon, and focusing on container-based infrastructure. And soon after that, we’re broadening to non-container-based workloads, and expending the scope so that we can give people visibility as it traverses their environment from their containerized cluster to their legacy databases that are not containerized or other infrastructure, and just anything in their production infrastructure, whether it’s on-premises, in the cloud or some combination of the two.

I guess I would just like to emphasize how revolutionary a lot of this containerized automation-based workflow is, and how in security it’s very often for us to want to halt changes, we want to inspect, we want to review. And I think a better approach is to try and make safe where the world is headed, and see if we can anticipate that and work with it to kind of usher in kind of these new technologies rather than trying to fight it. Because when we try and fight it what happens is people work around security, and then the organizations we’re trying to protect are less safe in the end. So what we’re trying to do with containers is take this approach to people. And we’re really excited about the developers, we’re really excited about being able to deploy quickly, being able to iterate quickly and help their applications kind of find the features that people like more quickly. And we’re just giving the security tools so that people can do that with confidence, and see what’s going on, and be assured that if there’s malicious behavior happening in those environments that it will be responded to automatically and quickly.