SAN FRANCISCO, Jan. 30, 2024 - Today KSOC revealed the first standard for fingerprinting the behavior of cloud native workloads, together with a free online catalog of fingerprints for popular open source container images. An effective way to validate the integrity of software against the next SolarWinds, Codecov or nation state software supply chain attack has remained elusive, despite a litany of tools that secure the CI/CD process, find vulnerabilities, produce software bills of materials (SBOMs) or perform image attestation. Using eBPF, the RAD security standard codifies the baseline runtime behavior of a cloud native workload into a fingerprint, making it the first to offer development teams a transparent, verifiable defense against the next wave of zero day software supply chain attacks.
"The goal of the RAD security standard is to reverse the balance of power in software supply chain security. If development teams can compare a verified, clean runtime fingerprint against the same image running in their environment, they have a real chance of defending against the next zero day attack," explains Jimmy Mesta, CTO and Co-Founder of KSOC.
Software supply chain attacks are on the rise and were the most common attack type in 2023. Suspected nation state attacks such as Codecov and, more recently, the 3CX breach have made headlines by successfully targeting application development build systems (the CI/CD pipeline). The software supply chain security guidance that followed the Biden administration's 2021 executive order (e.g. NIST SP 800-161) has focused almost exclusively on activities such as creating software bills of materials (SBOMs), attesting images, and cultural shifts toward shifting left. None of these methods uses runtime behavior, which is the one vantage point from which a zero day attack can be caught while it is happening.
Existing runtime methods, which apply later in the application lifecycle, after the zero day attack has already succeeded, rely on either an opaque black box for anomaly detection or static signature-based rules that encode known-bad behavior. Both models produce false positives and noise, and the signature approach leaves teams maintaining an ever-growing list of 'bad' behaviors that by definition cannot include the next novel attack.
Instead of looking for bad behavior, the RAD security standard uses eBPF to codify good behavior: the clean, baseline set of processes, file accesses and network activity that a container image exhibits when it runs. Any runtime activity that diverges from that baseline is surfaced as a deviation, so novel attacks can be detected by observation rather than by signatures or an opaque black box. The practical corollary is that the fingerprint must be regenerated whenever the image or its configuration legitimately changes, since any new behavior, benign or malicious, appears as a divergence.
"Open, shareable, runtime fingerprints change the game for those of us who have wanted to better understand everything that's running in our environments -- not just the number of CVEs you have today or what your black box scanner reports. With these fingerprints, teams now have ground zero to start understanding and attesting to what happens in your CI/CD pipeline all the way to production," comments Mark Manning, Security Architect at Snowflake.
The RAD security standard is powered by eBPF, and comparing a fingerprint against newly observed runtime activity answers questions such as:
- Is this process, program, file, or network activity expected, based on the behavior recorded in the fingerprint?
- Does the node (for example, a process in the process tree) appear at the expected location in the hierarchy?
- Do the node's properties (such as its executable and the user it runs as) match the expected properties?
- Is the process opening the files it is expected to open?
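To make the comparison concrete, the following is an added example written for this page; it is not KSOC's code and does not use the actual RAD fingerprint format. It assumes a simple schema of its own (a process tree keyed by node name, each node carrying an expected parent, uid, allowed files and allowed network endpoints) and a constructed stream of exec/open/net events for a hypothetical nginx image, standing in for what an eBPF collector would emit. It walks the events in order and reports each of the four kinds of divergence listed above.

```python
"""Baseline-vs-runtime comparison of a constructed workload fingerprint.

Added example, not KSOC's code or fingerprint format. The Node/Event schema,
the nginx baseline and the event stream are all constructed for illustration;
a real collector would populate events from eBPF exec/open/connect hooks.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

UNKNOWN = "<unknown>"   # marker for a process that is not part of the fingerprint


@dataclass(frozen=True)
class Node:
    """One process node in the (constructed) fingerprint."""
    name: str
    exe: str
    parent: Optional[str]   # expected parent node name; None for the entrypoint
    uid: int
    files: frozenset        # paths this process is expected to open
    net: frozenset          # (proto, port) endpoints it is expected to use


@dataclass(frozen=True)
class Event:
    """One runtime event as a collector would report it (constructed)."""
    kind: str       # "exec", "open" or "net"
    pid: int
    ppid: int
    exe: str
    uid: int
    target: str = ""   # file path for "open", "proto:port" for "net"


# Constructed baseline for a hypothetical nginx image: a root-owned master
# process that forks unprivileged workers. Both share one executable path,
# so the hierarchy (who the parent is) is what tells them apart.
BASELINE = {
    "nginx-master": Node("nginx-master", "/usr/sbin/nginx", None, 0,
                         frozenset({"/etc/nginx/nginx.conf", "/var/log/nginx/error.log"}),
                         frozenset({("tcp", 80)})),
    "nginx-worker": Node("nginx-worker", "/usr/sbin/nginx", "nginx-master", 101,
                         frozenset({"/var/log/nginx/access.log",
                                    "/usr/share/nginx/html/index.html"}),
                         frozenset({("tcp", 80)})),
}

# Constructed event stream: five clean events, then four kinds of divergence.
EVENTS = [
    Event("exec", 1, 0, "/usr/sbin/nginx", 0),                          # entrypoint
    Event("open", 1, 0, "/usr/sbin/nginx", 0, "/etc/nginx/nginx.conf"),
    Event("net", 1, 0, "/usr/sbin/nginx", 0, "tcp:80"),
    Event("exec", 7, 1, "/usr/sbin/nginx", 101),                        # worker, expected
    Event("open", 7, 1, "/usr/sbin/nginx", 101, "/usr/share/nginx/html/index.html"),
    Event("exec", 8, 1, "/usr/sbin/nginx", 0),          # worker as root: property mismatch
    Event("exec", 9, 7, "/bin/sh", 101),                # worker spawned a shell: unexpected process
    Event("open", 9, 7, "/bin/sh", 101, "/etc/passwd"), # activity by a process outside the baseline
    Event("exec", 10, 9, "/usr/sbin/nginx", 0),         # nginx launched from the shell: wrong hierarchy
    Event("net", 7, 1, "/usr/sbin/nginx", 101, "tcp:4444"),  # worker reaching an unexpected port
]


def compare(events: List[Event], baseline=BASELINE) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every event that diverges from the baseline."""
    pid_node = {}   # pid -> baseline node name, or UNKNOWN for unfingerprinted processes
    findings = []
    for ev in events:
        if ev.kind == "exec":
            # A parent we never saw (the container runtime) resolves to None,
            # which only the entrypoint node is allowed to have as its parent.
            parent_name = pid_node.get(ev.ppid)
            candidates = [n for n in baseline.values() if n.exe == ev.exe]
            if not candidates:
                findings.append((ev.pid, f"unexpected process {ev.exe} spawned by pid {ev.ppid}"))
                pid_node[ev.pid] = UNKNOWN
                continue
            match = next((n for n in candidates if n.parent == parent_name), None)
            if match is None:
                expected = sorted(str(n.parent) for n in candidates)
                findings.append((ev.pid, f"{ev.exe} at unexpected position in hierarchy: "
                                         f"parent is {parent_name}, expected one of {expected}"))
                pid_node[ev.pid] = UNKNOWN
                continue
            pid_node[ev.pid] = match.name
            if ev.uid != match.uid:
                findings.append((ev.pid, f"{match.name} running as uid {ev.uid}, expected {match.uid}"))
            continue
        # open / net: resolve the acting process; anything unfingerprinted is reported as-is
        node = baseline.get(pid_node.get(ev.pid))
        if node is None:
            findings.append((ev.pid, f"{ev.kind} {ev.target} by process outside the fingerprint"))
        elif ev.kind == "open" and ev.target not in node.files:
            findings.append((ev.pid, f"{node.name} opened unexpected file {ev.target}"))
        elif ev.kind == "net":
            proto, port = ev.target.split(":")
            if (proto, int(port)) not in node.net:
                findings.append((ev.pid, f"{node.name} used unexpected endpoint {ev.target}"))
    return findings


if __name__ == "__main__":
    for pid, reason in compare(EVENTS):
        print(f"pid {pid}: {reason}")
```

Run as-is, the five clean events produce nothing and the last five produce one finding each. Note that the shell spawned by the worker is reported once at exec time and again when it opens /etc/passwd; a real engine would typically suppress descendants of an already-flagged process, and would need a rule for pid reuse when a fingerprinted process exits.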
Cloud native workload fingerprints for popular open source images, produced with the RAD security standard, are available in the online catalog, and teams can sign up for early access to deploy RAD security in their own environment to validate their software supply chain.
To learn more about the RAD security standard, visit the KSOC blog.
KSOC is a cloud native security company that empowers engineering and security teams to push boundaries, build technology and drive innovation so they can focus on growth rather than security problems. In today's environment, attackers are often more versed in cloud native security than security teams. KSOC removes the blind spots of legacy CSPM and container tools, closing the detection and response gap between cloud native infrastructure and runtime.