Brooklyn-based cybersecurity startup Capsule8 today released a beta version of Capsule8, the company's new Threat Prevention and Response solution for cloud and container environments.
Enterprises and their development teams are flocking to containers, so it makes sense that attackers aren't too far behind. Yet relying on traditional security appliances to keep hackers at bay in the cloud and containerized application era can be a costly mistake, warned John Viega, CEO of Capsule8.
"Appliances are monoliths that aren't appropriate for a microservices world. They don't scale up well, they don't scale down at all," Viega told eSecurity Planet in an email. There are three reasons security appliances fall short, he noted.
"First, appliances use the IP address for asset identity. In a containerized world, many workloads can share an IP address. They may go up and down quickly," Viega stated. "That model doesn't work."
Additionally, he cautioned that "appliances can't see traffic between containers running on the same host, but that's important to see to be able to protect properly." Newer advances in network protocols, namely Transport Layer Security (TLS) 1.3 and Quick UDP Internet Connections (QUIC), can also add risk.
"Third, TLS 1.3 and QUIC make it effectively impossible for today's security appliances to live out-of-band (they use a trick to be able to decrypt a copy of traffic). Putting an appliance in-line adds too much risk to availability and performance," Viega said. The executive also noted that in addition to the glaring blind spots, appliances tend to be overly conservative, generating an abundance of false positives.
Conversely, Capsule8's technology provides visibility into an entire production environment, including intra-container, system and network data, for a more accurate appraisal of an organization's security posture and more targeted threat prevention capabilities.
"Capsule8 automatically and seamlessly integrates with complicated Linux deployments, running sensors on each instance of the Linux kernel, but getting data out in a way that's guaranteed not to interfere with the workload it's protecting, or the network it's running on," Viega said. "We also do it in a way that's fully container aware."
Combined with artificial intelligence (AI) and distributed security analytics from security experts, Capsule8 Protect can detect and block attacks as they occur, stopping and replacing the affected component on the fly.
"We then analyze data in real time, with far more dimensions of data. Since we have visibility into the Linux endpoints, we have much higher fidelity data for decision making, and can even see traffic that was encrypted end-to-end," Viega explained.
"We can therefore detect sophisticated attacks (including zero-days) as they're happening, and can even automatically respond, providing resilience under an attack," he continued. And for cybersecurity sleuths, Viega said the platform also makes "rich forensic data available."