Book a Demo

Contextualized Runtime Security for Containerized Environments


Throughout the last decade – possibly beginning with the creation of Cisco’s pxGrid framework in 2013 – security researchers have been developing tools and concepts to enhance traditional capabilities through a practice known as context-aware security. In context-aware security, analysts try to incorporate a wider field of information types, such as device locations, device types, time of the event, and IP matches from low reputation lists. The intended purpose of including this data in security investigations is to contextualize events for analysts and aid them in identifying false positives. But, does it work?

Does More Information Equal More Context?

Following nearly a decade of development in the context-aware security arena – which now includes many enterprise vendors – contemporary studies show that approximately 45% of alerts in security applications are false positives. As a result, nearly 75% of organizations report spending as much time – or even more – dealing with false positives as they do responding to real attacks, making false positives responsible for as much system downtime as genuine malicious activity. 

With global cybercrime rates riding a three-year spike that shows no sign of relenting, it’s time for security experts to reevaluate what a contextualized view is in security investigations and ask whether the addition of more information from more sources always translates into better awareness. The fastest way to distinguish real attacks from harmless anomalies is to detect intent. Actions signal intent as one event leads to another, revealing conscious purpose. 

But can analysts see intent and causal connections in the likely half dozen security feeds they’re monitoring? The trends for false positives and dwell times suggest that the answer is typically no and that even context-aware data may only add to the clutter of data overload at that moment. 

Sequence-Oriented Context with Spyderbat

Spyderbat’s comprehensive runtime monitoring platform takes a radically different approach to contextualizing security events. Instead of piling on more data to be weighed in an investigation, Spyderbat captures all workload behaviors – as extracted from eBPF – in a living map called the Spyderbat Behavioral Web. 

Using the Behavioral Web, operators see activities mapped to their process lineage, connecting previous processes. Spyderbat monitors every causal sequence of activities, called a Spydertrace. Spyderbat flags suspicious activities on the Behavioral Web as they occur.  As flagged activities accumulate, Spyderbat raises the threat score for the entire Spydertrace . 

With the ability to monitor events in a causally related sequence, Spyderbat immediately detects concerning activities while avoiding false positives. By using eBPF, Spyderbat captures activities consistently throughout the entirety of your environment, no matter how delocalized or containerized it may be. 

To learn more about how to stop live attacks in your cloud-native environments and see Spydertraces in action, book a personalized demo.

Previous Announcing the Spyderbat Falco Connector
What is Mean Time to Know (MTTK) and how does it relate to Container Security? Next