Spyderbat Extends Leadership in Runtime Security with New Kernel-to-Cloud Context
New active runtime agent combines eBPF data with Kubernetes and cloud platform context, to find and stop attacks in real time
Chicago, IL Nov 7th, 2023 - Spyderbat, a trailblazer in Cloud and Kubernetes runtime security, announces new enhancements that unify platform and Kubernetes control plane context with kernel-level data plane activity to find—and automatically block—threats in runtime. Spyderbat’s Behavioral Context Web now tracks application activity up and down the app stack, from the Linux kernel and container runtime, to Kubernetes and cloud orchestration. This not only provides unprecedented visibility, but also immediately identifies risk, suppresses false positives and meaningless alerts, and automatically blocks threats as they occur in runtime.
"We all know that attacks don't live in one place very long. We would traditionally need a few different tools to try to follow attack behavior across containers, Kubernetes and our Cloud, but Spyderbat showed us that they can do it all—they trace attacks up and down the stack." Says Zach Roof, Security Leader at Credible. "Now every threat comes with an instant incident response report across my environment, and Spyderbat can stop modern attacks like container escapes, or cloud breaches in real time, automatically."
The Complexity of Runtime Risk
Today’s attack surface is broader than ever. Modern cloud attacks only need a single vulnerable container to gain persistence, after which attackers mix tactics across both data and control planes to escalate privileges, change security settings, and gain control over entire environments. Identifying these multi-layered attacks requires proactively watching container activity, host activity, cluster activity, Kubernetes configuration activity, and any administrative changes to cloud platforms.
However, until now, security teams have not been provided with the context needed to immediately differentiate benign app and infrastructure behavior from attacks. Passive scanners cannot provide causal deterministic linkages between activities at various levels of the stack, and cloud security teams were therefore left with only a partial map—like having the words in the middle of a sentence without the context of the beginning and end. This lack of context resulted in missed attacks (false negatives), a high volume of alerts (false positives), and long, inconclusive investigations to manually search for where, when, and how attacks occurred.
More than Passive Scanning or Best-effort Correlation
The Spyderbat Behavioral Context Web has been enhanced to include new, additional cloud control plane context, along with existing best-in-class data plane context. Now cloud security teams get the industry’s most comprehensive insights into running app activity with clear, deterministic causal mapping—not loose correlation or simple time-based linkages. This means threats, risk, and anomalies are identified and scored in real time, and can therefore be immediately acted upon with an alert, a proactive guardrail, or whatever automated action is appropriate based on policy.
Unlike generation 1 scanners and legacy agent-based products that attempt to reactively correlate unrelated runtime and build time event and log data, Spyderbat proactively traces actions as they move across layers of the stack, to immediately and automatically identify risk and stop threats in runtime.
Deep Visibility for Trusted Control
“Years back, when we founded TippingPoint, we learned that just detecting threats wasn’t enough—security teams needed to stop threats in real time, but that took extreme accuracy and line-level speed,” said Marc Willebeek-LeMair, CEO and co-founder of Spyderbat. “Now at Spyderbat, we took that same learning and applied it to cloud-native security. Our kernel-level data gathering and new control plane processing guarantee pinpoint accuracy without a performance hit, all while delivering real-time automated root cause analysis—no log correlation or human effort required. We're raising the bar with a level of trustable automation that's second to none."
Spyderbat is uniquely architected to identify attack tactics deployed in either data or control planes, and link these activities together to give security teams the industry’s most accurate intrusion recognition and response:
- Do No Harm
Runtime security is ineffective if it’s too resource intensive to deploy everywhere. Spyderbat consumes fewer than 2% of runtime resources and offloads all computationally expensive data processing, to minimize performance impact and ongoing resource cost.
- Continuous Runtime Behavior
Spyderbat uses a combination of eBPF and container runtime data to continuously track application and service behavior when operating at cloud scale and cloud speed.
- Multilayer Context
All gathered data includes the relevant control plane information to maintain the context of who, what, and where for each connection and process.
- Cause-based Tracing
Correlation is not causation. Ground-truth data and control plane context define a clear, deterministic sequence of linked events. These traces maintain state across ephemeral systems and layers of the application stack and extend from milliseconds to months, as needed, to instantly provide answers to questions like "What happened when?" and "Who, or what, caused what?"
- Automation-grade Accuracy
Generating thousands of alerts is useless and a remnant of antiquated solutions. Comprehensive accuracy provides automatic root cause analysis so human analysts no longer need to dig through logs to understand causation. True pinpoint accuracy is also critical for security teams to trust a solution enough to unleash automated actions.
- Real-time Blocking
Detection is important, but cloud runtime attacks require automated protection as well. Automation includes surgically precise actions like stopping individual processes, killing a Kubernetes pod, or applying virtual patches, all while protecting uptime and app performance.
With these newest enhancements, Spyderbat’s Behavioral Context Web gives security and ops teams even more confidence and clarity, so they have the accuracy needed to further reduce alert noise, minimize needless interrupts, and actively stop runtime threats as they attempt to move from containers to cloud control planes.
Spyderbat is the only runtime security solution that monitors all containerized app events, from the kernel to the cloud, to provide automated security guardrails, real-time threat blocking, and instant incident response. By combining insight from eBPF data, container runtime, and Kubernetes, Spyderbat’s Behavioral Context Web reduces alerts, eliminates the need for manual log investigation and correlation, and stops app drift and attacks. Spyderbat was founded by cybersecurity veterans Marc Willebeek-Lemair and Brian Smith, former founders of TippingPoint—inventors of the Intrusion Prevention System category— and is backed by Benhamou Global Ventures, Live Oak Venture Partners, NTT Ventures and industry luminary John McHale.