Protecting a large network can be an intimidatingly difficult challenge. It’s the process of solving an endless series of problems over an infinite amount of time. The difficulties never stop coming, they simply change shape, and the teams defending those networks often don’t have the time to step back and look at the bigger picture.
A couple of years ago, Dino Dai Zovi, a security researcher who had spent time on internal security teams and also helped build out the security of Square’s mobile payment platform, began thinking about a different approach to protecting users at scale. The prevailing mentality of securing individual hosts and devices and trying to detect known attacks didn’t seem to be keeping pace with modern attacks. This was especially true for the growing number of organizations that rely on some combination of cloud and in-house infrastructure. That kind of network has its own set of challenges, and Dai Zovi thought there was a more efficient way to deliver security for those organizations. The key would be to continuously gather event data and analyze it to identify attacks in progress, before they’re able to do any damage. And not just known attacks, but also new techniques or those exploiting zero-day vulnerabilities.
At the same time, John Viega, a longtime security industry executive and technologist, was casting about for something new to do.
“I had been looking around for what to do next and a VC friend said to me, I’d love to fund you to do something in zero-day detection for production infrastructure. I had dinner scheduled with Dino and Brandon Edwards and we’d all seen the need,” said Viega. “MSSP customers weren’t well-protected in the cloud or in data centers.”
Forming the idea was one thing, but making it into a system that enterprises would bet their security on was something else altogether. That would require time and, of course, funding. The money came and time passed, and the concept that Dai Zovi imagined became the Capsule8 platform. Capsule8 comprises a set of software sensors deployed in a customer’s environment that gather behavioral data directly from the Linux kernel using Linux tracing. The system collects information from every host in the production environment and streams it continuously to a nearby analysis host that reconstructs the state of a given host and looks for attacks in progress. Capsule8 doesn’t deploy a kernel module, but instead gathers data from a userland process.
“It’s based on what the priorities were in production environments. Stability risks are people’s primary concerns,” said Dai Zovi, CTO of Capsule8. “Performance is their secondary concern, and security is third. If you compromise the first two, you won’t get any traction.”
Much of the way the company’s platform is designed is the result of long conversations with large enterprises about how they run their networks and what their priorities are.
“We spent six months talking to fifty large enterprises about what they’re looking for,” said Viega, Capsule8’s CEO. “People don’t like sending data back to other people’s solutions in the cloud. Because of the way our sensor is designed, it doesn’t put workloads at risk. Dino designed it with the API in mind first and people can come to our console to manage the alerts and search for data.”
One of the many challenges that security teams at large enterprises face is getting time-sensitive attack information quickly enough to take action. Dai Zovi sought to solve that problem by using data streaming rather than simply gathering every single bit of information and then waiting for analysts to dig through it looking for attack signatures.
“One of the important things we designed in is the concept that the evidence outruns the attack. Even if an attacker is attacking a host, there’s no chance to block the alert. The second the attacker is doing anything, the data is streamed off the host,” Dai Zovi said.
“The customer is seeing alerts that come out of the analysis engines. They’re indicators of broad attack activity. It could be a remote shell launched from a remote service, or a process that’s exploiting the kernel.”
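As an added illustration of the analysis-side idea described above (not Capsule8’s code or event format), the following sketch consumes a constructed stream of per-host tracing events in arrival order, rebuilds each host’s process table off-host, and raises an alert when a shell is launched beneath a process that has accepted a network connection. The event field names and the sample stream are assumptions made for the example.

```python
from collections import defaultdict

SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed sample stream (hypothetical field names); order mirrors arrival at the analysis host.
SAMPLE_EVENTS = [
    {"host": "web-1", "type": "exec",   "pid": 100, "ppid": 1,   "comm": "nginx"},
    {"host": "web-1", "type": "accept", "pid": 100, "peer": "203.0.113.7"},
    {"host": "web-1", "type": "exec",   "pid": 101, "ppid": 100, "comm": "sh"},
    {"host": "web-2", "type": "exec",   "pid": 200, "ppid": 1,   "comm": "cron"},
    {"host": "web-2", "type": "exec",   "pid": 201, "ppid": 200, "comm": "sh"},
    {"host": "web-2", "type": "exit",   "pid": 201},
]

class HostState:
    """Process table for one host, rebuilt from the event stream."""
    def __init__(self):
        self.procs = {}  # pid -> {"ppid": int, "comm": str, "net": bool}

    def network_facing_ancestor(self, pid, max_depth=8):
        """Return the comm of the nearest ancestor that accepted a connection, else None."""
        for _ in range(max_depth):
            proc = self.procs.get(pid)
            if proc is None:          # parent unknown (e.g. started before the sensor)
                return None
            if proc["net"]:
                return proc["comm"]
            pid = proc["ppid"]
        return None

def analyze(events):
    """Consume events in arrival order; return (host, pid, shell, service) alerts."""
    hosts = defaultdict(HostState)
    alerts = []
    for ev in events:
        state = hosts[ev["host"]]
        if ev["type"] == "exec":
            state.procs[ev["pid"]] = {"ppid": ev["ppid"], "comm": ev["comm"], "net": False}
            if ev["comm"] in SHELLS:
                service = state.network_facing_ancestor(ev["ppid"])
                if service:
                    alerts.append((ev["host"], ev["pid"], ev["comm"], service))
        elif ev["type"] == "accept":
            proc = state.procs.get(ev["pid"])
            if proc:                  # ignore accepts for processes we never saw exec
                proc["net"] = True
        elif ev["type"] == "exit":
            state.procs.pop(ev["pid"], None)
    return alerts
```

Because the process table lives on the analysis host, the `sh` under `nginx` on web-1 is flagged from events already streamed off the box, while the `sh` spawned by `cron` on web-2 (no inbound connection in its ancestry) produces nothing.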
This approach, a kind of continuous delivery of security, is one that some companies have tried to do on their own. But it’s not a simple thing to pull off, and it’s not something that most organizations even attempt.
“In Silicon Valley, people have been trying to build this themselves,” Viega said. “A lot of the things we’ve been talking about are replacing stuff that companies shoestring together internally. Only companies like Google and Netflix have the resources to do it.”
Dai Zovi points out that the underlying concept that Capsule8 relies on has been in use in the financial sector for many years with real-time trading platforms, but not many people had thought to apply the idea to security. That, he said, is changing.
“I think it’s inevitable. Organizations will be moving closer to continuous delivery because it’s a massive differentiator,” he said. “Traditional security organizations will have to adapt. There are common patterns that are going to expand across the industry. If you look at how infrastructure operations changed with SRE [site reliability engineering] and DevOps, you have a lot of very common elements because you have to adapt to deploy that frequently. Everyone wants that. Once the assembly line and modern manufacturing was innovated, everyone wanted it. Security teams will have to adapt to that frequency.”