RSAC 2024 Innovation Sandbox | RAD Security: New Solutions for Cloud-Native Anomaly Detection and Response

RSAC 2024 Innovation Sandbox | RAD Security: New Solutions for Cloud-Native Anomaly Detection and Response

April 30, 2024 | NSFOCUS

The RSA Conference 2024 will kick off on May 6. Known as the “Oscars of Cybersecurity,” the RSAC Innovation Sandbox has become a benchmark for innovation in the cybersecurity industry.

Figure 1: Top 10 Finalists for the RSAC 2024 Innovation Sandbox Contest

Today, let’s get to know the company RAD Security.

Company Introduction

RAD Security is a cloud-native security company co-founded by Brooke Motta and Jimmy Mesta, formerly known as the Kubernetes Security Operations Center (KSOC). On February 15, 2022, the company officially announced the acquisition of $6 million in seed funding. In the past year alone, the investment return has tripled, and the customer retention rate has reached 100% over the past two years.

Figure 2:Founders of RAD Security (Left: Brooke Motta; Right: Jimmy Mesta)

Before the renaming, the company focused on Kubernetes security operations such as real-time Kubernetes Security Posture Management (KSPM) and Cloud-Native Identity Threat Detection and Response (ITDR). On March 12, 2024, the company officially changed its name to RAD Security, explaining that “RAD” stands for the widely recognized security it provides, rather than being an acronym or hint. With the release of its cloud-native workload fingerprint, RAD Security has officially shifted its focus to the detection and response of cloud-native anomalies.

Product Capability Introduction

As shown in Figure 3, RAD Security claims to establish fingerprints of normal behavior in the cloud for the software supply chain, cloud-native infrastructure, and workloads. By comparing these normal fingerprints, it can detect anomalies to defend against 0-Day attacks in the cloud-native build, deployment, and runtime lifecycle.

Let’s start with the product capabilities to see how RAD Security detects and responds to cloud-native anomalies and defends against 0-Day attacks.

Figure 3: RAD Security Solution

1. Real-time KSPM

RAD Security claims to have released the industry’s first real-time KSPM tool, capable of displaying the status of cloud-native infrastructure in seconds. It is also convenient for deployment, supporting deployment in clusters via Helm in just minutes.

As shown in Figure 4, the real-time KSPM tool mainly utilizes Kubernetes monitoring management features (through the Agent calling the Kubelet API to query cluster resources) and the Kubernetes Bill of Materials (KBOM) tool. It monitors or scans components, networks, policies, images, container runtimes, etc., within the cluster, and visualizes the risk chain from the asset dimension by combining vulnerability risks. As for the security closure loop, it uses AI tools to generate repair suggestions to assist security personnel. Of course, the tool also includes other functions such as a dynamic admission controller built on the Open Policy Agent (OPA), generating an SBOM for running containers, generating a KBOM for cluster configuration, compliance testing against NSA and CIS guidelines, and generating reports across multiple clusters.

Figure 4: Real-time KSPN Tools in Cluster

We will briefly explore this tool from the following aspects:

1) Kubernetes Bill of Materials (KBOM)

With the continuous development of cloud-native technology, a large number of Kubernetes plugins and tools have emerged, but these third-party ecosystems often hide many dangers. KBOM is the first Kubernetes Bill of Materials standard released by KSOC, aiming to provide a security overview for Kubernetes clusters. It is worth mentioning that RAD Security has already open-sourced the initial version of KBOM.

The open-sourced KBOM is a lightweight CLI tool, which is different from the well-known SBOM: SBOM focuses on software components, providing their detailed inventory, sources, and usually includes license information; KBOM is designed specifically to address the complexity of the Kubernetes environment, supporting the output of cluster information in JSON, YAML, XML, and other formats to the command window or files. The outputted cluster information mainly includes the following:

  • Asset Discovery

In addition to cluster type, cluster size, node information (such as quantity, architecture, container runtime, kernel version, operating system, etc.), it also supports the discovery of third-party plugin information in the Kubernetes environment, such as Crossplane, Jenkins, CubeFS, and Clusternet.

  • Image Scanning

The official has not disclosed specific technical details about the image scanning capabilities of the repository and clusters. It is speculated that it is probably a combination of CVE databases to scan container images and mark dangerous images with vulnerabilities.

  • Custom Resource (CRD) Analysis

Identify and analyze CRDs in the Kubernetes cluster. Analyze the identified CRDs in conjunction with the CVE database, mark dangerous CRD resources, and provide high-risk warnings for CRD resources related to the Clusternet API.

2) Visualized Threat Vectors

As shown in Figure 5, a large amount of information such as the image CVE information discovered by KBOM, RBAC dangerous permissions, and Kubernetes misconfigurations are visually displayed layer by layer from the cluster to eliminate security blind spots in the cluster.

Figure 5: KSOC Threat Vectors

 

As shown in Figure 6, from the official publicity, RAD Security expects the threat vectors to provide a priority for Kubernetes vulnerabilities, sorting out the vulnerabilities that truly need to be fixed from a large number of cloud-native security alerts. Up to now, according to the information inquired from the official website, this feature can only provide a reference, and the final priority still needs to be judged manually, with more promotional content. Combining vulnerability exploitability verification technology and vulnerability severity level for vulnerability priority ranking is one of the more recognized solutions in the industry, and RAD Security’s ranking effect obviously has a certain gap compared to the latter.

Figure 6: Using Threat Vectors for Vulnerability Prioritization

3) Using AI Tools to Generate Incorrect Configuration Suggestions

The tool supports the use of AI tools to generate repair suggestions for the discovered threat vectors. After selecting the “Use AI to fix all issues” button on the threat vector page, as shown in Figure 7, the AI directly uses OpenAI GPT-4, and by inputting the specific information of the threat vector, you can get repair suggestions.  

Figure 7: AI-Generated Repair Suggestions

2. Cloud-Native Identity Threat Detection and Response

In 2023, three out of four major attacks on Kubernetes depended on overly permissive RBAC (Role-Based Access Control) policies. A recent survey by Red Hat found that 58% of teams using Kubernetes have experienced security incidents due to incorrect RBAC policies in the past 12 months. RAD Security believes that cloud-native ITDR is an effective method to mitigate Kubernetes RBAC attacks.

RAD Security’s cloud-native ITDR solution integrates cross-cloud IAM and RBAC, an AI-based query engine called AccessIQ, and Kubernetes RBAC insights, aiming to identify malicious cloud-native identity resources and perform closed-loop processing such as deletion, blocking, or adjustment of malicious identities.

Cloud-native ITDR is different from traditional RBAC security tools such as CIEM (Cloud Infrastructure Entitlement Management) and KIEM (Kubernetes Infrastructure Entitlement Management): CIEM focuses on Cloud IAM, and KIEM only focuses on the state of Kubernetes RBAC. These RBAC security tools aim to enhance identity status and implement reinforcement policies. In contrast, cloud-native ITDR not only focuses on the permissions themselves but also pays attention to whether the permissions are bound to accounts or used through behavior auditing, and provides risk accounts and permissions based on a zero-trust mechanism. The specific comparison is shown in Figure 8.

Figure 8: Differences Between Cloud-Native ITDR and Traditional RBAC Tools

Through the introduction on RAD Security’s official website, we can understand that native ITDR adds RBAC management capabilities on the basis of real-time KSPM, and its general functions are as follows:

1) Identity Risk Scoring

As shown in Figure 9, RAD Security prioritizes identity risk events by judging whether the RBAC permissions of the same container follow the principle of minimalism, whether the permissions are used by accounts, and whether they generate threat vectors (i.e., runtime events, containers with CVE images, incorrect permission configurations, etc.).

Figure 9: Identity Risk Ranking

2) RBAC Admission Controller

Consistent with real-time KSPM, this tool also relies on OPA to control the use of RBAC resources. As shown in Figure 10, the event triggered the policy that account passwords can only be mounted to Pods that communicate with the API Server.

Figure 10: RBAC Admission Control

3) RBAC Permission Risk Repair Suggestions

RAD Security supports providing repair suggestions for risky RBAC configurations, which is no different from using AI to provide modification suggestions for incorrect configurations in real-time KSPM. As shown in Figure 11, it provides minimal permission modification suggestions for policies with excessive permissions.

Figure 11: RBAC Permission Modification Suggestions

3. Cloud-Native Workload Fingerprints

Cloud-native workload fingerprints are “security” baselines established for normal cloud behavior using eBPF technology, also known as the “RAD Security Standard.” RAD Security claims that cloud-native workload fingerprints can prevent software supply chain 0-Day attacks. Let’s take a look at this together.

Chief Technology Officer and Co-founder Jimmy pointed out: “If development teams can compare a verified, clean runtime fingerprint against the same image running in their environment, they have a real chance in defending against the next zero day attack.”  Indeed, there are many unknown attack behaviors, and we only need to focus on secure behavior, with other behaviors being defined as attacks. This solution is implemented with eBPF technology, which uses eBPF Hook kernel Kprobe and Tracepoint probes to achieve call chain tracking, generating all reasonable call chains into a baseline. These baselines are the behavior whitelist, the standard for the secure behavior of the running workload, applicable to any scenario where the image is used. As shown in Figure 12, once the baseline is established, any call behavior that deviates from the baseline will be identified and blocked, effectively detecting and preventing 0-Day attacks.

Figure 12: Runtime Fingerprint Model

As shown in Figure 13, unlike traditional solutions such as CWPP or runtime security tools, which either detect after the fact or are based on rule comparison and cannot protect against unknown attacks, cloud-native workload fingerprints can use eBPF technology to compare behaviors and execute responses at the kernel call level. Since it is a call chain on the kernel, it naturally covers all running workloads, and thus naturally covers supply chain software.

Figure 13: Comparison Between Cloud-Native Workload Fingerprints and Traditional Security Methods

Conclusion

RAD Security has mainly released three products: real-time KSPM that integrates Kubernetes Bill of Materials and AI capabilities, ITDR that supplements RBAC management capabilities, and cloud-native workload fingerprints based on eBPF technology.

We appreciate the utilization of eBPF technology for identifying cloud behavior and establishing baseline behavior, which represents a significant innovation. However, it is our respectful observation that the remaining aspects may not exhibit the same level of innovation. The reasons for this perspective are as follows:

  • The industry has long released many best practice lists related to Kubernetes, which are no different from the Kubernetes Bill of Materials;
  • It is not difficult to manage the entire cluster with the strong service capabilities of Kubernetes, let alone RBAC resources;
  • After the widespread popularity of GPT, the application of AI technology in security products is no longer a novelty.
  • There have been mature practices for call chain tracking based on eBPF technology.

However, the approach of capturing detailed call chains through eBPF, establishing various application behavior whitelists, and applying this solution to cloud scene protection is innovative. Currently, there is no similar implementation or propaganda for such a solution in other products within the industry.

It is worth noting that in the article “An Insight into RSAC 2023: Build Cloud-Native Security Base Based on Zero Trust” released last year, NSFOCUS expressed the idea of doing zero-trust at the kernel level in the cloud scene, and we have also verified the feasibility of kernel-level response based on eBPF. We believe that there are the following problems with cloud-native workload fingerprints:

1) How to keep the fingerprint updates in line with normal business needs?

The difficulty in covering a vast array of tools and products: The CNCF product overview chart has countless products and tools, and even if a BOM list is enforced, the number of tools and products that need to establish fingerprints is also considerable. Moreover, the behavior of official software cannot be fully trusted, and a large amount of call chain security judgment is required.

Tools and products update and iterate quickly, and it is difficult to ensure response time: Every change in logic may change the call chain, and the behavior fingerprints of the call chains need to be updated. The update of behavior fingerprints mostly has a lag, which may affect the normal business environment.

2) How to ensure that the behavior chain obtained before the cloud-native workload fingerprint takes effect is real?

Because the cloud-native workload fingerprint is based on eBPF technology to do the call chain, the obtained call information is susceptible to tampering. If the hook in the environment has been hijacked before the cloud-native workload fingerprint takes effect, then all the whitelist mechanisms will also become ineffective.

Leveraging AI technology may provide some relief for the first concern. However, an effective solution has not yet been identified within the industry for the second.

More RSAC 2024 Innovation Sandbox Finalist Introduction:

References

[1] https://rad.security/blog/ksoc-our-story

[2] Reimagining Cloud Native Detection & Response: KSOC’s Evolutionary Shift to RAD Security

[3] https://github.com/ksoclabs/kbom

[4] KSOC Releases the First Kubernetes Bill of Materials (KBOM) Standard

[5] https://rad.security/kubernetes-vulnerability-prioritization

[6] How to Protect Yourself From the New Kubernetes Attacks in 2023

[7] https://www.redhat.com/en/resources/state-kubernetes-security-report-2023

[8] ITDR Best Practices Checklist for Cloud Native Security: Identity Threat Detection and Response

[9] An Insight into RSAC 2023: Build Cloud-Native Security Base Based on Zero Trust