Asset Inventory

• Identifies assets and provides visibility across a multi-cloud infrastructure
• Associates misconfigurations and vulnerabilities with asset
• Categorize assets in type of cloud resource and further allow assets to be in a customized group
• Segregated assets based on different environments (dev/test or prod) and tagging

Misconfiguration is deemed by NSA as a leading vulnerability reason in a cloud environment where the risk might be less sophisticated but their implications are generally critical.

• AccuKnox provides you a single pane of glass view with clear action items and a tracking of these findings in a multi-cloud environment.

• Continuous compliance trends of the categorized assets of interest to see the conformance or deviation from the custom baselines or standard technical or governance framework in general.

• Leverage these scans results (periodically stored as a JSON in the Import section) to create a baseline on day 1 of your infrastructure and then you can compare it at any Day1++ to see what “Delta” difference got induced
• Any deviation from the baseline, could result in an Alert trigger to either of the integration method supported by Slack/Jira
• Moreover define custom Baseline and get customized alerts whenever those security controls get violated

AccuKnox can secure containers by:

• Periodic scanning of container images in registries

• Continuous monitoring of code, dependencies in registries and evaluating it against security best practices

• Evaluates continuous compliance via auto-recommended hardening policies based on standard frameworks like MITRE, NIST, CIS, HIPAA, PCI-DSS

AccuKnox provides flexibility to integrate a variety of open source and commercial security scanning tools through built-in parsers to provide you a composite security posture of your infrastructure

• Automate collection and execution through “Playbooks Builder” where we provide flexibility to define security tools of choice to assess the infrastructure

• Prioritize and deduplicates results from a variety of security scanning tools for SAST, SCA, DAST, and Container Security  to reduce alerts fatigue

App Behavior

AccuKnox Runtime Security helps you discover the Application Behavior of the workloads running in Public Cloud, Private Cloud, or On-prem in VM/BareMetal or local Kubernetes orchestrated cluster or unorchestrated pure-containerized cluster.

AccuKnox auto-detects and recommends Behavioral Policies based on app observability

• File system access for processes

• Processes that are getting accessed

• network access for certain process

AccuKnox CWPP delivers Application Micro-Segmentation by:

• Pod level isolation

• Fine-grained control

• Application-aware Policies

How we approach this problem?

• Detects which specific process requires network access and careful whitelisting

• Derive network understanding from CNI (agnostic to type) to construct L3, L4 and L7 layers of understanding

• Ensures workload security by isolating workloads and protecting lateral movement or unauthorized access

Micro-Segmentation by:

• Cluster-level isolation

• Network-level Control

• IP-based segmentation

• Network Security Enforcement

Modern Problem requires Modern Solution:

• Segments cluster based on service-mesh understanding

• Segment network based on IP, node and protocol

• Auto-discovered network and firewall policies

• Enforce network control via LSMs at kernel-level

• AccuKnox recommends a set of hardening policies that are based on industry-leading compliance and attack frameworks such as CIS, MITRE, NIST-800-53, and STIGs

• These policies are designed to help you secure your workloads in a way that is compliant with these frameworks and recommended best practices

• It helps to reduce the attack surface by introducing block based policy recommended to the cluster

• Hardening Policies are Auto-Recommended to the cluster and additionally, you can create a customized policy as well

• Any violation of the policy will be blocked with a unique “in-line mitigation” approach

Ransomware Attacks on HashiCorp Vault:

HashiCorp Vault helps organizations reduce the risk of breaches and data exposure with identity-based security automation and encryption as a service.

If any ransomware attacker tries to compromise the security of the pod and gets access to the vault pod, they can do a command injection and encrypt the secrets stored in the Volume mount points. Then the organizations have to pay millions of dollars to get back their secrets decrypted

Fortifying Vault with AccuKnox Security

AccuKnox helps in identifying default security posture when the vault is accessing the volume mount process concerning: –

• Process that is accessing volume mount point

• Path from where its getting accessed

Based on this behavior, we can restrict operation to these specific processes from a specific path. Hence, even in the case of a breach, any Remote Code Execution will be blocked instantly

Ransomware Attacks on CyberArk Conjur:

CyberArk Conjur when deployed in the Kubernetes cluster stores sensitive information in the volume mount points.

So if any attacker who gets access to these Volume mount points through lateral movements might see this sensitive information and secrets. Also, they can do encryption of the data and ask for ransomware. We can prevent these types of attacks AccuKnox’s runtime security engine KubeArmor access to these volume mount points and deny such attacks

Fortifying Conjur with AccuKnox Security

AccuKnox helps in identifying default security posture when Conjur is accessing the volume mount process concerning:

• Process that is accessing volume mount point

• Path from where its getting accessed

Based on this behavior, we can restrict operation to these specific processes from specific paths. Hence, even in the case of a breach, any Remote Code Execution will be blocked instantly.

Defend the Backbone: Fortify Your 5G Control Plane with AccuKnox Security

The most critical part of 5G is the control plane.

• nRT-RIC (near-RealTime RIC) built on micro-ONOS using a microservice architecture hosted on Kubernetes (K8s).

• SD-RAN control functions are containerized and deployed by Kubernetes as extensible workloads (or xApps).

While this fosters rapid innovation in the control plane it also poses challenges regarding the stability and security of deployed xApps such as:

• Permissive process-level constraints

• Authenticated identities

• Data flow privacy

• Comprehensive runtime monitoring

• AccuKnox KubeArmor auto-discovers default posture behavior of the control plane and recommends security policies based on that understanding

• Deep observability using eBPF telemetry

• Process being executed

• Granular Auto-generated Policies for container isolation

• Sensitive or mission-critical files being accessed

• Recommends Security Best Practices or Hardening Policy based on standards and governance framework such as MITRE, ENISA, FiGHT, NIST 800-53, etc.

Zero Trust both from Network and Application perspective

• Network: Only allow known entities to connect to the edge device, deny everything else.

• Application: Only allow known processes to operate within the container, deny everything else.

Sensitive Data: Only allow known processes to access sensitive data

Securing IBM Open Horizon

• Deployment Mode: Systemd mode

• Observability:
  • From Agent node to Management Hub (and vice-versa)
  • Agent edge node and the container applications
  • Inside the container application itself

• Enforcement:
  • Protects host and workloads running on it by enforcing either some predefined security policies or automatically generated least permissive security policies (using Discovery Engine)

Embrace the Next Generation of Security with Policy-as-Code

• Auto-recommended Policy-as-Code, a powerful framework that combines security policies and code to fortify your digital landscape

• Enforce security best practices, detect vulnerabilities, and ensure compliance throughout your entire software development lifecycle

• Customize curated Policies with a simple Policy Editor UI Tool

AccuKnox delivers Zero Trust security controls to thwart several attack vectors by preventing:

• Backdoor fetch-store-exec operations from subverted process or embedded malicious logic

• Unauthorized network Interface usage

• Unauthorized file system manipulations

• Prevents unauthorized process execution, termination, thread hijacking

• Prevents unauthorized administrative functions and command invocations

• Introduces strong identity management for all cross-container communications

• Produces fine-grain app-level audits and alerts for all permission violations

Approach to achieve Zero-Trust Posture

Allow specific, deny/audit everything else

• Process Whitelisting

• Volume Mount point / File System access whitelisting

• Process based Network Access whitelisting

Hildegard Attack: K8s based TTPs – Anatomy of the attack

• Initial Access: Misconfigured kubelet allows anon access

• Malware attempted to spread over as many containers as possible using service account tokens and eventually launched cryptojacking operations.

• Two C&C conns: Reverse tmate shell and IRC channel

• Uses a known Linux process name (bioset) to disguise the malicious process.

• LD_PRELOAD to hide the malicious processes.

• Encrypts the malicious payload inside a binary to make automated static analysis more difficult.

Deployment Options

AccuKnox offers one of the most flexible deployment options: Public Cloud, Private Cloud, Multi-Cloud. We have one of the most flexible architecture which allows us to offer a durable roadmap that covers Zero Trust Security for IoT/Edge and 5G workloads.

• Cloud Resource Visibility

• Cloud Workload Visibility

Supporting Cloud Native Resources and Workloads on Azure

• Cloud Resource Visibility

• Cloud Workload Visibility

Supporting Cloud Native Resources and Workloads on Google

• Cloud Resource Visibility

• Cloud Workload Visibility

AccuKnox runtime protection is agnostic to cloud and have been tested for support in below mentioned Private Cloud

• Openstack
• SUSE Rancher
• Red Hat Openshift
• Oracle Cloud
• IBM Cloud
• Mirantis Cloud
• D2IQ
• Platform9