What is runtime security?

Runtime security is the technology that provides protection to running processes, wherever they are executed. Runtime security is a vital component in cybersecurity — especially in the cloud — protecting your applications, infrastructure, data, and users from malicious code and exploits.

Let’s explore runtime security, its different types, and the technologies and products that used to implement it.

What is runtime security?

Runtime security provides protection to running processes, rather than scanning static files. Runtime security technologies can protect processes running in containers, as serverless functions, in virtual machines, and those running on a local machine itself.

This provides end-to-end protection of applications during execution, which ensures that running processes cannot harbor cybersecurity threats that are not detectable through other threat scanning methods.

What threats does runtime security protect against?

Runtime security protects against the following cybersecurity threats:

• Malware and malicious code: Malware that has not yet been identified and cataloged can hide in software dependencies, and malicious code that is able to mask its purpose until it is executed can escape traditional code and file scanning detection. Only when executed can these threats be detected and caught.
• Code injection and memory corruption: Buffer overflows and other code injection methods mean that malicious code is introduced into your running application rather than being present prior to deployment. This means that it is only detectable with runtime protection.
• Unauthorized access and privilege escalation: Runtime security can detect unauthorized access (or attempted access) to resources. Security policies can be enforced to deny attempts at escalating privileges, and the attempt may be logged as evidence of a compromised process.
• Zero-day exploits: Previously unknown vulnerabilities in otherwise reputable software is a common attack vector. As the attack vector is as-yet unknown, runtime security may be able to detect the results of the exploit, allowing you to narrow down the cause. Network segmentation and a strong security posture are the best protection against zero-day attacks in the cloud.
• Suspicious behavior: Runtime security can also detect other suspicious activities that may indicate a highly targeted attack in progress, such as outbound network connection to a C2 servers, elevating permissions within a containerised workload, or by obfuscating scripts on the command line to evade traditional endpoint detection rules.

To combat the above threats, runtime security establishes a baseline for how an application interacts with its environment and other resources. In combination with your own policies, this allows it to identify, in real-time, the abnormal behaviors that signal a potential cyberattack in progress.

Securing the Cloud with End-to-End Detection

LEARN MORE

How runtime security differs from other security approaches

Static analysis tools that check code for anomalies and vulnerabilities before it is deployed to production, and dynamic analysis that check code running in controlled environments, are not enough (alone or in combination) to fully protect an application.

As-yet unidentified vulnerabilities can pass static analysis, and malicious behavior may not be triggered in a controlled environment. Runtime security actively monitors applications in production as they are running. This means that it is able to detect and respond to code injection, privilege escalation, zero-days, and other malicious activities that static and dynamic code analysis may not be able to identify.

The importance of runtime security in cloud environments

Runtime security is vital to securing and maintaining applications in native cloud environments. Malicious code and other cyberattacks can be used to exploit cloud resources for free computing power, access to expensive APIs, and to sabotage business operations.  Attackers can also turn your infrastructure into an attack vector against others as part of a botnet or for other illicit purposes.

One of the biggest concerns for businesses is the potential for an attacker to exploit a running process to access and subsequently leak sensitive data. If leaked data includes personally identifiable information (PII), this can lead to reputational damage as well as legal repercussions through privacy laws such as GDPR and CCPA.

The always-online nature, as well as the complexity and scale of cloud infrastructure, makes visibility difficult for security teams. Runtime security in cloud native environments must address this issue directly with a full spectrum of monitoring and logging tools. It should also provide the ability to configure alerts so that the right people are notified, ensuring that important alerts indicating an attack in progress are not overlooked.

Types of runtime security

Runtime security, including automated detection and response, should cover all of your cloud applications, regardless of where or how they are running:

• Application runtime security: Runtime application self-protection (RASP) is implemented within an application itself, and is implemented by the developer.
• Container runtime security: Runtime security for containers and orchestration platforms like Kubernetes protects both the container platform, as well as the host and adjacent infrastructure from potential exploits of the containerized code. To truly understand, and correlate behavior between a Kubernetes abstraction, such as a pod or service, and the underlying process that runs within that ephemeral workload, businesses need to enrich the context of raw system calls with the events observed in Kubernetes audit logs.
• Cloud runtime security: Cloud environments such as AWS, GCP, and Azure have their own  dedicated cloud services with their own associated audit logging  systems used to monitor unwanted behaviors  in those cloud services. It’s important to aggregate and analyze these cloud audit logs in the same way we observe system calls in the host runtime to understand if a workload or server is under attack.
• Host runtime security: Intrusion and endpoint detection provide real-time detection and response for the machines that run virtualization and containerization platforms, or that directly run cloud workloads.
• Serverless runtime security: Serverless functions such as AWS Lambda are not immune from exploit, and can be leveraged by attackers if not actively monitored for unexpected behaviors.

Outside of cloud environments, endpoint runtime security products (usually in the form of antivirus and endpoint protection platforms) protects devices like laptops, phones, and workstations from malware.

Runtime security tools

Runtime security is provided by various tools for specific environments. For example, Falco is an open source security tool that protects running Docker containers and the Kubernetes platforms used to orchestrate them. Sysdig Secure protects cloud native environments for AWS, Google Cloud, and AWS, while SELinux and AppArmor provide runtime security for processes running on Linux systems both locally and in the cloud.

Runtime security best practices

There are several best practices your security teams can adopt to ensure that the benefits of their investment in cloud security are fully realized:

• Monitor running applications, and ensure notifications are targeted: Ensure that your security platform is properly configured to monitor all running applications (even those in horizontally scaling environments), and that notifications are only sent to relevant team members, to prevent individual security team members from becoming overwhelmed and overlooking important alerts.
• Use RBAC: Role based access control (RBAC) should be used to control what resources both users and running processes have access to, to prevent a successful attacker from being able to cause further damage by moving through your network. The principle of least privilege (POLP) strengthens this by granting access only to the specific resources required for a task.
• Run regular response training: Your security team should understand the infrastructure and applications they are tasked with protecting, and run regular response training. This, combined with automated detection and response will help protect against even highly targeted attacks.

Sysdig integrates runtime security into a full native cloud security platform

The Sysdig cloud-native application protection platform (CNAPP) integrates container workload protection, providing a comprehensive, unified solution to runtime security in the cloud.

Sysdig integrates with AWS, Google Cloud, and Azure to secure code from deployment to execution in scalable production environments. The platform monitors permissions, configurations, and application behavior for signs of attack, immediately notifies stakeholders, and automatically enacts mitigation and remediation measures for the highest possible level of cloud protection.