The power of prioritization: Why practitioners need CNAPP with runtime insights

By Marla Rosner - FEBRUARY 20, 2024


CNAPP with runtime insights

The heightened demand for cloud applications places a premium on the agility of development teams to swiftly create and deploy them. Simultaneously, security teams face the crucial task of safeguarding the organization’s cloud infrastructure without impeding the pace of innovation. Navigating this balance between speed and security has become a pivotal challenge, compelling security teams and developers to seek integrated solutions that safeguard the entire cloud-native application lifecycle — from development to production. 

This demand has given rise to the adoption of cloud-native application protection platforms (CNAPP). Security practitioners are embracing CNAPP to streamline their cloud security programs by consolidating point solutions into a single platform. Operating from a unified user interface, security teams gain comprehensive threat visibility across the organization’s cloud environments and workloads, offering a more effective and efficient approach to preventing, detecting, and responding to cloud security risks.

There are two questions CNAPP adopters must ask themselves:

How can security teams unlock the full potential of CNAPP to effectively carry out their responsibilities? And how can they use CNAPPs to ensure development teams can swiftly build and deliver applications? 

TL;DR answer:

The key lies in giving security practitioners the ability to identify and address real risks promptly. Enter runtime insights — the linchpin CNAPP capability that enables security teams to effectively prioritize the most important and relevant risks in their environment. 

It probably doesn’t come as a surprise that risk prioritization is the key for CNAPP practitioners to be successful. But to grasp the importance of runtime insights in delivering this capability, it’s important to understand the cloud security complexities driving the need for better prioritization.

Lack of end-to-end visibility and alert overload

While there are multiple factors driving the shift to CNAPP, one of the most important is the need for visibility into risk across the entire application lifecycle. As risk spreads throughout development, staging, and runtime operations, both security and DevOps teams need deep visibility and insights across the organization’s entire multi-cloud footprint. 

In order to ensure comprehensive visibility, a successful CNAPP must process substantial volumes of data from diverse sources. This encompasses data from system calls, Kubernetes audit logs, cloud logs, identity and access tools such as Okta, and more. Extensive coverage is crucial due to the many potential entry points for attacks, as well as the potential for attackers to move laterally across these domains. However, this analysis can generate a flood of alerts and findings that may or may not represent real risk. Security teams can get overwhelmed by the endless stream of alerts, impeding their ability to identify actual suspicious activity such as remote code execution (RCE), privilege escalation, or lateral movement across cloud workloads.

The backlog of notifications can also delay development, as developers waste time with false positives or remediating low-risk vulnerabilities. Without addressing this, security can quickly become an obstacle that slows the pace of innovation. 

Collectively, these challenges make it critical for CNAPPs to provide deeper insights and prioritize the most critical vulnerabilities based on runtime context. That’s where runtime insights excel, distinguishing the most effective CNAPP solutions from the rest.

Enable rapid risk prioritization with runtime insights

The key for security teams to prioritize the most impactful issues across cloud environments is runtime insights. Runtime insights provide actionable information on the most critical problems in an environment based on the knowledge of what is running right now. This provides a lens into what’s actually happening in deployments, allowing security and development teams to focus on current, exploitable risks. 

Runtime insights are an essential capability for an effective CNAPP solution to eliminate alert fatigue, provide deep visibility, and enable teams to identify real and relevant suspicious activity.

For example, a CNAPP with runtime insights:

  • Prioritizes the most critical vulnerabilities to fix by analyzing which packages are in use at runtime. Sysdig research shows that 87% of container images have high or critical vulnerabilities, but only 15% of vulnerabilities are actually tied to loaded packages at runtime.
  • Aids in promptly identifying anomalous behavior, suspicious activity, or posture drift that pose a genuine, immediate risk.
  • Highlights the excessive permissions to fix first by leveraging runtime access patterns. 
  • Guides remediation efforts that ultimately help teams make informed decisions directly where it matters most — at the source of the misconfiguration or vulnerability issue.

Runtime use case: Preventing lateral movement

Let’s explore how a CNAPP with runtime insights can effectively identify and mitigate a lateral movement attack across an organization’s two cloud vendor environments:

Attack path:

  1. Entry: The attacker exploits a publicly exposed critical vulnerability.
  2. Access: Having gained entry, the attacker now has access to a Kubernetes workload.
  3. Privilege escalation: Exploiting failed privilege controls and excessive unused permissions, the attacker escalates privileges, obtaining permissions with admin access.
  4. Lateral movement: Using acquired credentials, the attacker navigates across cloud environments, reaching a sensitive Amazon S3 bucket.

How runtime insights mitigate the attack:

  • Stop initial access by identifying in-use vulnerabilities:

Challenge: Teams face an overwhelming number of system vulnerabilities.

Solution: Using runtime insights, security teams can pinpoint which vulnerabilities are actively in use, enabling practitioners to prioritize immediate patching of exploitable entry points.

  • Track and control excess permissions to block lateral movement:

Challenge: Sorting through permissions can be daunting, leading to excessive and unnecessary access.

Solution: Security teams can leverage runtime insights to differentiate between actively used and excessively assigned permissions so practitioners can effectively ensure they’re applying the principle of least privilege. 

With proper runtime visibility, it is possible for teams to conduct a thorough analysis of permissions usage over an extended period (e.g., 30 to 90 days). If higher-level permissions remain unused during this time, this signals that they are likely unnecessary for regular operations. This proactive visibility equips teams with the knowledge to promptly remove unnecessary permissions, effectively thwarting an attacker’s ability to escalate privileges, and thereby preventing lateral movement.

By leveraging runtime insights, practitioners can significantly enhance their ability to detect, prioritize, and address critical elements of a lateral movement attack, ultimately fortifying the organization’s cloud infrastructure against such security threats.

Wrapping up

Prioritizing CNAPP alerts with runtime insights empowers security practitioners to prevent and respond to cloud security issues with greater efficiency and confidence. As organizations increasingly navigate cloud security complexities, runtime insights provide a decisive advantage by offering comprehensive visibility, enabling rapid risk prioritization, and mitigating alert overload. 

By addressing the challenges of end-to-end visibility and alert fatigue, CNAPPs equipped with runtime insights enable security and development teams to swiftly identify, prioritize, and address critical vulnerabilities, ensuring the organization’s cloud security posture aligns seamlessly with the pace of innovation. 

Subscribe and get the latest updates