Unless you’re Dr. Emmett Brown or a Time Lord, you know that time travel is just a fantasy for our favorite books and TV shows. We know that we can’t go back and change the past and we can’t see the future no matter how much we might like to. However, the idea of being able to control the past, present, and future isn’t as far-fetched as you might think.
One of the companies that is giving us a peek into the possibilities is Spyderbat. An early contender for Most Awesome Company Name, Spyderbat is focused on providing security for cloud-native software. Their platform has distinct components that allow you to see things as they were, as they are, and how they should be. I had a chance to sit down with Seth Goldhammer, VP of Marketing, to talk about what Spyderbat is doing and how it relates to the world of runtime security.
The Past
The first part of the platform is Flashback. Flashback is a recorder that captures information from the workloads and stores it for future reference. Using eBPF, Spyderbat is able to grab all the traces from the containers and store them for analysis. Perhaps you want to be able to figure out why your app was offline on a Tuesday at 9:17am. Flashback can give you the exact details of what was going on at that point in time.
Troubleshooting root cause isn’t something that happens in the heat of the moment. Triage is more concerned with getting things online right now and worrying about the other issues later. With Flashback you can capture the state of the runtime now, figure out how to fix the issue, and then go back later and analyze what caused it. Was it a bad configuration that was pushed to production? Or could it be a nefarious actor looking to gain a foothold? With Flashback you’ll know for sure.
The community version of Spyderbat allows you to store up to 30 days of traces from up to five devices. The flagship offering has storage for up to 90 days of traces. If you need more, the enterprise solution has an unlimited amount of storage.
The Present
Capturing data from your infrastructure is nice, but how do you prevent the kinds of problems that take down your environment? It’s not always a malicious problem. Sometimes your newest developer doesn’t understand why things are done the way they’re done and tries to be helpful by removing a bunch of “unimportant” lines of code before pushing those changes to production on a Friday.
Keeping your software running right now means having guardrails to prevent unintended changes from taking things down. Spyderbat’s solution for today is Guardian. Guardian takes a look at what your current environment looks like and compares the changes that are being made to it, checking for errors. Perhaps the code is correct from a syntax perspective but violates some other constraint, such as publishing API keys. Guardian can be configured to look for these violations and send an alert or require authorization before they can be pushed into production.
Guardian can also be set up to execute changes during configured windows. No more pushing changes in the middle of the workday just to get something out the door. Now you can ensure that authorized updates only happen on a schedule, preventing the kind of chaos that a sleepy developer can cause after a weekend of too little rest. And if there is a process that needs to be changed, it’s easy to go in and adjust the guardrails because the configuration files for Guardian’s policies are written in YAML.
The Future
While we might know how to troubleshoot our existing issues and keep our developers from doing things they aren’t supposed to do, you can’t always know what’s coming. Maybe there’s a new exploit that has just been found that gives attackers a way into your system. It could be a set of stolen credentials that allows for privilege escalation on a system. No matter what could happen, you need to be prepared to respond to it quickly so that dwell time is minimized.
Spyderbat has a solution for the future too. Interceptor is designed to look at runtime attack patterns and keep them from executing. Leveraging the MITRE ATT&CK framework, Interceptor can ensure that unauthorized access doesn’t become an event that gets you on the news. You can stop traces from executing as they happen to prevent lateral movement and ensure systems stay safe. This happens in real time instead of munging mountains of log files in the hope of isolating something that might look out of place. No machine learning algorithm is going to help you if the attackers are already in the building. Interceptor gets them before they get through the door.
Bringing It All Together
The power of a solution like Spyderbat is that it handles all three parts of time travel. You have to know what happened, what’s going on, and what could happen before it does. Thanks to Flashback, Guardian, and Interceptor, you can get a handle on the whole process from beginning to end. If you want to give Spyderbat a try, you can download their community edition for free. There’s even a great learning tool included to help you understand how they catch problems and identify attacks as they’re happening. If you’re ready to be a container Time Lord or master the arts of run-time travel, make sure you check out Spyderbat.
For more information on Spyderbat and their platform and to try out their community edition, make sure to check out Spyderbat’s website.