As we reflect on the transformative year of 2023, the resilience and success of KSOC is a testament to the unwavering commitment of our incredible customers and dedicated employees, even amidst challenging market conditions. Positioned strategically in the cloud-native security landscape, our company thrived due to the incredible support and collaboration of our valued customers, the tireless efforts of our talented employees and the market readiness for a modern approach to cloud native security. In the face of economic uncertainties, rising interest rates, and global conflicts, KSOC not only weathered the storm but expanded its footprint, thanks to the trust and partnership of our customers and the relentless dedication of our employees.
As we navigate the predictions for cloud-native security in 2024, we recognize that our success is a shared achievement, fueled by the collective efforts of our customers and employees who continue to inspire us with their resilience and commitment to innovation.
As we all strive to give 2024 a strong start, positive signs of economic stability and recovery are already evident. Against this backdrop, we share some commentary on the predictions for 2023 and bring forth new predictions for 2024. KSOC has never been more ready to tackle the challenges facing security teams in their cloud native infrastructure, and we look forward to what 2024 will hold!
KSOC in review: 2023
In 2023, KSOC made it a priority to help Platform Engineering teams, Security, and CISOs cover their massive blind spots in Kubernetes risk visibility. To that end, we added capabilities to KSOC that are now protecting thousands of nodes across multiple Fortune 500 companies, as well as the top 10 of the Fortune Cloud 100.
New Capabilities
Real-time KSPM
The year got off to a great start with an alternative to the static, inoperable check-box approach to Kubernetes Security Posture Management from legacy container and cloud-focused CNAPP providers. KSOC launched event-based misconfigurations that change as fast as your Kubernetes workloads, avoiding the challenge of finding a workload that is no longer there, but was tied to a misconfiguration from a static, poll based scanner.
My co-founder, and KSOC’s CTO, Jimmy Mesta, said in the press release, “Anybody who operates Kubernetes knows how ephemeral workloads are; they come and they go in the space of 5 minutes. There is no way to secure Kubernetes without taking this into account, and yet that is what the industry has been trying to force-feed platform teams and cloud security teams. It hasn’t worked; nobody is using those solutions. KSOC is here to change all that and give teams a solution so they can finally operationalize security at the speed of Kubernetes.”
Find your top risk in no time with threat vectors
To reduce noise and get better signal around vulnerabilities in cloud native infrastructure, we introduced attack paths that take a Kubernetes-first view in order to tell infrastructure security engineers their clear, top priority issue across RBAC, image CVEs, Kubernetes misconfigurations, public cloud, network and runtime. Threat vectors, with the background of real-time KSPM, make KSOC the first and only enterprise-first company to secure ephemeral environments without complete blind spots around cloud native infrastructure.
Complete your asset inventory and expand software supply chain security to Kubernetes with a KBOM
Despite the large third party ecosystem of tools for Kubernetes, Kubernetes has been largely ignored when it comes to compliance regulations for the software supply chain. The Kubernetes Bill of Materials (KBOM) is an open source project that easily provides a quick view of the scope of your Kubernetes cluster, including:
- Cluster size (workload count)
- Cluster cost (node types, e.g. AWS/GCP/etc.)
- Vulnerabilities (both for internal and hosted images)
- Third party customizations and plugins (CRDs, authentication, service mesh, GitOps, management, and more)
- Version details for the managed platform, the kubelet, and more
Know who is doing what in your clusters with AI-Powered Cloud native identity threat detection
KSOC launched an answer to the failure of CSPM and open source RBAC tools in identifying malicious activity versus lists of over permissions. The AI-powered, cloud native identity threat detection platform creates:
- Attack paths between Cloud IAM and Kubernetes RBAC
- Find risks in the interaction of Cloud IAM and Kubernetes RBAC
- Cloud native identity anomaly detection
- AccessIQ: actual usage based on AI queries of Kubernetes API audit logs to find Malicious insiders and other attacks utilizing valid or overly permissive credentials
- Baseline ‘normal’ RBAC behavior and detect anomalies using AI to query cloud metadata, RBAC configurations and Kubernetes API audit logs
- Top priority RBAC and IAM misconfigurations
- Prioritize the most critical configurations based on the connections between RBAC permissions, Kubernetes misconfigurations, network exposure, runtime alerts and image CVEs on the same workload
Prioritize the vulnerabilities in active use with CVE Exploitability
Vulnerability management in a cloud native environment is so hard because there are simply too many vulnerabilities and not enough people to address them. KSOC released CVE Exploitability to see which of your CVEs are in-use in your running environment, so you can better prioritize which ones to fix first, combining eBPF runtime data with the cluster images.
AI-powered auto-remediation
To speed up the time to remediation for the misconfigurations in your environment, we announced a new AI-powered remediation capability that provides the actual, suggested changes in your manifest code. See it in action here:
Searchable SBOM
In response to the ingress-nginx vulnerability, we released a searchable SBOM feature for customers, allowing them to quickly find any new zero day vulnerabilities across their environments.
Content and Community
Swag donations
Every event KSOC sponsored in 2023 dedicated swag budget to local communities. Across the year, we sponsored Hak4Kids in Chicago, Washingtons’ National Park Fund, Ukraine friends, and more.
Top Content - ranked by you
In case you missed it, our community of followers found these articles to be some of the most helpful educational content:
Kubernetes version 1.29 overview
Kubernetes Ingress-nginx vulnerability
The Impossible Job of the Infrastructure Security Engineer
Download the Impossible Job of the Infra Security Engineer Whitepaper
How did our 2023 predictions evolve?
Each of the predictions we made in 2023 have evolved and taken on new life. As a reflection exercise, it's important to check in on the continued validity, and evolution, of these concepts.
Concept #1: Proliferation of eBPF
In 2023, we noted the proliferation of eBPF in cloud native tooling, and stated that:
- Regular observability tools aren’t enough for kernel-level behavior
- Most eBPF solutions require elevated privileges
- Practitioners must think in advance about what might happen in the case of vulnerabilities for runtime/eBPF tooling
Over the course of 2023, runtime protection became more and more of a concern, to the point that it is driving security teams into the fray of cloud native security. eBPF is the defacto standard for runtime behavior, BUT teams are still finding eBPF too intrusive, too difficult and taking up too much CPU (per point #3 above).
Concept #2: SBOMs = the most clear and unclear Software Supply Chain Security Requirement
It was clear, even in the beginning of 2023, that SBOMs were the closest that the Biden administration, or any other software supply chain security requirements, were to a hard software supply chain security requirement. We posed a few solutions to the unresolved question about how to use those SBOMs. You could use them to:
- Analyze artifacts running in your clusters
- Analyze a particular repo
- Do dynamic SBOM evaluation at admissions
In 2023, there was significant frustration on the part of buyers in the SBOM space, with little guidance about how SBOMs would practically fit into simple day to day activity. And there was more activity around the application of the concept of a BOM to other areas of the application development lifecycle, like Kubernetes, as shown in the KBOM feature KSOC announced above.
2024 predictions
Looking ahead, we believe that 2024 will be a year where teams try to improve efficiency, while at the same time covering any blind spots across new and evolving cloud native environments. Let’s get started!
#1. The scope of Zero trust and identity security will expand
According to the recent cost of the breach data from IBM, malicious insiders are the single most costly initial attack vector, followed by stolen or compromised credentials. And breaches initiated with stolen or compromised creds, typically by malicious insiders, took the longest to resolve, compared to phishing or exploitation of zero day vulnerabilities.
The Okta breach, as well as the usage of credential stuffing in the 23andme breach, both demonstrate that zero trust paradigms have to cover the environment, and even zero trust tools themselves, to be effective. This includes Kubernetes.
#2. Security teams will level up Kubernetes security coverage that doesn’t require them to become experts themselves
In a live poll at Kubecon 2023, engineers and SREs often said that, while they wished the responsibility for securing Kubernetes would lie with security teams, the engineering teams were the ones with the most detailed knowledge of Kubernetes itself. And the security teams they enjoyed the most, or had the most success with, were those that were less high level and more in the weeds of the technical details.
While this makes sense from an engineering perspective, on the side of the security teams, the reduction in their team sizes and budgets makes Kubernetes expertise a challenge. The answer?
#3. Security teams are shrinking, but will need to cover a broader set of environments
Even before teams and resources started to shrink in 2023, security teams were not as efficient as they wanted to be, due to new expanding environments in the cloud and cloud native development. But software supply chain security and cloud infrastructure requirements are pressing, with public breaches associated with each that have made headlines.
#4. New adoption of runtime security will drive better efficiencies
Runtime security has finally reached a critical level of adoption, as security teams find their customers and compliance requirements demanding incident detection and response controls for cloud native environments. As this continues, the inefficiencies of legacy vendors will be exposed and a new set of agents and flexible runtime agents will become available, without the downfalls of legacy agents, and without the ‘no agent’ compromise of agentless solutions.
#5. Software Supply Chain Security solutions will need to become more efficient
The frustration amongst security teams for vendors touting the latest and greatest SBOM was palpable in 2023, based on a perceived lack of practical use and benefit. In 2024, we expect to see security and engineering teams require software supply chain security solutions to become more efficient. This new set of tools will allow smaller, more nimble security teams to search for certain packages, or quickly understand their exposure.
#6. In 2024, there will be a very public K8s breach
Tesla holds the crown for the most well-known Kubernetes Security breach, back in 2018. Since then, we have seen many Kubernetes attacks, and 2024 will be no different, except that this time we expect a public breach to make major news. Based on the volume of Kubernetes CVEs that have been coming out in 2023, and the dearth of controls that adequately protect growing and changing Kubernetes environments, we expect to see a significant, public breach with Kubernetes at the center.
Conclusion
2024 will be a ‘year of adaptability’ where teams change their methods to focus more on tools that help them operationalize cloud native security while covering blind spots. Senior security leaders will further their careers by helping the company save resources and recover from the economic downturn, driving true innovation and protecting blind spots. For all of us here at KSOC, we can help make cloud native security accessible and part of the solution. Contact us today to see how KSOC can kick 2024 off right (think contextual risk, vendor consolidation and zero trust)!
