Streamline Container Runtime Security with CRI-O Support
We are excited to announce support for CRI-O (Container Runtime Interface – Orchestrator).
CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes, making integration between Kubernetes and container runtimes lightweight & seamless.
Upwind’s CNAPP will now support CRI-O users, in addition to our existing support of other container runtimes such as Containerd and Docker.
This new capability allows you to receive runtime insights and protections for CRI-O Kubernetes environments including:
- Visibility of container image layers
- Kubernetes runtime insights
- Real-time Kubernetes threat detection and response
Use this new capability from Upwind to receive runtime protections and insights for Kubernetes environments with CRI-O runtimes and strengthen your overall infrastructure security.
Ensure Seamless Hybrid-Cloud Security with Support for OpenShift Container Platform
We are excited to introduce support for Red Hat OpenShift in the Cloud or On-Premises.
Runtime Security for Red Hat OpenShift
Red Hat OpenShift Container Platform is a hybrid-cloud PaaS built around Linux containers, orchestrated and managed by Kubernetes with a Red Hat Enterprise Linux foundation.
With this new capability, you can now seamlessly protect Red Hat OpenShift with Upwind, on AWS, Azure, GCP, Oracle Cloud, or even On-premise (following our existing BYOC support for on-prem data centers and hybrid-cloud environments).
CWPP For Red Hat OpenShift
Upwind’s support for OpenShift unlocks the opportunity to achieve real-time security at runtime for your OpenShift containerized environment. These capabilities include finding misconfigurations, scanning for software and package vulnerabilities, and conducting a deep assessment of your network topology for threat detection, workload process security, malware protection, and anomaly detection.
We are excited to announce the release of a significant new capability – SSH session monitoring. In the dynamic landscape of remote system management, Secure Shell (SSH) serves as a pivotal tool, providing seamless access and control. However, this convenience also presents a Pandora’s box of potential security risks when SSH sessions go unmonitored. SSH, […]
Pinpoint Vulnerability Origins With Complete Visibility into Container Image Layers
We are excited to release an important new capability – container image layer visibility.
A Docker build consists of a series of ordered build instructions. A layer, or image layer, is a change in an image, or an intermediate image. Every command specified (COPY, etc.) in a Dockerfile causes the previous image to change, thus creating a new layer.
This new capability provides a detailed breakdown of each container image by:
- Highlighting specific image layers
- Identifying image changes between layers
- Pinpointing the introduction layer for every package
Understanding and tracking container image layers is crucial for identifying when and where vulnerabilities were first introduced and can also be used to discover package drifts related to packages installed outside the base image layer.
In addition to layer visibility and the ability to pinpoint vulnerability origins, you can also use this capability for:
1. Streamlined scans of large images, leveraging our ability to break the scan per layer
2. More efficient scans that only scan the last layer
3. Faster and easier scanning for your organization
Use this capability for increased transparency into your running container images, helping you rapidly identify and track how image layers introduce or resolve vulnerabilities and how this impacts your overall cloud security.
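An added example, not Upwind's code, of the per-layer attribution this section describes: given a constructed per-layer package inventory (the set of packages present after each layer is applied, as a scanner that unpacks layers one at a time would record), it finds the layer that introduced each package, the changes between consecutive layers, and packages installed outside the base image (drift).

```python
"""Attribute packages to the image layer that introduced them (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    digest: str          # constructed placeholder, not a real digest
    created_by: str      # the Dockerfile instruction that produced the layer
    packages: frozenset  # packages present after this layer is applied


def introduction_layers(layers):
    """Map each package to the index of the first layer that contains it."""
    seen = {}
    for idx, layer in enumerate(layers):
        for pkg in layer.packages:
            seen.setdefault(pkg, idx)   # keep the earliest layer only
    return seen


def layer_diff(layers):
    """(instruction, packages added, packages removed) for every layer."""
    diffs, prev = [], frozenset()
    for layer in layers:
        diffs.append((layer.created_by, layer.packages - prev, prev - layer.packages))
        prev = layer.packages
    return diffs


def package_drift(layers, base_layer_count):
    """Packages that never appear in the first base_layer_count (base image) layers."""
    base = frozenset().union(*(l.packages for l in layers[:base_layer_count]))
    return {p for l in layers[base_layer_count:] for p in l.packages} - base


def vulnerable_package_origin(layers, vulnerable_pkgs):
    """Name the instruction that introduced each package flagged by a scanner."""
    intro = introduction_layers(layers)
    return {p: layers[intro[p]].created_by for p in vulnerable_pkgs if p in intro}


# Constructed sample: a two-layer base image followed by two application layers.
SAMPLE_LAYERS = [
    Layer("sha256:base0", "FROM debian (base)", frozenset({"libc6 2.36", "openssl 3.0.11"})),
    Layer("sha256:base1", "RUN apt-get install -y curl", frozenset({"libc6 2.36", "openssl 3.0.11", "curl 7.88"})),
    Layer("sha256:app0", "RUN pip install flask", frozenset({"libc6 2.36", "openssl 3.0.11", "curl 7.88", "flask 2.3"})),
    Layer("sha256:app1", "RUN apt-get purge -y curl", frozenset({"libc6 2.36", "openssl 3.0.11", "flask 2.3"})),
]
```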
Evaluate Your Vulnerability Resolution Over Time
We are excited to announce a new section in the Upwind Platform – the Vulnerability Dashboard.
The Vulnerability Dashboard will give you the ability to see both an overview of your current critical vulnerabilities and the state of your vulnerabilities over time.
Get an instant overview of your current vulnerabilities, including:
- the most critical vulnerabilities that should be prioritized for remediation
- the number of vulnerabilities by severity
- the number of CVEs and their severities for Kubernetes workloads, scaling groups, and hosts
- the container images with the highest number of critical CVEs
The Vulnerability Dashboard will also give you high-level insights into your vulnerability management over time, including:
- how your environment was exposed over a period of time
- how many new vulnerabilities were introduced versus how many were resolved
- the CVE count and severities for each workload type over a period of time
Use Upwind’s Vulnerability Dashboard to easily get a high-level overview of the state of your vulnerabilities, and use this feature to evaluate and track your organization’s progress with vulnerability remediation over time.
Detect Suspicious Cloud Instance Metadata Activities
We’re excited to release a new detection type, allowing you to detect advanced metadata DNS rebind activities in real time.
A metadata DNS rebind detection alerts you that a virtual machine or a container is querying a domain that resolves to the metadata service IP address (169.254.169.254).
What is Cloud Instance Metadata Service (IMDS)?
When cloud instances or containers in AWS, Microsoft Azure or Google Cloud require access to data about themselves or the cloud environment, they can query the Instance Metadata Service (IMDS), which typically listens on the IPv4 address 169.254.169.254 as well as, in the case of AWS, a dedicated IPv6 address.
Using IMDS, machines can discover things like the region and availability zone they run in, the subnet the instance/VM is a part of, the image used to launch the system and the security groups used to control network access to the system.
There are some more sensitive items that can be retrieved as well, like:
- User-data (startup/boot script) passed to the system at boot time (could contain secrets)
- IAM role credentials (could allow access to the greater AWS cloud account)
- Managed identity credentials (could allow access to the Azure account)
- Service account tokens (allowing access to the Google Cloud account)
Indicators of Metadata Compromise
When a metadata DNS rebind is detected, it can indicate compromise or that a malicious action is being attempted. For example, it could signify that an attacker is attempting to carry out a DNS rebinding to obtain instance or user metadata from a virtual machine, such as its IAM credentials, and use them to do anything that the virtual machine or the application is permitted to do.
In a DNS rebind attack, a malicious entity tricks an application running on a virtual machine into loading return data from a URL, getting the domain name in the URL to resolve to the virtual machine metadata IP address (169.254.169.254). In doing so, the application accesses the virtual machine and can make its instance and user metadata available to the attacker.
It’s worth noting that a DNS rebind attack can only successfully access virtual machine metadata if the virtual machine is running a vulnerable application that will allow for the injection of URLs, or if a user accesses the URL in a web browser that is running on the virtual machine. Upwind leverages runtime context to determine real risk and immediately identify if your applications are vulnerable and if a DNS rebind attack poses a true risk to your organization.
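The core of the detection described above, as an added example that is not Upwind's detection logic: it scans resolver log lines for any hostname, other than the cloud providers' own metadata hostnames, whose answer is the IMDS address 169.254.169.254. It assumes the DNS logs have already been reduced to `<timestamp> <client> <qname> <answer>` lines (the sample lines are constructed) and only handles the IPv4 metadata address named in the text.

```python
"""Flag DNS answers that point an unexpected hostname at the IMDS address (added example)."""
import ipaddress
from typing import NamedTuple

IMDS_V4 = ipaddress.ip_address("169.254.169.254")  # metadata service address named in the text

# Hostnames that legitimately resolve to the metadata address; queries for these
# are expected. Assumption: extend this allowlist for your own providers/DNS setup.
KNOWN_METADATA_HOSTS = {"metadata.google.internal"}


class DnsEvent(NamedTuple):
    ts: str
    client: str
    qname: str
    answer: str


def parse_line(line):
    """Parse one reduced resolver log line; qname is normalised for comparison."""
    ts, client, qname, answer = line.split()
    return DnsEvent(ts, client, qname.rstrip(".").lower(), answer)


def is_metadata_rebind(event, allowlist=KNOWN_METADATA_HOSTS):
    """True when a hostname outside the allowlist resolves to the IMDS address."""
    try:
        addr = ipaddress.ip_address(event.answer)
    except ValueError:          # CNAME or other non-address answer: nothing to compare
        return False
    return addr == IMDS_V4 and event.qname not in allowlist


def detect(lines, allowlist=KNOWN_METADATA_HOSTS):
    """Return (client, qname) pairs that look like a metadata DNS rebind."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if is_metadata_rebind(ev, allowlist):
            hits.append((ev.client, ev.qname))
    return hits


# Constructed sample log: a normal lookup, a legitimate GCP metadata lookup, an
# external name whose A record points at the IMDS address, and a CNAME answer.
SAMPLE_LOG = [
    "2024-01-10T12:00:01Z 10.0.1.15 api.example.com. 203.0.113.10",
    "2024-01-10T12:00:02Z 10.0.1.15 metadata.google.internal. 169.254.169.254",
    "2024-01-10T12:00:03Z 10.0.1.22 assets.example.test. 169.254.169.254",
    "2024-01-10T12:00:04Z 10.0.1.22 alias.example.net. cname.example.net.",
]
```

The client in a hit is the workload to examine for a URL-injection weakness, which is the runtime context the text says decides whether the alert represents real risk.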
Read more about Metadata DNS Rebind detections in the Upwind Documentation Center.
Get DevOps-Grade Visibility into Your Upwind Runtime Sensor
We recently released a new capability – Upwind’s sensor collection metrics.
The Upwind eBPF sensor is lightweight, high-performance and easy to deploy and operate. With this new capability, you can receive even more visibility into your active sensor usage with real-time sensor metrics & data visualization, including CPU and node memory utilization.
The Upwind sensor provides a modern approach to cloud security, giving you complete visibility of your cloud resource activity at runtime and allowing you to detect and respond to threats in real time.
Use this capability to easily visualize your sensor usage, track sensor performance over time and ensure that all of your running sensors are healthy, running efficiently and utilizing the latest updates.
In recent weeks, Upwind’s research team dug into Argo CD. Our research revealed two batches of vulnerabilities, specifically critical security vulnerabilities in Argo CD, including Cross-Site Request Forgery (CSRF) impacting GET, POST, and PUT requests, and Remote Code Execution (RCE) capabilities. These vulnerabilities opened doors to unauthorized exposure and manipulation of sensitive data within Kubernetes […]
Evaluating Microsoft’s Cyber Hack
Russian state-sponsored threat actor Nobelium recently attacked Microsoft and compromised numerous accounts using a password-spray attack. This allowed them to access a test account and gain access to Microsoft corporate email accounts, including those of senior leaders. After gaining access, they were able to operate within Microsoft’s infrastructure for more than two months before being discovered.
This indicates a total unawareness of how infrastructure and applications are behaving at runtime, highlighting the importance of runtime data in cloud security.
Leveraging runtime data is the key to securing your cloud infrastructure and applications. With runtime insights, you can identify anomalous human and machine activities and suspicious behavior in real time and quickly take steps to block it, rather than finding out days – or in Microsoft’s case – months later.
Learn more about how Upwind provides protections and controls at runtime:
- continuous monitoring & visibility of cloud events
- real-time threat detection & response
- detailed root-cause analysis
Make 2024 your year of real-time cloud security.
Filter Your Network Topology in Real Time
We are excited to announce a new capability – custom runtime topology map views.
This allows you to view Upwind’s runtime topology map with predefined filters including riskiest resources and resources with active internet ingress.
We will be constantly adding new out-of-the-box views, and you can also create your own custom views with any combination of filters including filtering by:
- Cloud provider
- Cloud account
- Resource kind
- Risk Overview
In addition to using Upwind’s predefined filters, you can also use custom filter options including filtering by Internet resources, sensitive data, ports and more.
Use our custom views capability to quickly access real-time network topology insights and focus your searches on the relevant resources and resource behaviors. Perhaps most importantly, you can also use this capability to rapidly prioritize your most vulnerable resources and potential attack paths, helping your team improve time to remediation and heighten your overall security stance.