Product

Connect the Dots for Security Findings with Upwind’s Issue Stories

We are excited to announce the release of Upwind’s “Issue Stories” – a GenAI-based capability designed to address the challenge of connecting the dots between seemingly isolated security findings.

By providing a unified narrative that consolidates and contextualizes events Upwind has determined to be related, Issue Stories enhance the comprehensiveness of our existing Issue types (toxic combinations of threats, vulnerabilities, exposed secrets & posture misconfigurations).

Issue Stories act as incident summaries, consolidating detections, vulnerabilities, and SSH login activity. This unified perspective offers a deeper understanding of security events by detailing the sequence of events, their implications, and their impact within a single narrative. Attacks often begin with subtle reconnaissance actions that might be tagged as separate events. With Issue Stories, these events are contextualized as part of the full attack sequence, allowing for a clearer picture of how an incident unfolds. 

Issue Stories transform security investigations by addressing alert fatigue, providing context, and enabling timely responses. By consolidating relevant data points into a clear narrative, Issue Stories allow teams to focus on the bigger picture and prioritize threats more effectively. They detail the sequence of events, including vulnerabilities, detections, and login activity, giving a deeper understanding of the “why” behind an event. This comprehensive view streamlines investigations, allowing for faster and more efficient threat responses.

“Upwind Issue Stories has drastically reduced triage and investigation time by correlating runtime detections with audit logs and giving us end-to-end visibility. Understanding who did what, how, and when, at a single glance has been a major game-changer”

Dobromir Kosev, Security Engineer, Yotpo

Beneficial not only to security teams but also to developers and DevOps engineers, Issue Stories bridge the gaps between these domains, surfacing and contextualizing all relevant issues. This unified narrative enhances collaboration and strengthens the overall security posture.

To learn more about Upwind’s Issue Stories and risk prioritization, visit the Upwind Documentation Center (login required) or schedule a demo.

Product

Automatically Identify Abnormal Resource Behavior with Upwind’s Security Baselines

We are excited to announce a powerful new capability –  the ability to view behavioral baselines for resources in your cloud environment, which we refer to as “security baselines.” The Upwind Cloud Security Platform continuously monitors your application’s behavior over hours, days and weeks to build baseline models of normal and abnormal activity. This deep, […]

Product

Proactively Protect Your Kubernetes with Upwind’s Non-Human Identity Security

We recently announced the release of Upwind’s Identity Security, designed to provide real-time protection for human and non-human identities with a comprehensive Cloud Identity Entitlement Management (CIEM) offering. In this blog post, we will dive deeper into Upwind’s protection for non-human identities (NHI), which provide machine-to-machine access and authentication within your software environment and cloud […]

Product

Prioritize & Eliminate Critical Risks with Upwind

Upwind brings a new approach that redefines the speed, visibility and actionability of cloud security, cutting 95% of alert noise to help you focus on your most critical risks.

The Upwind Cloud Security Platform gives you the ability to:

  • Instantly identify critical risks
  • Get to root causes 10x faster
  • Stop attacks in real time

Accelerate productivity and empower your Dev, Security, and DevOps teams to innovate within a secure & efficient environment.

To learn more about the Upwind Cloud Security Platform, visit the Upwind Documentation Center (login required) or schedule a demo.

Product

Detect Malicious File Activities 

We are excited to announce a significant new capability in the Upwind Cloud Security Platform – threat detections for malicious file-based activity. Upwind’s threat detection and response capabilities have always allowed customers to detect and respond to threats in real time, powered by our innovative eBPF-based sensor. With this new capability, Upwind’s threat detection capabilities […]

Product

Top Ways Upwind Helps DevOps Engineers Monitor APIs & CI/CD

This is part two of a two-part blog series on how Upwind helps DevOps teams. You can read part 1 here. The Upwind Cloud Security Platform helps organizations accelerate productivity and empower their Dev, Security, and DevOps teams to innovate within a secure and efficient environment. In our last article on how Upwind helps DevOps […]

Product

Detect Suspicious Communication with a Public DNS Resolver 

We are excited to announce a new capability to detect unusual DNS resolver activity.

This detection notifies you of unusual behavior by a virtual machine or container in your cloud environment, which is communicating with a public DNS resolver that it hasn’t communicated with recently.

DNS Resolvers

Trusting your DNS resolvers is a critical part of your overall security hygiene, since the resolver is the component that maps host names to IP addresses for every workload that talks to the Internet.

Indicators of Compromise

Because DNS sits on this critical path, DNS resolution problems are a frequent cause of network outages. A misconfiguration on a single DNS server can cause widespread communication failures for every service that relies on it, and such failures are typically hard to pin down because teams often need to investigate each server individually.

DNS is also a focal point and frequent target for attacks because of its central role in Internet communication. Attackers can hijack resources and point them at a public DNS resolver of their choosing, in attempts to gain access to an environment or to steal data (for example by carrying commands or exfiltrated data inside DNS queries and responses).

Specifically, this detection fires when a virtual machine or container communicates with a public DNS resolver it has not communicated with recently. That deviates from the resource’s established baseline behavior within the environment and may indicate an attempt to use an alternative resolver to bypass network monitoring, exfiltrate data, or otherwise evade detection.

Upwind leverages runtime data to rapidly identify unusual DNS resolver communication and immediately alert you to suspicious activity. Read more about DNS resolver detections in the Upwind Documentation Center (login required).

Product

Detect Malicious Port Sweep Activities

We are excited to announce support for a new detection type – the identification of malicious port sweeps.

Port sweeps occur when compromised hosts or containers within your environment probe a single port on a large number of publicly routable IP addresses, or on a large number of internal IP addresses. Attackers use this activity to find vulnerable hosts or services to exploit.

Port sweeps are closely related to port scans: a port sweep looks for a specific port or ports across many hosts, while a port scan enumerates the open ports on one or more hosts. Attackers sometimes use a port sweep to narrow down the attack surface and then follow up with a port scan of the responding hosts to find a vulnerable service.

TCP Ports

TCP (and UDP) ports are numbered from 0 to 65535, with the well-known ports occupying 0 to 1023. Discovering that a well-known port is “open” tells an attacker that a service is listening there, which may be one that is vulnerable to attack or a listener that malware has already planted.

Commonly used ports include:

  • Port 20 (TCP): File Transfer Protocol (FTP) data channel (the control channel is port 21)
  • Port 22 (TCP): Secure Shell (SSH) for secure logins, SFTP file transfer, and port forwarding
  • Port 23 (TCP): Telnet, for unencrypted text sessions
  • Port 53 (UDP and TCP): Domain Name System (DNS), which translates host names into IP addresses
  • Port 80 (TCP): World Wide Web HTTP

Indicators of Compromise

Potentially malicious port sweeps are detected through their suspicious access patterns: repeated attempts to connect to a port on a large number of publicly routable IP addresses over a short period of time, or connections from a resource to a port or ports on a large number of internal IP addresses over a short period of time. A port sweep aims to locate open ports in order to discover which services each machine runs and to fingerprint its operating system, which in turn tells the attacker which vulnerabilities to try.

Internally-based port sweeps resemble port scan attacks, but rather than running an external scanner against your perimeter, the attacker uses already compromised internal resources to sweep the internal network, with the same goal of identifying vulnerable hosts.
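The access pattern described above can be expressed as a sliding-window count of distinct destinations per (source, destination port) pair. The block below is an added illustration of that logic over constructed connection records; it is not Upwind’s sensor code, and the record layout, the 60-second window, the 20-target threshold and the RFC 1918-only notion of “internal” are assumptions made for the example.

```python
"""Port-sweep detection over connection records: one source touching one
destination port on many distinct hosts inside a short window.
Added example; the record shape and thresholds are assumptions, not Upwind's."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, NamedTuple


class Conn(NamedTuple):
    ts: datetime
    src: str     # IP of the VM/container that opened the connection
    dst: str     # destination IP
    dport: int   # destination port


class Finding(NamedTuple):
    src: str
    dport: int
    scope: str             # "internal" or "public" address space swept
    distinct_targets: int  # peak number of distinct destinations in one window


# Assumed thresholds for this example; a real sensor tunes them per environment.
WINDOW = timedelta(seconds=60)
MIN_TARGETS = 20

# RFC 1918 only; a production check would also include the VPC/VNet CIDRs.
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL)


def detect_port_sweeps(conns: Iterable[Conn], window: timedelta = WINDOW,
                       min_targets: int = MIN_TARGETS) -> List[Finding]:
    """Group connections by (source, destination port), split targets into
    internal and public space, and report the pair if any window of length
    `window` contains at least `min_targets` distinct destinations."""
    by_key = defaultdict(list)
    for c in sorted(conns, key=lambda c: c.ts):
        by_key[(c.src, c.dport)].append(c)

    findings = []
    for (src, dport), events in by_key.items():
        for scope in ("internal", "public"):
            evs = [e for e in events if is_internal(e.dst) == (scope == "internal")]
            peak = 0
            for i, start in enumerate(evs):  # every event starts a candidate window
                targets = {e.dst for e in evs[i:] if e.ts - start.ts <= window}
                peak = max(peak, len(targets))
            if peak >= min_targets:
                findings.append(Finding(src, dport, scope, peak))
    return sorted(findings)


def sample_connections() -> List[Conn]:
    """Constructed records for the example, not real telemetry."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    conns = []
    # Compromised host sweeping SSH across an internal /24 in 20 seconds.
    conns += [Conn(base + timedelta(seconds=i * 0.5), "10.0.1.5", f"10.0.2.{i + 1}", 22)
              for i in range(40)]
    # Same host sweeping SMB across 30 public addresses in 30 seconds.
    conns += [Conn(base + timedelta(minutes=5, seconds=i), "10.0.1.5", f"203.0.113.{i + 1}", 445)
              for i in range(30)]
    # Benign: an app server talking to its single database many times.
    conns += [Conn(base + timedelta(seconds=i), "10.0.1.7", "10.0.3.10", 5432) for i in range(50)]
    # Slow probe: 25 public hosts, one per minute, never 20 inside a 60 s window.
    conns += [Conn(base + timedelta(minutes=i), "10.0.1.9", f"203.0.113.{100 + i}", 22)
              for i in range(25)]
    return conns


def run_sample() -> List[Finding]:
    return detect_port_sweeps(sample_connections())


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.src} swept port {f.dport} on {f.distinct_targets} {f.scope} hosts")
```

Running it reports the two sweeps by 10.0.1.5 and stays quiet for the database client. The slow one-host-per-minute probe from 10.0.1.9 is deliberately missed: it shows why a fixed short window is only a starting point, and why a sensor that also learns per-resource baselines (as the page describes) can catch a low-and-slow sweep that a threshold alone would not.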

A port sweep can provide useful information about a network environment, including: 

  • Existing network defenses, such as firewalls
  • Running applications
  • Machines that are online
  • Information about the targeted system
  • Information about vulnerable networks and servers

Attackers can then use this information to conduct an attack on a virtual machine or container.

Upwind leverages runtime data and machine learning to rapidly identify unusual port sweeps and immediately alert you to suspicious activity. Read more about port sweep detections in the Upwind Documentation Center (login required).

Product

Detect Unusual DoT Communications

We are excited to announce a new detection type, identifying unusual DoT activity.

This detection notifies you of unusual DNS over TLS (Transport Layer Security) communication, often referred to as DoT, which could indicate attempts to blend malicious communications with regular encrypted web traffic to evade detection.

DNS over TLS (DoT) 

DNS is a crucial part of Internet infrastructure: through a process called DNS resolution it maps host names to IP addresses, letting users reach websites by user-friendly names rather than remembering the IP address of each site.

Classic DNS is a plaintext protocol (UDP or TCP port 53) whose traffic can easily be intercepted and read on the path. To remove that exposure, DNS queries need to be carried over an encrypted transport such as TLS (DNS over TLS, DoT) or HTTPS (DNS over HTTPS, DoH).

TLS is the widely used protocol that keeps Internet communications confidential and tamper-evident. With DNS over TLS (DoT) the client sends its DNS queries over a TLS session, by convention to TCP port 853, so the names it looks up and the answers it receives are not readable by anyone who intercepts the traffic, a needed safeguard against eavesdropping and tampering.

This is why DoT has become a popular method of safeguarding DNS communications.

Indicators of Compromise 

While DoT protects DNS traffic from eavesdroppers, attackers can use it too: encrypted DNS hides the names a workload resolves from network monitoring, and it carries attacker traffic just as well as plaintext DNS does. Upwind detects when a host or container in your cloud environment engages in DoT communication that deviates from its established baseline behavior, which may indicate a “Command and Control” or “Defense Evasion” attempt over an encrypted channel. Such unusual communication could be an attacker’s way to control your system remotely, exfiltrate data, or deliver further payloads while blending in with regular encrypted traffic.

Upwind leverages runtime data to rapidly identify unusual DNS over TLS (DoT) communication and immediately alert you to suspicious activity. Read more about DNS over TLS (DoT) detections in the Upwind Documentation Center.
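Both this detection and the public DNS resolver detection described in the “Detect Suspicious Communication with a Public DNS Resolver” post above are baseline deviations: learn which DNS and DoT peers each resource has talked to recently, then alert on a peer outside that set. The block below is an added example of that logic over constructed flow records; it is not Upwind’s code, and the flow layout, the seven-day lookback, the alert names and the RFC 1918-only notion of “internal” are assumptions made for the example.

```python
"""Baseline-deviation detection for plaintext DNS (53) and DNS over TLS (853/tcp).
Added example; the flow shape, lookback and alert names are assumptions, not Upwind's."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    ts: datetime
    resource: str   # workload identity (pod, container or instance name)
    dst: str        # peer IP
    dport: int
    proto: str      # "udp" or "tcp"


class Alert(NamedTuple):
    resource: str
    kind: str       # which part of the baseline the flow deviated from
    dst: str


# RFC 1918 only; a production check would also include the VPC/VNet CIDRs.
_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _INTERNAL)


def channel(f: Flow) -> Optional[str]:
    """Classify a flow as classic DNS (53/udp or 53/tcp), DoT (853/tcp) or neither."""
    if f.dport == 53:
        return "dns"
    if f.dport == 853 and f.proto == "tcp":
        return "dot"
    return None


def build_baseline(flows: Iterable[Flow], now: datetime,
                   lookback: timedelta = timedelta(days=7)) -> Dict[str, Dict[str, Set[str]]]:
    """Per resource and channel, the set of peers seen inside the lookback window."""
    baseline: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        ch = channel(f)
        if ch and now - lookback <= f.ts < now:
            baseline[f.resource][ch].add(f.dst)
    return baseline


def evaluate(flows: Iterable[Flow], baseline: Dict[str, Dict[str, Set[str]]]) -> List[Alert]:
    """Alert on a public DNS resolver or a DoT peer the resource has not used recently."""
    alerts: Set[Alert] = set()   # set: one alert per (resource, kind, peer)
    for f in flows:
        ch = channel(f)
        if ch is None:
            continue
        known = baseline.get(f.resource, {}).get(ch, set())
        if f.dst in known:
            continue                      # matches the resource's recent behaviour
        if ch == "dns" and not is_internal(f.dst):
            alerts.add(Alert(f.resource, "new_public_dns_resolver", f.dst))
        elif ch == "dot":
            kind = "new_dot_peer" if known else "first_dot_use"
            alerts.add(Alert(f.resource, kind, f.dst))
    return sorted(alerts)


NOW = datetime(2024, 1, 8, 12, 0)


def sample_flows():
    """Constructed records for the example, not real telemetry."""
    learning = []
    for day in range(2, 8):   # Jan 2 .. Jan 7: learning period
        t = datetime(2024, 1, day, 9, 0)
        learning.append(Flow(t, "api-7f9c", "10.0.0.2", 53, "udp"))   # VPC resolver
        learning.append(Flow(t, "worker-3", "10.0.0.2", 53, "udp"))
        learning.append(Flow(t, "legacy-vm", "8.8.8.8", 53, "udp"))   # always used a public resolver
    t = datetime(2024, 1, 8, 9, 0)
    today = [
        Flow(t, "api-7f9c", "10.0.0.2", 53, "udp"),        # normal
        Flow(t, "api-7f9c", "8.8.8.8", 53, "udp"),         # resolver never used before -> alert
        Flow(t, "legacy-vm", "8.8.8.8", 53, "udp"),        # in its baseline -> no alert
        Flow(t, "worker-3", "1.1.1.1", 853, "tcp"),        # never used DoT -> alert
        Flow(t, "worker-3", "1.1.1.1", 853, "tcp"),        # repeat, deduplicated
        Flow(t, "api-7f9c", "203.0.113.9", 443, "tcp"),    # HTTPS, not a DNS channel
    ]
    return learning, today


def run_sample() -> List[Alert]:
    learning, today = sample_flows()
    return evaluate(today, build_baseline(learning, NOW))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.resource}: {a.kind} -> {a.dst}")
```

Note that legacy-vm is not flagged even though it uses a public resolver: the detection is about deviation from what that resource normally does, not about public resolvers being bad in themselves. A switch to a new internal resolver is also ignored here, matching the page’s focus on public resolvers; a production rule would treat port-853 traffic to a peer that is not a known DoT resolver with more suspicion than the same traffic to one that is.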

Product

Top Ways Upwind Gives DevOps Engineers Network & Infrastructure Visibility

This is part one of a two-part blog series on how Upwind helps DevOps teams. You can read part 2 here. Upwind’s Cloud Security Platform provides customers with end-to-end visibility into their environment – continually performing DevOps-grade deep assessments of your infrastructure & configuration, discovering everything you run and keeping this inventory up-to-date.  We systemically […]
