RSS for Slack
All Posts

Streamline Container Runtime Security with CRI-O Support

We are excited to announce support for CRI-O (Container Runtime Interface – Orchestrator).

CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) to enable using Open Container Initiative (OCI) compatible runtimes, making integration between Kubernetes and container runtimes lightweight & seamless.

Upwind’s CNAPP will now support CRI-O users, in addition to our existing support of other container runtimes such as Containerd and Docker.

This new capability allows you to receive runtime insights and protections for CRI-O Kubernetes environments including:

Using this new capability from Upwind to receive runtime protections and insights for Kubernetes environments with CRI-O runtimes and strengthen your overall infrastructure security. 

Read More

Ensure Seamless Hybrid-Cloud Security with Support for OpenShift Container Platform 

We are excited to introduce support for Red Hat OpenShift in the Cloud or On-Premises.

Runtime Security for Red Hat OpenShift 

Red Hat OpenShift Container Platform is a hybrid-cloud PaaS built around Linux containers, orchestrated and managed by Kubernetes with a Red Hat Enterprise Linux foundation.

With this new capability, you can now seamlessly protect Red Hat OpenShift with Upwind, on AWS, Azure, GCP, Oracle Cloud, or even On-premise (following our existing BYOC support for on-prem data centers and hybrid-cloud environments).

CWPP For Red Hat OpenShift

Upwind’s support for OpenShift unlocks the opportunity to achieve real-time security at runtime for your OpenShift containerized environment. These capabilities include finding misconfigurations, scanning for software and package vulnerabilities, and conducting a deep assessment of your network topology for threat detection, workload process security, malware protection, and anomaly detection.

Read More

Streamline Auditing and Secure Your Infrastructure with Upwind’s SSH Session Monitoring 

We are excited to announce the release of a significant new capability – SSH session monitoring.  In the dynamic landscape of remote system management, Secure Shell (SSH) serves as a pivotal tool, providing seamless access and control. However, this convenience also presents a Pandora’s box of potential security risks when SSH sessions go unmonitored. SSH, […]


Pinpoint Vulnerability Origins With Complete Visibility into Container Image Layers

We are excited to release an important new capability – container image layer visibility.

A Docker build consists of a series of ordered build instructions. A layer, or image layer, is a change in an image, or an intermediate image. Every command specified (FROM, RUN, COPY, etc.) in a Dockerfile causes the previous image to change, thus creating a new layer.

This new capability provides a detailed breakdown of each container image by:

  • Highlighting specific image layers
  • Identifying image changes between layers
  • Pinpointing the introduction layer for every package

Understanding and tracking container image layers is crucial for identifying when and where vulnerabilities were first introduced and can also be used to discover package drifts related to packages installed outside the base image layer.

In addition to layer visibility and the ability to pinpoint vulnerabilities origins, you can also use this capability for:

1. Streamlined scans of large images, leveraging our ability to break the scan per layer

2. More efficient scans that only scan the last layer

3. Faster and easier scanning for your organization

Use this capability for increased transparency into your running container images, helping you rapidly identify and track how image layers introduce or resolve vulnerabilities and how this impacts your overall cloud security.

Read More

Evaluate Your Vulnerability Resolution Over Time

We are excited to announce a new section in the Upwind Platform – the Vulnerability Dashboard. 

The Vulnerability Dashboard will give you the ability to see both an overview of your current critical vulnerabilities and the state of your vulnerabilities over time. 

Get an instant overview of your current vulnerabilities, including:

  • the most critical vulnerabilities that should be prioritized for remediation 
  • the amount of vulnerabilities by severity
  • the number of CVEs and severities for Kubernetes workloads, scaling groups, and hosts. 
  • top container images with the highest number of critical CVEs.

The Vulnerability Dashboard will also give you high-level insights into your vulnerability management over time, including: 

  • how your environment was exposed over a period of time 
  • how many new vulnerabilities were introduced versus how many were resolved 
  • the number of CVEs count and severities for each workload type over a period of time

Use Upwind’s Vulnerability Dashboard to easily get a high-level overview of the state of your vulnerabilities, and use this feature to evaluate and track your organization’s progress with vulnerability remediation over time. 

Read More

Detect Suspicious Cloud Instance Metadata Activities

We’re excited to release  a new detection type, allowing you to detect advanced metadata DNS rebind activities in real time.

A metadata DNS rebind detection alerts you that a virtual machine or a container is querying a domain that resolves to the metadata service IP address ( 

What is Cloud Instance Metadata Service (IMDS)?

When cloud instances/containers in AWS, Microsoft Azure or Google Cloud require access to data about itself or the cloud environment, it can query its Instance Metadata Service (IMDS) that typically listens to the IPv4 address of as well as, in the case of AWS, the IPv6 address of fd00:ec2::254

Using IMDS, machines can discover things like the region and availability zone they run in, the subnet the instance/VM is a part of, the image used to launch the system and the security groups used to control network access to the system.

There are some more sensitive items that can be retrieved as well, like:

  • User-data (startup/boot script) passed to the system at boot time (could contain secrets)
  • IAM role credentials (could allow access to the greater AWS cloud account)
  • Managed identity credentials (could allow access to the Azure account)
  • Service account tokens (allowing access to the Google Cloud account)

Indicators of Metadata Compromise

When a metadata DNS rebind is detected, it can indicate compromise or that a malicious action is being attempted. For example, it could signify that an attacker is attempting to carry out a DNS rebinding to obtain instance or user metadata from a virtual machine, such as its IAM credentials, and use them to do anything that the virtual machine or the application is permitted to do.

In a DNS rebind attack, a malicious entity tricks an application running on a virtual machine to load return data from a URL, getting the domain name in the URL to resolve to the virtual machine metadata IP address ( In doing so, the application accesses the virtual machine and can make its instance and user metadata available to the attacker.

It’s worth noting that a DNS rebind attack can only successfully access virtual machine metadata if the virtual machine is running a vulnerable application that will allow for the injection of URLs, or if a user accesses the URL in a web browser that is running on the virtual machine. Upwind leverages runtime context to determine real risk and immediately identify if your applications are vulnerable and if a DNS rebind attack poses a true risk to your organization.

Read more about Metadata DNS Rebind detections in the Upwind Documentation Center.

Read More

Get DevOps-Grade Visibility into Your Upwind Runtime Sensor

We recently released a new capability – Upwind’s sensor collection metrics.

The Upwind eBPF-sensor is lightweight, high performance and easy to deploy and operate. With this new capability, you can receive even more visibility into your active sensor usage with real-time sensor metrics & data visualization, including CPU and node memory utilization.

The Upwind sensor provides a modern approach to cloud security, giving you complete visibility of your cloud resource activity at runtime and allowing you to detect and respond to threats in real time. 

Use this capability to easily visualize your sensor usage, track sensor performance over time and ensure that all of your running sensors are healthy, running efficiently and utilizing the latest updates.

Read More

Filter Your Network Topology in Real Time

We are excited to announce a new capability – custom runtime topology map views.

This allows you to view Upwind’s runtime topology map with predefined filters including riskiest resources and resources with active internet ingress.

We will be constantly adding new out-of-the-box views, and you can also create your own custom views with any combination of filters including filtering by:

  • Cloud provider
  • Cloud account
  • Resource kind
  • Resources
  • Risk Overview
  • Tags
  • Labels

In addition to using Upwind’s predefined filters, you can also use custom filter options including filtering by Internet resources, sensitive data, ports and more. 

Use our custom views capability to quickly access real-time network topology insights and focus your searches on the relevant resources and resource behaviors. Perhaps most importantly, you can also use this capability to rapidly prioritize your most vulnerable resources and potential attack paths, helping your team improve time to remediation and heighten your overall security stance.

Read More

Visualize Internet Exposure Paths in Real-Time

We are excited to announce a new capability – real-time Internet exposure path visualization.

This new capability visualizes exposure paths from the Internet for AWS resources, showing you the entire exposure path through Internet gateways, routing tables, security groups and load balancers. This gives you the ability to identify attack paths and better prioritize vulnerabilities to avoid exploitation.

Use this capability to increase your understanding of exposure paths to the Internet, rapidly identify potential attack paths and proactively strengthen your cloud security.

Read More

Understand Your Network Patterns with Throughput Over Time

We are excited to introduce a new metric, allowing you to get visibility into your incoming and outgoing throughput over time for the last 7 days.

This new capability gives you even more network visibility and allows you to easily and quickly understand real-time network patterns and over-time patterns.

This information can be viewed through connections insights, easily accessible from within Upwind’s real-time topology map.

Use this capability to view network patterns, investigate security and production incidents in seconds and better understand throughput and resource behavior over time.

Read More

Add the Upwind
RSS Feed to Slack

Connect the Upwind RSS Feed to your Slack.
Follow the how-to here.