Company News

Upwind Achieves AWS Security Competency Status

June 10, 2024 – Upwind announced today that it has achieved Amazon Web Services (AWS) Security Competency status. This designation recognizes that Upwind has successfully met AWS’s requirements for providing cyber security capabilities to AWS customers. The AWS Security Competency directly aligns common customer use cases to AWS Partner capabilities, accelerating positive security outcomes. The AWS […]

Product

Automatically Identify Abnormal Resource Behavior with Upwind’s Security Baselines

We are excited to announce a powerful new capability – the ability to view behavioral baselines for resources in your cloud environment, which we refer to as “security baselines.” The Upwind Cloud Security Platform continuously monitors your application’s behavior over hours, days and weeks to build baseline models of normal and abnormal activity. This deep, […]

Product

Proactively Protect Your Kubernetes with Upwind’s Non-Human Identity Security

We recently announced the release of Upwind’s Identity Security, designed to provide real-time protection for human and non-human identities with a comprehensive Cloud Identity Entitlement Management (CIEM) offering. In this blog post, we will dive deeper into Upwind’s protection for non-human identities (NHI), which provide machine-to-machine access and authentication within your software environment and cloud […]

Product

Prioritize & Eliminate Critical Risks with Upwind

Upwind brings a new approach that redefines the speed, visibility and actionability of cloud security, cutting 95% of alert noise to help you focus on your most critical risks.

The Upwind Cloud Security Platform gives you the ability to:

  • Instantly identify critical risks
  • Get to root causes 10x faster
  • Stop attacks in real time

Accelerate productivity and empower your Dev, Security, and DevOps teams to innovate within a secure & efficient environment.

To learn more about the Upwind Cloud Security Platform, visit the Upwind Documentation Center (login required) or schedule a demo.

Product

Detect Malicious File Activities

We are excited to announce a significant new capability in the Upwind Cloud Security Platform – threat detections for malicious file-based activity. Upwind’s threat detection and response capabilities have always allowed customers to detect and respond to threats in real time, powered by our innovative eBPF-based sensor. With this new capability, Upwind’s threat detection capabilities […]

White Paper

Leveraging eBPF for DevSecOps

eBPF is a revolutionary technology, originating from the Linux kernel. It is used to safely and efficiently extend the capabilities of the kernel without changing the kernel source code or loading kernel modules/extensions. Today, eBPF is used extensively to: […] eBPF-Enriched Context: eBPF is the base data layer that is needed in runtime cloud security. […]

Product

Detect Suspicious Communication with a Public DNS Resolver

We are excited to announce a new capability to detect unusual DNS resolver activity.

This detection notifies you of unusual behavior by a virtual machine or container in your cloud environment, which is communicating with a public DNS resolver that it hasn’t communicated with recently.

DNS Resolvers

Trusting your DNS resolvers is a critical part of your overall security hygiene, since the resolver is the component that maps host names to IP addresses for hosts connected to the Internet.

Indicators of Compromise

Because of its central role, DNS resolution issues are often the cause of network outages. A misconfiguration in a single DNS server can cause widespread communication failures for every service that depends on it, and such failures are typically hard to pin down because teams often need to investigate each server individually to find the problem.

DNS is also a focal point and frequent target for many attacks, due to its important role in Internet communication. Attackers can hijack resources and cause them to communicate with a public DNS resolver in an attempt to gain access to an environment or steal data.

A virtual machine or container that starts communicating with a public DNS resolver it hasn’t communicated with recently is suspicious because it deviates from the established baseline behavior of the resource within the environment. It may indicate an attempt to use an alternative DNS resolver to bypass network monitoring, exfiltrate data, or carry out other malicious activity aimed at evading detection.

Upwind leverages runtime data to rapidly identify unusual DNS resolver communication and immediately alert you to suspicious activity. Read more about DNS resolver detections in the Upwind Documentation Center (login required).
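The baseline-deviation logic the post describes, as an added example that is not Upwind’s code: each DNS flow (destination port 53) to a public resolver is compared against the last time the same resource used that resolver, and a flow is flagged when the resource has never used it or has not used it within the baseline window. The connection records, the 7-day window and the training cut-off are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed sample records (not real telemetry). Each is one outbound
# connection seen by a sensor: (ISO timestamp, resource, dst_ip, dst_port).
RECORDS = [
    ("2024-05-20T12:00:00", "batch-7", "1.1.1.1", 53),   # last used 20 days ago
    ("2024-06-01T10:00:00", "web-1",   "10.0.0.2", 53),  # VPC-internal resolver
    ("2024-06-01T10:05:00", "batch-7", "8.8.8.8", 53),   # batch-7 uses 8.8.8.8 routinely
    ("2024-06-04T08:00:00", "batch-7", "8.8.8.8", 53),
    ("2024-06-09T23:41:00", "web-1",   "8.8.8.8", 53),   # web-1 never used a public resolver
    ("2024-06-09T23:42:00", "web-1",   "8.8.8.8", 443),  # not DNS, ignored
    ("2024-06-09T23:43:00", "batch-7", "9.9.9.9", 53),   # brand-new resolver for batch-7
    ("2024-06-09T23:44:00", "batch-7", "8.8.8.8", 53),   # within baseline, no alert
    ("2024-06-09T23:45:00", "batch-7", "1.1.1.1", 53),   # last seen > 7 days ago
]

def is_public_resolver(ip: str) -> bool:
    # Anything outside private, loopback and link-local space counts as public.
    addr = ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def detect_new_public_resolvers(records, alert_from, window_days=7):
    """Return (resource, resolver, timestamp) for every DNS flow to a public
    resolver that the resource has not used within `window_days`.
    Records before `alert_from` only build the baseline (learning period)."""
    start = datetime.fromisoformat(alert_from)
    last_seen = {}  # (resource, resolver) -> datetime of the last DNS flow
    findings = []
    for ts, resource, dst, port in sorted(records):
        if port != 53 or not is_public_resolver(dst):
            continue
        t = datetime.fromisoformat(ts)
        key = (resource, dst)
        prev = last_seen.get(key)
        if t >= start and (prev is None or t - prev > timedelta(days=window_days)):
            findings.append((resource, dst, ts))
        last_seen[key] = t
    return findings

if __name__ == "__main__":
    for f in detect_new_public_resolvers(RECORDS, "2024-06-08T00:00:00"):
        print("unusual public DNS resolver:", f)
```

Resolvers contacted by the resource during the learning period are treated as baseline, so the first record of a genuinely new resource would still alert until its own history accumulates.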

Product

Detect Suspicious Port Scanning Activities

We are excited to announce support for a new detection type: identification of malicious port scans.

Port scanners are applications that probe a host or server to find open ports, or “weak points,” in your network. Malicious actors use them to identify the network or security services running on a host and to find vulnerabilities to exploit.

Port Scanning

TCP and UDP port numbers range from 0 to 65535, with the standard (well-known) ports occupying numbers 0 to 1023. A standard port that is left open unnecessarily can indicate a vulnerable or compromised host.

Commonly used ports include:

  • Port 20 (UDP): File Transfer Protocol (FTP) for data transfer
  • Port 22 (TCP): Secure Shell (SSH) protocol for secure logins, file transfer, and port forwarding
  • Port 23 (TCP): Telnet protocol for unencrypted text communications
  • Port 53 (UDP): Domain Name System (DNS), which translates Internet host names to IP addresses
  • Port 80 (TCP): World Wide Web HTTP

Port scans are not always malicious – they also occur when security services are deployed on virtual machines in your environment, because those services conduct port scans to alert you to potentially misconfigured ports that have been left open.

Indicators of Compromise

Potentially malicious port scans are detected through their suspicious access patterns – including repeated attempts by a single source to connect to many ports on a resource or host over a short period of time. A port scan attack aims to locate open ports in order to discover which services the machine is running and to identify its operating system, which in turn tells the attacker which vulnerabilities to try to exploit.

A port scan can provide useful information about a network environment, including:

  • Existing network defenses, such as firewalls
  • Running applications
  • Machines that are online
  • Information about the targeted system
  • Information about vulnerable networks and servers

Attackers can then use this information to conduct an attack on a virtual machine.

Port Scan Attack Methods

In a port scanning attack, attackers generally do one of the following:

  1. Leverage a resource to perform outbound port scans to a remote host
  2. Use a remote host to port scan a resource
  3. Use an internal source to port scan a resource
  4. Leverage a remote host using UDP to port scan a resource

Upwind leverages runtime data to rapidly identify unusual port scanning and immediately alert you to suspicious activity. Read more about port scanning detections in the Upwind Documentation Center.
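The access pattern described under “Indicators of Compromise” and the directions listed under “Port Scan Attack Methods,” as an added example that is not Upwind’s code: a sliding window counts the distinct destination ports one source touches on one destination, an alert fires once the count crosses a threshold, the direction is labelled from a constructed internal prefix, and sources on an allowlist (the deployed security scanner the post mentions) are ignored. The connection attempts, the 10-second window, the 10-port threshold and the 10.0.0.0/8 “internal” prefix are all constructed assumptions.

```python
from collections import defaultdict, deque

INTERNAL_PREFIXES = ("10.",)  # constructed: addresses of our own cloud resources

# Constructed sample connection attempts (not real telemetry):
# (seconds, src_ip, dst_ip, dst_port, proto)
ATTEMPTS = [
    # remote host probing resource 10.0.1.5: 12 ports in under 4 seconds (method 2)
    *[(100 + i * 0.3, "203.0.113.9", "10.0.1.5", 20 + i, "tcp") for i in range(12)],
    # resource 10.0.1.7 scanning a remote host over UDP, one port every 30 s (method 1)
    *[(200 + i * 30, "10.0.1.7", "198.51.100.4", 5000 + i, "udp") for i in range(12)],
    # normal traffic: a client repeatedly using ports 80 and 443 only
    *[(300 + i, "10.0.2.2", "10.0.1.5", 80 if i % 2 else 443, "tcp") for i in range(20)],
    # the deployed vulnerability scanner sweeping ports (benign, allowlisted)
    *[(400 + i * 0.1, "10.0.0.50", "10.0.1.5", 1 + i, "tcp") for i in range(40)],
]

def detect_port_scans(attempts, window=10.0, min_ports=10, allowlist=frozenset()):
    """Alert once per (src, dst, proto) when src touches >= min_ports distinct
    destination ports on dst within `window` seconds. Returns a list of alerts."""
    recent = defaultdict(deque)  # (src, dst, proto) -> deque of (time, port)
    alerted, alerts = set(), []
    for t, src, dst, port, proto in sorted(attempts):
        if src in allowlist:
            continue
        key = (src, dst, proto)
        q = recent[key]
        q.append((t, port))
        while q and t - q[0][0] > window:  # drop attempts older than the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= min_ports and key not in alerted:
            alerted.add(key)
            direction = "outbound" if src.startswith(INTERNAL_PREFIXES) else "inbound"
            alerts.append({"src": src, "dst": dst, "proto": proto,
                           "direction": direction, "ports": len(distinct), "at": t})
    return alerts

if __name__ == "__main__":
    for a in detect_port_scans(ATTEMPTS, allowlist={"10.0.0.50"}):
        print(f'{a["direction"]} {a["proto"]} scan {a["src"]} -> {a["dst"]} ({a["ports"]} ports)')
```

With the 10-second window only the fast inbound scan is caught; the slow outbound UDP scan (one port every 30 seconds) only shows up when the window is widened, which is the trade-off to tune against noisy but legitimate clients.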

Product

Detect Exposed Kubernetes Dashboards

We are excited to announce a new threat detection, with the ability to identify an exposed Kubernetes Dashboard.

This threat detection will inform you when the Kubernetes dashboard for your cluster is exposed to the internet by a Load Balancer. Exposing your dashboard to the internet makes the management interface of your cluster vulnerable to attack. This creates an opportunity for adversaries to exploit weaknesses in authentication and access control, compromising the security of your system.

What is the Kubernetes Dashboard?

The Kubernetes Dashboard is a web-based Kubernetes user interface (UI) that is used to manage a Kubernetes system, allowing you to run commands on pods within the dashboard and deploy access keys to your clusters.

The Kubernetes Dashboard has a number of uses, including:

  • Deploying containerized applications to the Kubernetes cluster
  • Troubleshooting your containerized application
  • Managing cluster resources
  • Getting an overview of applications running on the cluster
  • Creating or modifying Kubernetes resources such as DaemonSets or Deployments

The Kubernetes Dashboard also gives you information on the state of Kubernetes resources in your cluster and notifies you of any potential errors.

Indicators of Compromise

While the Kubernetes Dashboard gives you extensive capabilities for managing Kubernetes, it can also be a launchpad for attacks if there are misconfigurations or excessive/loose permissions. A Load Balancer can expose your Kubernetes Dashboard to the Internet if not properly configured, ultimately making the management interface of your cluster vulnerable. This can also create an opportunity for attackers to exploit any weaknesses in authentication and access control, such as overly permissive RBAC, which can potentially compromise the security of your system.

Use Upwind’s Exposed Kubernetes Dashboard Detection to identify any exposures of your Kubernetes Dashboard and proactively remediate exposures or open attack paths. For more information on the Exposed Kubernetes Dashboard detection, please visit the Upwind Documentation Center (login required).
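A configuration-side check for the condition this detection flags, as an added example that is not Upwind’s code: it walks the output of `kubectl get svc -A -o json` and reports dashboard Services of type LoadBalancer whose load balancer has already been provisioned. The Service list is constructed sample data, and the dashboard is recognised by the `k8s-app: kubernetes-dashboard` label or a Service named `kubernetes-dashboard`, which is an assumption about how the dashboard was deployed.

```python
import json

# Constructed sample in the shape of `kubectl get svc -A -o json` (not real cluster output).
SERVICES_JSON = json.dumps({"items": [
    {"metadata": {"name": "kubernetes-dashboard", "namespace": "kubernetes-dashboard",
                  "labels": {"k8s-app": "kubernetes-dashboard"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 443}]},
     "status": {"loadBalancer": {"ingress": [{"hostname": "a1b2.elb.example.com"}]}}},
    {"metadata": {"name": "dashboard-metrics-scraper", "namespace": "kubernetes-dashboard",
                  "labels": {"k8s-app": "dashboard-metrics-scraper"}},
     "spec": {"type": "ClusterIP", "ports": [{"port": 8000}]},
     "status": {"loadBalancer": {}}},
    {"metadata": {"name": "web", "namespace": "prod", "labels": {"app": "web"}},
     "spec": {"type": "LoadBalancer", "ports": [{"port": 80}]},
     "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
]})

def looks_like_dashboard(svc):
    # Assumption: the upstream dashboard manifests label the Service k8s-app=kubernetes-dashboard.
    meta = svc["metadata"]
    labels = meta.get("labels") or {}
    return labels.get("k8s-app") == "kubernetes-dashboard" or meta["name"] == "kubernetes-dashboard"

def find_exposed_dashboards(services_json):
    """Return (namespace/name, [endpoints]) for every dashboard Service published
    through a LoadBalancer that the cloud provider has already provisioned."""
    exposed = []
    for svc in json.loads(services_json)["items"]:
        if not looks_like_dashboard(svc) or svc["spec"].get("type") != "LoadBalancer":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        endpoints = [i.get("hostname") or i.get("ip") for i in ingress]
        meta = svc["metadata"]
        exposed.append((f'{meta["namespace"]}/{meta["name"]}', endpoints))
    return exposed

if __name__ == "__main__":
    for name, endpoints in find_exposed_dashboards(SERVICES_JSON):
        print(f"exposed dashboard: {name} reachable at {endpoints}")
```

A cloud-specific internal-load-balancer annotation would still be reported by this check, so confirm the endpoint's reachability from outside the VPC before treating a finding as internet exposure.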

Product

Master Risk Prioritization by Leveraging Insights into Runtime Facts & Critical Cloud Misconfigurations

In today’s increasingly cloud-centric business landscape, securing your cloud environment is crucial. The growth and dynamic nature of attack surfaces often make it difficult for security teams to identify and address their most critical risks, resulting in a lack of clear prioritization and delaying remediation. Upwind’s Cloud Security Platform actively addresses this challenge by leveraging […]
