What is Runtime Security?
Traditional security technology and controls, such as static scans, can’t keep applications, containers, and servers protected from dynamic cyberattacks. Organizations should implement runtime security for continuous monitoring, threat detection, and protection of running processes.
Runtime security definition
Runtime security is the technology that provides protection to running processes, wherever they are executed. Runtime security is a vital component in cybersecurity — especially in the cloud — protecting your applications, infrastructure, data, and users from malicious code and exploits.
Runtime security provides protection to running processes, rather than scanning static files. Runtime security technologies can protect processes running in containers, as serverless functions, in virtual machines (VM), and those running on a local machine.
This provides end-to-end protection of applications during execution, which ensures that running processes cannot harbor cybersecurity threats that are not detectable through other threat scanning methods.
Why is runtime security important?
Runtime security is vital to securing and maintaining applications in native-cloud environments. Malicious code and other cyberattacks can be used to exploit cloud resources for free computing power, access to expensive APIs, and to sabotage business operations. Attackers can also turn your infrastructure into an attack vector against others as part of a botnet or for other illicit purposes.
One of the biggest concerns for businesses is the potential for an attacker to exploit a running process to access and subsequently leak sensitive data. If leaked data includes personally identifiable information (PII), this can lead to reputational damage as well as legal repercussions through privacy laws such as GDPR and CCPA.
The always-online nature, as well as the complexity and scale of cloud infrastructure, makes visibility difficult for security teams. Runtime security in cloud native environments must address this issue directly with a full spectrum of monitoring and logging tools. It should also provide the ability to configure alerts so that the right people are notified, ensuring that important alerts indicating an attack in progress are not overlooked.
Traditional security measures like statically scanning code help keep an application protected from misconfigurations and known vulnerabilities, but attackers increasingly target live environments. From zero-day attacks to privilege escalation, threat actors use dynamic attacks that static scanning can’t catch. This makes implementing runtime security in the cloud all the more integral.
What threats does runtime security protect against?
Runtime security protects against the following common cybersecurity threats:
- Malware and malicious code: Malware that has not yet been identified and cataloged can hide in software dependencies, and malicious code that is able to mask its purpose until it is executed can escape traditional code and file scanning detection. Only when executed can these threats be detected and caught.
- Code injection and memory corruption: Buffer overflows and other code injection methods mean that malicious code is introduced into your running application rather than being present prior to deployment. This means that it is only detectable with runtime protection.
- Unauthorized access and privilege escalation: Runtime security can detect unauthorized access (or attempted access) to resources. Security policies can be enforced to deny attempts at escalating privileges, and the attempt may be logged as evidence of a compromised process.
- Zero-day exploits: Previously unknown vulnerabilities in otherwise reputable software are a common attack vector. Because the vulnerability itself is as-yet unknown, runtime security may be able to detect the results of the exploit rather than the exploit itself, allowing you to narrow down the cause. Network segmentation and a strong security posture are the best protection against zero-day attacks in the cloud.
- Suspicious behavior: Runtime security can also detect other suspicious activities that may indicate a highly targeted attack in progress, such as an outbound network connection to a C2 server, elevated permissions within a containerized workload, or obfuscated scripts on the command line intended to evade traditional endpoint detection rules.
To combat the above threats, runtime security establishes a baseline for how an application interacts with its environment and other resources. In combination with threat detection policies, this allows it to identify, in real time, the abnormal behaviors that signal a potential cyberattack in progress.
How runtime security differs from other cloud security
Static analysis tools that check code for anomalies and vulnerabilities before it is deployed to production, and dynamic analysis tools that check code running in controlled environments, are not enough (alone or in combination) to fully protect an application.
As-yet unidentified vulnerabilities can pass static analysis, and malicious behavior may not be triggered in a controlled environment. Runtime security actively monitors applications in production as they are running. This means that it is able to detect and respond to code injection, privilege escalation, zero-days, and other malicious activities that static and dynamic code analysis may not be able to identify.
Benefits of runtime security
Runtime security helps keep applications and processes secure, especially in more ephemeral environments, such as containers, virtual machines (VM), and serverless functions.
Other runtime security benefits include:
- Real-time threat detection: Continuously monitor, discover, and remediate dynamic threats that static analysis tools won’t catch, such as zero-days.
- Layered security: Implementing runtime security provides additional security controls to create more defense in depth.
- Faster incident response: Continuous monitoring for risks enables security teams to work more proactively if suspicious activity is detected.
- Secure at scale: Runtime security enables security teams to protect applications and processes better as the organization grows.
Challenges of runtime security
Runtime security challenges depend slightly on the type of runtime environment, but common risks include:
- Shifting attack surface: Organizations spin containers and VMs up and down constantly. Their short lifespan makes them difficult to protect and requires strong security controls.
- Complex environments: Some data formats aren’t as easy to interpret as others, and multi-cloud environments add management complexity.
- Alert fatigue: Runtime security can sometimes result in more noise, which increases the amount of alerts that security teams must review.
- Increased compute needs: Expect to use more compute resources than static analysis tools require, because runtime security performs its checks far more frequently.
Types of runtime security
Runtime security, including automated detection and response, should cover all of your cloud applications, regardless of where or how they are running:
- Application runtime security: Runtime application self-protection (RASP) is built into the application itself and is implemented by the developer.
- Container runtime security: Runtime security for containers and orchestration platforms like Kubernetes protects the container platform, as well as the host and adjacent infrastructure, from potential exploits of the containerized code. To truly understand and correlate behavior between a Kubernetes abstraction, such as a pod or service, and the underlying process running within that ephemeral workload, businesses need to enrich the context of raw system calls with the events observed in Kubernetes audit logs.
- Cloud runtime security: Cloud environments such as AWS, GCP, and Azure have their own dedicated cloud services with their own associated audit logging systems used to monitor unwanted behaviors in those cloud services. It's important to aggregate and analyze these cloud audit logs in the same way we observe system calls in the host runtime to understand if a workload or server is under attack.
- Host runtime security: Intrusion and endpoint detection provide real-time detection and response for the machines that run virtualization and containerization platforms, or that directly run cloud workloads.
- Serverless runtime security: Serverless functions, such as AWS Lambda, are not immune from exploit, and can be leveraged by attackers if not actively monitored for unexpected behaviors.
Outside of cloud environments, endpoint runtime security products (usually in the form of antivirus and endpoint protection platforms) protect devices like laptops, phones, and workstations from malware.
Components of runtime security
Every security tool is different, but generally runtime security tools include:
- Continuous monitoring: Often implemented as system call monitoring, these tools provide visibility into processes running in containers and other ephemeral environments to find risks and collect data for processing.
- Security policy enforcement: Tools use security policies to manage access to containers, VMs, and other cloud environments.
- Detection: Real-time scanning helps discover threats and new vulnerabilities.
- Response: Tools can perform some response actions like creating an alert for security teams, triggering a webhook, or isolating the impacted environment to limit attacks from progressing further.
- Investigation: Forensic analysis capabilities investigate discovered threats. Tools capture telemetry such as executed commands, file access, and network connections, and correlate related events into a single threat narrative.
- File integrity monitoring: With FIM, runtime security tools can identify changes or tampering done to file systems in an environment.
Runtime security tools
Organizations have a variety of tools available for runtime security. For example, Sysdig Secure protects cloud-native environments like Amazon AWS, Google Cloud, Microsoft Azure, IBM Cloud, and Oracle Cloud.
Other runtime security tools include Security-Enhanced Linux (SELinux) and AppArmor. SELinux is a security module already included in the Linux kernel that uses security policies to enforce mandatory access control (MAC). AppArmor is an application security system that supplements Unix discretionary access control with MAC.
Another open source runtime security tool is Falco. It is a cloud-native security tool for hosts, containers, cloud environments, and Kubernetes. Falco analyzes system calls to determine whether activity is suspicious and creates an alert when it is. Falco can also consume Kubernetes audit logs to provide visibility inside a cluster.
How runtime security works
Runtime security protects dynamic cloud environments with real-time monitoring, detection, and response capabilities.
For example, Sysdig runtime security is powered by Falco, the open source solution for cloud threat detection. Falco ingests system calls and other logs (such as Kubernetes audit logs and cloud provider logs) and analyzes them to provide full visibility into everything happening across the cloud environment. Sysdig identifies suspicious activity based on Falco rules that define the conditions under which an alert is generated. Falco rules can be customized to a user’s specific environment.
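As an added example (not a rules file from the Sysdig or Falco projects), the following Falco rules show how alerting conditions are composed from lists and macros and where per-environment tuning goes; the image names and the egress port list are constructed placeholders.

```yaml
# Added example rules; image names and ports below are constructed placeholders.
- list: allowed_egress_ports
  items: [53, 443]

- list: trusted_images
  items: [registry.example.internal/payments-api, registry.example.internal/ingest]

- list: shell_binaries
  items: [bash, sh, zsh, dash, ash]

# Reusable condition fragments referenced by the rules below.
- macro: in_container
  condition: container.id != host

- macro: spawned_process
  condition: evt.type in (execve, execveat) and evt.dir = <

- macro: outbound_tcp_connect
  condition: evt.type = connect and evt.dir = < and fd.l4proto = tcp and fd.typechar = 4

- rule: Unexpected Egress Port From Workload
  desc: >
    A process in a trusted workload image opened an outbound TCP connection to a port
    outside the approved egress list, one signal of C2 traffic or data exfiltration.
  condition: >
    outbound_tcp_connect and in_container
    and container.image.repository in (trusted_images)
    and not fd.sport in (allowed_egress_ports)
  output: >
    Unexpected egress (user=%user.name proc=%proc.name cmdline=%proc.cmdline
    dst=%fd.sip:%fd.sport image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: WARNING
  tags: [network, container]

- rule: Shell Spawned In Trusted Workload
  desc: >
    A shell started inside an image that should never run one, which is typical of
    post-exploitation activity or of an operator exec-ing into a production pod.
  condition: >
    spawned_process and in_container
    and container.image.repository in (trusted_images)
    and proc.name in (shell_binaries)
  output: >
    Shell in production workload (user=%user.name shell=%proc.name
    parent=%proc.pname cmdline=%proc.cmdline image=%container.image.repository
    pod=%k8s.pod.name ns=%k8s.ns.name)
  priority: NOTICE
  tags: [process, container]
```

Tuning for a new environment means editing the lists (approved ports, trusted images) rather than the rule conditions, which keeps the detection logic stable while the allowlists track the deployment.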
Once suspicious activity has been detected, Sysdig provides forensic analysis capabilities to help investigate the threat. Sysdig captures executed commands, file access, and network connections and correlates related events into a single threat narrative. Once a threat has been confirmed, Sysdig offers a number of response actions including killing or pausing a container, isolating a workload from the network, or quarantining a suspicious file.
Runtime security best practices
There are several best practices your security teams can adopt to ensure that the benefits of their investment in cloud security are fully realized:
- Monitor running applications, and ensure notifications are targeted: Ensure that your security platform is properly configured to monitor all running applications (even those in horizontally scaling environments), and that notifications are only sent to relevant team members, to prevent individual security team members from becoming overwhelmed and overlooking important alerts.
- Use strong access controls: Role-based access control (RBAC) should be used to control what resources both users and running processes have access to, to prevent a successful attacker from being able to cause further damage by moving through your network. The principle of least privilege (POLP) strengthens this by granting access only to the specific resources required for a task.
- Run regular response training: Your security team should understand the infrastructure and applications they are tasked with protecting, and run regular response training. This, combined with automated detection and response, will help protect against even highly targeted attacks.
- Perform patch management: Regularly check for updates and fixes for known risks to keep applications and processes secure.
- Implement security posture management: Continuously monitor and evaluate security and risks to keep runtime processes protected from known and emerging threats.
Sysdig integrates runtime security into its CNAPP solution
The Sysdig cloud-native application protection platform (CNAPP) integrates container workload protection, providing a comprehensive, unified solution to runtime security in the cloud.
Sysdig integrates with AWS, Google Cloud, and Azure to secure code from deployment to execution in scalable production environments. The platform monitors permissions, configurations, and application behavior for signs of attack, immediately notifies stakeholders, and automatically enacts mitigation and remediation measures for the highest possible level of cloud protection.
